diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index a6649621a..d5fdb29ed 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml @@ -33,7 +33,7 @@ jobs: max-parallel: 4 matrix: python-version: ["3.11"] - playwright-browser: ["chromium", "firefox"] + playwright-browser: ["chromium"] steps: - uses: actions/checkout@v4 diff --git a/.gitignore b/.gitignore index 95c3c9f41..227d1a9e9 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ db/ /backend/profiles ./backend/ciso_assistant/.meta caddy_data/ +**/dist/ diff --git a/LICENSE b/LICENSE-AGPL.txt similarity index 100% rename from LICENSE rename to LICENSE-AGPL.txt diff --git a/LICENSE.txt b/LICENSE.txt new file mode 100644 index 000000000..7830f0b49 --- /dev/null +++ b/LICENSE.txt @@ -0,0 +1,11 @@ +Source code in this repository is variously licensed under the GNU Affero General Public License (AGPL), or the intuitem Commercial License (https://intuitem.com/license/commercial/). + +- All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License. + +- All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/). + +Binary files are generated for each edition for CISO Assistant: +- Binaries located at ghcr.io/intuitem/ciso-assistant-community/ are released under the AGPL. +- Binaries located at ghcr.io/intuitem/ciso-assistant-pro/ and ghcr.io/intuitem/ciso-assistant-enterprise/ are released under the intuitem Commercial Software License. + +intuitem Commercial Software License requires a valid contract between the licensee and intuitem. diff --git a/README.md b/README.md index 4683fef83..f6e53b827 100644 --- a/README.md +++ b/README.md @@ -87,7 +87,7 @@ and run the starter script > If you're getting warnings or errors about image's platform not matching host platform, raise an issue with the details and we'll add it shortly after. You can also use `docker-compose-build.sh` instead (see below) to build for your specific architecture. > [!CAUTION] -> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our developemnt. Either use the `tags` for stable versions or prebuilt images. +> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our development. Either use the `tags` for stable versions or prebuilt images. ## End-user Documentation @@ -149,6 +149,9 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 52. NCSC Cyber Essentials 🇬🇧 53. Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) Maroc 🇲🇦 54. Part-IS ✈️🇪🇺 +55. ENS Esquema Nacional de seguridad 🇪🇸 +56. Korea ISA ISMS-P 🇰🇷 +57. Swiss ICT minimum standard 🇨🇭 ### Community contributions @@ -159,7 +162,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 5. ANSSI : Recommandations pour la protection des systèmes d'information essentiels 🇫🇷 6. ANSSI : Recommandations de sécurité pour l'architecture d'un système de journalisation 🇫🇷 7. ANSSI : Recommandations de sécurité relatives à TLS 🇫🇷 -8. New Zealand Information Security Manual (NZISM) ɴᴢ +8. New Zealand Information Security Manual (NZISM) 🇳🇿
> [!NOTE] @@ -171,9 +174,7 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the ### Coming soon -- ENS Esquema Nacional de seguridad (español) - NIST 800-82 -- Korea ISA: ISMS-P - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉 @@ -480,6 +481,8 @@ Set DJANGO_DEBUG=False for security reason. - IT: Italian - PL: Polish - RO: Romanian +- HI: Hindi +- UR: Urdu ## Built With 💜 @@ -500,4 +503,12 @@ Great care has been taken to follow security best practices. Please report any i ## License -[AGPLv3](https://choosealicense.com/licenses/agpl-3.0/) +This repository contains the source code for both the Open Source edition of CISO Assistant (Community Edition), released under the AGPL v3, as well as the commercial edition of CISO Assistant (Pro and Enterprise Editions), released under the intuitem Commercial Software License. This mono-repository approach is adopted for simplicity. + +All the files within the top-level "enterprise" directory are released under the intuitem Commercial Software License. + +All the files outside the top-level "enterprise" directory are released under the [AGPLv3](https://choosealicense.com/licenses/agpl-3.0/). + +See [LICENSE.txt](./LICENSE.txt) for details. + +Unless otherwise noted, all files are © intuitem. diff --git a/backend/.gitignore b/backend/.gitignore index c7570ae91..252e8d460 100644 --- a/backend/.gitignore +++ b/backend/.gitignore @@ -17,3 +17,4 @@ db/pg_password.txt ./db/ .coverage pytest-report.html +enterprise/ diff --git a/backend/README.md b/backend/README.md new file mode 100644 index 000000000..e69de29bb diff --git a/backend/app_tests/api/test_api_applied_controls.py b/backend/app_tests/api/test_api_applied_controls.py index ae2e4895a..782f1dc4e 100644 --- a/backend/app_tests/api/test_api_applied_controls.py +++ b/backend/app_tests/api/test_api_applied_controls.py @@ -10,12 +10,14 @@ APPLIED_CONTROL_DESCRIPTION = "Test Description" APPLIED_CONTROL_CATEGORY = ("technical", "Technical") APPLIED_CONTROL_CATEGORY2 = ("process", "Process") -APPLIED_CONTROL_STATUS = ("planned", "Planned") -APPLIED_CONTROL_STATUS2 = ("active", "Active") +APPLIED_CONTROL_STATUS = AppliedControl.Status.IN_PROGRESS +APPLIED_CONTROL_STATUS2 = AppliedControl.Status.ACTIVE APPLIED_CONTROL_EFFORT = ("L", "Large") APPLIED_CONTROL_EFFORT2 = ("M", "Medium") APPLIED_CONTROL_LINK = "https://example.com" APPLIED_CONTROL_ETA = "2024-01-01" +APPLIED_CONTROL_COST = 24.42 +APPLIED_CONTROL_COST2 = 25.43 @pytest.mark.django_db @@ -100,17 +102,18 @@ def test_get_applied_controls(self, test): "name": APPLIED_CONTROL_NAME, "description": APPLIED_CONTROL_DESCRIPTION, "category": APPLIED_CONTROL_CATEGORY[0], - "status": APPLIED_CONTROL_STATUS[0], + "status": APPLIED_CONTROL_STATUS._value_, "link": APPLIED_CONTROL_LINK, "eta": APPLIED_CONTROL_ETA, "effort": APPLIED_CONTROL_EFFORT[0], + "cost": APPLIED_CONTROL_COST, "folder": test.folder, }, { "folder": {"id": str(test.folder.id), "str": test.folder.name}, "reference_control": None, "category": APPLIED_CONTROL_CATEGORY[1], - "status": APPLIED_CONTROL_STATUS[1], + "status": APPLIED_CONTROL_STATUS._value_, "effort": APPLIED_CONTROL_EFFORT[1], }, user_group=test.user_group, @@ -131,16 +134,17 @@ def test_create_applied_controls(self, test): "name": APPLIED_CONTROL_NAME, "description": APPLIED_CONTROL_DESCRIPTION, "category": APPLIED_CONTROL_CATEGORY[0], - "status": APPLIED_CONTROL_STATUS[0], + "status": APPLIED_CONTROL_STATUS._value_, "link": APPLIED_CONTROL_LINK, "eta": APPLIED_CONTROL_ETA, "effort": APPLIED_CONTROL_EFFORT[0], + "cost": APPLIED_CONTROL_COST, "folder": str(test.folder.id), }, { "folder": {"id": str(test.folder.id), "str": test.folder.name}, "category": APPLIED_CONTROL_CATEGORY[1], - "status": APPLIED_CONTROL_STATUS[1], + "status": APPLIED_CONTROL_STATUS._value_, "effort": APPLIED_CONTROL_EFFORT[1], }, user_group=test.user_group, @@ -163,26 +167,28 @@ def test_update_applied_controls(self, test): "name": APPLIED_CONTROL_NAME, "description": APPLIED_CONTROL_DESCRIPTION, "category": APPLIED_CONTROL_CATEGORY[0], - "status": APPLIED_CONTROL_STATUS[0], + "status": APPLIED_CONTROL_STATUS._value_, "link": APPLIED_CONTROL_LINK, "eta": APPLIED_CONTROL_ETA, "effort": APPLIED_CONTROL_EFFORT[0], + "cost": APPLIED_CONTROL_COST, "folder": test.folder, }, { "name": "new " + APPLIED_CONTROL_NAME, "description": "new " + APPLIED_CONTROL_DESCRIPTION, "category": APPLIED_CONTROL_CATEGORY2[0], - "status": APPLIED_CONTROL_STATUS2[0], + "status": APPLIED_CONTROL_STATUS2._value_, "link": "new " + APPLIED_CONTROL_LINK, "eta": "2025-01-01", "effort": APPLIED_CONTROL_EFFORT2[0], + "cost": APPLIED_CONTROL_COST2, "folder": str(folder.id), }, { "folder": {"id": str(test.folder.id), "str": test.folder.name}, "category": APPLIED_CONTROL_CATEGORY[1], - "status": APPLIED_CONTROL_STATUS[1], + "status": APPLIED_CONTROL_STATUS._value_, "effort": APPLIED_CONTROL_EFFORT[1], }, user_group=test.user_group, diff --git a/backend/app_tests/api/test_api_libraries.py b/backend/app_tests/api/test_api_libraries.py index 58a09b591..cddd132a8 100644 --- a/backend/app_tests/api/test_api_libraries.py +++ b/backend/app_tests/api/test_api_libraries.py @@ -66,7 +66,6 @@ def test_import_frameworks(self, test): ) lib_detail_response = lib_detail_response.content lib_detail_response = json.loads(lib_detail_response) - lib_detail_response = json.loads(lib_detail_response) lib_detail_response = lib_detail_response["framework"] # Asserts that the library is not already loaded @@ -135,7 +134,6 @@ def test_import_risk_matrix(self, test): ) lib_detail_response = lib_detail_response.content lib_detail_response = json.loads(lib_detail_response) - lib_detail_response = json.loads(lib_detail_response) lib_detail_response = lib_detail_response["risk_matrix"][0] # Asserts that the library is not already loaded diff --git a/backend/app_tests/api/test_api_policies.py b/backend/app_tests/api/test_api_policies.py index fcbe07f31..45c2c2b39 100644 --- a/backend/app_tests/api/test_api_policies.py +++ b/backend/app_tests/api/test_api_policies.py @@ -8,8 +8,8 @@ # Generic policy data for tests POLICY_NAME = "Test Policy" POLICY_DESCRIPTION = "Test Description" -POLICY_STATUS = ("planned", "Planned") -POLICY_STATUS2 = ("active", "Active") +POLICY_STATUS = Policy.Status.TO_DO +POLICY_STATUS2 = Policy.Status.ACTIVE POLICY_EFFORT = ("L", "Large") POLICY_EFFORT2 = ("M", "Medium") POLICY_LINK = "https://example.com" @@ -97,7 +97,7 @@ def test_get_policies(self, test): { "name": POLICY_NAME, "description": POLICY_DESCRIPTION, - "status": POLICY_STATUS[0], + "status": POLICY_STATUS._value_, "link": POLICY_LINK, "eta": POLICY_ETA, "effort": POLICY_EFFORT[0], @@ -106,7 +106,7 @@ def test_get_policies(self, test): { "folder": {"id": str(test.folder.id), "str": test.folder.name}, "reference_control": None, - "status": POLICY_STATUS[1], + "status": POLICY_STATUS._value_, "effort": POLICY_EFFORT[1], }, user_group=test.user_group, @@ -122,7 +122,7 @@ def test_create_policies(self, test): { "name": POLICY_NAME, "description": POLICY_DESCRIPTION, - "status": POLICY_STATUS[0], + "status": POLICY_STATUS._value_, "link": POLICY_LINK, "eta": POLICY_ETA, "effort": POLICY_EFFORT[0], @@ -130,7 +130,7 @@ def test_create_policies(self, test): }, { "folder": {"id": str(test.folder.id), "str": test.folder.name}, - "status": POLICY_STATUS[1], + "status": POLICY_STATUS._value_, "effort": POLICY_EFFORT[1], }, user_group=test.user_group, @@ -149,7 +149,7 @@ def test_update_policies(self, test): { "name": POLICY_NAME, "description": POLICY_DESCRIPTION, - "status": POLICY_STATUS[0], + "status": POLICY_STATUS._value_, "link": POLICY_LINK, "eta": POLICY_ETA, "effort": POLICY_EFFORT[0], @@ -158,7 +158,7 @@ def test_update_policies(self, test): { "name": "new " + POLICY_NAME, "description": "new " + POLICY_DESCRIPTION, - "status": POLICY_STATUS2[0], + "status": POLICY_STATUS2._value_, "link": "new " + POLICY_LINK, "eta": "2025-01-01", "effort": POLICY_EFFORT2[0], @@ -166,7 +166,7 @@ def test_update_policies(self, test): }, { "folder": {"id": str(test.folder.id), "str": test.folder.name}, - "status": POLICY_STATUS[1], + "status": POLICY_STATUS._value_, "effort": POLICY_EFFORT[1], }, user_group=test.user_group, diff --git a/backend/app_tests/api/test_api_risk_scenarios.py b/backend/app_tests/api/test_api_risk_scenarios.py index 5146359a2..d0c6a30ee 100644 --- a/backend/app_tests/api/test_api_risk_scenarios.py +++ b/backend/app_tests/api/test_api_risk_scenarios.py @@ -110,8 +110,8 @@ "description": "acceptable risk", "hexcolor": "#00FF00", } -RISK_SCENARIO_TREATMENT_STATUS = ("accept", "Accept") -RISK_SCENARIO_TREATMENT_STATUS2 = ("mitigate", "Mitigate") +RISK_SCENARIO_TREATMENT_STATUS = ("accept", "accept") +RISK_SCENARIO_TREATMENT_STATUS2 = ("mitigate", "mitigate") RISK_SCENARIO_JUSTIFICATION = "Test justification" diff --git a/backend/app_tests/api/test_utils.py b/backend/app_tests/api/test_utils.py index 0d8ba48ab..448c5073b 100644 --- a/backend/app_tests/api/test_utils.py +++ b/backend/app_tests/api/test_utils.py @@ -1,5 +1,5 @@ from django.db import models -from knox.auth import AuthToken +from knox.models import AuthToken import pytest import json import re @@ -1027,7 +1027,8 @@ def compare_results( ), "reference endpoint is not accessible" content = json.loads(reference.content) - content = json.loads(content) + if isinstance(content, str): + content = json.loads(content) for object in content["framework"][object_name.lower().replace(" ", "_")][ :count diff --git a/backend/app_tests/conftest.py b/backend/app_tests/conftest.py index 8cf15f291..e1aadae93 100644 --- a/backend/app_tests/conftest.py +++ b/backend/app_tests/conftest.py @@ -4,7 +4,7 @@ from test_vars import GROUPS_PERMISSIONS from iam.models import User, UserGroup from core.apps import startup -from knox.auth import AuthToken +from knox.models import AuthToken class Test(dict): diff --git a/backend/app_tests/test_vars.py b/backend/app_tests/test_vars.py index 4450f18ed..55e985a6e 100644 --- a/backend/app_tests/test_vars.py +++ b/backend/app_tests/test_vars.py @@ -1,5 +1,5 @@ from typing import Any -from core.apps import ( +from core.startup import ( READER_PERMISSIONS_LIST, APPROVER_PERMISSIONS_LIST, ANALYST_PERMISSIONS_LIST, diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py index e97e8257d..aa6987b4e 100644 --- a/backend/ciso_assistant/settings.py +++ b/backend/ciso_assistant/settings.py @@ -81,6 +81,10 @@ def set_ciso_assistant_url(_, __, event_dict): logging.config.dictConfig(LOGGING) logger = structlog.getLogger(__name__) +FEATURE_FLAGS = {} +MODULE_PATHS = {} +ROUTES = {} + logger.info("BASE_DIR: %s", BASE_DIR) logger.info("VERSION: %s", VERSION) logger.info("BUILD: %s", BUILD) @@ -94,7 +98,7 @@ def set_ciso_assistant_url(_, __, event_dict): SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key()) # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = os.environ.get("DJANGO_DEBUG") == "True" +DEBUG = os.environ.get("DJANGO_DEBUG", "False") == "True" logger.info("DEBUG mode: %s", DEBUG) logger.info("CISO_ASSISTANT_URL: %s", CISO_ASSISTANT_URL) @@ -200,7 +204,7 @@ def set_ciso_assistant_url(_, __, event_dict): } REST_KNOX = { - "SECURE_HASH_ALGORITHM": "cryptography.hazmat.primitives.hashes.SHA512", + "SECURE_HASH_ALGORITHM": "hashlib.sha512", "AUTH_TOKEN_CHARACTER_LENGTH": 64, "TOKEN_TTL": timedelta(seconds=AUTH_TOKEN_TTL), "TOKEN_LIMIT_PER_USER": None, @@ -292,6 +296,8 @@ def set_ciso_assistant_url(_, __, event_dict): ("pt", "Portuguese"), ("ar", "Arabic"), ("ro", "Romanian"), + ("hi", "Hindi"), + ("ur", "Urdu"), ] PROJECT_PATH = os.path.dirname(os.path.abspath(__file__)) diff --git a/backend/core/apps.py b/backend/core/apps.py index 20c023035..7d6a29bba 100644 --- a/backend/core/apps.py +++ b/backend/core/apps.py @@ -1,425 +1,8 @@ from django.apps import AppConfig from django.db.models.signals import post_migrate -from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL import os -from django.core.management import call_command -from structlog import get_logger - -logger = get_logger(__name__) - -READER_PERMISSIONS_LIST = [ - "view_project", - "view_riskassessment", - "view_appliedcontrol", - "view_policy", - "view_riskscenario", - "view_riskacceptance", - "view_asset", - "view_threat", - "view_referencecontrol", - "view_folder", - "view_usergroup", - "view_riskmatrix", - "view_complianceassessment", - "view_requirementassessment", - "view_requirementnode", - "view_evidence", - "view_framework", - "view_loadedlibrary", - "view_storedlibrary", - "view_user", - "view_requirementmappingset", - "view_requirementmapping", -] - -APPROVER_PERMISSIONS_LIST = [ - "view_project", - "view_riskassessment", - "view_appliedcontrol", - "view_policy", - "view_riskscenario", - "view_riskacceptance", - "approve_riskacceptance", - "view_asset", - "view_threat", - "view_referencecontrol", - "view_folder", - "view_usergroup", - "view_riskmatrix", - "view_complianceassessment", - "view_requirementassessment", - "view_requirementnode", - "view_evidence", - "view_framework", - "view_storedlibrary", - "view_loadedlibrary", - "view_user", - "view_requirementmappingset", - "view_requirementmapping", -] - -ANALYST_PERMISSIONS_LIST = [ - "add_project", - "view_project", - "change_project", - "delete_project", - "add_riskassessment", - "view_riskassessment", - "change_riskassessment", - "delete_riskassessment", - "add_appliedcontrol", - "view_appliedcontrol", - "change_appliedcontrol", - "delete_appliedcontrol", - "add_policy", - "view_policy", - "change_policy", - "delete_policy", - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - "add_complianceassessment", - "view_complianceassessment", - "change_complianceassessment", - "delete_complianceassessment", - "view_requirementassessment", - "change_requirementassessment", - "add_evidence", - "view_evidence", - "change_evidence", - "delete_evidence", - "add_asset", - "view_asset", - "change_asset", - "delete_asset", - "add_threat", - "view_threat", - "change_threat", - "delete_threat", - "view_referencecontrol", - "view_folder", - "view_usergroup", - "view_riskmatrix", - "view_requirementnode", - "view_framework", - "view_storedlibrary", - "view_loadedlibrary", - "view_user", - "view_requirementmappingset", - "view_requirementmapping", -] - -DOMAIN_MANAGER_PERMISSIONS_LIST = [ - "change_usergroup", - "view_usergroup", - "add_project", - "change_project", - "delete_project", - "view_project", - "add_riskassessment", - "view_riskassessment", - "change_riskassessment", - "delete_riskassessment", - "add_appliedcontrol", - "view_appliedcontrol", - "change_appliedcontrol", - "delete_appliedcontrol", - "add_policy", - "view_policy", - "change_policy", - "delete_policy", - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - "add_asset", - "view_asset", - "change_asset", - "delete_asset", - "add_threat", - "view_threat", - "change_threat", - "delete_threat", - "view_referencecontrol", - "view_folder", - "change_folder", - "add_riskmatrix", - "view_riskmatrix", - "change_riskmatrix", - "delete_riskmatrix", - "add_complianceassessment", - "view_complianceassessment", - "change_complianceassessment", - "delete_complianceassessment", - "view_requirementassessment", - "change_requirementassessment", - "add_evidence", - "view_evidence", - "change_evidence", - "delete_evidence", - "view_requirementnode", - "view_framework", - "view_storedlibrary", - "view_loadedlibrary", - "view_user", - "view_requirementmappingset", - "view_requirementmapping", -] - -ADMINISTRATOR_PERMISSIONS_LIST = [ - "add_user", - "view_user", - "change_user", - "delete_user", - "add_usergroup", - "view_usergroup", - "change_usergroup", - "delete_usergroup", - "add_event", - "view_event", - "change_event", - "delete_event", - "add_asset", - "view_asset", - "change_asset", - "delete_asset", - "add_threat", - "view_threat", - "change_threat", - "delete_threat", - "add_referencecontrol", - "view_referencecontrol", - "change_referencecontrol", - "delete_referencecontrol", - "add_folder", - "change_folder", - "view_folder", - "delete_folder", - "add_project", - "change_project", - "delete_project", - "view_project", - "add_riskassessment", - "view_riskassessment", - "change_riskassessment", - "delete_riskassessment", - "add_appliedcontrol", - "view_appliedcontrol", - "change_appliedcontrol", - "delete_appliedcontrol", - "add_policy", - "view_policy", - "change_policy", - "delete_policy", - "add_riskscenario", - "view_riskscenario", - "change_riskscenario", - "delete_riskscenario", - "add_riskacceptance", - "view_riskacceptance", - "change_riskacceptance", - "delete_riskacceptance", - "approve_riskacceptance", - "add_riskmatrix", - "view_riskmatrix", - "change_riskmatrix", - "delete_riskmatrix", - "add_complianceassessment", - "view_complianceassessment", - "change_complianceassessment", - "delete_complianceassessment", - "view_requirementassessment", - "change_requirementassessment", - "add_evidence", - "view_evidence", - "change_evidence", - "delete_evidence", - "add_framework", - "view_framework", - "delete_framework", - "view_requirementnode", - "view_storedlibrary", - "add_storedlibrary", - "delete_storedlibrary", - "view_loadedlibrary", - "add_loadedlibrary", - "delete_loadedlibrary", - "backup", - "restore", - "view_globalsettings", - "change_globalsettings", - "view_requirementmappingset", - "view_requirementmapping", -] - - -def startup(sender: AppConfig, **kwargs): - """ - Implement CISO Assistant 1.0 default Roles and User Groups during migrate - This makes sure root folder and global groups are defined before any other object is created - Create superuser if CISO_ASSISTANT_SUPERUSER_EMAIL defined - """ - from django.contrib.auth.models import Permission - from allauth.socialaccount.providers.saml.provider import SAMLProvider - from iam.models import Folder, Role, RoleAssignment, User, UserGroup - from global_settings.models import GlobalSettings - - print("startup handler: initialize database") - - reader_permissions = Permission.objects.filter(codename__in=READER_PERMISSIONS_LIST) - - approver_permissions = Permission.objects.filter( - codename__in=APPROVER_PERMISSIONS_LIST - ) - - analyst_permissions = Permission.objects.filter( - codename__in=ANALYST_PERMISSIONS_LIST - ) - - domain_manager_permissions = Permission.objects.filter( - codename__in=DOMAIN_MANAGER_PERMISSIONS_LIST - ) - - administrator_permissions = Permission.objects.filter( - codename__in=ADMINISTRATOR_PERMISSIONS_LIST - ) - - # if root folder does not exist, then create it - if not Folder.objects.filter(content_type=Folder.ContentType.ROOT).exists(): - Folder.objects.create( - name="Global", content_type=Folder.ContentType.ROOT, builtin=True - ) - # update builtin roles to facilitate migrations - reader, created = Role.objects.get_or_create(name="BI-RL-AUD", builtin=True) - reader.permissions.set(reader_permissions) - approver, created = Role.objects.get_or_create(name="BI-RL-APP", builtin=True) - approver.permissions.set(approver_permissions) - analyst, created = Role.objects.get_or_create(name="BI-RL-ANA", builtin=True) - analyst.permissions.set(analyst_permissions) - domain_manager, created = Role.objects.get_or_create(name="BI-RL-DMA", builtin=True) - domain_manager.permissions.set(domain_manager_permissions) - administrator, created = Role.objects.get_or_create(name="BI-RL-ADM", builtin=True) - administrator.permissions.set(administrator_permissions) - # if global administrators user group does not exist, then create it - if not UserGroup.objects.filter( - name="BI-UG-ADM", folder=Folder.get_root_folder() - ).exists(): - administrators = UserGroup.objects.create( - name="BI-UG-ADM", folder=Folder.get_root_folder(), builtin=True - ) - ra1 = RoleAssignment.objects.create( - user_group=administrators, - role=Role.objects.get(name="BI-RL-ADM"), - is_recursive=True, - builtin=True, - folder=Folder.get_root_folder(), - ) - ra1.perimeter_folders.add(administrators.folder) - # if global readers user group does not exist, then create it - if not UserGroup.objects.filter( - name="BI-UG-GAD", folder=Folder.get_root_folder() - ).exists(): - global_readers = UserGroup.objects.create( - name="BI-UG-GAD", - folder=Folder.objects.get(content_type=Folder.ContentType.ROOT), - builtin=True, - ) - ra2 = RoleAssignment.objects.create( - user_group=global_readers, - role=Role.objects.get(name="BI-RL-AUD"), - is_recursive=True, - builtin=True, - folder=Folder.get_root_folder(), - ) - ra2.perimeter_folders.add(global_readers.folder) - # if global approvers user group does not exist, then create it - if not UserGroup.objects.filter( - name="BI-UG-GAP", folder=Folder.get_root_folder() - ).exists(): - global_approvers = UserGroup.objects.create( - name="BI-UG-GAP", - folder=Folder.objects.get(content_type=Folder.ContentType.ROOT), - builtin=True, - ) - ra2 = RoleAssignment.objects.create( - user_group=global_approvers, - role=Role.objects.get(name="BI-RL-APP"), - is_recursive=True, - builtin=True, - folder=Folder.get_root_folder(), - ) - ra2.perimeter_folders.add(global_approvers.folder) - - # if superuser defined and does not exist, then create it - if ( - CISO_ASSISTANT_SUPERUSER_EMAIL - and not User.objects.filter(email=CISO_ASSISTANT_SUPERUSER_EMAIL).exists() - ): - try: - User.objects.create_superuser( - email=CISO_ASSISTANT_SUPERUSER_EMAIL, is_superuser=True - ) - except Exception as e: - print(e) # NOTE: Add this exception in the logger - - default_attribute_mapping = SAMLProvider.default_attribute_mapping - - settings = { - "attribute_mapping": { - "uid": default_attribute_mapping["uid"], - "email_verified": default_attribute_mapping["email_verified"], - "email": default_attribute_mapping["email"], - }, - "idp": { - "entity_id": "", - "metadata_url": "", - "sso_url": "", - "slo_url": "", - "x509cert": "", - }, - "sp": { - "entity_id": "ciso-assistant", - }, - "advanced": { - "allow_repeat_attribute_name": True, - "allow_single_label_domains": False, - "authn_request_signed": False, - "digest_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", - "logout_request_signed": False, - "logout_response_signed": False, - "metadata_signed": False, - "name_id_encrypted": False, - "reject_deprecated_algorithm": True, - "reject_idp_initiated_sso": True, - "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", - "want_assertion_encrypted": False, - "want_assertion_signed": False, - "want_attribute_statement": True, - "want_message_signed": False, - "want_name_id": False, - "want_name_id_encrypted": False, - }, - } - - if not GlobalSettings.objects.filter(name=GlobalSettings.Names.SSO).exists(): - logger.info("SSO settings not found, creating default settings") - sso_settings = GlobalSettings.objects.create( - name=GlobalSettings.Names.SSO, - value={"client_id": "0", "settings": settings}, - ) - logger.info("SSO settings created", settings=sso_settings.value) - - call_command("storelibraries") +from .startup import startup class CoreConfig(AppConfig): diff --git a/backend/core/helpers.py b/backend/core/helpers.py index 86a106cb1..9302362ec 100644 --- a/backend/core/helpers.py +++ b/backend/core/helpers.py @@ -36,9 +36,10 @@ def flatten_dict( STATUS_COLOR_MAP = { # TODO: Move these kinds of color maps to frontend "undefined": "#CCC", - "planned": "#BFDBFE", + "--": "#CCC", + "to_do": "#BFDBFE", "active": "#46D39A", - "inactive": "#E55759", + "deprecated": "#E55759", "in_progress": "#5470c6", "in_review": "#BBF7D0", "done": "#46D39A", @@ -508,10 +509,12 @@ def applied_control_per_status(user: User): labels = list() local_lables = list() color_map = { - "undefined": "#CCC", - "planned": "#BFDBFE", - "active": "#46D39A", - "inactive": "#E55759", + AppliedControl.Status.UNDEFINED: "#CCC", + AppliedControl.Status.TO_DO: "#BFDBFE", + AppliedControl.Status.ACTIVE: "#46D39A", + AppliedControl.Status.IN_PROGRESS: "#392F5A", + AppliedControl.Status.ON_HOLD: "#F4D06F", + AppliedControl.Status.DEPRECATED: "#E55759", } ( object_ids_view, @@ -521,16 +524,11 @@ def applied_control_per_status(user: User): Folder.get_root_folder(), user, AppliedControl ) viewable_applied_controls = AppliedControl.objects.filter(id__in=object_ids_view) - undefined_count = viewable_applied_controls.filter(status__isnull=True).count() - values.append( - {"value": undefined_count, "itemStyle": {"color": color_map["undefined"]}} - ) for st in AppliedControl.Status.choices: count = viewable_applied_controls.filter(status=st[0]).count() v = {"value": count, "itemStyle": {"color": color_map[st[0]]}} values.append(v) labels.append(st[1]) - labels.insert(0, "undefined") local_lables = [camel_case(str(label)) for label in labels] return {"localLables": local_lables, "labels": labels, "values": values} @@ -748,7 +746,11 @@ def risks_per_project_groups(user: User): def get_counters(user: User): - print() + controls_count = len( + RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), user, AppliedControl + )[0] + ) return { "domains": len( RoleAssignment.get_accessible_object_ids( @@ -760,11 +762,7 @@ def get_counters(user: User): Folder.get_root_folder(), user, Project )[0] ), - "applied_controls": len( - RoleAssignment.get_accessible_object_ids( - Folder.get_root_folder(), user, AppliedControl - )[0] - ), + "applied_controls": controls_count, "risk_assessments": len( RoleAssignment.get_accessible_object_ids( Folder.get_root_folder(), user, RiskAssessment @@ -783,6 +781,136 @@ def get_counters(user: User): } +def build_audits_tree_metrics(user): + (object_ids, _, _) = RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), user, Folder + ) + viewable_domains = Folder.objects.filter(id__in=object_ids) + + tree = list() + domain_prj_children = list() + for domain in viewable_domains.exclude(name="Global"): + block_domain = {"name": domain.name, "children": []} + domain_prj_children = [] + for project in Project.objects.filter(folder=domain): + block_prj = {"name": project.name, "domain": domain.name, "children": []} + children = [] + for audit in ComplianceAssessment.objects.filter(project=project): + cnt_reqs = RequirementAssessment.objects.filter( + compliance_assessment=audit + ).count() + cnt_res = {} + for result in RequirementAssessment.Result.choices: + cnt_res[result[0]] = ( + RequirementAssessment.objects.filter( + requirement__assessable=True + ) + .filter(compliance_assessment=audit) + .filter(result=result[0]) + .count() + ) + blk_audit = { + "name": audit.name, + "children": [ + { + "name": "compliant", + "value": cnt_res["compliant"], + }, + { + "name": "not assessed", + "value": cnt_res["not_assessed"], + }, + { + "name": "Not Applicable", + "value": cnt_res["not_applicable"], + }, + { + "name": "partial", + "value": cnt_res["partially_compliant"], + }, + { + "name": "Non compliant", + "value": cnt_res["non_compliant"], + }, + ], + } + children.append(blk_audit) + block_prj["children"] = children + domain_prj_children.append(block_prj) + block_domain["children"] = domain_prj_children + tree.append(block_domain) + return tree + + +def csf_functions(user): + (object_ids, _, _) = RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), user, AppliedControl + ) + viewable_controls = AppliedControl.objects.filter(id__in=object_ids) + cnt = dict() + for choice in ReferenceControl.CSF_FUNCTION: + cnt[choice[0]] = viewable_controls.filter(csf_function=choice[0]).count() + undefined = viewable_controls.filter(csf_function__isnull=True).count() + data = [ + {"name": "Govern", "value": cnt["govern"]}, + {"name": "Identify", "value": cnt["identify"]}, + {"name": "Protect", "value": cnt["protect"]}, + {"name": "Detect", "value": cnt["detect"]}, + {"name": "Respond", "value": cnt["respond"]}, + {"name": "Recover", "value": cnt["recover"]}, + ] + if undefined > 0: + data.append({"name": "(undefined)", "value": undefined}) + + return data + + +def get_metrics(user: User): + def viewable_items(model): + (object_ids, _, _) = RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), user, model + ) + return model.objects.filter(id__in=object_ids) + + viewable_controls = viewable_items(AppliedControl) + controls_count = viewable_controls.count() + data = { + "controls": { + "total": controls_count, + "to_do": viewable_controls.filter(status="to_do").count(), + "in_progress": viewable_controls.filter(status="in_progress").count(), + "on_hold": viewable_controls.filter(status="on_hold").count(), + "active": viewable_controls.filter(status="active").count(), + "deprecated": viewable_controls.filter(status="deprecated").count(), + }, + "risk": { + "assessments": viewable_items(RiskAssessment).count(), + "scenarios": viewable_items(RiskScenario).count(), + "threats": viewable_items(Threat) + .filter(risk_scenarios__isnull=False) + .distinct() + .count(), + "acceptances": viewable_items(RiskAcceptance).count(), + }, + "compliance": { + "audits": viewable_items(ComplianceAssessment).count(), + "active_audits": viewable_items(ComplianceAssessment) + .filter(status__in=["in_progress", "in_review", "done"]) + .count(), + "evidences": viewable_items(Evidence).count(), + "compliant_items": viewable_items(RequirementAssessment) + .filter(result="compliant") + .count(), + "non_compliant_items": viewable_items(RequirementAssessment) + .filter(result="non_compliant") + .count(), + }, + "audits_tree": build_audits_tree_metrics(user), + "csf_functions": csf_functions(user), + } + return data + + def risk_status(user: User, risk_assessment_list): risk_color_map = get_risk_color_map(user) names = list() @@ -799,9 +927,11 @@ def risk_status(user: User, risk_assessment_list): } mtg_status_out = { "--": list(), - "planned": list(), + "to_do": list(), + "in_progress": list(), + "on_hold": list(), "active": list(), - "inactive": list(), + "deprecated": list(), } max_tmp = list() @@ -916,7 +1046,7 @@ def compile_risk_assessment_for_composer(user, risk_assessment_list: list): values = list() labels = list() - + # WARNING: this is wrong - FIX ME because we compute the controls multiple times if used accross multiple scenarios for st in AppliedControl.Status.choices: count = ( AppliedControl.objects.filter(status=st[0]) diff --git a/backend/core/locale/fr/LC_MESSAGES/django.mo b/backend/core/locale/fr/LC_MESSAGES/django.mo index 6c87f5edb..7de2ea138 100644 Binary files a/backend/core/locale/fr/LC_MESSAGES/django.mo and b/backend/core/locale/fr/LC_MESSAGES/django.mo differ diff --git a/backend/core/locale/fr/LC_MESSAGES/django.po b/backend/core/locale/fr/LC_MESSAGES/django.po index 707db4ebd..773fcfd3a 100644 --- a/backend/core/locale/fr/LC_MESSAGES/django.po +++ b/backend/core/locale/fr/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2024-06-24 08:37+0200\n" +"POT-Creation-Date: 2024-08-26 08:54+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -18,260 +18,312 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" -#: admin_config.py:6 +#: core/admin_config.py:6 msgid "Editor" msgstr "Éditeur" -#: admin_config.py:7 +#: core/admin_config.py:7 msgid "Menu" msgstr "Menu" -#: base_models.py:10 filters.py:324 +#: core/base_models.py:10 core/filters.py:324 msgid "Created at" msgstr "Créé le" -#: base_models.py:11 +#: core/base_models.py:11 msgid "Updated at" msgstr "Mis à jour le" -#: base_models.py:12 +#: core/base_models.py:12 msgid "published" msgstr "publié" -#: base_models.py:110 models.py:52 templates/core/action_plan_pdf.html:42 -#: templates/snippets/mp_data.html:58 templates/snippets/ri_list_nested.html:16 +#: core/base_models.py:110 core/models.py:76 +#: core/templates/core/action_plan_pdf.html:42 +#: core/templates/snippets/mp_data.html:58 +#: core/templates/snippets/ri_list_nested.html:16 msgid "Name" msgstr "Nom" -#: base_models.py:111 models.py:54 templates/core/action_plan_pdf.html:43 -#: templates/snippets/mp_data.html:59 templates/snippets/ra_data.html:43 +#: core/base_models.py:111 core/models.py:78 +#: core/templates/core/action_plan_pdf.html:43 +#: core/templates/snippets/mp_data.html:59 +#: core/templates/snippets/ra_data.html:43 msgid "Description" msgstr "Description" -#: filters.py:28 filters.py:30 +#: core/base_models.py:126 core/models.py:1242 +#: core/templates/core/action_plan_pdf.html:46 +#: core/templates/snippets/mp_data.html:62 +msgid "ETA" +msgstr "ETA" + +#: core/base_models.py:127 +msgid "Due date" +msgstr "Date d'échéance" + +#: core/filters.py:28 core/filters.py:30 msgid "Order by" msgstr "Trier par" -#: filters.py:121 +#: core/filters.py:121 msgid "Search applied control..." msgstr "Rechercher un mesure appliquée..." -#: filters.py:137 filters.py:166 filters.py:194 filters.py:219 filters.py:251 -#: filters.py:347 filters.py:370 filters.py:398 filters.py:425 filters.py:452 -#: filters.py:479 +#: core/filters.py:137 core/filters.py:166 core/filters.py:194 +#: core/filters.py:219 core/filters.py:251 core/filters.py:347 +#: core/filters.py:370 core/filters.py:398 core/filters.py:425 +#: core/filters.py:452 core/filters.py:479 msgid "name" msgstr "nom" -#: filters.py:138 filters.py:167 filters.py:195 filters.py:220 filters.py:252 -#: filters.py:348 filters.py:371 filters.py:399 filters.py:426 filters.py:453 -#: filters.py:480 +#: core/filters.py:138 core/filters.py:167 core/filters.py:195 +#: core/filters.py:220 core/filters.py:252 core/filters.py:348 +#: core/filters.py:371 core/filters.py:399 core/filters.py:426 +#: core/filters.py:453 core/filters.py:480 msgid "Name (descending)" msgstr "Nom (décroissant)" -#: filters.py:139 filters.py:196 templates/core/action_plan_pdf.html:14 -#: templates/snippets/mp_data.html:5 +#: core/filters.py:139 core/filters.py:196 +#: core/templates/core/action_plan_pdf.html:14 +#: core/templates/snippets/mp_data.html:5 msgid "Domain" msgstr "Domaine" -#: filters.py:140 filters.py:197 +#: core/filters.py:140 core/filters.py:197 msgid "Domain (descending)" msgstr "Domaine (décroissant)" -#: filters.py:141 +#: core/filters.py:141 msgid "reference control" msgstr "mesure de référence" -#: filters.py:142 +#: core/filters.py:142 msgid "Reference control (descending)" msgstr "Mesure de référence (décroissant)" -#: filters.py:156 +#: core/filters.py:156 msgid "Search domain..." msgstr "Rechercher un domaine..." -#: filters.py:168 filters.py:372 filters.py:400 filters.py:427 filters.py:454 -#: filters.py:481 +#: core/filters.py:168 core/filters.py:372 core/filters.py:400 +#: core/filters.py:427 core/filters.py:454 core/filters.py:481 msgid "description" msgstr "description" -#: filters.py:169 filters.py:373 filters.py:401 filters.py:428 filters.py:455 -#: filters.py:482 +#: core/filters.py:169 core/filters.py:373 core/filters.py:401 +#: core/filters.py:428 core/filters.py:455 core/filters.py:482 msgid "Description (descending)" msgstr "Description (décroissant)" -#: filters.py:183 +#: core/filters.py:183 msgid "Search project..." msgstr "Rechercher un projet..." -#: filters.py:212 +#: core/filters.py:212 msgid "Search threat..." msgstr "Rechercher une menace..." -#: filters.py:240 +#: core/filters.py:240 msgid "Search function..." msgstr "Rechercher une fonction..." -#: filters.py:253 +#: core/filters.py:253 msgid "provider" msgstr "fournisseur" -#: filters.py:254 +#: core/filters.py:254 msgid "Provider (descending)" msgstr "Fournisseur (décroissant)" -#: filters.py:276 +#: core/filters.py:276 msgid "Yes" msgstr "Oui" -#: filters.py:277 +#: core/filters.py:277 msgid "No" msgstr "Non" -#: filters.py:305 +#: core/filters.py:305 msgid "Search user..." msgstr "Rechercher un utilisateur..." -#: filters.py:318 +#: core/filters.py:318 msgid "Email" msgstr "E-mail" -#: filters.py:319 +#: core/filters.py:319 msgid "Email (descending)" msgstr "E-mail (décroissant)" -#: filters.py:320 +#: core/filters.py:320 msgid "First name" msgstr "Prénom" -#: filters.py:321 +#: core/filters.py:321 msgid "First name (descending)" msgstr "Prénom (décroissant)" -#: filters.py:322 +#: core/filters.py:322 msgid "Last name" msgstr "Nom de famille" -#: filters.py:323 +#: core/filters.py:323 msgid "Last name (descending)" msgstr "Nom de famille (décroissant)" -#: filters.py:325 +#: core/filters.py:325 msgid "Created at (descending)" msgstr "Créé le (décroissant)" -#: filters.py:339 +#: core/filters.py:339 msgid "Search user group..." msgstr "Rechercher un groupe d'utilisateurs..." -#: filters.py:358 +#: core/filters.py:358 msgid "Search compliance assessment..." msgstr "Rechercher une évaluation de conformité..." -#: filters.py:388 +#: core/filters.py:388 msgid "Search requirement assessment..." msgstr "Rechercher une évaluation d'exigence..." -#: filters.py:415 +#: core/filters.py:415 msgid "Search requirement..." msgstr "Rechercher une exigence..." -#: filters.py:442 +#: core/filters.py:442 msgid "Search evidence..." msgstr "Rechercher une preuve..." -#: filters.py:469 +#: core/filters.py:469 msgid "Search framework..." msgstr "Rechercher un référentiel..." -#: models.py:39 models.py:93 +#: core/models.py:67 core/models.py:148 msgid "URN" msgstr "URN" -#: models.py:42 +#: core/models.py:70 msgid "Reference ID" msgstr "ID de référence" -#: models.py:45 -msgid "Locale" -msgstr "Locale" - -#: models.py:47 -msgid "Default locale" -msgstr "Locale par défaut" - -#: models.py:49 models.py:686 +#: core/models.py:73 core/models.py:772 msgid "Provider" msgstr "Fournisseur" -#: models.py:55 +#: core/models.py:79 core/models.py:1029 msgid "Annotation" msgstr "Annotation" -#: models.py:95 +#: core/models.py:81 +msgid "Translations" +msgstr "" + +#: core/models.py:135 +msgid "Locale" +msgstr "Locale" + +#: core/models.py:137 +msgid "Default locale" +msgstr "Locale par défaut" + +#: core/models.py:150 msgid "Copyright" msgstr "Copyright" -#: models.py:97 models.py:1153 +#: core/models.py:152 core/models.py:1371 msgid "Version" msgstr "Version" -#: models.py:102 +#: core/models.py:157 msgid "Packager of the library" msgstr "Responsable de l'empaquetage de la bibliothèque" -#: models.py:103 +#: core/models.py:158 msgid "Packager" msgstr "Empaqueteur" -#: models.py:491 +#: core/models.py:555 msgid "Dependencies" msgstr "Dépendances" -#: models.py:585 templates/snippets/ri_list_nested.html:19 +#: core/models.py:654 core/templates/snippets/ri_list_nested.html:19 msgid "Threat" msgstr "Menace" -#: models.py:586 models.py:810 models.py:1541 +#: core/models.py:655 core/models.py:903 core/models.py:1747 msgid "Threats" msgstr "Menaces" -#: models.py:606 models.py:1124 +#: core/models.py:675 core/models.py:1342 msgid "Policy" msgstr "Politique" -#: models.py:607 +#: core/models.py:676 msgid "Process" msgstr "Processus" -#: models.py:608 +#: core/models.py:677 msgid "Technical" msgstr "Technique" -#: models.py:609 +#: core/models.py:678 msgid "Physical" msgstr "Physique" -#: models.py:625 models.py:1013 templates/core/action_plan_pdf.html:44 +#: core/models.py:682 +msgid "Govern" +msgstr "" + +#: core/models.py:683 +msgid "Identify" +msgstr "" + +#: core/models.py:684 +msgid "Protect" +msgstr "" + +#: core/models.py:685 +msgid "Detect" +msgstr "" + +#: core/models.py:686 +msgid "Respond" +msgstr "" + +#: core/models.py:687 +msgid "Recover" +msgstr "" + +#: core/models.py:703 core/models.py:1222 +#: core/templates/core/action_plan_pdf.html:44 msgid "Category" msgstr "Catégorie" -#: models.py:629 models.py:836 +#: core/models.py:711 core/models.py:1229 +#, fuzzy +#| msgid "Search function..." +msgid "CSF Function" +msgstr "Rechercher une fonction..." + +#: core/models.py:715 core/models.py:929 msgid "Typical evidence" msgstr "Preuve type" -#: models.py:635 templates/snippets/mp_data.html:61 +#: core/models.py:721 core/templates/snippets/mp_data.html:61 msgid "Reference control" msgstr "Mesure de référence" -#: models.py:636 models.py:816 +#: core/models.py:722 core/models.py:909 msgid "Reference controls" msgstr "Mesures de référence" -#: models.py:671 +#: core/models.py:757 msgid "JSON definition" msgstr "Définition JSON" -#: models.py:673 +#: core/models.py:759 msgid "" "JSON definition of the risk matrix. See the documentation for more " "information." @@ -279,11 +331,11 @@ msgstr "" "Définition JSON de la matrice de risque. Consultez la documentation pour " "plus d'informations." -#: models.py:679 +#: core/models.py:765 msgid "enabled" msgstr "activé" -#: models.py:682 +#: core/models.py:768 msgid "" "If the risk matrix is set as disabled, it will not be available for " "selection for new risk assessments." @@ -291,305 +343,378 @@ msgstr "" "Si la matrice de risque est désactivée, elle ne sera pas disponible pour la " "sélection lors de nouvelles évaluations de risque." -#: models.py:744 models.py:1718 +#: core/models.py:837 core/models.py:1961 msgid "Minimum score" msgstr "Score minimum" -#: models.py:745 models.py:1719 +#: core/models.py:838 core/models.py:1962 msgid "Maximum score" msgstr "Score maximum" -#: models.py:747 models.py:1721 +#: core/models.py:840 core/models.py:1964 msgid "Score definition" msgstr "Définition du score" -#: models.py:750 +#: core/models.py:843 msgid "Implementation groups definition" msgstr "Définition des groupes d'implémentation" -#: models.py:761 models.py:824 models.py:1705 -#: templates/core/action_plan_pdf.html:20 +#: core/models.py:854 core/models.py:917 core/models.py:1955 +#: core/templates/core/action_plan_pdf.html:20 msgid "Framework" msgstr "Référentiel" -#: models.py:762 +#: core/models.py:855 msgid "Frameworks" msgstr "Référentiels" -#: models.py:828 +#: core/models.py:921 msgid "Parent URN" msgstr "URN parent" -#: models.py:830 +#: core/models.py:923 msgid "Order ID" msgstr "ID de commande" -#: models.py:832 +#: core/models.py:925 msgid "Implementation groups" msgstr "Groupes d'implémentation" -#: models.py:834 +#: core/models.py:927 msgid "Assessable" msgstr "Évaluable" -#: models.py:840 +#: core/models.py:933 #, fuzzy #| msgid "Requirement" msgid "RequirementNode" msgstr "Exigence" -#: models.py:841 +#: core/models.py:934 #, fuzzy #| msgid "Requirement" msgid "RequirementNodes" msgstr "Exigence" -#: models.py:849 +#: core/models.py:949 +#, fuzzy +#| msgid "Search framework..." +msgid "Source framework" +msgstr "Rechercher un référentiel..." + +#: core/models.py:955 +#, fuzzy +#| msgid "Search framework..." +msgid "Target framework" +msgstr "Rechercher un référentiel..." + +#: core/models.py:961 +msgid "Source and related frameworks must be different" +msgstr "" + +#: core/models.py:967 +msgid "Full" +msgstr "" + +#: core/models.py:968 +msgid "Partial" +msgstr "" + +#: core/models.py:969 core/models.py:976 +#, fuzzy +#| msgid "Created" +msgid "Not related" +msgstr "Créé" + +#: core/models.py:972 +msgid "Subset" +msgstr "" + +#: core/models.py:973 +msgid "Intersect" +msgstr "" + +#: core/models.py:974 +msgid "Equal" +msgstr "" + +#: core/models.py:975 +msgid "Superset" +msgstr "" + +#: core/models.py:979 +msgid "Syntactic" +msgstr "" + +#: core/models.py:980 +msgid "Semantic" +msgstr "" + +#: core/models.py:981 +#, fuzzy +#| msgid "Production" +msgid "Functional" +msgstr "Production" + +#: core/models.py:996 +msgid "Mapping set" +msgstr "" + +#: core/models.py:1002 +msgid "Target requirement" +msgstr "Exigence cible" + +#: core/models.py:1009 +msgid "Relationship" +msgstr "" + +#: core/models.py:1016 +msgid "Rationale" +msgstr "Raison" + +#: core/models.py:1021 +msgid "Source requirement" +msgstr "Exigence source" + +#: core/models.py:1026 +msgid "Strength of relationship" +msgstr "" + +#: core/models.py:1045 msgid "Undefined" msgstr "Non défini" -#: models.py:850 +#: core/models.py:1046 msgid "Design" msgstr "Conception" -#: models.py:851 +#: core/models.py:1047 msgid "Development" msgstr "Développement" -#: models.py:852 +#: core/models.py:1048 msgid "Production" msgstr "Production" -#: models.py:853 +#: core/models.py:1049 msgid "EndOfLife" msgstr "Fin de vie" -#: models.py:854 +#: core/models.py:1050 msgid "Dropped" msgstr "Abandonné" -#: models.py:857 +#: core/models.py:1053 msgid "Internal reference" msgstr "Référence interne" -#: models.py:863 models.py:1020 models.py:1160 models.py:2011 -#: templates/snippets/mp_data.html:65 templates/snippets/ri_list_nested.html:31 +#: core/models.py:1059 core/models.py:1236 core/models.py:1378 +#: core/models.py:2361 core/templates/snippets/mp_data.html:65 +#: core/templates/snippets/ri_list_nested.html:31 msgid "Status" msgstr "Statut" -#: models.py:868 models.py:1146 models.py:1613 -#: templates/core/action_plan_pdf.html:16 templates/snippets/mp_data.html:7 +#: core/models.py:1064 core/models.py:1364 core/models.py:1825 +#: core/templates/core/action_plan_pdf.html:16 +#: core/templates/snippets/mp_data.html:7 msgid "Project" msgstr "Projet" -#: models.py:869 +#: core/models.py:1065 msgid "Projects" msgstr "Projets" -#: models.py:902 +#: core/models.py:1098 msgid "Primary" msgstr "Primaire" -#: models.py:903 +#: core/models.py:1099 msgid "Support" msgstr "Support" -#: models.py:906 +#: core/models.py:1102 msgid "business value" msgstr "valeur métier" -#: models.py:909 +#: core/models.py:1105 msgid "type" msgstr "type" -#: models.py:912 +#: core/models.py:1108 msgid "parent assets" msgstr "actifs parents" -#: models.py:918 models.py:1528 +#: core/models.py:1114 core/models.py:1734 msgid "Assets" msgstr "Actifs" -#: models.py:919 +#: core/models.py:1115 msgid "Asset" msgstr "Actif" -#: models.py:949 +#: core/models.py:1145 msgid "Attachment for evidence (eg. screenshot, log file, etc.)" msgstr "" "Pièce jointe pour la preuve (par ex. capture d'écran, fichier journal, etc.)" -#: models.py:950 +#: core/models.py:1146 msgid "Attachment" msgstr "Pièce jointe" -#: models.py:956 +#: core/models.py:1152 msgid "Link to the evidence (eg. Jira ticket, etc.)" msgstr "Lien vers la preuve (par ex. billet Jira, etc.)" -#: models.py:957 models.py:1039 templates/snippets/mp_data.html:64 +#: core/models.py:1153 core/models.py:1255 +#: core/templates/snippets/mp_data.html:64 msgid "Link" msgstr "Lien" -#: models.py:963 +#: core/models.py:1159 msgid "Evidence" msgstr "Preuve" -#: models.py:964 models.py:1005 models.py:2025 +#: core/models.py:1160 core/models.py:1214 core/models.py:2381 msgid "Evidences" msgstr "Preuves" -#: models.py:980 models.py:1139 +#: core/models.py:1188 core/models.py:1357 msgid "Planned" msgstr "Planifié" -#: models.py:981 +#: core/models.py:1189 msgid "Active" msgstr "Actif" -#: models.py:982 +#: core/models.py:1190 msgid "Inactive" msgstr "Inactif" -#: models.py:987 +#: core/models.py:1196 msgid "Small" msgstr "Petit" -#: models.py:988 models.py:1505 tests/test_helpers.py:77 -#: tests/test_helpers.py:142 +#: core/models.py:1197 core/models.py:1711 core/tests/test_helpers.py:77 +#: core/tests/test_helpers.py:142 msgid "Medium" msgstr "Moyen" -#: models.py:989 +#: core/models.py:1198 msgid "Large" msgstr "Grand" -#: models.py:990 +#: core/models.py:1199 msgid "Extra Large" msgstr "Extra large" -#: models.py:1000 +#: core/models.py:1209 msgid "Reference Control" msgstr "Mesure de référence" -#: models.py:1025 +#: core/models.py:1241 msgid "Estimated Time of Arrival" msgstr "Heure d'arrivée estimée" -#: models.py:1026 models.py:1180 templates/core/action_plan_pdf.html:45 -#: templates/snippets/mp_data.html:62 -msgid "ETA" -msgstr "ETA" - -#: models.py:1031 +#: core/models.py:1247 msgid "Date after which the applied control is no longer valid" msgstr "Date à partir de laquelle la mesure appliquée n'est plus valide" -#: models.py:1032 models.py:2097 templates/core/action_plan_pdf.html:46 +#: core/models.py:1248 core/models.py:2484 +#: core/templates/core/action_plan_pdf.html:47 msgid "Expiry date" msgstr "Date d'expiration" -#: models.py:1038 +#: core/models.py:1254 msgid "External url for action follow-up (eg. Jira ticket)" msgstr "URL externe pour le suivi de l'action (par ex. billet Jira)" -#: models.py:1046 +#: core/models.py:1262 msgid "Relative effort of the measure (using T-Shirt sizing)" msgstr "Effort relatif de la mesure (en utilisant la taille des T-shirts)" -#: models.py:1047 templates/core/action_plan_pdf.html:47 -#: templates/snippets/mp_data.html:63 +#: core/models.py:1263 core/templates/core/action_plan_pdf.html:48 +#: core/templates/snippets/mp_data.html:63 msgid "Effort" msgstr "Effort" -#: models.py:1053 +#: core/models.py:1269 msgid "Applied control" msgstr "Mesure appliqué" -#: models.py:1054 models.py:1535 models.py:2041 +#: core/models.py:1270 core/models.py:1741 core/models.py:2397 msgid "Applied controls" msgstr "Mesures appliquées" -#: models.py:1125 +#: core/models.py:1343 msgid "Policies" msgstr "Politiques" -#: models.py:1140 models.py:2001 +#: core/models.py:1358 core/models.py:2346 msgid "In progress" msgstr "En cours" -#: models.py:1141 +#: core/models.py:1359 core/models.py:2347 msgid "In review" msgstr "En examen" -#: models.py:1142 +#: core/models.py:1360 core/models.py:2348 msgid "Done" msgstr "Terminé" -#: models.py:1143 +#: core/models.py:1361 msgid "Deprecated" msgstr "Déprécié" -#: models.py:1152 +#: core/models.py:1370 msgid "Version of the compliance assessment (eg. 1.0, 2.0, etc.)" msgstr "Version de l'évaluation de conformité (par ex. 1.0, 2.0, etc.)" -#: models.py:1167 +#: core/models.py:1385 msgid "Authors" msgstr "Auteurs" -#: models.py:1173 templates/core/audit_report.html:32 +#: core/models.py:1391 core/templates/core/audit_report.html:35 msgid "Reviewers" msgstr "Relecteurs" -#: models.py:1179 -#, fuzzy -#| msgid "estimated time of arrival" -msgid "Estimated time of arrival" -msgstr "heure d'arrivée estimée" - -#: models.py:1185 models.py:1186 -msgid "Due date" -msgstr "Date d'échéance" - -#: models.py:1199 +#: core/models.py:1405 msgid "WARNING! After choosing it, you will not be able to change it" msgstr "" "ATTENTION ! Une fois que vous l'aurez choisi, vous ne pourrez plus le " "modifier." -#: models.py:1200 +#: core/models.py:1406 msgid "Risk matrix" msgstr "Matrice de risque" -#: models.py:1204 templates/snippets/mp_data.html:9 -#: templates/snippets/ra_data.html:8 +#: core/models.py:1410 core/templates/snippets/mp_data.html:9 +#: core/templates/snippets/ra_data.html:8 msgid "Risk assessment" msgstr "Évaluation de risque" -#: models.py:1205 +#: core/models.py:1411 msgid "Risk assessments" msgstr "Évaluations de risque" -#: models.py:1229 +#: core/models.py:1435 msgid "{}: Risk assessment is still in progress" msgstr "{} : L'évaluation des risques est toujours en cours" -#: models.py:1240 +#: core/models.py:1446 msgid "{}: No author assigned to this risk assessment" msgstr "{} : Aucun auteur n'a été affecté à cette évaluation des risques" -#: models.py:1252 +#: core/models.py:1458 msgid "{}: RiskAssessment is empty. No risk scenario declared yet" msgstr "" "{} : L'évaluation des risques est vide. Aucun scénario de risque n'a encore " "été déclaré." -#: models.py:1273 +#: core/models.py:1479 msgid "{} current risk level has not been assessed" msgstr "{} : Le niveau de risque actuel n'a pas été évalué" -#: models.py:1286 +#: core/models.py:1492 msgid "" "{} residual risk level has not been assessed. If no additional measures are " "applied, it should be at the same level as the current risk" @@ -598,43 +723,43 @@ msgstr "" "mesures supplémentaires appliquées, il devrait être au même niveau que le " "risque actuel." -#: models.py:1297 +#: core/models.py:1503 msgid "{} residual risk level is higher than the current one" msgstr "{} : Le niveau de risque résiduel est supérieur à l'actuel" -#: models.py:1309 +#: core/models.py:1515 msgid "{} residual risk probability is higher than the current one" msgstr "{} : La probabilité de risque résiduel est supérieure à l'actuelle" -#: models.py:1321 +#: core/models.py:1527 msgid "{} residual risk impact is higher than the current one" msgstr "{} : L'impact du risque résiduel est supérieur à l'actuel" -#: models.py:1342 +#: core/models.py:1548 msgid "{}: residual risk level has been lowered without any specific measure" msgstr "" "{} : Le niveau de risque résiduel a été réduit sans aucune mesure spécifique" -#: models.py:1356 +#: core/models.py:1562 msgid "{} risk accepted but no risk acceptance attached" msgstr "{} : Risque accepté mais aucune acceptation de risque jointe" -#: models.py:1379 +#: core/models.py:1585 msgid "{} does not have an ETA" msgstr "{} : Pas d'ETA" -#: models.py:1391 +#: core/models.py:1597 msgid "{} ETA is in the past now. Consider updating its status or the date" msgstr "" "{} : L'ETA est dans le passé maintenant. Envisagez de mettre à jour son " "statut ou la date." -#: models.py:1404 +#: core/models.py:1610 msgid "" "{} does not have an estimated effort. This will help you for prioritization" msgstr "{} : Pas d'effort estimé. Cela vous aidera pour la prioritisation" -#: models.py:1417 +#: core/models.py:1623 msgid "" "{}: Applied control does not have an external link attached. This will help " "you for follow-up" @@ -642,72 +767,74 @@ msgstr "" "{} : La mesure appliquée ne comporte pas de lien externe joint. Cela vous " "aidera pour le suivi" -#: models.py:1440 +#: core/models.py:1646 msgid "{}: Acceptance has no expiry date" msgstr "{} : L'acceptation n'a pas de date d'expiration" -#: models.py:1454 +#: core/models.py:1660 msgid "{}: Acceptance has expired. Consider updating the status or the date" msgstr "" "{} : L'acceptation a expiré. Envisagez de mettre à jour le statut ou la date." -#: models.py:1483 +#: core/models.py:1689 msgid "Open" msgstr "Ouvert" -#: models.py:1484 +#: core/models.py:1690 msgid "Mitigate" msgstr "Atténuer" -#: models.py:1485 +#: core/models.py:1691 msgid "Accept" msgstr "Accepter" -#: models.py:1486 +#: core/models.py:1692 msgid "Avoid" msgstr "Éviter" -#: models.py:1487 +#: core/models.py:1693 msgid "Transfer" msgstr "Transférer" -#: models.py:1492 +#: core/models.py:1698 msgid "--" msgstr "--" -#: models.py:1494 +#: core/models.py:1700 msgid "The strength of the knowledge supporting the assessment is undefined" msgstr "La force de la connaissance soutenant l'évaluation est indéfinie" -#: models.py:1498 tests/test_helpers.py:76 tests/test_helpers.py:141 +#: core/models.py:1704 core/tests/test_helpers.py:76 +#: core/tests/test_helpers.py:141 msgid "Low" msgstr "Faible" -#: models.py:1500 +#: core/models.py:1706 msgid "The strength of the knowledge supporting the assessment is low" msgstr "La force de la connaissance soutenant l'évaluation est faible" -#: models.py:1507 +#: core/models.py:1713 msgid "The strength of the knowledge supporting the assessment is medium" msgstr "La force de la connaissance soutenant l'évaluation est moyenne" -#: models.py:1512 tests/test_helpers.py:78 tests/test_helpers.py:143 +#: core/models.py:1718 core/tests/test_helpers.py:78 +#: core/tests/test_helpers.py:143 msgid "High" msgstr "Élevé" -#: models.py:1514 +#: core/models.py:1720 msgid "The strength of the knowledge supporting the assessment is high" msgstr "La force de la connaissance soutenant l'évaluation est élevée" -#: models.py:1523 +#: core/models.py:1729 msgid "RiskAssessment" msgstr "ÉvaluationDesRisques" -#: models.py:1530 +#: core/models.py:1736 msgid "Assets impacted by the risk scenario" msgstr "Actifs impactés par le scénario de risque" -#: models.py:1548 +#: core/models.py:1754 msgid "" "The existing controls to manage this risk. Edit the risk scenario to add " "extra applied controls." @@ -715,24 +842,28 @@ msgstr "" "Les mesures existantes pour gérer ce risque. Modifiez le scénario de risque " "pour ajouter des mesures appliquées supplémentaires." -#: models.py:1550 templates/snippets/mp_data.html:48 -#: templates/snippets/ri_list_nested.html:22 +#: core/models.py:1756 core/templates/snippets/mp_data.html:48 +#: core/templates/snippets/ri_list_nested.html:22 msgid "Existing controls" msgstr "Mesures existantes" -#: models.py:1556 +#: core/models.py:1763 +msgid "Owner" +msgstr "Propriétaire" + +#: core/models.py:1768 msgid "Current probability" msgstr "Probabilité actuelle" -#: models.py:1559 +#: core/models.py:1771 msgid "Current impact" msgstr "Impact actuel" -#: models.py:1563 +#: core/models.py:1775 msgid "Current level" msgstr "Niveau actuel" -#: models.py:1565 +#: core/models.py:1777 msgid "" "The risk level given the current measures. Automatically updated on Save, " "based on the chosen risk matrix" @@ -741,19 +872,19 @@ msgstr "" "automatiquement lors de l'enregistrement, sur la base de la matrice de " "risque choisie." -#: models.py:1571 +#: core/models.py:1783 msgid "Residual probability" msgstr "Probabilité résiduelle" -#: models.py:1574 +#: core/models.py:1786 msgid "Residual impact" msgstr "Impact résiduel" -#: models.py:1578 +#: core/models.py:1790 msgid "Residual level" msgstr "Niveau résiduel" -#: models.py:1580 +#: core/models.py:1792 msgid "" "The risk level when all the extra measures are done. Automatically updated " "on Save, based on the chosen risk matrix" @@ -762,75 +893,55 @@ msgstr "" "œuvre. Mis à jour automatiquement lors de l'enregistrement, sur la base de " "la matrice de risque choisie." -#: models.py:1588 +#: core/models.py:1800 msgid "Treatment status" msgstr "Statut de traitement" -#: models.py:1593 +#: core/models.py:1805 msgid "Strength of Knowledge" msgstr "Force de la connaissance" -#: models.py:1594 +#: core/models.py:1806 msgid "The strength of the knowledge supporting the assessment" msgstr "La force de la connaissance soutenant l'évaluation" -#: models.py:1597 models.py:2109 +#: core/models.py:1809 core/models.py:2496 msgid "Justification" msgstr "Justification" -#: models.py:1603 +#: core/models.py:1815 msgid "Risk scenario" msgstr "Scénario de risque" -#: models.py:1604 models.py:2074 +#: core/models.py:1816 core/models.py:2461 msgid "Risk scenarios" msgstr "Scénarios de risque" -#: models.py:1670 +#: core/models.py:1926 msgid ": " msgstr ": " -#: models.py:1699 models.py:2004 -msgid "Compliant" -msgstr "Conforme" - -#: models.py:1700 -msgid "Non compliant (minor)" -msgstr "Non conforme (mineur)" - -#: models.py:1701 -msgid "Non compliant (major)" -msgstr "Non conforme (majeur)" - -#: models.py:1702 models.py:2005 -msgid "Not applicable" -msgstr "Non applicable" - -#: models.py:1712 -msgid "Result" -msgstr "Résultat" - -#: models.py:1715 templates/core/audit_report.html:40 +#: core/models.py:1958 core/templates/core/audit_report.html:43 msgid "Selected implementation groups" msgstr "Groupes d'implémentation sélectionnés" -#: models.py:1725 models.py:2032 +#: core/models.py:1968 core/models.py:2388 msgid "Compliance assessment" msgstr "Évaluation de conformité" -#: models.py:1726 +#: core/models.py:1969 msgid "Compliance assessments" msgstr "Évaluations de conformité" -#: models.py:1888 +#: core/models.py:2174 msgid "{}: Compliance assessment is still in progress" msgstr "{} : L'évaluation de la conformité est toujours en cours" -#: models.py:1901 +#: core/models.py:2187 msgid "{}: No author assigned to this compliance assessment" msgstr "{} : Aucun auteur n'a été affecté à cette évaluation de conformité" -#: models.py:1928 +#: core/models.py:2214 msgid "" "{}: Requirement assessment status is compliant or partially compliant with " "no applied control applied" @@ -838,76 +949,98 @@ msgstr "" "{} : Le statut de l'évaluation de l'exigence est conforme ou partiellement " "conforme, sans aucun mesure appliquée" -#: models.py:1953 +#: core/models.py:2239 msgid "{}: Applied control has no reference control selected" msgstr "" "{} : La mesure appliquée ne comporte pas de mesure de référence sélectionné" -#: models.py:1979 +#: core/models.py:2265 msgid "{}: Evidence has no file uploaded" msgstr "{} : La preuve ne comporte pas de fichier téléchargé" -#: models.py:2000 +#: core/models.py:2345 msgid "To do" msgstr "À faire" -#: models.py:2002 -msgid "Non compliant" -msgstr "Non conforme" +#: core/models.py:2351 +msgid "Not assessed" +msgstr "Non évalué" -#: models.py:2003 +#: core/models.py:2352 msgid "Partially compliant" msgstr "Partiellement conforme" -#: models.py:2016 +#: core/models.py:2353 +#, fuzzy +#| msgid "Non compliant" +msgid "Non-compliant" +msgstr "Non conforme" + +#: core/models.py:2354 +msgid "Compliant" +msgstr "Conforme" + +#: core/models.py:2355 +msgid "Not applicable" +msgstr "Non applicable" + +#: core/models.py:2366 +msgid "Result" +msgstr "Résultat" + +#: core/models.py:2372 msgid "Score" msgstr "Score" -#: models.py:2020 +#: core/models.py:2376 msgid "Is scored" msgstr "Est noté" -#: models.py:2028 +#: core/models.py:2384 msgid "Observation" msgstr "Observation" -#: models.py:2036 +#: core/models.py:2392 msgid "Requirement" msgstr "Exigence" -#: models.py:2046 +#: core/models.py:2402 msgid "Selected" msgstr "Sélectionné" -#: models.py:2056 +#: core/models.py:2406 +msgid "Mapping inference" +msgstr "Inference de mapping" + +#: core/models.py:2443 msgid "Requirement assessment" msgstr "Évaluation de l'exigence" -#: models.py:2057 +#: core/models.py:2444 msgid "Requirement assessments" msgstr "Évaluations de l'exigence" -#: models.py:2065 +#: core/models.py:2452 msgid "Created" msgstr "Créé" -#: models.py:2066 +#: core/models.py:2453 msgid "Submitted" msgstr "Soumis" -#: models.py:2067 +#: core/models.py:2454 msgid "Accepted" msgstr "Accepté" -#: models.py:2068 +#: core/models.py:2455 msgid "Rejected" msgstr "Rejeté" -#: models.py:2069 +#: core/models.py:2456 msgid "Revoked" msgstr "Révoqué" -#: models.py:2076 +#: core/models.py:2463 msgid "" "Select the risk scenarios to be accepted, attention they must be part of the " "chosen domain" @@ -915,88 +1048,96 @@ msgstr "" "Sélectionnez les scénarios de risque à accepter, faites attention, ils " "doivent faire partie du domaine choisi" -#: models.py:2082 +#: core/models.py:2469 msgid "Risk owner and approver identity" msgstr "Identité du propriétaire du risque et de l'approbateur" -#: models.py:2083 utils.py:48 utils.py:55 utils.py:58 +#: core/models.py:2470 core/utils.py:50 core/utils.py:57 core/utils.py:60 msgid "Approver" msgstr "Approbateur" -#: models.py:2092 +#: core/models.py:2479 msgid "State" msgstr "État" -#: models.py:2095 +#: core/models.py:2482 msgid "Specify when the risk acceptance will no longer apply" msgstr "Précisez quand l'acceptation du risque ne sera plus valable" -#: models.py:2100 +#: core/models.py:2487 msgid "Acceptance date" msgstr "Date d'acceptation" -#: models.py:2103 +#: core/models.py:2490 msgid "Rejection date" msgstr "Date de rejet" -#: models.py:2106 +#: core/models.py:2493 msgid "Revocation date" msgstr "Date de révocation" -#: models.py:2118 +#: core/models.py:2505 msgid "Risk acceptance" msgstr "Acceptation du risque" -#: models.py:2119 +#: core/models.py:2506 msgid "Risk acceptances" msgstr "Acceptations du risque" -#: templates/core/action_plan_pdf.html:12 +#: core/templates/core/action_plan_pdf.html:12 msgid "Action plan" msgstr "Plan d'action" -#: templates/core/action_plan_pdf.html:18 +#: core/templates/core/action_plan_pdf.html:18 msgid "Audit" msgstr "Audit" -#: templates/core/action_plan_pdf.html:22 +#: core/templates/core/action_plan_pdf.html:22 msgid "Associated applied controls" msgstr "Mesures appliquées associées" -#: templates/core/action_plan_pdf.html:23 +#: core/templates/core/action_plan_pdf.html:23 msgid "Separated by status and sorted by eta" msgstr "Séparés par statut et triés par ETA" -#: templates/core/action_plan_pdf.html:28 +#: core/templates/core/action_plan_pdf.html:28 msgid "No status" msgstr "Pas de statut" -#: templates/core/action_plan_pdf.html:48 +#: core/templates/core/action_plan_pdf.html:45 +msgid "CSF function" +msgstr "fonction CSF" + +#: core/templates/core/action_plan_pdf.html:49 msgid "Matching requirements" msgstr "Exigences correspondantes" -#: templates/core/action_plan_pdf.html:65 +#: core/templates/core/action_plan_pdf.html:67 msgid "No entries found" msgstr "Aucun résultat trouvé" -#: templates/core/audit_report.html:9 +#: core/templates/core/audit_report.html:9 msgid "Audit report" msgstr "Rapport d'audit" -#: templates/core/audit_report.html:24 +#: core/templates/core/audit_report.html:21 +msgid "Score:" +msgstr "Score:" + +#: core/templates/core/audit_report.html:27 msgid "Authors " msgstr "Auteurs" -#: templates/registration/first_connexion_email.html:14 +#: core/templates/registration/first_connexion_email.html:14 msgid "Welcome to CISO Assistant!" msgstr "Bienvenue sur CISO Assistant !" -#: templates/registration/first_connexion_email.html:15 -#: templates/registration/password_reset_email.html:23 +#: core/templates/registration/first_connexion_email.html:15 +#: core/templates/registration/password_reset_email.html:23 msgid "Your all-in-one GRC Management Platform" msgstr "Votre plateforme de gestion GRC tout-en-un" -#: templates/registration/first_connexion_email.html:33 +#: core/templates/registration/first_connexion_email.html:33 msgid "" "You have been granted access to CISO Assistant. To get started, use the link " "below to define your password:" @@ -1004,17 +1145,17 @@ msgstr "" "Vous avez été autorisé à accéder à CISO Assistant. Pour commencer, utilisez " "le lien ci-dessous pour définir votre mot de passe :" -#: templates/registration/first_connexion_email.html:38 +#: core/templates/registration/first_connexion_email.html:38 msgid "Set my password" msgstr "Définir mon mot de passe" -#: templates/registration/first_connexion_email.html:41 -#: templates/registration/password_reset_email.html:43 +#: core/templates/registration/first_connexion_email.html:41 +#: core/templates/registration/password_reset_email.html:43 msgid "An issue with the link? copy and paste the following in your browser" msgstr "" "Un problème avec le lien ? Copiez et collez le suivant dans votre navigateur" -#: templates/registration/first_connexion_email.html:49 +#: core/templates/registration/first_connexion_email.html:49 msgid "" "This link can only be used once. In case of an issue, you can access your " "instance" @@ -1022,18 +1163,18 @@ msgstr "" "Ce lien ne peut être utilisé qu'une seule fois. En cas de problème, vous " "pouvez accéder à votre instance" -#: templates/registration/first_connexion_email.html:49 -#: templates/registration/first_connexion_email.html:58 -#: templates/registration/password_reset_email.html:51 +#: core/templates/registration/first_connexion_email.html:49 +#: core/templates/registration/first_connexion_email.html:58 +#: core/templates/registration/password_reset_email.html:51 msgid "here" msgstr "ici" -#: templates/registration/first_connexion_email.html:49 +#: core/templates/registration/first_connexion_email.html:49 msgid "and request a password reset" msgstr "et demander une réinitialisation du mot de passe" -#: templates/registration/first_connexion_email.html:54 -#: templates/registration/password_reset_email.html:55 +#: core/templates/registration/first_connexion_email.html:54 +#: core/templates/registration/password_reset_email.html:55 msgid "" "If you, or your organization, did not make this request, you can simply " "ignore this email" @@ -1041,25 +1182,25 @@ msgstr "" "Si vous ou votre organisation n'avez pas fait cette demande, vous pouvez " "simplement ignorer cet e-mail." -#: templates/registration/first_connexion_email.html:58 +#: core/templates/registration/first_connexion_email.html:58 msgid "Learn more about CISO Assistant" msgstr "En savoir plus sur CISO Assistant" -#: templates/registration/first_connexion_email.html:63 -#: templates/registration/password_reset_email.html:58 +#: core/templates/registration/first_connexion_email.html:63 +#: core/templates/registration/password_reset_email.html:58 msgid "Sincerely" msgstr "Cordialement," -#: templates/registration/first_connexion_email.html:64 -#: templates/registration/password_reset_email.html:59 +#: core/templates/registration/first_connexion_email.html:64 +#: core/templates/registration/password_reset_email.html:59 msgid "CISO Assistant Team" msgstr "Équipe CISO Assistant" -#: templates/registration/password_reset_email.html:32 +#: core/templates/registration/password_reset_email.html:32 msgid "Hello" msgstr "Bonjour," -#: templates/registration/password_reset_email.html:36 +#: core/templates/registration/password_reset_email.html:36 msgid "" "We have received a password reset request for this email. Click below to " "proceed:" @@ -1067,165 +1208,182 @@ msgstr "" "Nous avons reçu une demande de réinitialisation de mot de passe pour cet e-" "mail. Cliquez ci-dessous pour continuer :" -#: templates/registration/password_reset_email.html:40 +#: core/templates/registration/password_reset_email.html:40 msgid "Reset my password" msgstr "Réinitialiser mon mot de passe" -#: templates/registration/password_reset_email.html:50 +#: core/templates/registration/password_reset_email.html:50 msgid "" "This link can only be used once. In case of an issue, go to your instance" msgstr "" "Ce lien ne peut être utilisé qu'une seule fois. En cas de problème, rendez-" "vous sur votre instance" -#: templates/registration/password_reset_email.html:51 +#: core/templates/registration/password_reset_email.html:51 msgid "and request a new password reset" msgstr "et demander une nouvelle réinitialisation de mot de passe" -#: templates/snippets/mp_data.html:11 +#: core/templates/snippets/mp_data.html:11 msgid "Associated risk scenarios" msgstr "Scénarios de risque associés" -#: templates/snippets/mp_data.html:20 +#: core/templates/snippets/mp_data.html:20 msgid "" "Risk risk_assessment seems to be empty. Measure Plan cannot be generated." msgstr "" "Le risque risk_assessment semble être vide. Le plan de mesure ne peut pas " "être généré." -#: templates/snippets/mp_data.html:43 +#: core/templates/snippets/mp_data.html:43 msgid "No associated measure" msgstr "Aucune mesure associée" -#: templates/snippets/mp_data.html:54 +#: core/templates/snippets/mp_data.html:54 msgid "Additional measures" msgstr "Mesures supplémentaires" -#: templates/snippets/mp_data.html:60 +#: core/templates/snippets/mp_data.html:60 msgid "Type" msgstr "Type" -#: templates/snippets/ra_data.html:13 +#: core/templates/snippets/ra_data.html:13 msgid "Risk matrix:" msgstr "Matrice de risque :" -#: templates/snippets/ra_data.html:18 +#: core/templates/snippets/ra_data.html:18 msgid "Authors:" msgstr "Auteurs :" -#: templates/snippets/ra_data.html:25 +#: core/templates/snippets/ra_data.html:25 msgid "Reviewers:" msgstr "Relecteurs :" -#: templates/snippets/ra_data.html:32 +#: core/templates/snippets/ra_data.html:32 msgid "Status:" msgstr "Statut :" -#: templates/snippets/ra_data.html:35 +#: core/templates/snippets/ra_data.html:35 msgid "ETA:" msgstr "ETA :" -#: templates/snippets/ra_data.html:36 +#: core/templates/snippets/ra_data.html:36 msgid "Due date:" msgstr "Date d'échéance :" -#: templates/snippets/ra_data.html:37 +#: core/templates/snippets/ra_data.html:37 msgid "Created at:" msgstr "Créé le :" -#: templates/snippets/ra_data.html:38 +#: core/templates/snippets/ra_data.html:38 msgid "Updated at:" msgstr "Mis à jour le :" -#: templates/snippets/ra_data.html:51 +#: core/templates/snippets/ra_data.html:51 msgid "Associated Risk scenarios" msgstr "Scénarios de risque associés" -#: templates/snippets/ra_data.html:56 +#: core/templates/snippets/ra_data.html:56 msgid "Risk matrix view" msgstr "Vue de la matrice de risque" -#: templates/snippets/ra_data.html:59 +#: core/templates/snippets/ra_data.html:59 msgid "Current" msgstr "Actuel" -#: templates/snippets/ra_data.html:67 +#: core/templates/snippets/ra_data.html:67 msgid "Residual" msgstr "Résiduel" -#: templates/snippets/req_node.html:27 +#: core/templates/snippets/req_node.html:27 +#, fuzzy +#| msgid "Observation" +msgid "Observation:" +msgstr "Observation" + +#: core/templates/snippets/req_node.html:36 msgid "Associated evidence:" msgstr "Preuves associées :" -#: templates/snippets/req_node.html:41 +#: core/templates/snippets/req_node.html:50 msgid "Applied controls:" msgstr "Mesures appliquées :" -#: templates/snippets/req_node.html:42 +#: core/templates/snippets/req_node.html:51 msgid "Evidence of applied controls:" msgstr "Preuves des mesures appliquées :" -#: templates/snippets/ri_list_nested.html:13 +#: core/templates/snippets/ri_list_nested.html:13 msgid "ID" msgstr "ID" -#: templates/snippets/ri_list_nested.html:25 +#: core/templates/snippets/ri_list_nested.html:25 msgid "Current risk level" msgstr "Niveau de risque actuel" -#: templates/snippets/ri_list_nested.html:28 +#: core/templates/snippets/ri_list_nested.html:28 msgid "Residual risk level" msgstr "Niveau de risque résiduel" -#: templates/snippets/ri_list_nested.html:34 +#: core/templates/snippets/ri_list_nested.html:34 msgid "Suggested measures" msgstr "Mesures suggérées" -#: templates/snippets/ri_list_nested.html:115 +#: core/templates/snippets/ri_list_nested.html:107 msgid "No scenario found." msgstr "Aucun scénario trouvé." -#: templates/snippets/risk_legend.html:4 +#: core/templates/snippets/risk_legend.html:4 msgid "Risk levels" msgstr "Niveaux de risque" -#: templates/snippets/risk_matrix.html:40 -#: templates/snippets/risk_matrix.html:86 +#: core/templates/snippets/risk_matrix.html:40 +#: core/templates/snippets/risk_matrix.html:86 msgid "Impact" msgstr "Impact" -#: templates/snippets/risk_matrix.html:46 +#: core/templates/snippets/risk_matrix.html:46 msgid "Probability" msgstr "Probabilité" -#: tests/test_helpers.py:75 tests/test_helpers.py:140 +#: core/tests/test_helpers.py:75 core/tests/test_helpers.py:140 msgid "Very Low" msgstr "Très faible" -#: tests/test_helpers.py:79 tests/test_helpers.py:144 +#: core/tests/test_helpers.py:79 core/tests/test_helpers.py:144 msgid "Very High" msgstr "Très élevé" -#: utils.py:45 utils.py:53 +#: core/utils.py:47 core/utils.py:55 msgid "Administrator" msgstr "Administrateur" -#: utils.py:46 utils.py:56 +#: core/utils.py:48 core/utils.py:58 msgid "Domain manager" msgstr "Gestionnaire de domaine" -#: utils.py:47 utils.py:57 +#: core/utils.py:49 core/utils.py:59 msgid "Analyst" msgstr "Analyste" -#: utils.py:49 utils.py:54 utils.py:59 +#: core/utils.py:51 core/utils.py:56 core/utils.py:61 msgid "Reader" msgstr "Lecteur" -#: utils.py:68 +#: core/utils.py:70 msgid "French" msgstr "Français" -#: utils.py:69 +#: core/utils.py:71 msgid "English" msgstr "Anglais" + +#, fuzzy +#~| msgid "estimated time of arrival" +#~ msgid "Estimated time of arrival" +#~ msgstr "Heure d'arrivée estimée" + +#~ msgid "Non compliant (minor)" +#~ msgstr "Non conforme (mineur)" + +#~ msgid "Non compliant (major)" +#~ msgstr "Non conforme (majeur)" diff --git a/backend/core/migrations/0022_riskscenario_qualifications.py b/backend/core/migrations/0022_riskscenario_qualifications.py new file mode 100644 index 000000000..668669cc5 --- /dev/null +++ b/backend/core/migrations/0022_riskscenario_qualifications.py @@ -0,0 +1,17 @@ +# Generated by Django 5.0.7 on 2024-08-26 10:43 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0021_alter_framework_urn_alter_loadedlibrary_urn_and_more"), + ] + + operations = [ + migrations.AddField( + model_name="riskscenario", + name="qualifications", + field=models.JSONField(default=list, verbose_name="Qualifications"), + ), + ] diff --git a/backend/core/migrations/0023_alter_appliedcontrol_status.py b/backend/core/migrations/0023_alter_appliedcontrol_status.py new file mode 100644 index 000000000..929ff5d37 --- /dev/null +++ b/backend/core/migrations/0023_alter_appliedcontrol_status.py @@ -0,0 +1,45 @@ +# Generated by Django 5.1 on 2024-08-29 13:41 + +from django.db import migrations, models + + +def update_status(apps, schema_editor): + AppliedControl = apps.get_model("core", "AppliedControl") + for control in AppliedControl.objects.all(): + if control.status == "planned": + control.status = "to_do" + control.save() + elif control.status == "inactive": + control.status = "deprecated" + control.save() + elif control.status is None: + control.status = "--" + control.save() + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0022_riskscenario_qualifications"), + ] + + operations = [ + migrations.AlterField( + model_name="appliedcontrol", + name="status", + field=models.CharField( + blank=True, + choices=[ + ("to_do", "To do"), + ("in_progress", "In progress"), + ("on_hold", "On hold"), + ("active", "Active"), + ("deprecated", "Deprecated"), + ("--", "Undefined"), + ], + default="--", + max_length=20, + verbose_name="Status", + ), + ), + migrations.RunPython(update_status), + ] diff --git a/backend/core/migrations/0024_appliedcontrol_owner.py b/backend/core/migrations/0024_appliedcontrol_owner.py new file mode 100644 index 000000000..a9540cb7f --- /dev/null +++ b/backend/core/migrations/0024_appliedcontrol_owner.py @@ -0,0 +1,24 @@ +# Generated by Django 5.1 on 2024-08-30 11:05 + +from django.conf import settings +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0023_alter_appliedcontrol_status"), + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ] + + operations = [ + migrations.AddField( + model_name="appliedcontrol", + name="owner", + field=models.ManyToManyField( + blank=True, + related_name="applied_controls", + to=settings.AUTH_USER_MODEL, + verbose_name="Owner", + ), + ), + ] diff --git a/backend/core/migrations/0025_complianceassessment_folder_riskassessment_folder_and_more.py b/backend/core/migrations/0025_complianceassessment_folder_riskassessment_folder_and_more.py new file mode 100644 index 000000000..7a49eeda9 --- /dev/null +++ b/backend/core/migrations/0025_complianceassessment_folder_riskassessment_folder_and_more.py @@ -0,0 +1,187 @@ +# Generated by Django 5.1.1 on 2024-09-12 15:00 + +import django.db.models.deletion +import iam.models +from django.db import migrations, models + + +def set_assessment_folder(apps, schema_editor): + RiskAssessment = apps.get_model("core", "RiskAssessment") + ComplianceAssessment = apps.get_model("core", "ComplianceAssessment") + for risk_assessment in RiskAssessment.objects.all(): + risk_assessment.folder = risk_assessment.project.folder + risk_assessment.save() + for compliance_assessment in ComplianceAssessment.objects.all(): + compliance_assessment.folder = compliance_assessment.project.folder + compliance_assessment.save() + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0024_appliedcontrol_owner"), + ("iam", "0006_alter_role_folder_alter_roleassignment_folder_and_more"), + ] + + operations = [ + migrations.AddField( + model_name="complianceassessment", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AddField( + model_name="riskassessment", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="appliedcontrol", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="asset", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="evidence", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="framework", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="loadedlibrary", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="project", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="referencecontrol", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="requirementassessment", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="requirementmappingset", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="requirementnode", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="riskacceptance", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="riskmatrix", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="storedlibrary", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="threat", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.RunPython(set_assessment_folder), + ] diff --git a/backend/core/migrations/0026_appliedcontrol_cost.py b/backend/core/migrations/0026_appliedcontrol_cost.py new file mode 100644 index 000000000..84b21c7c4 --- /dev/null +++ b/backend/core/migrations/0026_appliedcontrol_cost.py @@ -0,0 +1,21 @@ +# Generated by Django 5.1 on 2024-09-13 10:41 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("core", "0025_complianceassessment_folder_riskassessment_folder_and_more"), + ] + + operations = [ + migrations.AddField( + model_name="appliedcontrol", + name="cost", + field=models.FloatField( + help_text="Cost of the measure (using globally-chosen currency)", + null=True, + verbose_name="Cost", + ), + ), + ] diff --git a/backend/core/models.py b/backend/core/models.py index bcd7decf6..9907d1673 100644 --- a/backend/core/models.py +++ b/backend/core/models.py @@ -9,6 +9,19 @@ from django.apps import apps from django.contrib.auth import get_user_model from django.core import serializers +from django.utils.translation import get_language +from library.helpers import ( + update_translations_in_object, + update_translations_as_string, + update_translations, + get_referential_translation, +) + +import os +import json +import yaml +import re + from django.core.exceptions import ValidationError from django.core.validators import MaxValueValidator from django.db import models, transaction @@ -18,7 +31,7 @@ from django.utils.html import format_html from django.utils.translation import get_language from django.utils.translation import gettext_lazy as _ -from iam.models import FolderMixin, PublishInRootFolderMixin +from iam.models import Folder, FolderMixin, PublishInRootFolderMixin from library.helpers import update_translations, update_translations_in_object from structlog import get_logger @@ -774,6 +787,9 @@ def projects(self) -> list: def parse_json(self) -> dict: return json.loads(self.json_definition) + def parse_json_translated(self) -> dict: + return update_translations_in_object(json.loads(self.json_definition)) + @property def grid(self) -> list: risk_matrix = self.parse_json() @@ -811,7 +827,7 @@ def render_grid_as_colors(self): @property def get_json_translated(self): - return update_translations(self.json_definition, "fr") + return update_translations_as_string(self.json_definition, "fr") def __str__(self) -> str: return self.get_name_translated @@ -1172,9 +1188,12 @@ def get_size(self): class AppliedControl(NameDescriptionMixin, FolderMixin, PublishInRootFolderMixin): class Status(models.TextChoices): - PLANNED = "planned", _("Planned") + TO_DO = "to_do", _("To do") + IN_PROGRESS = "in_progress", _("In progress") + ON_HOLD = "on_hold", _("On hold") ACTIVE = "active", _("Active") - INACTIVE = "inactive", _("Inactive") + DEPRECATED = "deprecated", _("Deprecated") + UNDEFINED = "--", _("Undefined") CATEGORY = ReferenceControl.CATEGORY CSF_FUNCTION = ReferenceControl.CSF_FUNCTION @@ -1218,10 +1237,16 @@ class Status(models.TextChoices): status = models.CharField( max_length=20, choices=Status.choices, - null=True, + default=Status.UNDEFINED, blank=True, verbose_name=_("Status"), ) + owner = models.ManyToManyField( + User, + blank=True, + verbose_name=_("Owner"), + related_name="applied_controls", + ) eta = models.DateField( blank=True, null=True, @@ -1249,6 +1274,11 @@ class Status(models.TextChoices): help_text=_("Relative effort of the measure (using T-Shirt sizing)"), verbose_name=_("Effort"), ) + cost = models.FloatField( + null=True, + help_text=_("Cost of the measure (using globally-chosen currency)"), + verbose_name=_("Cost"), + ) fields_to_check = ["name"] @@ -1339,7 +1369,7 @@ def save(self, *args, **kwargs): ########################### Secondary objects ######################### -class Assessment(NameDescriptionMixin, ETADueDateMixin): +class Assessment(NameDescriptionMixin, ETADueDateMixin, FolderMixin): class Status(models.TextChoices): PLANNED = "planned", _("Planned") IN_PROGRESS = "in_progress", _("In progress") @@ -1384,6 +1414,11 @@ class Status(models.TextChoices): class Meta: abstract = True + def save(self, *args, **kwargs) -> None: + if not self.folder or self.folder == Folder.get_root_folder(): + self.folder = self.project.folder + return super().save(*args, **kwargs) + class RiskAssessment(Assessment): risk_matrix = models.ForeignKey( @@ -1603,6 +1638,19 @@ def quality_check(self) -> dict: } ) + if not mtg["cost"]: + warnings_lst.append( + { + "msg": _( + "{} does not have an estimated cost. This will help you for prioritization" + ).format(mtg["name"]), + "msgid": "appliedControlNoCost", + "link": f"applied-controls/{mtg['id']}", + "obj_type": "appliedcontrol", + "object": {"name": mtg["name"], "id": mtg["id"]}, + } + ) + if not mtg["link"]: info_lst.append( { @@ -1680,6 +1728,17 @@ class RiskScenario(NameDescriptionMixin): ("transfer", _("Transfer")), ] + QUALIFICATIONS = [ + ("Financial", _("Financial")), + ("Legal", _("Legal")), + ("Reputation", _("Reputation")), + ("Operational", _("Operational")), + ("Confidentiality", _("Confidentiality")), + ("Integrity", _("Integrity")), + ("Availability", _("Availability")), + ("Authenticity", _("Authenticity")), + ] + DEFAULT_SOK_OPTIONS = { -1: { "name": _("--"), @@ -1787,6 +1846,8 @@ class RiskScenario(NameDescriptionMixin): verbose_name=_("Treatment status"), ) + qualifications = models.JSONField(default=list, verbose_name=_("Qualifications")) + strength_of_knowledge = models.IntegerField( default=-1, verbose_name=_("Strength of Knowledge"), @@ -1812,7 +1873,7 @@ def parent_project(self): parent_project.short_description = _("Project") def get_matrix(self): - return self.risk_assessment.risk_matrix.parse_json() + return self.risk_assessment.risk_matrix.parse_json_translated() def get_current_risk(self): if self.current_level < 0: @@ -1824,7 +1885,12 @@ def get_current_risk(self): "value": -1, } risk_matrix = self.get_matrix() - return {**risk_matrix["risk"][self.current_level], "value": self.current_level} + current_risk = { + **risk_matrix["risk"][self.current_level], + "value": self.current_level, + } + update_translations_in_object(current_risk) + return current_risk def get_current_impact(self): if self.current_impact < 0: @@ -1864,10 +1930,12 @@ def get_residual_risk(self): "value": -1, } risk_matrix = self.get_matrix() - return { + residual_risk = { **risk_matrix["risk"][self.residual_level], "value": self.residual_level, } + update_translations_in_object(residual_risk) + return residual_risk def get_residual_impact(self): if self.residual_impact < 0: @@ -2390,7 +2458,13 @@ def __str__(self) -> str: return self.requirement.display_short def get_requirement_description(self) -> str: - return self.requirement.description + return get_referential_translation( + { + "description": self.requirement.description, + "translations": self.requirement.translations, + }, + "description", + ) def infer_result( self, mapping: RequirementMapping, source_requirement_assessment: Self diff --git a/backend/core/serializers.py b/backend/core/serializers.py index f1a9d7c86..969c9e314 100644 --- a/backend/core/serializers.py +++ b/backend/core/serializers.py @@ -1,3 +1,4 @@ +import importlib from typing import Any from ciso_assistant.settings import EMAIL_HOST, EMAIL_HOST_RESCUE @@ -18,6 +19,40 @@ User = get_user_model() +class SerializerFactory: + """Factory to get a serializer class from a list of modules. + + Attributes: + modules (list): List of module names to search for the serializer. + """ + + def __init__(self, *modules: str): + self.modules = list(reversed(modules)) # Reverse to prioritize later modules + + def get_serializer(self, base_name: str, action: str): + if action in ["list", "retrieve"]: + serializer_name = f"{base_name}ReadSerializer" + elif action in ["create", "update", "partial_update"]: + serializer_name = f"{base_name}WriteSerializer" + else: + return None + + return self._get_serializer_class(serializer_name) + + def _get_serializer_class(self, serializer_name: str): + for module_name in self.modules: + try: + serializer_module = importlib.import_module(module_name) + serializer_class = getattr(serializer_module, serializer_name) + return serializer_class + except (ModuleNotFoundError, AttributeError): + continue + + raise ValueError( + f"Serializer {serializer_name} not found in any provided modules" + ) + + class BaseModelSerializer(serializers.ModelSerializer): def update(self, instance: models.Model, validated_data: Any) -> models.Model: if hasattr(instance, "urn") and getattr(instance, "urn"): @@ -51,7 +86,7 @@ def create(self, validated_data: Any): return object_created except Exception as e: logger.error(e) - raise serializers.ValidationError(e.args[0]) + raise serializers.ValidationError() class Meta: model: models.Model @@ -153,6 +188,7 @@ class Meta: class RiskAssessmentReadSerializer(AssessmentReadSerializer): str = serializers.CharField(source="__str__") project = FieldsRelatedField(["id", "folder"]) + folder = FieldsRelatedField() risk_scenarios = FieldsRelatedField(many=True) risk_scenarios_count = serializers.IntegerField(source="risk_scenarios.count") risk_matrix = FieldsRelatedField() @@ -240,7 +276,7 @@ class RiskScenarioReadSerializer(RiskScenarioWriteSerializer): threats = FieldsRelatedField(many=True) assets = FieldsRelatedField(many=True) - treatment = serializers.CharField(source="get_treatment_display") + treatment = serializers.CharField() current_proba = serializers.JSONField(source="get_current_proba") current_impact = serializers.JSONField(source="get_current_impact") @@ -273,11 +309,12 @@ class AppliedControlReadSerializer(AppliedControlWriteSerializer): csf_function = serializers.CharField( source="get_csf_function_display" ) # type : get_type_display - status = serializers.CharField(source="get_status_display") evidences = FieldsRelatedField(many=True) effort = serializers.CharField(source="get_effort_display") + cost = serializers.FloatField() ranking_score = serializers.IntegerField(source="get_ranking_score") + owner = FieldsRelatedField(many=True) class PolicyWriteSerializer(AppliedControlWriteSerializer): @@ -431,7 +468,7 @@ class FolderReadSerializer(BaseModelSerializer): class Meta: model = Folder - exclude = [] + fields = "__all__" # Compliance Assessment @@ -500,6 +537,7 @@ class Meta: class ComplianceAssessmentReadSerializer(AssessmentReadSerializer): project = FieldsRelatedField(["id", "folder"]) + folder = FieldsRelatedField() framework = FieldsRelatedField( ["id", "min_score", "max_score", "implementation_groups_definition", "ref_id"] ) diff --git a/backend/core/startup.py b/backend/core/startup.py new file mode 100644 index 000000000..6d761413e --- /dev/null +++ b/backend/core/startup.py @@ -0,0 +1,386 @@ +import os + +from django.apps import AppConfig +from django.core.management import call_command +from django.db.models.signals import post_migrate +from structlog import get_logger + +from ciso_assistant.settings import CISO_ASSISTANT_SUPERUSER_EMAIL + +logger = get_logger(__name__) + +READER_PERMISSIONS_LIST = [ + "view_project", + "view_riskassessment", + "view_appliedcontrol", + "view_policy", + "view_riskscenario", + "view_riskacceptance", + "view_asset", + "view_threat", + "view_referencecontrol", + "view_folder", + "view_usergroup", + "view_riskmatrix", + "view_complianceassessment", + "view_requirementassessment", + "view_requirementnode", + "view_evidence", + "view_framework", + "view_loadedlibrary", + "view_storedlibrary", + "view_user", + "view_requirementmappingset", + "view_requirementmapping", +] + +APPROVER_PERMISSIONS_LIST = [ + "view_project", + "view_riskassessment", + "view_appliedcontrol", + "view_policy", + "view_riskscenario", + "view_riskacceptance", + "approve_riskacceptance", + "view_asset", + "view_threat", + "view_referencecontrol", + "view_folder", + "view_usergroup", + "view_riskmatrix", + "view_complianceassessment", + "view_requirementassessment", + "view_requirementnode", + "view_evidence", + "view_framework", + "view_storedlibrary", + "view_loadedlibrary", + "view_user", + "view_requirementmappingset", + "view_requirementmapping", +] + +ANALYST_PERMISSIONS_LIST = [ + "add_project", + "view_project", + "change_project", + "delete_project", + "add_riskassessment", + "view_riskassessment", + "change_riskassessment", + "delete_riskassessment", + "add_appliedcontrol", + "view_appliedcontrol", + "change_appliedcontrol", + "delete_appliedcontrol", + "add_policy", + "view_policy", + "change_policy", + "delete_policy", + "add_riskscenario", + "view_riskscenario", + "change_riskscenario", + "delete_riskscenario", + "add_riskacceptance", + "view_riskacceptance", + "change_riskacceptance", + "delete_riskacceptance", + "add_complianceassessment", + "view_complianceassessment", + "change_complianceassessment", + "delete_complianceassessment", + "view_requirementassessment", + "change_requirementassessment", + "add_evidence", + "view_evidence", + "change_evidence", + "delete_evidence", + "add_asset", + "view_asset", + "change_asset", + "delete_asset", + "add_threat", + "view_threat", + "change_threat", + "delete_threat", + "view_referencecontrol", + "view_folder", + "view_usergroup", + "view_riskmatrix", + "view_requirementnode", + "view_framework", + "view_storedlibrary", + "view_loadedlibrary", + "view_user", + "view_requirementmappingset", + "view_requirementmapping", +] + +DOMAIN_MANAGER_PERMISSIONS_LIST = [ + "change_usergroup", + "view_usergroup", + "add_project", + "change_project", + "delete_project", + "view_project", + "add_riskassessment", + "view_riskassessment", + "change_riskassessment", + "delete_riskassessment", + "add_appliedcontrol", + "view_appliedcontrol", + "change_appliedcontrol", + "delete_appliedcontrol", + "add_policy", + "view_policy", + "change_policy", + "delete_policy", + "add_riskscenario", + "view_riskscenario", + "change_riskscenario", + "delete_riskscenario", + "add_riskacceptance", + "view_riskacceptance", + "change_riskacceptance", + "delete_riskacceptance", + "add_asset", + "view_asset", + "change_asset", + "delete_asset", + "add_threat", + "view_threat", + "change_threat", + "delete_threat", + "view_referencecontrol", + "view_folder", + "change_folder", + "add_riskmatrix", + "view_riskmatrix", + "change_riskmatrix", + "delete_riskmatrix", + "add_complianceassessment", + "view_complianceassessment", + "change_complianceassessment", + "delete_complianceassessment", + "view_requirementassessment", + "change_requirementassessment", + "add_evidence", + "view_evidence", + "change_evidence", + "delete_evidence", + "view_requirementnode", + "view_framework", + "view_storedlibrary", + "view_loadedlibrary", + "view_user", + "view_requirementmappingset", + "view_requirementmapping", +] + +ADMINISTRATOR_PERMISSIONS_LIST = [ + "add_user", + "view_user", + "change_user", + "delete_user", + "add_usergroup", + "view_usergroup", + "change_usergroup", + "delete_usergroup", + "add_event", + "view_event", + "change_event", + "delete_event", + "add_asset", + "view_asset", + "change_asset", + "delete_asset", + "add_threat", + "view_threat", + "change_threat", + "delete_threat", + "add_referencecontrol", + "view_referencecontrol", + "change_referencecontrol", + "delete_referencecontrol", + "add_folder", + "change_folder", + "view_folder", + "delete_folder", + "add_project", + "change_project", + "delete_project", + "view_project", + "add_riskassessment", + "view_riskassessment", + "change_riskassessment", + "delete_riskassessment", + "add_appliedcontrol", + "view_appliedcontrol", + "change_appliedcontrol", + "delete_appliedcontrol", + "add_policy", + "view_policy", + "change_policy", + "delete_policy", + "add_riskscenario", + "view_riskscenario", + "change_riskscenario", + "delete_riskscenario", + "add_riskacceptance", + "view_riskacceptance", + "change_riskacceptance", + "delete_riskacceptance", + "approve_riskacceptance", + "add_riskmatrix", + "view_riskmatrix", + "change_riskmatrix", + "delete_riskmatrix", + "add_complianceassessment", + "view_complianceassessment", + "change_complianceassessment", + "delete_complianceassessment", + "view_requirementassessment", + "change_requirementassessment", + "add_evidence", + "view_evidence", + "change_evidence", + "delete_evidence", + "add_framework", + "view_framework", + "delete_framework", + "view_requirementnode", + "view_storedlibrary", + "add_storedlibrary", + "delete_storedlibrary", + "view_loadedlibrary", + "add_loadedlibrary", + "delete_loadedlibrary", + "backup", + "restore", + "view_globalsettings", + "change_globalsettings", + "view_requirementmappingset", + "view_requirementmapping", +] + + +def startup(sender: AppConfig, **kwargs): + """ + Implement CISO Assistant 1.0 default Roles and User Groups during migrate + This makes sure root folder and global groups are defined before any other object is created + Create superuser if CISO_ASSISTANT_SUPERUSER_EMAIL defined + """ + from django.contrib.auth.models import Permission + + from iam.models import Folder, Role, RoleAssignment, User, UserGroup + + print("startup handler: initialize database") + + reader_permissions = Permission.objects.filter(codename__in=READER_PERMISSIONS_LIST) + + approver_permissions = Permission.objects.filter( + codename__in=APPROVER_PERMISSIONS_LIST + ) + + analyst_permissions = Permission.objects.filter( + codename__in=ANALYST_PERMISSIONS_LIST + ) + + domain_manager_permissions = Permission.objects.filter( + codename__in=DOMAIN_MANAGER_PERMISSIONS_LIST + ) + + administrator_permissions = Permission.objects.filter( + codename__in=ADMINISTRATOR_PERMISSIONS_LIST + ) + + # if root folder does not exist, then create it + if not Folder.objects.filter(content_type=Folder.ContentType.ROOT).exists(): + Folder.objects.create( + name="Global", content_type=Folder.ContentType.ROOT, builtin=True + ) + # update builtin roles to facilitate migrations + reader, created = Role.objects.get_or_create(name="BI-RL-AUD", builtin=True) + reader.permissions.set(reader_permissions) + approver, created = Role.objects.get_or_create(name="BI-RL-APP", builtin=True) + approver.permissions.set(approver_permissions) + analyst, created = Role.objects.get_or_create(name="BI-RL-ANA", builtin=True) + analyst.permissions.set(analyst_permissions) + domain_manager, created = Role.objects.get_or_create(name="BI-RL-DMA", builtin=True) + domain_manager.permissions.set(domain_manager_permissions) + administrator, created = Role.objects.get_or_create(name="BI-RL-ADM", builtin=True) + administrator.permissions.set(administrator_permissions) + # if global administrators user group does not exist, then create it + if not UserGroup.objects.filter( + name="BI-UG-ADM", folder=Folder.get_root_folder() + ).exists(): + administrators = UserGroup.objects.create( + name="BI-UG-ADM", folder=Folder.get_root_folder(), builtin=True + ) + ra1 = RoleAssignment.objects.create( + user_group=administrators, + role=Role.objects.get(name="BI-RL-ADM"), + is_recursive=True, + builtin=True, + folder=Folder.get_root_folder(), + ) + ra1.perimeter_folders.add(administrators.folder) + # if global readers user group does not exist, then create it + if not UserGroup.objects.filter( + name="BI-UG-GAD", folder=Folder.get_root_folder() + ).exists(): + global_readers = UserGroup.objects.create( + name="BI-UG-GAD", + folder=Folder.objects.get(content_type=Folder.ContentType.ROOT), + builtin=True, + ) + ra2 = RoleAssignment.objects.create( + user_group=global_readers, + role=Role.objects.get(name="BI-RL-AUD"), + is_recursive=True, + builtin=True, + folder=Folder.get_root_folder(), + ) + ra2.perimeter_folders.add(global_readers.folder) + # if global approvers user group does not exist, then create it + if not UserGroup.objects.filter( + name="BI-UG-GAP", folder=Folder.get_root_folder() + ).exists(): + global_approvers = UserGroup.objects.create( + name="BI-UG-GAP", + folder=Folder.objects.get(content_type=Folder.ContentType.ROOT), + builtin=True, + ) + ra2 = RoleAssignment.objects.create( + user_group=global_approvers, + role=Role.objects.get(name="BI-RL-APP"), + is_recursive=True, + builtin=True, + folder=Folder.get_root_folder(), + ) + ra2.perimeter_folders.add(global_approvers.folder) + + # if superuser defined and does not exist, then create it + if ( + CISO_ASSISTANT_SUPERUSER_EMAIL + and not User.objects.filter(email=CISO_ASSISTANT_SUPERUSER_EMAIL).exists() + ): + try: + User.objects.create_superuser( + email=CISO_ASSISTANT_SUPERUSER_EMAIL, is_superuser=True + ) + except Exception as e: + print(e) # NOTE: Add this exception in the logger + + call_command("storelibraries") + + +class CoreConfig(AppConfig): + default_auto_field = "django.db.models.BigAutoField" + name = "core" + verbose_name = "Core" + + def ready(self): + # avoid post_migrate handler if we are in the main, as it interferes with restore + if not os.environ.get("RUN_MAIN"): + post_migrate.connect(startup, sender=self) diff --git a/backend/core/templates/core/action_plan_pdf.html b/backend/core/templates/core/action_plan_pdf.html index 3397130c3..e46c31fdb 100644 --- a/backend/core/templates/core/action_plan_pdf.html +++ b/backend/core/templates/core/action_plan_pdf.html @@ -46,6 +46,7 @@

{% trans "Action plan" %}

{% trans "ETA" %} {% trans "Expiry date" %} {% trans "Effort" %} + {% trans "Cost" %} {% trans "Matching requirements" %} @@ -59,6 +60,7 @@

{% trans "Action plan" %}

{{ applied_control.eta|default:"--" }} {{ applied_control.expiry_date|default:"--" }} {{ applied_control.get_effort_display|default:"--" }} + {{ applied_control.cost|default:"--" }} {% get_requirements_count applied_control compliance_assessment %} {% empty %} diff --git a/backend/core/templates/snippets/mp_data.html b/backend/core/templates/snippets/mp_data.html index ab5d70457..207186e9c 100644 --- a/backend/core/templates/snippets/mp_data.html +++ b/backend/core/templates/snippets/mp_data.html @@ -61,6 +61,7 @@ {% trans "Reference control" %} {% trans "ETA" %} {% trans "Effort" %} + {% trans "Cost" %} {% trans "Link" %} {% trans "Status" %} @@ -74,6 +75,7 @@ {% if appliedcontrol.reference_control %}{{ appliedcontrol.reference_control }}{% else %}--{% endif %} {% if appliedcontrol.eta %}{{ appliedcontrol.eta }}{% else %}--{%endif%} {% if appliedcontrol.effort %}{{ appliedcontrol.effort }}{% else %}--{%endif%} + {% if appliedcontrol.cost %}{{ appliedcontrol.cost }}{% else %}--{%endif%} {% if appliedcontrol.link %}{% else %}--{% endif %} diff --git a/backend/core/templates/snippets/req_node.html b/backend/core/templates/snippets/req_node.html index fa6e564e8..091e8439b 100644 --- a/backend/core/templates/snippets/req_node.html +++ b/backend/core/templates/snippets/req_node.html @@ -21,7 +21,7 @@ {% if node.assessments.requirement.description %} -
{{ node.assessments.requirement.description }}
+
{{ node.assessments.requirement.get_description_translated }}
{% endif %} {% if node.assessments.observation %}

{% trans "Observation:" %}

{{ node.assessments.observation }}

diff --git a/backend/core/templates/snippets/ri_list_nested.html b/backend/core/templates/snippets/ri_list_nested.html index 6a2e7254b..a4ee40e58 100644 --- a/backend/core/templates/snippets/ri_list_nested.html +++ b/backend/core/templates/snippets/ri_list_nested.html @@ -53,7 +53,7 @@ {% for threat in scenario.threats.all %}

- {{ threat }} + {{ threat.get_name_translated }}

{% empty %} -- @@ -63,14 +63,10 @@

{{ scenario.existing_controls|linebreaksbr }}

- {% for risk in risk_matrix.parse_json.risk %} - {% if risk.name == scenario.get_current_risk.name %} -

- {{ scenario.get_current_risk.name }} -

- - {% endif %} - {% endfor %} +

+ {{ scenario.get_current_risk.name }} +

+ {% if scenario.get_current_risk.name == '--' %}

{{ scenario.get_residual_risk.name }} @@ -78,14 +74,10 @@ {% endif %} - {% for risk in risk_matrix.parse_json.risk %} - {% if risk.name == scenario.get_residual_risk.name %} -

- {{ scenario.get_residual_risk.name }} -

- - {% endif %} - {% endfor %} +

+ {{ scenario.get_residual_risk.name }} +

+ {% if scenario.get_residual_risk.name == '--' %}

{{ scenario.get_residual_risk.name }} diff --git a/backend/core/templates/snippets/risk_legend.html b/backend/core/templates/snippets/risk_legend.html index bb4ceed62..72f20cdea 100644 --- a/backend/core/templates/snippets/risk_legend.html +++ b/backend/core/templates/snippets/risk_legend.html @@ -4,7 +4,7 @@

{% trans "Risk levels" %}

- {% for risk in risk_matrix.parse_json.risk %} + {% for risk in risk_matrix.parse_json_translated.risk %} diff --git a/backend/core/templates/snippets/risk_matrix.html b/backend/core/templates/snippets/risk_matrix.html index 45ed95bc0..6ff2359aa 100644 --- a/backend/core/templates/snippets/risk_matrix.html +++ b/backend/core/templates/snippets/risk_matrix.html @@ -7,7 +7,7 @@ {% with row_index=forloop.revcounter0 %} @@ -21,14 +21,14 @@ {% endfor %} - {% for probability in risk_matrix.parse_json.probability %} + {% for probability in risk_matrix.parse_json_translated.probability %} {% endfor %} - {% for probability in matrix.parse_json.probability %} + {% for probability in matrix.parse_json_translated.probability %} @@ -50,7 +50,7 @@ {% with row_index=forloop.revcounter0 %} - {% for impact in risk_matrix.parse_json.impact %} + {% for impact in risk_matrix.parse_json_translated.impact %}
- {% with impact=matrix.parse_json.impact|index:row_index %} + {% with impact=matrix.parse_json_translated.impact|index:row_index %} {{ impact.name }} {% endwith %}
{{ probability.name }}
{{ probability.name }}
- {% with probability=risk_matrix.parse_json.probability|index:row_index %} + {% with probability=risk_matrix.parse_json_translated.probability|index:row_index %} {{ probability.name }}: {{ probability.description|linebreaksbr }} {% endwith %} @@ -73,7 +73,7 @@ {% endfor %}
{{ impact.name }}: {{ impact.description|linebreaksbr }} diff --git a/backend/core/urls.py b/backend/core/urls.py index eee2be01e..b4290a221 100644 --- a/backend/core/urls.py +++ b/backend/core/urls.py @@ -2,12 +2,14 @@ from .views import * from library.views import StoredLibraryViewSet, LoadedLibraryViewSet from iam.sso.saml.views import FinishACSView +import importlib from django.urls import include, path from rest_framework import routers from ciso_assistant.settings import DEBUG +from django.conf import settings router = routers.DefaultRouter() router.register(r"folders", FolderViewSet, basename="folders") @@ -49,6 +51,16 @@ basename="requirement-mapping-sets", ) +ROUTES = settings.ROUTES + +for route in ROUTES: + view_module = importlib.import_module(ROUTES[route]["viewset"].rsplit(".", 1)[0]) + router.register( + route, + getattr(view_module, ROUTES[route]["viewset"].rsplit(".")[-1]), + basename=ROUTES[route].get("basename"), + ) + urlpatterns = [ path("", include(router.urls)), path("iam/", include("iam.urls")), @@ -59,6 +71,7 @@ path("license/", license, name="license"), path("evidences//upload/", UploadAttachmentView.as_view(), name="upload"), path("get_counters/", get_counters_view, name="get_counters_view"), + path("get_metrics/", get_metrics_view, name="get_metrics_view"), path("agg_data/", get_agg_data, name="get_agg_data"), path("composer_data/", get_composer_data, name="get_composer_data"), path("i18n/", include("django.conf.urls.i18n")), diff --git a/backend/core/views.py b/backend/core/views.py index dde1366d3..911acb72b 100644 --- a/backend/core/views.py +++ b/backend/core/views.py @@ -6,7 +6,7 @@ import uuid import zipfile from datetime import datetime -from typing import Any, Tuple, List +from typing import Any, Tuple from uuid import UUID from datetime import date, timedelta @@ -23,6 +23,7 @@ from django.middleware import csrf from django.template.loader import render_to_string from django.utils.functional import Promise +from django.utils import translation from django_filters.rest_framework import DjangoFilterBackend from iam.models import Folder, RoleAssignment, User, UserGroup from rest_framework import filters, permissions, status, viewsets @@ -40,13 +41,20 @@ from weasyprint import HTML from core.helpers import * -from core.models import AppliedControl, ComplianceAssessment, RequirementMappingSet +from core.models import ( + AppliedControl, + ComplianceAssessment, + RequirementMappingSet, + ReferentialObjectMixin, +) from core.serializers import ComplianceAssessmentReadSerializer from core.utils import RoleCodename, UserGroupCodename from .models import * from .serializers import * +from django.conf import settings + User = get_user_model() @@ -81,20 +89,14 @@ def get_queryset(self): queryset = self.model.objects.filter(id__in=object_ids_view) return queryset - def get_serializer_class(self): - base_name = self.model.__name__ - - if self.action in ["list", "retrieve"]: - serializer_name = f"{base_name}ReadSerializer" - elif self.action in ["create", "update", "partial_update"]: - serializer_name = f"{base_name}WriteSerializer" - else: - # Default to the parent class's implementation if action doesn't match - return super().get_serializer_class() - - # Dynamically import the serializer module and get the serializer class - serializer_module = importlib.import_module(self.serializers_module) - serializer_class = getattr(serializer_module, serializer_name) + def get_serializer_class(self, **kwargs): + MODULE_PATHS = settings.MODULE_PATHS + serializer_factory = SerializerFactory( + self.serializers_module, *MODULE_PATHS.get("serializers", []) + ) + serializer_class = serializer_factory.get_serializer( + self.model.__name__, kwargs.get("action", self.action) + ) return serializer_class @@ -136,9 +138,7 @@ class Meta: @action(detail=True, name="Get write data") def object(self, request, pk): - serializer_name = f"{self.model.__name__}WriteSerializer" - serializer_module = importlib.import_module(self.serializers_module) - serializer_class = getattr(serializer_module, serializer_name) + serializer_class = self.get_serializer_class(action="update") return Response(serializer_class(super().get_object()).data) @@ -431,6 +431,7 @@ def treatment_plan_csv(self, request, pk): "reference_control", "eta", "effort", + "cost", "link", "status", ] @@ -457,6 +458,7 @@ def treatment_plan_csv(self, request, pk): mtg.reference_control, mtg.eta, mtg.effort, + mtg.cost, mtg.link, mtg.status, ] @@ -585,6 +587,7 @@ def duplicate(self, request, pk): description=scenario.description, existing_controls=scenario.existing_controls, treatment=scenario.treatment, + qualifications=scenario.qualifications, current_proba=scenario.current_proba, current_impact=scenario.current_impact, residual_proba=scenario.residual_proba, @@ -614,6 +617,7 @@ class AppliedControlViewSet(BaseModelViewSet): "status", "reference_control", "effort", + "cost", "risk_scenarios", "requirement_assessments", "evidences", @@ -669,7 +673,7 @@ def todo(self, request): """measures = [{ key: getattr(mtg,key) for key in [ - "id","folder","reference_control","type","status","effort","name","description","eta","link","created_at","updated_at" + "id","folder","reference_control","type","status","effort", "cost", "name","description","eta","link","created_at","updated_at" ] } for mtg in measures] for i in range(len(measures)) : @@ -705,6 +709,43 @@ def to_review(self, request): return Response({"results": measures}) + @action(detail=False, name="Export controls as CSV") + def export_csv(self, request): + (viewable_controls_ids, _, _) = RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), request.user, AppliedControl + ) + response = HttpResponse(content_type="text/csv") + response["Content-Disposition"] = 'attachment; filename="audit_export.csv"' + + writer = csv.writer(response, delimiter=";") + columns = [ + "internal_id", + "name", + "description", + "category", + "csf_function", + "status", + "eta", + "owner", + ] + writer.writerow(columns) + + for control in AppliedControl.objects.filter(id__in=viewable_controls_ids): + row = [ + control.id, + control.name, + control.description, + control.category, + control.csf_function, + control.status, + control.eta, + ] + if len(control.owner.all()) > 0: + owners = ",".join([o.email for o in control.owner.all()]) + row += [owners] + writer.writerow(row) + return response + class PolicyViewSet(AppliedControlViewSet): model = Policy @@ -745,15 +786,19 @@ class RiskScenarioViewSet(BaseModelViewSet): def treatment(self, request): return Response(dict(RiskScenario.TREATMENT_OPTIONS)) + @action(detail=False, name="Get qualification choices") + def qualifications(self, request): + return Response(dict(RiskScenario.QUALIFICATIONS)) + @action(detail=True, name="Get probability choices") def probability(self, request, pk): - undefined = dict([(-1, "--")]) - _choices = dict( - zip( - list(range(0, 64)), - [x["name"] for x in self.get_object().get_matrix()["probability"]], + undefined = {-1: "--"} + _choices = { + i: name + for i, name in enumerate( + x["name"] for x in self.get_object().get_matrix()["probability"] ) - ) + } choices = undefined | _choices return Response(choices) @@ -775,16 +820,13 @@ def strength_of_knowledge(self, request, pk): _sok_choices = self.get_object().get_matrix().get("strength_of_knowledge") if _sok_choices is not None: sok_choices = dict( - zip( - list(range(0, 64)), - [ - { - "name": x["name"], - "description": x.get("description"), - "symbol": x.get("symbol"), - } - for x in _sok_choices - ], + enumerate( + { + "name": x["name"], + "description": x.get("description"), + "symbol": x.get("symbol"), + } + for x in _sok_choices ) ) else: @@ -857,6 +899,13 @@ def revoke(self, request, pk): self.get_object().set_state("revoked") return Response({"results": "state updated to revoked"}) + @action(detail=False, methods=["get"], name="Get waiting risk acceptances") + def waiting(self, request): + acceptance_count = RiskAcceptance.objects.filter( + approver=request.user, state="submitted" + ).count() + return Response({"count": acceptance_count}) + def perform_create(self, serializer): risk_acceptance = serializer.validated_data submitted = False @@ -1029,6 +1078,50 @@ def perform_create(self, serializer): ) ra4.perimeter_folders.add(folder) + @action(detail=False, methods=["get"]) + def org_tree(self, request): + """ + Returns the tree of domains and projects + """ + tree = {"name": "Global", "children": []} + + (viewable_objects, _, _) = RoleAssignment.get_accessible_object_ids( + folder=Folder.get_root_folder(), + user=request.user, + object_type=Folder, + ) + folders_list = list() + for folder in Folder.objects.exclude(content_type="GL").filter( + id__in=viewable_objects + ): + entry = {"name": folder.name} + children = [] + for project in Project.objects.filter(folder=folder): + children.append( + { + "name": project.name, + "children": [ + { + "name": "audits", + "value": ComplianceAssessment.objects.filter( + project=project + ).count(), + }, + { + "name": "risk assessments", + "value": RiskAssessment.objects.filter( + project=project + ).count(), + }, + ], + } + ) + entry.update({"children": children}) + folders_list.append(entry) + tree.update({"children": folders_list}) + + return Response(tree) + @api_view(["GET"]) @permission_classes([permissions.IsAuthenticated]) @@ -1039,6 +1132,15 @@ def get_counters_view(request): return Response({"results": get_counters(request.user)}) +@api_view(["GET"]) +@permission_classes([permissions.IsAuthenticated]) +def get_metrics_view(request): + """ + API endpoint that returns the counters + """ + return Response({"results": get_metrics(request.user)}) + + # TODO: Add all the proper docstrings for the following list of functions @@ -1310,21 +1412,43 @@ def action_plan(self, request, pk): ) if UUID(pk) in viewable_objects: response = { - "planned": list(), - "active": list(), - "inactive": list(), - "none": list(), + "none": [], + "to_do": [], + "in_progress": [], + "on_hold": [], + "active": [], + "deprecated": [], } compliance_assessment_object = self.get_object() requirement_assessments_objects = ( compliance_assessment_object.get_requirement_assessments() ) - applied_controls = AppliedControlReadSerializer( - AppliedControl.objects.filter( + applied_controls = [ + { + "id": applied_control.id, + "name": applied_control.name, + "description": applied_control.description, + "status": applied_control.status, + "category": applied_control.category, + "csf_function": applied_control.csf_function, + "eta": applied_control.eta, + "expiry_date": applied_control.expiry_date, + "link": applied_control.link, + "effort": applied_control.effort, + "cost": applied_control.cost, + "owners": [ + { + "id": owner.id, + "email": owner.email, + } + for owner in applied_control.owner.all() + ], + } + for applied_control in AppliedControl.objects.filter( requirement_assessments__in=requirement_assessments_objects - ).distinct(), - many=True, - ).data + ).distinct() + ] + for applied_control in applied_controls: applied_control["requirements_count"] = ( RequirementAssessment.objects.filter( @@ -1333,13 +1457,60 @@ def action_plan(self, request, pk): .filter(applied_controls=applied_control["id"]) .count() ) - response[applied_control["status"].lower()].append( - applied_control - ) if applied_control["status"] else response["none"].append( - applied_control - ) + if applied_control["status"] == "--": + response["none"].append(applied_control) + else: + response[applied_control["status"].lower()].append(applied_control) + return Response(response) + @action(detail=True, name="Get compliance assessment (audit) CSV") + def compliance_assessment_csv(self, request, pk): + response = HttpResponse(content_type="text/csv") + response["Content-Disposition"] = 'attachment; filename="audit_export.csv"' + + (viewable_objects, _, _) = RoleAssignment.get_accessible_object_ids( + Folder.get_root_folder(), request.user, ComplianceAssessment + ) + + if UUID(pk) in viewable_objects: + writer = csv.writer(response, delimiter=";") + columns = [ + "ref_id", + "description", + "compliance_result", + "progress", + "score", + "observations", + ] + writer.writerow(columns) + + for req in RequirementAssessment.objects.filter(compliance_assessment=pk): + req_node = RequirementNode.objects.get(pk=req.requirement.id) + req_text = ( + req_node.get_description_translated + if req_node.description + else req_node.get_name_translated + ) + row = [ + req_node.ref_id, + req_text, + ] + if req_node.assessable: + row += [ + req.result, + req.status, + req.score, + req.observation, + ] + writer.writerow(row) + + return response + else: + return Response( + {"error": "Permission denied"}, status=status.HTTP_403_FORBIDDEN + ) + @action(detail=True, name="Get action plan PDF") def action_plan_pdf(self, request, pk): (object_ids_view, _, _) = RoleAssignment.get_accessible_object_ids( @@ -1347,15 +1518,19 @@ def action_plan_pdf(self, request, pk): ) if UUID(pk) in object_ids_view: context = { - "planned": list(), + "to_do": list(), + "in_progress": list(), + "on_hold": list(), "active": list(), - "inactive": list(), + "deprecated": list(), "no status": list(), } color_map = { - "planned": "#93c5fd", - "active": "#86efac", - "inactive": "#fca5a5", + "to_do": "#FFF8F0", + "in_progress": "#392F5A", + "on_hold": "#F4D06F", + "active": "#9DD9D2", + "deprecated": "#ff8811", "no status": "#e5e7eb", } status = AppliedControl.Status.choices @@ -1613,7 +1788,7 @@ def todo(self, request): """measures = [{ key: getattr(mtg,key) for key in [ - "id","folder","reference_control","type","status","effort","name","description","eta","link","created_at","updated_at" + "id","folder","reference_control","type","status","effort","cost","name","description","eta","link","created_at","updated_at" ] } for mtg in measures] for i in range(len(measures)) : @@ -1775,6 +1950,7 @@ def generate_data_rec(requirement_node: RequirementNode): return node_data, selected_evidences top_level_nodes = [req for req in requirement_nodes if not req.parent_urn] + update_translations_in_object(top_level_nodes) top_level_nodes_data = [] for requirement_node in top_level_nodes: node_data, node_evidences = generate_data_rec(requirement_node) @@ -1807,6 +1983,7 @@ def export_mp_csv(request): "reference_control", "eta", "effort", + "cost", "link", "status", ] @@ -1828,6 +2005,7 @@ def export_mp_csv(request): mtg.reference_control, mtg.eta, mtg.effort, + mtg.cost, mtg.link, mtg.status, ] diff --git a/backend/global_settings/migrations/0002_alter_globalsettings_folder.py b/backend/global_settings/migrations/0002_alter_globalsettings_folder.py new file mode 100644 index 000000000..c5c6fd351 --- /dev/null +++ b/backend/global_settings/migrations/0002_alter_globalsettings_folder.py @@ -0,0 +1,25 @@ +# Generated by Django 5.1.1 on 2024-09-12 15:00 + +import django.db.models.deletion +import iam.models +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("global_settings", "0001_initial"), + ("iam", "0006_alter_role_folder_alter_roleassignment_folder_and_more"), + ] + + operations = [ + migrations.AlterField( + model_name="globalsettings", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + ] diff --git a/backend/iam/migrations/0006_alter_role_folder_alter_roleassignment_folder_and_more.py b/backend/iam/migrations/0006_alter_role_folder_alter_roleassignment_folder_and_more.py new file mode 100644 index 000000000..9226e38b4 --- /dev/null +++ b/backend/iam/migrations/0006_alter_role_folder_alter_roleassignment_folder_and_more.py @@ -0,0 +1,54 @@ +# Generated by Django 5.1.1 on 2024-09-12 15:00 + +import django.db.models.deletion +import iam.models +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("iam", "0005_alter_user_managers"), + ] + + operations = [ + migrations.AlterField( + model_name="role", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="roleassignment", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="user", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + migrations.AlterField( + model_name="usergroup", + name="folder", + field=models.ForeignKey( + default=iam.models.Folder.get_root_folder_id, + on_delete=django.db.models.deletion.CASCADE, + related_name="%(class)s_folder", + to="iam.folder", + ), + ), + ] diff --git a/backend/iam/models.py b/backend/iam/models.py index 0d46c8f20..bb3d04abc 100644 --- a/backend/iam/models.py +++ b/backend/iam/models.py @@ -61,6 +61,14 @@ def get_root_folder() -> Self: """class function for general use""" return _get_root_folder() + @staticmethod + def get_root_folder_id() -> uuid.UUID: + """class function for general use""" + try: + return uuid.UUID(_get_root_folder().id) + except: + return _get_root_folder() + class ContentType(models.TextChoices): """content type for a folder""" @@ -173,7 +181,7 @@ class FolderMixin(models.Model): Folder, on_delete=models.CASCADE, related_name="%(class)s_folder", - default=Folder.get_root_folder, + default=Folder.get_root_folder_id, ) class Meta: @@ -227,9 +235,20 @@ def get_localization_dict(self) -> dict: class UserManager(BaseUserManager): use_in_migrations = True - def _create_user(self, email, password, mailing=True, **extra_fields): + def _create_user( + self, + email: str, + password: str, + mailing: bool, + initial_group: UserGroup, + **extra_fields, + ): """ Create and save a user with the given email, and password. + If mailing is set, send a welcome mail + If initial_group is given, put the new user in this group + On mail error, raise a corresponding exception, but the user is properly created + TODO: find a better way to manage mailing error """ validate_email(email) @@ -245,7 +264,8 @@ def _create_user(self, email, password, mailing=True, **extra_fields): user.user_groups.set(extra_fields.get("user_groups", [])) user.password = make_password(password if password else str(uuid.uuid4())) user.save(using=self._db) - + if initial_group: + initial_group.user_set.add(user) logger.info("user created sucessfully", user=user) if mailing: @@ -259,23 +279,31 @@ def _create_user(self, email, password, mailing=True, **extra_fields): raise exception return user - def create_user(self, email, password=None, **extra_fields): + def create_user(self, email: str, password: str = None, **extra_fields): + """create a normal user following Django convention""" logger.info("creating user", email=email) extra_fields.setdefault("is_superuser", False) - if not (EMAIL_HOST or EMAIL_HOST_RESCUE): - extra_fields.setdefault("mailing", False) - return self._create_user(email, password, **extra_fields) + return self._create_user( + email=email, + password=password, + mailing=(EMAIL_HOST or EMAIL_HOST_RESCUE), + initial_group=None, + **extra_fields, + ) - def create_superuser(self, email, password=None, **extra_fields): + def create_superuser(self, email: str, password: str = None, **extra_fields): + """create a superuser following Django convention""" logger.info("creating superuser", email=email) extra_fields.setdefault("is_superuser", True) if extra_fields.get("is_superuser") is not True: raise ValueError("Superuser must have is_superuser=True.") - extra_fields.setdefault( - "mailing", not (password) and (EMAIL_HOST or EMAIL_HOST_RESCUE) + superuser = self._create_user( + email=email, + password=password, + mailing=not (password) and (EMAIL_HOST or EMAIL_HOST_RESCUE), + initial_group=UserGroup.objects.get(name="BI-UG-ADM"), + **extra_fields, ) - superuser = self._create_user(email, password, **extra_fields) - UserGroup.objects.get(name="BI-UG-ADM").user_set.add(superuser) return superuser @@ -362,10 +390,7 @@ def get_full_name(self) -> str: def get_short_name(self) -> str: """get user's short name (i.e. first_name or email before @))""" - try: - return self.first_name if self.first_name else self.email.split("@")[0] - except: - return "" + return self.first_name if self.first_name else self.email.split("@")[0] def mailing(self, email_template_name, subject, pk=False): """ diff --git a/backend/iam/sso/models.py b/backend/iam/sso/models.py index c63d73713..1602b80ae 100644 --- a/backend/iam/sso/models.py +++ b/backend/iam/sso/models.py @@ -1,10 +1,14 @@ -from django.db import models -from django.utils.translation import gettext_lazy as _ +import structlog +from allauth.socialaccount.models import providers from django.core.exceptions import ObjectDoesNotExist +from django.db import models from django.db.models.query import QuerySet +from django.utils.translation import gettext_lazy as _ -from allauth.socialaccount.models import providers from global_settings.models import GlobalSettings +from iam.sso.saml.defaults import DEFAULT_SAML_SETTINGS + +logger = structlog.get_logger(__name__) class SSOSettingsQuerySet(QuerySet): @@ -15,27 +19,35 @@ def __init__(self, model=None, query=None, using=None, hints=None): def _fetch_all(self): if self._result_cache is None: - try: + if not GlobalSettings.objects.filter( + name=GlobalSettings.Names.SSO + ).exists(): + logger.info("SSO settings not found, creating default settings") + _settings = GlobalSettings.objects.create( + name=GlobalSettings.Names.SSO, + value={"client_id": "0", "settings": DEFAULT_SAML_SETTINGS}, + ) + logger.info("SSO settings created", settings=_settings.value) + else: _settings = GlobalSettings.objects.get(name=GlobalSettings.Names.SSO) - self._result_cache = [ - SSOSettings( - id=_settings.id, - name=_settings.name, - created_at=_settings.created_at, - updated_at=_settings.updated_at, - is_published=_settings.is_published, - is_enabled=_settings.value.get("is_enabled"), - provider=_settings.value.get("provider"), - client_id=_settings.value.get("client_id"), - provider_id=_settings.value.get("provider_id"), - provider_name=_settings.value.get("name"), - secret=_settings.value.get("secret"), - key=_settings.value.get("key"), - settings=_settings.value.get("settings"), - ) - ] - except ObjectDoesNotExist: - self._result_cache = [] + + self._result_cache = [ + SSOSettings( + id=_settings.id, + name=_settings.name, + created_at=_settings.created_at, + updated_at=_settings.updated_at, + is_published=_settings.is_published, + is_enabled=_settings.value.get("is_enabled"), + provider=_settings.value.get("provider"), + client_id=_settings.value.get("client_id"), + provider_id=_settings.value.get("provider_id"), + provider_name=_settings.value.get("name"), + secret=_settings.value.get("secret"), + key=_settings.value.get("key"), + settings=_settings.value.get("settings"), + ) + ] def iterator(self): self._fetch_all() diff --git a/backend/iam/sso/saml/defaults.py b/backend/iam/sso/saml/defaults.py new file mode 100644 index 000000000..d2ec799f2 --- /dev/null +++ b/backend/iam/sso/saml/defaults.py @@ -0,0 +1,41 @@ +from allauth.socialaccount.providers.saml.provider import SAMLProvider + + +DEFAULT_SAML_ATTRIBUTE_MAPPING = SAMLProvider.default_attribute_mapping + +DEFAULT_SAML_SETTINGS = { + "attribute_mapping": { + "uid": DEFAULT_SAML_ATTRIBUTE_MAPPING["uid"], + "email_verified": DEFAULT_SAML_ATTRIBUTE_MAPPING["email_verified"], + "email": DEFAULT_SAML_ATTRIBUTE_MAPPING["email"], + }, + "idp": { + "entity_id": "", + "metadata_url": "", + "sso_url": "", + "slo_url": "", + "x509cert": "", + }, + "sp": { + "entity_id": "ciso-assistant", + }, + "advanced": { + "allow_repeat_attribute_name": True, + "allow_single_label_domains": False, + "authn_request_signed": False, + "digest_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", + "logout_request_signed": False, + "logout_response_signed": False, + "metadata_signed": False, + "name_id_encrypted": False, + "reject_deprecated_algorithm": True, + "reject_idp_initiated_sso": True, + "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", + "want_assertion_encrypted": False, + "want_assertion_signed": False, + "want_attribute_statement": True, + "want_message_signed": False, + "want_name_id": False, + "want_name_id_encrypted": False, + }, +} diff --git a/backend/iam/sso/saml/views.py b/backend/iam/sso/saml/views.py index 9cc69beca..82b9ccd3d 100644 --- a/backend/iam/sso/saml/views.py +++ b/backend/iam/sso/saml/views.py @@ -135,14 +135,14 @@ def dispatch(self, request, organization_slug): email = auth._nameid user = User.objects.get(email=email) idp_first_name = auth._attributes.get( - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" + "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", [""] )[0] idp_last_name = auth._attributes.get( - "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" + "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", [""] )[0] - if user.first_name != idp_first_name: + if idp_first_name and user.first_name != idp_first_name: user.first_name = idp_first_name - if user.last_name != idp_last_name: + if idp_last_name and user.last_name != idp_last_name: user.last_name = idp_last_name user.is_sso = True user.save() diff --git a/backend/iam/utils.py b/backend/iam/utils.py index 1cda362ff..1466f8d60 100644 --- a/backend/iam/utils.py +++ b/backend/iam/utils.py @@ -1,4 +1,4 @@ -from knox.auth import AuthToken +from knox.models import AuthToken def generate_token(user): diff --git a/backend/library/helpers.py b/backend/library/helpers.py index 6fe2fbb39..7bca62e60 100644 --- a/backend/library/helpers.py +++ b/backend/library/helpers.py @@ -3,6 +3,8 @@ # from core.models import RequirementNode from django.utils.translation import get_language +from typing import Union + def get_referential_translation(object, parameter: str, locale=None) -> str: # NOTE: put get_language() as default value for locale doesn't work, default locale "en" is always returned. @@ -36,9 +38,9 @@ def get_referential_translation(object, parameter: str, locale=None) -> str: return locale_translations.get(parameter, fallback) -def update_translations_in_object(obj, locale=None): +def update_translations_in_object(obj: Union[dict, list], locale=None): """ - Recursively update the translations of 'name' and 'description' fields in an object. + Recursively update the translations of 'name' and 'description' fields in a dict or a list. Args: obj (dict): The object to update. @@ -57,6 +59,11 @@ def update_translations_in_object(obj, locale=None): elif isinstance(value, list): for item in value: update_translations_in_object(item, get_language() or locale) + + elif isinstance(obj, list): + for i in range(len(obj)): + obj[i] = update_translations_in_object(obj[i]) + return obj @@ -69,7 +76,7 @@ def update_translations(data_dict_str, locale=None) -> str: locale (str): The locale to get the translation for. Returns: - str: The updated dictionary as a JSON string. + str: The updated dictionary. """ if isinstance(data_dict_str, str): data_dict = json.loads(data_dict_str) @@ -77,8 +84,22 @@ def update_translations(data_dict_str, locale=None) -> str: if isinstance(objects_list, list): for obj in objects_list: update_translations_in_object(obj, get_language() or locale) + return data_dict elif isinstance(data_dict_str, list): for obj in data_dict_str: update_translations_in_object(obj, get_language() or locale) - return data_dict_str - return json.dumps(data_dict) + return data_dict_str + + +def update_translations_as_string(data_dict_str, locale=None) -> str: + """ + Update the translations of 'name' and 'description' fields in a dictionary of objects. + + Args: + data_dict_str (str): The JSON string of the dict of objects to update. + locale (str): The locale to get the translation for. + + Returns: + str: The updated dictionary as a JSON string. + """ + return json.dumps(update_translations(data_dict_str, locale)) diff --git a/backend/library/libraries/ccb-cff-2023-03-01.yaml b/backend/library/libraries/ccb-cff-2023-03-01.yaml index 5aba346d8..d51ba1dcc 100644 --- a/backend/library/libraries/ccb-cff-2023-03-01.yaml +++ b/backend/library/libraries/ccb-cff-2023-03-01.yaml @@ -7,7 +7,7 @@ description: 'Centre For Cybersecurity Belgium - CyberFundamentals Framework https://ccb.belgium.be' copyright: All texts, layouts, designs and other elements of any nature in this document are subject to copyright law. -version: 3 +version: 4 provider: CCB packager: intuitem objects: @@ -69,6 +69,15 @@ objects: - ref_id: E name: essential description: null + - ref_id: BK + name: basic - key measures + description: null + - ref_id: IK + name: important - key measures + description: null + - ref_id: EK + name: essential - key measures + description: null requirement_nodes: - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id assessable: false @@ -385,10 +394,9 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 ref_id: IMPORTANT_ID.AM-6.1 - description: Information security and cybersecurity roles, responsibilities + description: '[KEY MEASURE] Information security and cybersecurity roles, responsibilities and authorities within the organization shall be documented, reviewed, authorized, - and updated and alignment with organization-internal roles and external partners. Key - Measure + and updated and alignment with organization-internal roles and external partners.' annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\ \ and authorities: who in your organization should be consulted, informed,\ \ and held accountable for all or part of your assets.\n\u2022\tProvide security\ @@ -400,6 +408,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 assessable: true depth: 4 @@ -1016,11 +1026,11 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 ref_id: ID.SC-3.2 - description: "Contractual information security and cybersecurity\u2019 requirements\ - \ for suppliers and third-party partners shall be implemented to ensure a\ - \ verifiable flaw remediation process, and to ensure the correction of flaws\ - \ identified during \u2018information security and cybersecurity\u2019 testing\ - \ and evaluation." + description: "[KEY MEASURE] Contractual information security and cybersecurity\u2019\ + \ requirements for suppliers and third-party partners shall be implemented\ + \ to ensure a verifiable flaw remediation process, and to ensure the correction\ + \ of flaws identified during \u2018information security and cybersecurity\u2019\ + \ testing and evaluation." annotation: "\u2022\tInformation systems containing software (or firmware) affected\ \ by recently announced software flaws (and potential vulnerabilities resulting\ \ from those flaws) should be identified.\n\u2022\tNewly released security\ @@ -1033,17 +1043,19 @@ objects: \ into configuration management as an emergency change." implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 ref_id: ID.SC-3.3 - description: "The organization shall establish contractual requirements permitting\ - \ the organization to review the \u2018information security and cybersecurity\u2019\ - \ programs implemented by suppliers and third-party partners." + description: "[KEY MEASURE] The organization shall establish contractual requirements\ + \ permitting the organization to review the \u2018information security and\ + \ cybersecurity\u2019 programs implemented by suppliers and third-party partners." annotation: No additional guidance on this topic. implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 assessable: false depth: 3 @@ -1135,8 +1147,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 ref_id: BASIC_PR.AC-1.1 - description: Identities and credentials for authorized devices and users shall - be managed. + description: '[KEY MEASURE] Identities and credentials for authorized devices + and users shall be managed.' annotation: "Identities and credentials for authorized devices and users could\ \ be managed through a password policy. A password policy is a set of rules\ \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ @@ -1153,6 +1165,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 assessable: true depth: 4 @@ -1308,22 +1323,25 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 ref_id: BASIC_PR.AC-3.2 - description: The organization's networks when accessed remotely shall be secured, - including through multi-factor authentication (MFA). + description: '[KEY MEASURE] The organization''s networks when accessed remotely + shall be secured, including through multi-factor authentication (MFA).' annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs). implementation_groups: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 ref_id: IMPORTANT_PR.AC-3.3 - description: "Usage restrictions, connection requirements, implementation guidance,\ - \ and authorizations for remote access to the organization\u2019s critical\ - \ systems environment shall be identified, documented and implemented. " + description: "[KEY MEASURE] Usage restrictions, connection requirements, implementation\ + \ guidance, and authorizations for remote access to the organization\u2019\ + s critical systems environment shall be identified, documented and implemented. " annotation: "Consider the following:\n\u2022\tRemote access methods include,\ \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\ \ mobile device connections, and communications through external networks.\n\ @@ -1335,6 +1353,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 assessable: true depth: 4 @@ -1369,8 +1389,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.1 - description: "Access permissions for users to the organization\u2019s systems\ - \ shall be defined and managed." + description: "[KEY MEASURE] Access permissions for users to the organization\u2019\ + s systems shall be defined and managed." annotation: "The following should be considered:\n\u2022\tDraw up and review\ \ regularly access lists per system (files, servers, software, databases,\ \ etc.), possibly through analysis of the Active Directory in Windows-based\ @@ -1389,27 +1409,34 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.2 - description: It shall be identified who should have access to the organization's - business's critical information and technology and the means to get access. + description: '[KEY MEASURE] It shall be identified who should have access to + the organization''s business''s critical information and technology and the + means to get access.' annotation: 'Means to get access may include: a key, password, code, or administrative privilege.' implementation_groups: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.3 - description: Employee access to data and information shall be limited to the - systems and specific information they need to do their jobs (the principle - of Least Privilege). + description: '[KEY MEASURE] Employee access to data and information shall be + limited to the systems and specific information they need to do their jobs + (the principle of Least Privilege).' annotation: "The principle of Least Privilege should be understood as the principle\ \ that a security architecture should be designed so that each employee is\ \ granted the minimum system resources and authorizations that the employee\ @@ -1424,12 +1451,16 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.4 - description: Nobody shall have administrator privileges for daily tasks. + description: '[KEY MEASURE] Nobody shall have administrator privileges for daily + tasks.' annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ @@ -1439,6 +1470,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 assessable: true depth: 4 @@ -1512,8 +1546,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 ref_id: BASIC_PR.AC-5.1 - description: Firewalls shall be installed and activated on all the organization's - networks. + description: '[KEY MEASURE] Firewalls shall be installed and activated on all + the organization''s networks.' annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\ \ between your internal network and the Internet. This may be a function of\ \ a (wireless) access point/router, or it may be a function of a router provided\ @@ -1532,13 +1566,17 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 ref_id: BASIC_PR.AC-5.2 - description: Where appropriate, network integrity of the organization's critical - systems shall be protected by incorporating network segmentation and segregation. + description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s + critical systems shall be protected by incorporating network segmentation + and segregation.' annotation: "\u2022\tConsider creating different security zones in the network\ \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\ \ control mechanisms) and control/monitor the traffic between these zones.\n\ @@ -1548,13 +1586,16 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 ref_id: IMPORTANT_PR.AC-5.3 - description: 'Where appropriate, network integrity of the organization''s critical - systems shall be protected by + description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s + critical systems shall be protected by (1) Identifying, documenting, and controlling connections between system components. @@ -1565,14 +1606,17 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 ref_id: IMPORTANT_PR.AC-5.4 - description: 'The organization shall monitor and control connections and communications - at the external boundary and at key internal boundaries within the organization''s - critical systems by implementing boundary protection devices where appropriate. ' + description: '[KEY MEASURE] The organization shall monitor and control connections + and communications at the external boundary and at key internal boundaries + within the organization''s critical systems by implementing boundary protection + devices where appropriate. ' annotation: "Consider implementing the following recommendations:\n\u2022\t\ Separate your public WIFI network from your business network.\n\u2022\tProtect\ \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\ @@ -1585,6 +1629,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 assessable: true depth: 4 @@ -1650,16 +1696,17 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 ref_id: IMPORTANT_PR.AC-7.1 - description: "The organization shall perform a documented risk assessment on\ - \ organization's critical system transactions and authenticate users, devices,\ - \ and other assets (e.g., single-factor, multi-factor) commensurate with the\ - \ risk of the transaction (e.g., individuals\u2019 security and privacy risks\ - \ and other organizational risks)." + description: "[KEY MEASURE for ESSENTIAL] The organization shall perform a documented\ + \ risk assessment on organization's critical system transactions and authenticate\ + \ users, devices, and other assets (e.g., single-factor, multi-factor) commensurate\ + \ with the risk of the transaction (e.g., individuals\u2019 security and privacy\ + \ risks and other organizational risks)." annotation: Consider a security-by-design approach for new systems; For existing systems a separate risk assessment should be used. implementation_groups: - I - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at assessable: false depth: 2 @@ -2012,10 +2059,10 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 ref_id: IMPORTANT_PR.DS-5.1 - description: The organization shall take appropriate actions resulting in the - monitoring of its critical systems at external borders and critical internal - points when unauthorized access and activities, including data leakage, is - detected. + description: '[KEY MEASURE] The organization shall take appropriate actions + resulting in the monitoring of its critical systems at external borders and + critical internal points when unauthorized access and activities, including + data leakage, is detected.' annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\ \ access rights, daily backups, data encryption, installation of firewalls,\ \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ @@ -2024,6 +2071,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 assessable: false depth: 3 @@ -2149,8 +2198,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 ref_id: IMPORTANT_PR.IP-1.1 - description: 'The organization shall develop, document, and maintain a baseline - configuration for the its business critical systems. ' + description: '[KEY MEASURE] The organization shall develop, document, and maintain + a baseline configuration for the its business critical systems. ' annotation: "\u2022\tThis control includes the concept of least functionality.\n\ \u2022\tBaseline configurations include for example, information about organization's\ \ business critical systems, current version numbers and patch information\ @@ -2162,6 +2211,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 assessable: true depth: 4 @@ -2253,9 +2304,9 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 ref_id: BASIC_PR.IP-4.1 - description: Backups for organization's business critical data shall be conducted - and stored on a system different from the device on which the original data - resides + description: '[KEY MEASURE] Backups for organization''s business critical data + shall be conducted and stored on a system different from the device on which + the original data resides' annotation: "\u2022\tOrganization's business critical system's data includes\ \ for example software, configurations and settings, documentation, system\ \ configuration data including computer configuration backups, application\ @@ -2269,6 +2320,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 assessable: true depth: 4 @@ -2592,8 +2646,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 ref_id: BASIC_PR.MA-1.1 - description: Patches and security updates for Operating Systems and critical - system components shall be installed. + description: '[KEY MEASURE] Patches and security updates for Operating Systems + and critical system components shall be installed.' annotation: "The following should be considered:\n\u2022\tLimit yourself to\ \ only install those applications (operating systems, firmware, or plugins\ \ ) that you need to run your business and patch/update them regularly.\n\u2022\ @@ -2608,6 +2662,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 assessable: true depth: 4 @@ -2655,33 +2712,38 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 ref_id: PR.MA-1.5 - description: The organization shall prevent the unauthorized removal of maintenance - equipment containing organization's critical system information. + description: '[KEY MEASURE] The organization shall prevent the unauthorized + removal of maintenance equipment containing organization''s critical system + information.' annotation: This requirement maily focuses mainly on OT/ICS environments. implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 ref_id: PR.MA-1.6 - description: 'Maintenance tools and portable storage devices shall be inspected - when brought into the facility and shall be protected by anti-malware solutions - so that they are scanned for malicious code before they are used on organization''s - systems. ' + description: '[KEY MEASURE] Maintenance tools and portable storage devices shall + be inspected when brought into the facility and shall be protected by anti-malware + solutions so that they are scanned for malicious code before they are used + on organization''s systems. ' annotation: No additional guidance on this topic. implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 ref_id: PR.MA-1.7 - description: The organization shall verify security controls following hardware - and software maintenance or repairs/patching and take action as appropriate. + description: '[KEY MEASURE] The organization shall verify security controls + following hardware and software maintenance or repairs/patching and take action + as appropriate.' annotation: No additional guidance on this topic. implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 assessable: false depth: 3 @@ -2745,7 +2807,7 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 ref_id: BASIC_PR.PT-1.1 - description: ' Logs shall be maintained, documented, and reviewed.' + description: '[KEY MEASURE] Logs shall be maintained, documented, and reviewed.' annotation: "\u2022\tEnsure the activity logging functionality of protection\ \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\ \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\ @@ -2757,6 +2819,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 assessable: true depth: 4 @@ -2825,13 +2890,14 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 ref_id: PR.PT-2.3 - description: Portable storage devices containing system data shall be controlled - and protected while in transit and in storage. + description: '[KEY MEASURE] Portable storage devices containing system data + shall be controlled and protected while in transit and in storage.' annotation: Protection and control should include the scanning of all portable storage devices for malicious code before they are used on organization's systems. implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 assessable: false depth: 3 @@ -2949,9 +3015,9 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 ref_id: DE.AE-1.1 - description: The organization shall ensure that a baseline of network operations - and expected data flows for its critical systems is developed, documented - and maintained to track events. + description: '[KEY MEASURE] The organization shall ensure that a baseline of + network operations and expected data flows for its critical systems is developed, + documented and maintained to track events.' annotation: "\u2022\tConsider enabling local logging on all your systems and\ \ network devices and keep them for a certain period, for example up to 6\ \ months.\n\u2022\tEnsure that your logs contain enough information (source,\ @@ -2961,6 +3027,7 @@ objects: \ facilitate the correlation and analysis of your data." implementation_groups: - E + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 assessable: false depth: 3 @@ -3001,9 +3068,9 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 ref_id: BASIC_DE.AE-3.1 - description: "The activity logging functionality of protection / detection hardware\ - \ or software \n(e.g. firewalls, anti-virus) shall be enabled, backed-up and\ - \ reviewed." + description: "[KEY MEASURE] The activity logging functionality of protection\ + \ / detection hardware or software \n(e.g. firewalls, anti-virus) shall be\ + \ enabled, backed-up and reviewed." annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\ \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\ \ as a large use of social media websites or an unusual number of viruses\ @@ -3014,6 +3081,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 assessable: true depth: 4 @@ -3118,9 +3188,9 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 ref_id: IMPORTANT_DE.CM-1.2 - description: The organization shall monitor and identify unauthorized use of - its business critical systems through the detection of unauthorized local - connections, network connections and remote connections. + description: '[KEY MEASURE] The organization shall monitor and identify unauthorized + use of its business critical systems through the detection of unauthorized + local connections, network connections and remote connections.' annotation: "\u2022\tMonitoring of network communications should happen at the\ \ external boundary of the organization's business critical systems and at\ \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ @@ -3129,6 +3199,8 @@ objects: implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 assessable: true depth: 4 @@ -3233,8 +3305,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 ref_id: BASIC_DE.CM-4.1 - description: Anti-virus, -spyware, and other -malware programs shall be installed - and updated. + description: '[KEY MEASURE] Anti-virus, -spyware, and other -malware programs + shall be installed and updated.' annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\ \ be countered by installing, using, and regularly updating anti-virus and\ \ anti-spyware software on every device used in company\u2019s business (including\ @@ -3248,6 +3320,9 @@ objects: - B - I - E + - BK + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 assessable: true depth: 4 @@ -3781,14 +3856,16 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 ref_id: IMPORTANT_RS.AN-5.1 - description: 'The organization shall implement vulnerability management processes - and procedures that include processing, analyzing and remedying vulnerabilities - from internal and external sources. ' + description: '[KEY MEASURE] The organization shall implement vulnerability management + processes and procedures that include processing, analyzing and remedying + vulnerabilities from internal and external sources. ' annotation: Internal and external sources could be e.g. internal testing, security bulletins, or security researchers. implementation_groups: - I - E + - IK + - EK - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 assessable: true depth: 4 diff --git a/backend/library/libraries/ens-decreto.yaml b/backend/library/libraries/ens-decreto.yaml new file mode 100644 index 000000000..79c69b7de --- /dev/null +++ b/backend/library/libraries/ens-decreto.yaml @@ -0,0 +1,10687 @@ +urn: urn:intuitem:risk:library:esquema-nacional-de-seguridad +locale: es +ref_id: ENS +name: Esquema Nacional de Seguridad(Real Decreto 311/2022) +description: "El Real Decreto 3/2010, de 8 de enero, por el que se regula el Esquema\ + \ Nacional de Seguridad en el \xE1mbito de la Administraci\xF3n Electr\xF3nica (en\ + \ adelante, ENS) ten\xEDa por objeto determinar la pol\xEDtica de seguridad en la\ + \ utilizaci\xF3n de medios electr\xF3nicos de las entidades de su \xE1mbito de aplicaci\xF3\ + n, estando constituido por los principios b\xE1sicos y requisitos m\xEDnimos que\ + \ han venido garantizando adecuadamente la seguridad de la informaci\xF3n tratada\ + \ y los servicios prestados por dichas entidades.\n\nHere is the link of the document\ + \ :\nhttps://www.boe.es/eli/es/rd/2022/05/03/311\n\nHere is the link of the CCN-STIC\ + \ Security Guides:\nhttps://www.ccn-cert.cni.es/es/guias.html" +copyright: "BOLET\xCDN OFICIAL DEL ESTADO" +version: 1 +provider: "Ministerio espa\xF1ol de Asuntos Econ\xF3micos y Transformaci\xF3n Digital " +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:esquema-nacional-de-seguridad + ref_id: ENS + name: Esquema Nacional de Seguridad + description: "El Real Decreto 3/2010, de 8 de enero, por el que se regula el Esquema\ + \ Nacional de Seguridad en el \xE1mbito de la Administraci\xF3n Electr\xF3nica\ + \ (en adelante, ENS) ten\xEDa por objeto determinar la pol\xEDtica de seguridad\ + \ en la utilizaci\xF3n de medios electr\xF3nicos de las entidades de su \xE1\ + mbito de aplicaci\xF3n, estando constituido por los principios b\xE1sicos y\ + \ requisitos m\xEDnimos que han venido garantizando adecuadamente la seguridad\ + \ de la informaci\xF3n tratada y los servicios prestados por dichas entidades.\n\ + \nHere is the link of the document :\nhttps://www.boe.es/eli/es/rd/2022/05/03/311\n\ + \nHere is the link of the CCN-STIC Security Guides:\nhttps://www.ccn-cert.cni.es/es/guias.html" + implementation_groups_definition: + - ref_id: "B\xC1SICA" + name: "B\xC1SICA" + description: "Categor\xEDa de seguridad del sistema\nUna medida que se aplica\ + \ en sistemas de categor\xEDa B\xC1SICA o superior \nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa B\xC1SICA si alguna de sus dimensiones de seguridad\ + \ alcanza el nivel BAJO, y ninguna alcanza un nivel superior.\n\nLos sistemas\ + \ de informaci\xF3n de categor\xEDa B\xC1SICA no necesitar\xE1n realizar una\ + \ auditor\xEDa. Bastar\xE1 una autoevaluaci\xF3n realizada por el mismo personal\ + \ que administra el sistema de informaci\xF3n o en quien \xE9ste delegue." + - ref_id: MEDIA + name: MEDIA + description: "Categor\xEDa de seguridad del sistema\nUna medida que se empiezan\ + \ a aplicar en categor\xEDa MEDIA o superior.\nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa MEDIA si alguna de sus dimensiones de seguridad\ + \ alcanza el nivel de seguridad MEDIO, y ninguna alcanza un nivel de seguridad\ + \ superior." + - ref_id: ALTA + name: ALTA + description: "Categor\xEDa de seguridad del sistema\nLos medidas o refuerzos\ + \ que son solo de aplicaci\xF3n en categor\xEDa ALTA o requieren un esfuerzo\ + \ en seguridad superior al de categor\xEDa MEDIA.\nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa ALTA si alguna de sus dimensiones de seguridad alcanza\ + \ el nivel de seguridad ALTO." + - ref_id: BAJO + name: BAJO + description: "Nivel de las dimensiones de seguridad\nUna medida que se aplica\ + \ en sistemas de categor\xEDa B\xC1SICA o superior \nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa B\xC1SICA si alguna de sus dimensiones de seguridad\ + \ alcanza el nivel BAJO, y ninguna alcanza un nivel superior.\"" + - ref_id: MEDIO + name: MEDIO + description: "Nivel de las dimensiones de seguridad\nUna medida que se empiezan\ + \ a aplicar en categor\xEDa MEDIA o superior.\nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa MEDIA si alguna de sus dimensiones de seguridad\ + \ alcanza el nivel de seguridad MEDIO, y ninguna alcanza un nivel de seguridad\ + \ superior." + - ref_id: ALTO + name: ALTO + description: "Nivel de las dimensiones de seguridad\nLos medidas o refuerzos\ + \ que son solo de aplicaci\xF3n en categor\xEDa ALTA o requieren un esfuerzo\ + \ en seguridad superior al de categor\xEDa MEDIA.\nUn sistema de informaci\xF3\ + n ser\xE1 de categor\xEDa ALTA si alguna de sus dimensiones de seguridad alcanza\ + \ el nivel de seguridad ALTO." + - ref_id: C + name: 'Confidencialidad ' + description: Dimensiones de la seguridad + - ref_id: I + name: Integridad + description: Dimensiones de la seguridad + - ref_id: T + name: Trazabilidad + description: Dimensiones de la seguridad + - ref_id: A + name: Autenticidad + description: Dimensiones de la seguridad + - ref_id: D + name: Disponibilidad + description: Dimensiones de la seguridad + requirement_nodes: + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-i" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO I" + name: Disposiciones generales + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-1" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-i" + ref_id: "Art\xEDculo 1" + name: Objeto. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:1.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-1" + ref_id: '1.1' + description: "Este real decreto tiene por objeto regular el Esquema Nacional\ + \ de Seguridad (en adelante, ENS), establecido en el art\xEDculo 156.2 de\ + \ la Ley 40/2015, de 1 de octubre, de R\xE9gimen Jur\xEDdico del Sector P\xFA\ + blico." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:1.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-1" + ref_id: '1.2' + description: " El ENS est\xE1 constituido por los principios b\xE1sicos y requisitos\ + \ m\xEDnimos necesarios para una protecci\xF3n adecuada de la informaci\xF3\ + n tratada y los servicios prestados por las entidades de su \xE1mbito de aplicaci\xF3\ + n, con objeto de asegurar el acceso, la confidencialidad, la integridad, la\ + \ trazabilidad, la autenticidad, la disponibilidad y la conservaci\xF3n de\ + \ los datos, la informaci\xF3n y los servicios utilizados por medios electr\xF3\ + nicos que gestionen en el ejercicio de sus competencias." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:1.3 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-1" + ref_id: '1.3' + description: "Lo dispuesto en este real decreto, por cuanto afecta a los sistemas\ + \ de informaci\xF3n utilizados para la prestaci\xF3n de los servicios p\xFA\ + blicos, deber\xE1 considerarse comprendido en los recursos y procedimientos\ + \ integrantes del Sistema de Seguridad Nacional recogidos en la Ley 36/2015,\ + \ de 28 de septiembre, de Seguridad Nacional." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-2" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-i" + ref_id: "Art\xEDculo 2" + name: "\xC1mbito de aplicaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:2.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + ref_id: '2.1' + description: "El presente real decreto es de aplicaci\xF3n a todo el sector\ + \ p\xFAblico, en los t\xE9rminos en que este se define por el art\xEDculo\ + \ 2 de la Ley 40/2015, de 1 de octubre, y de acuerdo con lo previsto en el\ + \ art\xEDculo 156.2 de la misma" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:2.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + ref_id: '2.2' + description: "Asimismo, sin perjuicio de la aplicaci\xF3n de la Ley 9/1968,\ + \ de 5 de abril, de Secretos Oficiales y otra normativa especial, este real\ + \ decreto ser\xE1 de aplicaci\xF3n a los sistemas que tratan informaci\xF3\ + n clasificada, pudiendo resultar necesario adoptar medidas complementarias\ + \ de seguridad, espec\xEDficas para dichos sistemas, derivadas de los compromisos\ + \ internacionales contra\xEDdos por Espa\xF1a o de su pertenencia a organismos\ + \ o foros internacionales" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:2.3 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + ref_id: '2.3' + description: "Este real decreto tambi\xE9n se aplica a los sistemas de informaci\xF3\ + n de las entidades del sector privado, incluida la obligaci\xF3n de contar\ + \ con la pol\xEDtica de seguridad a que se refiere el art\xEDculo 12, cuando,\ + \ de acuerdo con la normativa aplicable y en virtud de una relaci\xF3n contractual,\ + \ presten servicios o provean soluciones a las entidades del sector p\xFA\ + blico para el ejercicio por estas de sus competencias y potestades administrativas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node11 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + description: "La pol\xEDtica de seguridad a que se refiere el art\xEDculo 12\ + \ ser\xE1 aprobada en el caso de estas entidades por el \xF3rgano que ostente\ + \ las m\xE1ximas competencias ejecutivas." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node12 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + description: "Los pliegos de prescripciones administrativas o t\xE9cnicas de\ + \ los contratos que celebren las entidades del sector p\xFAblico incluidas\ + \ en el \xE1mbito de aplicaci\xF3n de este real decreto contemplar\xE1n todos\ + \ aquellos requisitos necesarios para asegurar la conformidad con el ENS de\ + \ los sistemas de informaci\xF3n en los que se sustenten los servicios prestados\ + \ por los contratistas, tales como la presentaci\xF3n de las correspondientes\ + \ Declaraciones o Certificaciones de Conformidad con el ENS" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node13 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + description: "Esta cautela se extender\xE1 tambi\xE9n a la cadena de suministro\ + \ de dichos contratistas, en la medida que sea necesario y de acuerdo con\ + \ los resultados del correspondiente an\xE1lisis de riesgos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:2.4 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-2" + ref_id: '2.4' + description: "Cuando las entidades del sector p\xFAblico lleven a cabo la instalaci\xF3\ + n, despliegue y explotaci\xF3n de redes 5G o la prestaci\xF3n de servicios\ + \ 5G, adem\xE1s de las previsiones de este real decreto ser\xE1 de aplicaci\xF3\ + n lo establecido en el Real Decreto-ley 7/2022, de 29 de marzo, sobre requisitos\ + \ para garantizar la seguridad de las redes y servicios de comunicaciones\ + \ electr\xF3nicas de quinta generaci\xF3n, en particular, lo dispuesto en\ + \ su art\xEDculo 17 relativo a la gesti\xF3n de seguridad por las administraciones\ + \ p\xFAblicas, as\xED como su normativa de desarrollo" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-3" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-i" + ref_id: "Art\xEDculo 3" + name: "Sistemas de informaci\xF3n que traten datos personales" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:3.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-3" + ref_id: '3.1' + description: "Cuando un sistema de informaci\xF3n trate datos personales le\ + \ ser\xE1 de aplicaci\xF3n lo dispuesto en el Reglamento (UE) 2016/679 del\ + \ Parlamento Europeo y del Consejo, de 27 de abril de 2016, relativo a la\ + \ protecci\xF3n de las personas f\xEDsicas en lo que respecta al tratamiento\ + \ de datos personales y a la libre circulaci\xF3n de estos datos y por el\ + \ que se deroga la Directiva 95/46/CE (Reglamento General de Protecci\xF3\ + n de Datos) y en la Ley Org\xE1nica 3/2018, de 5 de diciembre, de Protecci\xF3\ + n de Datos Personales y garant\xEDa de los derechos digitales, o, en su caso,\ + \ la Ley Org\xE1nica 7/2021, de 26 de mayo, de protecci\xF3n de datos personales\ + \ tratados para fines de prevenci\xF3n, detecci\xF3n, investigaci\xF3n y enjuiciamiento\ + \ de infracciones penales y de ejecuci\xF3n de sanciones penales, el resto\ + \ de normativa de aplicaci\xF3n, as\xED como los criterios que se establezcan\ + \ por la Agencia Espa\xF1ola de Protecci\xF3n de Datos o en su \xE1mbito competencial,\ + \ por las autoridades auton\xF3micas de protecci\xF3n de datos, sin perjuicio\ + \ de los requisitos establecidos en el presente real decreto" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:3.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-3" + ref_id: '3.2' + description: "En estos supuestos, el responsable o el encargado del tratamiento,\ + \ asesorado por el delegado de protecci\xF3n de datos, realizar\xE1n un an\xE1\ + lisis de riesgos conforme al art\xEDculo 24 del Reglamento General de Protecci\xF3\ + n de Datos y, en los supuestos de su art\xEDculo 35, una evaluaci\xF3n de\ + \ impacto en la protecci\xF3n de datos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:3.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-3" + ref_id: '3.3' + description: "En todo caso, prevalecer\xE1n las medidas a implantar como consecuencia\ + \ del an\xE1lisis de riesgos y, en su caso, de la evaluaci\xF3n de impacto\ + \ a los que se refiere el apartado anterior, en caso de resultar agravadas\ + \ respecto de las previstas en el presente real decreto." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-4" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-i" + ref_id: "Art\xEDculo 4" + name: Definiciones + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node20 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-4" + description: "A los efectos previstos en este real decreto, las definiciones,\ + \ palabras, expresiones y t\xE9rminos han de ser entendidos en el sentido\ + \ indicado en el Glosario de t\xE9rminos incluido en el anexo IV" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-ii" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO II" + name: "Principios b\xE1sicos" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-5" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 5" + name: "Principios b\xE1sicos del Esquema Nacional de Seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-5" + description: "El objeto \xFAltimo de la seguridad de la informaci\xF3n es garantizar\ + \ que una organizaci\xF3n podr\xE1 cumplir sus objetivos, desarrollar sus\ + \ funciones y ejercer sus competencias utilizando sistemas de informaci\xF3\ + n. Por ello, en materia de seguridad de la informaci\xF3n deber\xE1n tenerse\ + \ en cuenta los siguientes principios b\xE1sicos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.a + description: Seguridad como proceso integral. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.b + description: "Gesti\xF3n de la seguridad basada en los riesgos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.c + description: "Prevenci\xF3n, detecci\xF3n, respuesta y conservaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.d + description: "Existencia de l\xEDneas de defensa." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.e + description: Vigilancia continua. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.f + description: "Reevaluaci\xF3n peri\xF3dica." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:5.g + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node23 + ref_id: 5.g + description: "Diferenciaci\xF3n de responsabilidades." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-6" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 6" + name: La seguridad como un proceso integral + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:6.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-6" + ref_id: '6.1' + description: "La seguridad se entiende como un proceso integral constituido\ + \ por todos los elementos humanos, materiales, t\xE9cnicos, jur\xEDdicos y\ + \ organizativos relacionados con el sistema de informaci\xF3n. La aplicaci\xF3\ + n del ENS estar\xE1 presidida por este principio, que excluye cualquier actuaci\xF3\ + n puntual o tratamiento coyuntural" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:6.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-6" + ref_id: '6.2' + description: "Se prestar\xE1 la m\xE1xima atenci\xF3n a la concienciaci\xF3\ + n de las personas que intervienen en el proceso y la de los responsables jer\xE1\ + rquicos, para evitar que, la ignorancia, la falta de organizaci\xF3n y de\ + \ coordinaci\xF3n o de instrucciones adecuadas, constituyan fuentes de riesgo\ + \ para la seguridad" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-7" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 7" + name: "Gesti\xF3n de la seguridad basada en los riesgos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:7.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-7" + ref_id: '7.1' + description: "El an\xE1lisis y la gesti\xF3n de los riesgos es parte esencial\ + \ del proceso de seguridad, debiendo constituir una actividad continua y permanentemente\ + \ actualizada" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:7.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-7" + ref_id: '7.2' + description: "La gesti\xF3n de los riesgos permitir\xE1 el mantenimiento de\ + \ un entorno controlado, minimizando los riesgos a niveles aceptables. La\ + \ reducci\xF3n a estos niveles se realizar\xE1 mediante una apropiada aplicaci\xF3\ + n de medidas de seguridad, de manera equilibrada y proporcionada a la naturaleza\ + \ de la informaci\xF3n tratada, de los servicios a prestar y de los riesgos\ + \ a los que est\xE9n expuestos" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-8" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 8" + name: "Prevenci\xF3n, detecci\xF3n, respuesta y conservaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:8.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + ref_id: '8.1' + description: "La seguridad del sistema debe contemplar las acciones relativas\ + \ a los aspectos de prevenci\xF3n, detecci\xF3n y respuesta, al objeto de\ + \ minimizar sus vulnerabilidades y lograr que las amenazas sobre el mismo\ + \ no se materialicen o que, en el caso de hacerlo, no afecten gravemente a\ + \ la informaci\xF3n que maneja o a los servicios que presta" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:8.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + ref_id: '8.2' + description: "Las medidas de prevenci\xF3n, que podr\xE1n incorporar componentes\ + \ orientados a la disuasi\xF3n o a la reducci\xF3n de la superficie de exposici\xF3\ + n, deben eliminar o reducir la posibilidad de que las amenazas lleguen a materializarse" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:8.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + ref_id: '8.3' + description: "Las medidas de detecci\xF3n ir\xE1n dirigidas a descubrir la presencia\ + \ de un ciberincidente" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:8.4 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + ref_id: '8.4' + description: "Las medidas de respuesta, que se gestionar\xE1n en tiempo oportuno,\ + \ estar\xE1n orientadas a la restauraci\xF3n de la informaci\xF3n y los servicios\ + \ que pudieran haberse visto afectados por un incidente de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:8.5 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + ref_id: '8.5' + description: "Sin merma de los restantes principios b\xE1sicos y requisitos\ + \ m\xEDnimos establecidos, el sistema de informaci\xF3n garantizar\xE1 la\ + \ conservaci\xF3n de los datos e informaci\xF3n en soporte electr\xF3nico" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node43 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-8" + description: "De igual modo, el sistema mantendr\xE1 disponibles los servicios\ + \ durante todo el ciclo vital de la informaci\xF3n digital, a trav\xE9s de\ + \ una concepci\xF3n y procedimientos que sean la base para la preservaci\xF3\ + n del patrimonio digital" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-9" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 9" + name: "Existencia de l\xEDneas de defensa" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-9" + ref_id: '9.1' + description: "El sistema de informaci\xF3n ha de disponer de una estrategia\ + \ de protecci\xF3n constituida por m\xFAltiples capas de seguridad, dispuesta\ + \ de forma que, cuando una de las capas sea comprometida, permita" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.1 + ref_id: 9.1.a + description: "Desarrollar una reacci\xF3n adecuada frente a los incidentes que\ + \ no han podido evitarse, reduciendo la probabilidad de que el sistema sea\ + \ comprometido en su conjunto" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.1 + ref_id: 9.1.b + description: Minimizar el impacto final sobre el mismo + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:9.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-9" + ref_id: '9.2' + description: " Las l\xEDneas de defensa han de estar constituidas por medidas\ + \ de naturaleza organizativa, f\xEDsica y l\xF3gica" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-10" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 10" + name: "Vigilancia continua y reevaluaci\xF3n peri\xF3dica" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:10.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-10" + ref_id: '10.1' + description: "La vigilancia continua permitir\xE1 la detecci\xF3n de actividades\ + \ o comportamientos an\xF3malos y su oportuna respuesta" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:10.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-10" + ref_id: '10.2' + description: "La evaluaci\xF3n permanente del estado de la seguridad de los\ + \ activos permitir\xE1 medir su evoluci\xF3n, detectando vulnerabilidades\ + \ e identificando deficiencias de configuraci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:10.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-10" + ref_id: '10.3' + description: "Las medidas de seguridad se reevaluar\xE1n y actualizar\xE1n peri\xF3\ + dicamente, adecuando su eficacia a la evoluci\xF3n de los riesgos y los sistemas\ + \ de protecci\xF3n, pudiendo llegar a un replanteamiento de la seguridad,\ + \ si fuese necesario" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-11" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-ii" + ref_id: "Art\xEDculo 11" + name: "Diferenciaci\xF3n de responsabilidades" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:11.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-11" + ref_id: '11.1' + description: "En los sistemas de informaci\xF3n se diferenciar\xE1 el responsable\ + \ de la informaci\xF3n, el responsable del servicio, el responsable de la\ + \ seguridad y el responsable del sistema" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:11.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-11" + ref_id: '11.2' + description: "La responsabilidad de la seguridad de los sistemas de informaci\xF3\ + n estar\xE1 diferenciada de la responsabilidad sobre la explotaci\xF3n de\ + \ los sistemas de informaci\xF3n concernidos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:11.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-11" + ref_id: '11.3' + description: "La pol\xEDtica de seguridad de la organizaci\xF3n detallar\xE1\ + \ las atribuciones de cada responsable y los mecanismos de coordinaci\xF3\ + n y resoluci\xF3n de conflictos" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-iii" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO III" + name: "Pol\xEDtica de seguridad y requisitos m\xEDnimos de seguridad" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-12" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 12" + name: "Pol\xEDtica de seguridad y requisitos m\xEDnimos de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.1' + description: "La pol\xEDtica de seguridad de la informaci\xF3n es el conjunto\ + \ de directrices que rigen la forma en que una organizaci\xF3n gestiona y\ + \ protege la informaci\xF3n que trata y los servicios que presta. A tal efecto,\ + \ el instrumento que apruebe dicha pol\xEDtica de seguridad deber\xE1 incluir,\ + \ como m\xEDnimo, los siguientes extremos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.a + description: "Los objetivos o misi\xF3n de la organizaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.b + description: "El marco regulatorio en el que se desarrollar\xE1n las actividades." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.c + description: "Los roles o funciones de seguridad, definiendo para cada uno,\ + \ sus deberes y responsabilidades, as\xED como el procedimiento para su designaci\xF3\ + n y renovaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.d + description: "La estructura y composici\xF3n del comit\xE9 o los comit\xE9s\ + \ para la gesti\xF3n y coordinaci\xF3n de la seguridad, detallando su \xE1\ + mbito de responsabilidad y la relaci\xF3n con otros elementos de la organizaci\xF3\ + n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.e + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.e + description: "Las directrices para la estructuraci\xF3n de la documentaci\xF3\ + n de seguridad del sistema, su gesti\xF3n y acceso" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1.f + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.1 + ref_id: 12.1.f + description: Los riesgos que se derivan del tratamiento de los datos personales + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.2' + description: "Cada administraci\xF3n p\xFAblica contar\xE1 con una pol\xEDtica\ + \ de seguridad formalmente aprobada por el \xF3rgano competente. Asimismo,\ + \ cada \xF3rgano o entidad con personalidad jur\xEDdica propia comprendido\ + \ en el \xE1mbito subjetivo del art\xEDculo 2 deber\xE1 contar con una pol\xED\ + tica de seguridad formalmente aprobada por el \xF3rgano competente" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node67 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + description: "No obstante, la totalidad o una parte de los sujetos de un sector\ + \ p\xFAblico institucional podr\xE1n quedar incluidos en el \xE1mbito subjetivo\ + \ de la pol\xEDtica de seguridad aprobada por la Administraci\xF3n con la\ + \ que guarden relaci\xF3n de vinculaci\xF3n, dependencia o adscripci\xF3n,\ + \ cuando as\xED lo determinen los \xF3rganos competentes en el ejercicio de\ + \ las potestades de organizaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.3 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.3' + description: "En la Administraci\xF3n General del Estado, cada ministerio contar\xE1\ + \ con su pol\xEDtica de seguridad, que aprobar\xE1 la persona titular del\ + \ Departamento. Los organismos p\xFAblicos y entidades pertenecientes al sector\ + \ p\xFAblico institucional estatal podr\xE1n contar con su propia pol\xED\ + tica de seguridad, aprobada por el \xF3rgano competente, que ser\xE1 coherente\ + \ con la del Departamento con el que mantenga la relaci\xF3n de vinculaci\xF3\ + n, dependencia o adscripci\xF3n, o bien quedar comprendidos en el \xE1mbito\ + \ subjetivo de la pol\xEDtica de seguridad de este. Tambi\xE9n podr\xE1n contar\ + \ con su propia pol\xEDtica de seguridad, aprobada por el \xF3rgano competente,\ + \ coherente con la del Departamento del que dependan o al que est\xE9n adscritos,\ + \ los centros directivos de la propia Administraci\xF3n General del Estado\ + \ que gestionen servicios bajo la declaraci\xF3n de servicios compartidos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.4 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.4' + description: "La Secretar\xEDa General de Administraci\xF3n Digital del Ministerio\ + \ de Asuntos Econ\xF3micos y Transformaci\xF3n Digital dispondr\xE1 de su\ + \ propia pol\xEDtica de seguridad, que ser\xE1 aprobada por la persona titular\ + \ de la misma." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.5 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.5' + description: "Los municipios podr\xE1n disponer de una pol\xEDtica de seguridad\ + \ com\xFAn elaborada por la entidad local comarcal o provincial que asuma\ + \ la responsabilidad de la seguridad de la informaci\xF3n de los sistemas\ + \ municipales" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.6' + description: "La pol\xEDtica de seguridad se establecer\xE1 de acuerdo con los\ + \ principios b\xE1sicos se\xF1alados en el cap\xEDtulo II y se desarrollar\xE1\ + \ aplicando los siguientes requisitos m\xEDnimos:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.a + description: "Organizaci\xF3n e implantaci\xF3n del proceso de seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.b + description: "An\xE1lisis y gesti\xF3n de los riesgos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.c + description: "Gesti\xF3n de personal." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.d + description: Profesionalidad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.e + description: "Autorizaci\xF3n y control de los accesos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.f + description: "Protecci\xF3n de las instalaciones." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.g + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.g + description: "Adquisici\xF3n de productos de seguridad y contrataci\xF3n de\ + \ servicios de seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.h + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.h + description: "M\xEDnimo privilegio." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.i + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.i + description: "Integridad y actualizaci\xF3n del sistema." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.j + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.j + description: "Protecci\xF3n de la informaci\xF3n almacenada y en tr\xE1nsito." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.k + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.k + description: "Prevenci\xF3n ante otros sistemas de informaci\xF3n interconectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.l + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.l + description: "Registro de la actividad y detecci\xF3n de c\xF3digo da\xF1ino." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.m + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.m + description: Incidentes de seguridad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.n + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: 12.6.n + description: Continuidad de la actividad. + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6.\xF1" + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.6 + ref_id: "12.6.\xF1" + description: Mejora continua del proceso de seguridad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:12.7 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-12" + ref_id: '12.7' + description: "Los requisitos m\xEDnimos se exigir\xE1n en proporci\xF3n a los\ + \ riesgos identificados en cada sistema, de conformidad con lo dispuesto en\ + \ el art\xEDculo 28, alguno de los cuales podr\xE1 obviarse en sistemas sin\ + \ riesgos significativos" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-13" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 13" + name: "Organizaci\xF3n e implantaci\xF3n del proceso de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + ref_id: '13.1' + description: "La seguridad de los sistemas de informaci\xF3n deber\xE1 comprometer\ + \ a todos los miembros de la organizaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + ref_id: '13.2' + description: "La pol\xEDtica de seguridad, en aplicaci\xF3n del principio de\ + \ diferenciaci\xF3n de responsabilidades a que se refiere el art\xEDculo 11\ + \ y seg\xFAn se detalla en la secci\xF3n 3.1 del anexo II, deber\xE1 ser conocida\ + \ por todas las personas que formen parte de la organizaci\xF3n e identificar\ + \ de forma inequ\xEDvoca a los responsables de velar por su cumplimiento,\ + \ los cuales tendr\xE1n las siguientes funciones" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2 + ref_id: 13.2.a + description: "El responsable de la informaci\xF3n determinar\xE1 los requisitos\ + \ de la informaci\xF3n tratada" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2 + ref_id: 13.2.b + description: "El responsable del servicio determinar\xE1 los requisitos de los\ + \ servicios prestados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2 + ref_id: 13.2.c + description: "El responsable de la seguridad determinar\xE1 las decisiones para\ + \ satisfacer los requisitos de seguridad de la informaci\xF3n y de los servicios,\ + \ supervisar\xE1 la implantaci\xF3n de las medidas necesarias para garantizar\ + \ que se satisfacen los requisitos y reportar\xE1 sobre estas cuestiones." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.2 + ref_id: 13.2.d + description: "El responsable del sistema, por s\xED o a trav\xE9s de recursos\ + \ propios o contratados, se encargar\xE1 de desarrollar la forma concreta\ + \ de implementar la seguridad en el sistema y de la supervisi\xF3n de la operaci\xF3\ + n diaria del mismo, pudiendo delegar en administradores u operadores bajo\ + \ su responsabilidad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + ref_id: '13.3' + description: "El responsable de la seguridad ser\xE1 distinto del responsable\ + \ del sistema, no debiendo existir dependencia jer\xE1rquica entre ambos.\ + \ En aquellas situaciones excepcionales en las que la ausencia justificada\ + \ de recursos haga necesario que ambas funciones recaigan en la misma persona\ + \ o en distintas personas entre las que exista relaci\xF3n jer\xE1rquica,\ + \ deber\xE1n aplicarse medidas compensatorias para garantizar la finalidad\ + \ del principio de diferenciaci\xF3n de responsabilidades previsto en el art\xED\ + culo 11." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.4 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + ref_id: '13.4' + description: "Una Instrucci\xF3n T\xE9cnica de Seguridad regular\xE1 el Esquema\ + \ de Certificaci\xF3n de Responsables de la Seguridad, que recoger\xE1 las\ + \ condiciones y requisitos exigibles a esta figura." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:13.5 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + ref_id: '13.5' + description: "En el caso de servicios externalizados, salvo por causa justificada\ + \ y documentada, la organizaci\xF3n prestataria de dichos servicios deber\xE1\ + \ designar un POC (Punto o Persona de Contacto) para la seguridad de la informaci\xF3\ + n tratada y el servicio prestado, que cuente con el apoyo de los \xF3rganos\ + \ de direcci\xF3n, y que canalice y supervise, tanto el cumplimiento de los\ + \ requisitos de seguridad del servicio que presta o soluci\xF3n que provea,\ + \ como las comunicaciones relativas a la seguridad de la informaci\xF3n y\ + \ la gesti\xF3n de los incidentes para el \xE1mbito de dicho servicio." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node98 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-13" + description: "Dicho POC de seguridad ser\xE1 el propio Responsable de Seguridad\ + \ de la organizaci\xF3n contratada, formar\xE1 parte de su \xE1rea o tendr\xE1\ + \ comunicaci\xF3n directa con la misma. Todo ello sin perjuicio de que la\ + \ responsabilidad \xFAltima resida en la entidad del sector p\xFAblico destinataria\ + \ de los citados servicios." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-14" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 14" + name: "An\xE1lisis y gesti\xF3n de los riesgos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:14.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-14" + ref_id: '14.1' + description: "Cada organizaci\xF3n que desarrolle e implante sistemas para el\ + \ tratamiento de la informaci\xF3n o la prestaci\xF3n de servicios realizar\xE1\ + \ su propia gesti\xF3n de riesgos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:14.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-14" + ref_id: '14.2' + description: "Esta gesti\xF3n se realizar\xE1 por medio del an\xE1lisis y tratamiento\ + \ de los riesgos a los que est\xE1 expuesto el sistema. Sin perjuicio de lo\ + \ dispuesto en el anexo II, se emplear\xE1 alguna metodolog\xEDa reconocida\ + \ internacionalmente." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:14.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-14" + ref_id: '14.3' + description: "Las medidas adoptadas para mitigar o suprimir los riesgos deber\xE1\ + n estar justificadas y, en todo caso, existir\xE1 una proporcionalidad entre\ + \ ellas y los riesgos." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-15" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 15" + name: "Gesti\xF3n de personal" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:15.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-15" + ref_id: '15.1' + description: "El personal, propio o ajeno, relacionado con los sistemas de informaci\xF3\ + n sujetos a lo dispuesto en este real decreto, deber\xE1 ser formado e informado\ + \ de sus deberes, obligaciones y responsabilidades en materia de seguridad.\ + \ Su actuaci\xF3n, que deber\xE1 ser supervisada para verificar que se siguen\ + \ los procedimientos establecidos, aplicar\xE1 las normas y procedimientos\ + \ operativos de seguridad aprobados en el desempe\xF1o de sus cometidos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:15.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-15" + ref_id: '15.2' + description: "El significado y alcance del uso seguro del sistema se concretar\xE1\ + \ y plasmar\xE1 en unas normas de seguridad que ser\xE1n aprobadas por la\ + \ direcci\xF3n o el \xF3rgano superior correspondiente." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-16" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 16" + name: Profesionalidad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:16.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-16" + ref_id: '16.1' + description: "La seguridad de los sistemas de informaci\xF3n estar\xE1 atendida\ + \ y ser\xE1 revisada y auditada por personal cualificado, dedicado e instruido\ + \ en todas las fases de su ciclo de vida: planificaci\xF3n, dise\xF1o, adquisici\xF3\ + n, construcci\xF3n, despliegue, explotaci\xF3n, mantenimiento, gesti\xF3n\ + \ de incidencias y desmantelamiento." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:16.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-16" + ref_id: '16.2' + description: "Las entidades del \xE1mbito de aplicaci\xF3n de este real decreto\ + \ exigir\xE1n, de manera objetiva y no discriminatoria, que las organizaciones\ + \ que les presten servicios de seguridad cuenten con profesionales cualificados\ + \ y con unos niveles id\xF3neos de gesti\xF3n y madurez en los servicios prestados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:16.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-16" + ref_id: '16.3' + description: "Las organizaciones determinar\xE1n los requisitos de formaci\xF3\ + n y experiencia necesaria del personal para el desarrollo de su puesto de\ + \ trabajo." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-17" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 17" + name: "Autorizaci\xF3n y control de los accesos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node111 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-17" + description: "El acceso controlado a los sistemas de informaci\xF3n comprendidos\ + \ en el \xE1mbito de aplicaci\xF3n de este real decreto deber\xE1 estar limitado\ + \ a los usuarios, procesos, dispositivos u otros sistemas de informaci\xF3\ + n, debidamente autorizados, y exclusivamente a las funciones permitidas." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-18" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 18" + name: "Protecci\xF3n de las instalaciones" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node113 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-18" + description: "Los sistemas de informaci\xF3n y su infraestructura de comunicaciones\ + \ asociada deber\xE1n permanecer en \xE1reas controladas y disponer de los\ + \ mecanismos de acceso adecuados y proporcionales en funci\xF3n del an\xE1\ + lisis de riesgos, sin perjuicio de lo establecido en la Ley 8/2011, de 28\ + \ de abril, por la que se establecen medidas para la protecci\xF3n de las\ + \ infraestructuras cr\xEDticas y en el Real Decreto 704/2011, de 20 de mayo,\ + \ por el que se aprueba el Reglamento de protecci\xF3n de las infraestructuras\ + \ cr\xEDticas." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-19" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 19" + name: "Adquisici\xF3n de productos de seguridad y contrataci\xF3n de servicios\ + \ de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-19" + ref_id: '19.1' + description: "En la adquisici\xF3n de productos de seguridad o contrataci\xF3\ + n de servicios de seguridad de las tecnolog\xEDas de la informaci\xF3n y la\ + \ comunicaci\xF3n que vayan a ser empleados en los sistemas de informaci\xF3\ + n del \xE1mbito de aplicaci\xF3n de este real decreto, se utilizar\xE1n, de\ + \ forma proporcionada a la categor\xEDa del sistema y el nivel de seguridad\ + \ determinados, aquellos que tengan certificada la funcionalidad de seguridad\ + \ relacionada con el objeto de su adquisici\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-19" + ref_id: '19.2' + description: "El Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n del Centro Criptol\xF3gico Nacional (en adelante, CCN), constituido al amparo\ + \ de lo dispuesto en el art\xEDculo 2.2.c) del Real Decreto 421/2004, de 12\ + \ de marzo, por el que se regula el Centro Criptol\xF3gico Nacional, teniendo\ + \ en cuenta los criterios y metodolog\xEDas de evaluaci\xF3n nacionales e\ + \ internacionales reconocidas por este organismo y en funci\xF3n del uso previsto\ + \ del producto o servicio concreto dentro de sus competencias, determinar\xE1\ + \ los siguientes aspectos:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2 + ref_id: 19.2.a + description: "Los requisitos funcionales de seguridad y de aseguramiento de\ + \ la certificaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2 + ref_id: 19.2.b + description: Otras certificaciones de seguridad adicionales que se requieran + normativamente. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.2 + ref_id: 19.2.c + description: Excepcionalmente, el criterio a seguir en los casos en que no existan + productos o servicios certificados. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:19.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-19" + ref_id: '19.3' + description: "Para la contrataci\xF3n de servicios de seguridad se estar\xE1\ + \ a lo se\xF1alado en los apartados anteriores y a lo dispuesto en el art\xED\ + culo 16." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-20" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 20" + name: "M\xEDnimo privilegio" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node122 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-20" + description: "Los sistemas de informaci\xF3n deben dise\xF1arse y configurarse\ + \ otorgando los m\xEDnimos privilegios necesarios para su correcto desempe\xF1\ + o, lo que implica incorporar los siguientes aspectos:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:20.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node122 + ref_id: 20.a + description: "El sistema proporcionar\xE1 la funcionalidad imprescindible para\ + \ que la organizaci\xF3n alcance sus objetivos competenciales o contractuales." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:20.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node122 + ref_id: 20.b + description: "Las funciones de operaci\xF3n, administraci\xF3n y registro de\ + \ actividad ser\xE1n las m\xEDnimas necesarias, y se asegurar\xE1 que s\xF3\ + lo son desarrolladas por las personas autorizadas, desde emplazamientos o\ + \ equipos asimismo autorizados; pudiendo exigirse, en su caso, restricciones\ + \ de horario y puntos de acceso facultados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:20.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node122 + ref_id: 20.c + description: "Se eliminar\xE1n o desactivar\xE1n, mediante el control de la\ + \ configuraci\xF3n, las funciones que sean innecesarias o inadecuadas al fin\ + \ que se persigue. El uso ordinario del sistema ha de ser sencillo y seguro,\ + \ de forma que una utilizaci\xF3n insegura requiera de un acto consciente\ + \ por parte del usuario." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:20.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node122 + ref_id: 20.d + description: "Se aplicar\xE1n gu\xEDas de configuraci\xF3n de seguridad para\ + \ las diferentes tecnolog\xEDas, adaptadas a la categorizaci\xF3n del sistema,\ + \ al efecto de eliminar o desactivar las funciones que sean innecesarias o\ + \ inadecuadas." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-21" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 21" + name: "Integridad y actualizaci\xF3n del sistema" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:21.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-21" + ref_id: '21.1' + description: "La inclusi\xF3n de cualquier elemento f\xEDsico o l\xF3gico en\ + \ el cat\xE1logo actualizado de activos del sistema, o su modificaci\xF3n,\ + \ requerir\xE1 autorizaci\xF3n formal previa." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:21.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-21" + ref_id: '21.2' + description: "La evaluaci\xF3n y monitorizaci\xF3n permanentes permitir\xE1\ + n adecuar el estado de seguridad de los sistemas atendiendo a las deficiencias\ + \ de configuraci\xF3n, las vulnerabilidades identificadas y las actualizaciones\ + \ que les afecten, as\xED como la detecci\xF3n temprana de cualquier incidente\ + \ que tenga lugar sobre los mismos." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-22" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 22" + name: "Protecci\xF3n de informaci\xF3n almacenada y en tr\xE1nsito" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:22.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-22" + ref_id: '22.1' + description: "En la organizaci\xF3n e implantaci\xF3n de la seguridad se prestar\xE1\ + \ especial atenci\xF3n a la informaci\xF3n almacenada o en tr\xE1nsito a trav\xE9\ + s de los equipos o dispositivos port\xE1tiles o m\xF3viles, los dispositivos\ + \ perif\xE9ricos, los soportes de informaci\xF3n y las comunicaciones sobre\ + \ redes abiertas, que deber\xE1n analizarse especialmente para lograr una\ + \ adecuada protecci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:22.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-22" + ref_id: '22.2' + description: "Se aplicar\xE1n procedimientos que garanticen la recuperaci\xF3\ + n y conservaci\xF3n a largo plazo de los documentos electr\xF3nicos producidos\ + \ por los sistemas de informaci\xF3n comprendidos en el \xE1mbito de aplicaci\xF3\ + n de este real decreto, cuando ello sea exigible." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:22.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-22" + ref_id: '22.3' + description: "Toda informaci\xF3n en soporte no electr\xF3nico que haya sido\ + \ causa o consecuencia directa de la informaci\xF3n electr\xF3nica a la que\ + \ se refiere este real decreto, deber\xE1 estar protegida con el mismo grado\ + \ de seguridad que \xE9sta. Para ello, se aplicar\xE1n las medidas que correspondan\ + \ a la naturaleza del soporte, de conformidad con las normas que resulten\ + \ de aplicaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-23" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 23" + name: "Prevenci\xF3n ante otros sistemas de informaci\xF3n interconectados" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node135 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-23" + description: "Se proteger\xE1 el per\xEDmetro del sistema de informaci\xF3n,\ + \ especialmente, si se conecta a redes p\xFAblicas, tal y como se definen\ + \ en la Ley 9/2014, de 9 de mayo, General de Telecomunicaciones, reforz\xE1\ + ndose las tareas de prevenci\xF3n, detecci\xF3n y respuesta a incidentes de\ + \ seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node136 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-23" + description: "En todo caso, se analizar\xE1n los riesgos derivados de la interconexi\xF3\ + n del sistema con otros sistemas y se controlar\xE1 su punto de uni\xF3n.\ + \ Para la adecuada interconexi\xF3n entre sistemas se estar\xE1 a lo dispuesto\ + \ en la Instrucci\xF3n T\xE9cnica de Seguridad correspondiente." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-24" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 24" + name: "Registro de actividad y detecci\xF3n de c\xF3digo da\xF1ino." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:24.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-24" + ref_id: '24.1' + description: "Con el prop\xF3sito de satisfacer el objeto de este real decreto,\ + \ con plenas garant\xEDas del derecho al honor, a la intimidad personal y\ + \ familiar y a la propia imagen de los afectados, y de acuerdo con la normativa\ + \ sobre protecci\xF3n de datos personales, de funci\xF3n p\xFAblica o laboral,\ + \ y dem\xE1s disposiciones que resulten de aplicaci\xF3n, se registrar\xE1\ + n las actividades de los usuarios, reteniendo la informaci\xF3n estrictamente\ + \ necesaria para monitorizar, analizar, investigar y documentar actividades\ + \ indebidas o no autorizadas, permitiendo identificar en cada momento a la\ + \ persona que act\xFAa." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:24.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-24" + ref_id: '24.2' + description: "Al objeto de preservar la seguridad de los sistemas de informaci\xF3\ + n, garantizando la rigurosa observancia de los principios de actuaci\xF3n\ + \ de las Administraciones p\xFAblicas, y de conformidad con lo dispuesto en\ + \ el Reglamento General de Protecci\xF3n de Datos y el respeto a los principios\ + \ de limitaci\xF3n de la finalidad, minimizaci\xF3n de los datos y limitaci\xF3\ + n del plazo de conservaci\xF3n all\xED enunciados, los sujetos comprendidos\ + \ en el art\xEDculo 2 podr\xE1n, en la medida estrictamente necesaria y proporcionada,\ + \ analizar las comunicaciones entrantes o salientes, y \xFAnicamente para\ + \ los fines de seguridad de la informaci\xF3n, de forma que sea posible impedir\ + \ el acceso no autorizado a las redes y sistemas de informaci\xF3n, detener\ + \ los ataques de denegaci\xF3n de servicio, evitar la distribuci\xF3n malintencionada\ + \ de c\xF3digo da\xF1ino as\xED como otros da\xF1os a las antedichas redes\ + \ y sistemas de informaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:24.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-24" + ref_id: '24.3' + description: "Para corregir o, en su caso, exigir responsabilidades, cada usuario\ + \ que acceda al sistema de informaci\xF3n deber\xE1 estar identificado de\ + \ forma \xFAnica, de modo que se sepa, en todo momento, qui\xE9n recibe derechos\ + \ de acceso, de qu\xE9 tipo son \xE9stos, y qui\xE9n ha realizado una determinada\ + \ actividad." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-25" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 25" + name: Incidentes de seguridad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:25.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-25" + ref_id: '25.1' + description: "La entidad titular de los sistemas de informaci\xF3n del \xE1\ + mbito de este real decreto dispondr\xE1 de procedimientos de gesti\xF3n de\ + \ incidentes de seguridad de acuerdo con lo previsto en el art\xEDculo 33,\ + \ la Instrucci\xF3n T\xE9cnica de Seguridad correspondiente y, en caso de\ + \ tratarse de un operador de servicios esenciales o de un proveedor de servicios\ + \ digitales, de acuerdo con lo previsto en el anexo del Real Decreto 43/2021,\ + \ de 26 de enero, por el que se desarrolla el Real Decreto-ley 12/2018, de\ + \ 7 de septiembre, de seguridad de las redes y sistemas de informaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:25.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-25" + ref_id: '25.2' + description: "Asimismo, se dispondr\xE1 de mecanismos de detecci\xF3n, criterios\ + \ de clasificaci\xF3n, procedimientos de an\xE1lisis y resoluci\xF3n, as\xED\ + \ como de los cauces de comunicaci\xF3n a las partes interesadas y el registro\ + \ de las actuaciones. Este registro se emplear\xE1 para la mejora continua\ + \ de la seguridad del sistema." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-26" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 26" + name: Continuidad de la actividad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node145 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-26" + description: "Los sistemas dispondr\xE1n de copias de seguridad y se establecer\xE1\ + n los mecanismos necesarios para garantizar la continuidad de las operaciones\ + \ en caso de p\xE9rdida de los medios habituales." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-27" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 27" + name: Mejora continua del proceso de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node147 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-27" + description: "El proceso integral de seguridad implantado deber\xE1 ser actualizado\ + \ y mejorado de forma continua. Para ello, se aplicar\xE1n los criterios y\ + \ m\xE9todos reconocidos en la pr\xE1ctica nacional e internacional relativos\ + \ a la gesti\xF3n de la seguridad de las tecnolog\xEDas de la informaci\xF3\ + n" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-28" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 28" + name: "Cumplimiento de los requisitos m\xEDnimos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-28" + ref_id: '28.1' + description: "Para dar cumplimiento a los requisitos m\xEDnimos establecidos\ + \ en el presente real decreto, las entidades comprendidas en su \xE1mbito\ + \ de aplicaci\xF3n adoptar\xE1n las medidas y refuerzos de seguridad correspondientes\ + \ indicados en el anexo II, teniendo en cuenta:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1 + ref_id: 28.1.a + description: "Los activos que constituyen los sistemas de informaci\xF3n concernidos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1 + ref_id: 28.1.b + description: "La categor\xEDa del sistema, seg\xFAn lo previsto en el art\xED\ + culo 40 y en el anexo I." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.1 + ref_id: 28.1.c + description: Las decisiones que se adopten para gestionar los riesgos identificados. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-28" + ref_id: '28.2' + description: "Las medidas a las que se refiere el apartado 1 tendr\xE1n la condici\xF3\ + n de m\xEDnimos exigibles, siendo ampliables a criterio del responsable de\ + \ la seguridad, quien podr\xE1 incluir medidas adicionales, habida cuenta\ + \ del estado de la tecnolog\xEDa, la naturaleza de la informaci\xF3n tratada\ + \ o los servicios prestados y los riesgos a que est\xE1n expuestos los sistemas\ + \ de informaci\xF3n afectados. La relaci\xF3n de medidas de seguridad seleccionadas\ + \ se formalizar\xE1 en un documento denominado Declaraci\xF3n de Aplicabilidad,\ + \ firmado por el responsable de la seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:28.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-28" + ref_id: '28.3' + description: "Las medidas de seguridad referenciadas en el anexo II podr\xE1\ + n ser reemplazadas por otras compensatorias, siempre y cuando se justifique\ + \ documentalmente que protegen, igual o mejor, del riesgo sobre los activos\ + \ (anexo I) y se satisfacen los principios b\xE1sicos y los requisitos m\xED\ + nimos previstos en los cap\xEDtulos II y III. Como parte integral de la Declaraci\xF3\ + n de Aplicabilidad se indicar\xE1, de forma detallada, la correspondencia\ + \ entre las medidas compensatorias implantadas y las medidas del anexo II\ + \ que compensan. El conjunto ser\xE1 objeto de la aprobaci\xF3n formal por\ + \ parte del responsable de la seguridad. Una Gu\xEDa CCN-STIC de las previstas\ + \ en la disposici\xF3n adicional segunda guiar\xE1 en la selecci\xF3n de dichas\ + \ medidas, as\xED como su registro e inclusi\xF3n en la Declaraci\xF3n de\ + \ Aplicabilidad." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-29" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 29" + name: Infraestructuras y servicios comunes + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node156 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-29" + description: "La utilizaci\xF3n de infraestructuras y servicios comunes de las\ + \ administraciones p\xFAblicas, incluidos los compartidos o transversales,\ + \ facilitar\xE1 el cumplimiento de lo dispuesto en este real decreto. Los\ + \ supuestos concretos de utilizaci\xF3n de estas infraestructuras y servicios\ + \ ser\xE1n determinados por cada administraci\xF3n p\xFAblica." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-30" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iii" + ref_id: "Art\xEDculo 30" + name: "Perfiles de cumplimiento espec\xEDficos y acreditaci\xF3n de entidades\ + \ de\nimplementaci\xF3n de configuraciones seguras." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:30.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-30" + ref_id: '30.1' + description: "En virtud del principio de proporcionalidad y buscando una eficaz\ + \ y eficiente aplicaci\xF3n del ENS a determinadas entidades o sectores de\ + \ actividad concretos, se podr\xE1n implementar perfiles de cumplimiento espec\xED\ + ficos que comprender\xE1n aquel conjunto de medidas de seguridad que, trayendo\ + \ causa del preceptivo an\xE1lisis de riesgos, resulten id\xF3neas para una\ + \ concreta categor\xEDa de seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:30.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-30" + ref_id: '30.2' + description: "De forma an\xE1loga a lo dispuesto en el apartado anterior, para\ + \ posibilitar la adecuada implantaci\xF3n y configuraci\xF3n de soluciones\ + \ o plataformas suministradas por terceros, que vayan a ser usadas por las\ + \ entidades comprendidas en el \xE1mbito de aplicaci\xF3n de este real decreto,\ + \ se podr\xE1n implementar esquemas de acreditaci\xF3n de entidades y validaci\xF3\ + n de personas, que garanticen la seguridad de dichas soluciones o plataformas\ + \ y la conformidad con lo dispuesto en este real decreto." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:30.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-30" + ref_id: '30.3' + description: "El CCN, en el ejercicio de sus competencias, validar\xE1 y publicar\xE1\ + \ los correspondientes perfiles de cumplimiento espec\xEDficos que se definan\ + \ y los antedichos esquemas de acreditaci\xF3n y validaci\xF3n, de acuerdo\ + \ con las instrucciones t\xE9cnicas de seguridad y gu\xEDas de seguridad aprobadas\ + \ conforme a lo previsto en la disposici\xF3n adicional segunda." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:30.4 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-30" + ref_id: '30.4' + description: " Las correspondientes instrucciones t\xE9cnicas de seguridad o,\ + \ en su caso, las gu\xEDas de Seguridad CCN-STIC, precisar\xE1n las condiciones\ + \ a las que deber\xE1n sujetarse las implementaciones en modo local de productos,\ + \ sistemas o servicios originariamente prestados en la nube o en forma remota,\ + \ as\xED como las condiciones espec\xEDficas para su evaluaci\xF3n y auditor\xED\ + a." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-iv" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO IV" + name: "Seguridad de los sistemas: auditor\xEDa, informe e incidentes de seguridad" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-31" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iv" + ref_id: "Art\xEDculo 31" + name: "Auditor\xEDa de la seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.1' + description: "Los sistemas de informaci\xF3n comprendidos en el \xE1mbito de\ + \ aplicaci\xF3n de este real decreto ser\xE1n objeto de una auditor\xEDa regular\ + \ ordinaria, al menos cada dos a\xF1os, que verifique el cumplimiento de los\ + \ requerimientos del ENS." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node165 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + description: "Con car\xE1cter extraordinario, deber\xE1 realizarse dicha auditor\xED\ + a siempre que se produzcan modificaciones sustanciales en los sistemas de\ + \ informaci\xF3n, que puedan repercutir en las medidas de seguridad requeridas.\ + \ La realizaci\xF3n de la auditoria extraordinaria determinar\xE1 la fecha\ + \ de c\xF3mputo para el c\xE1lculo de los dos a\xF1os, establecidos para la\ + \ realizaci\xF3n de la siguiente auditor\xEDa regular ordinaria, indicados\ + \ en el p\xE1rrafo anterior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node166 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + description: "El plazo de dos a\xF1os se\xF1alado en los p\xE1rrafos anteriores\ + \ podr\xE1 extenderse durante tres meses cuando concurran impedimentos de\ + \ fuerza mayor no imputables a la entidad titular del sistema o sistemas de\ + \ informaci\xF3n concernidos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.2' + description: "La auditor\xEDa se realizar\xE1 en funci\xF3n de la categor\xED\ + a del sistema y, en su caso, del perfil de cumplimiento espec\xEDfico que\ + \ corresponda, seg\xFAn lo dispuesto en los anexos I y III y de conformidad\ + \ con lo regulado en la Instrucci\xF3n T\xE9cnica de Seguridad de Auditor\xED\ + a de la Seguridad de los Sistemas de Informaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.3' + description: "En la realizaci\xF3n de las auditor\xEDas de la seguridad se utilizar\xE1\ + n los criterios, m\xE9todos de trabajo y de conducta generalmente reconocidos,\ + \ as\xED como la normalizaci\xF3n nacional e internacional aplicables a este\ + \ tipo de actividades." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.4 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.4' + description: "El informe de auditor\xEDa deber\xE1 dictaminar sobre el grado\ + \ de cumplimiento de este real decreto identificando los hallazgos de cumplimiento\ + \ e incumplimiento detectados. Deber\xE1, igualmente, incluir los criterios\ + \ metodol\xF3gicos de auditor\xEDa utilizados, el alcance y el objetivo de\ + \ la auditor\xEDa, y los datos, hechos y observaciones en que se basen las\ + \ conclusiones formuladas, todo ello de conformidad con la citada Instrucci\xF3\ + n T\xE9cnica de Seguridad de Auditor\xEDa de la Seguridad de los Sistemas\ + \ de Informaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.5 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.5' + description: "Los informes de auditor\xEDa ser\xE1n presentados al responsable\ + \ del sistema y al responsable de la seguridad. Estos informes ser\xE1n analizados\ + \ por este \xFAltimo que presentar\xE1 sus conclusiones al responsable del\ + \ sistema para que adopte las medidas correctoras adecuadas." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.6 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.6' + description: "En el caso de los sistemas de categor\xEDa ALTA, visto el dictamen\ + \ de auditor\xEDa y atendiendo a una eventual gravedad de las deficiencias\ + \ encontradas, el responsable del sistema podr\xE1 suspender temporalmente\ + \ el tratamiento de informaciones, la prestaci\xF3n de servicios o la total\ + \ operaci\xF3n del sistema, hasta su adecuada subsanaci\xF3n o mitigaci\xF3\ + n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:31.7 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-31" + ref_id: '31.7' + description: "Los informes de auditor\xEDa podr\xE1n ser requeridos por los\ + \ responsables de cada organizaci\xF3n, con competencias sobre seguridad de\ + \ las tecnolog\xEDas de la informaci\xF3n, y por el CCN." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-32" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iv" + ref_id: "Art\xEDculo 32" + name: Informe del estado de la seguridad. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:32.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-32" + ref_id: '32.1' + description: "La Comisi\xF3n Sectorial de Administraci\xF3n Electr\xF3nica recoger\xE1\ + \ la informaci\xF3n relacionada con el estado de las principales variables\ + \ de la seguridad en los sistemas de informaci\xF3n a los que se refiere este\ + \ real decreto, de forma que permita elaborar un perfil general del estado\ + \ de la seguridad en las entidades titulares de los sistemas de informaci\xF3\ + n comprendidos en el \xE1mbito de aplicaci\xF3n del art\xEDculo 2, que se\ + \ plasmar\xE1 en el informe correspondiente." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:32.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-32" + ref_id: '32.2' + description: "El CCN articular\xE1 los procedimientos necesarios para la recogida\ + \ y consolidaci\xF3n de la informaci\xF3n, as\xED como los aspectos metodol\xF3\ + gicos para su tratamiento y explotaci\xF3n, a trav\xE9s de los correspondientes\ + \ grupos de trabajo que se constituyan al efecto en la Comisi\xF3n Sectorial\ + \ de Administraci\xF3n Electr\xF3nica y en los \xF3rganos colegiados competentes\ + \ en el \xE1mbito de la Administraci\xF3n General del Estado." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:32.3 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-32" + ref_id: '32.3' + description: "Los resultados del informe ser\xE1n utilizados por las autoridades\ + \ competentes que impulsar\xE1n las medidas oportunas que faciliten la mejora\ + \ continua del estado de la seguridad utilizando en su caso, cuadros de mando\ + \ e indicadores que contribuyan a la toma de decisiones mediante el uso de\ + \ las herramientas que el CCN provea para tal efecto." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-33" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iv" + ref_id: "Art\xEDculo 33" + name: Capacidad de respuesta a incidentes de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.1' + description: " El CCN articular\xE1 la respuesta a los incidentes de seguridad\ + \ en torno a la estructura denominada CCN-CERT (por su acr\xF3nimo en ingl\xE9\ + s de Computer Emergency Response Team), que actuar\xE1 sin perjuicio de las\ + \ capacidades de respuesta a incidentes de seguridad que pueda tener cada\ + \ administraci\xF3n p\xFAblica y de la funci\xF3n de coordinaci\xF3n a nivel\ + \ nacional e internacional del CCN." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.2' + description: "Sin perjuicio de lo establecido en el art\xEDculo 19.4 del Real\ + \ Decreto-ley 12/2018, de 7 de septiembre, las entidades del sector p\xFA\ + blico notificar\xE1n al CCN aquellos incidentes que tengan un impacto significativo\ + \ en la seguridad de los sistemas de informaci\xF3n concernidos, de acuerdo\ + \ con la correspondiente Instrucci\xF3n T\xE9cnica de Seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.3 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.3' + description: "Cuando un operador esencial que haya sido designado como operador\ + \ cr\xEDtico sufra un incidente, los CSIRT de referencia se coordinar\xE1\ + n con el Ministerio del Interior, a trav\xE9s de su Oficina de Coordinaci\xF3\ + n de Ciberseguridad, seg\xFAn lo previsto en el art\xEDculo 11.2 del Real\ + \ Decreto-ley 12/2018, de 7 de septiembre." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.4 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.4' + description: "Cuando un operador con incidencia en la Defensa Nacional sufra\ + \ un incidente deber\xE1 analizar si, por su alcance, \xE9ste pudiera tener\ + \ impacto en el funcionamiento del Ministerio de Defensa o en la operatividad\ + \ de las Fuerzas Armadas, lo pondr\xE1 de inmediato en conocimiento de su\ + \ CSIRT de referencia, quien informar\xE1 a la capacidad de respuesta e incidentes\ + \ de seguridad de referencia para el \xE1mbito de la Defensa nacional, denominada\ + \ ESPDEF-CERT, del Mando Conjunto del Ciberespacio (MCCE) a trav\xE9s de los\ + \ canales establecidos. En estos casos, el ESPDEF-CERT del Mando Conjunto\ + \ del Ciberespacio deber\xE1 ser oportunamente informado de la evoluci\xF3\ + n de la gesti\xF3n del incidente y podr\xE1 colaborar en la supervisi\xF3\ + n con la autoridad competente." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.5 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.5' + description: "De conformidad con lo dispuesto en el Real Decreto-ley 12/2018,\ + \ de 7 de septiembre, el CCN ejercer\xE1 la coordinaci\xF3n nacional de la\ + \ respuesta t\xE9cnica de los equipos de respuesta a incidentes de seguridad\ + \ inform\xE1tica (denominados por su acr\xF3nimo en ingl\xE9s Computer Security\ + \ Incident Response Team, en adelante, CSIRT) en materia de seguridad de las\ + \ redes y sistemas de informaci\xF3n del sector p\xFAblico." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.6 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.6' + description: "Tras un incidente de seguridad, el CCN-CERT determinar\xE1 t\xE9\ + cnicamente el riesgo de reconexi\xF3n del sistema o sistemas afectados, indicando\ + \ los procedimientos a seguir y las salvaguardas a implementar con objeto\ + \ de reducir el impacto para, en la medida de lo posible, evitar que vuelvan\ + \ a darse las circunstancias que lo propiciaron." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node184 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + description: "Tras un incidente de seguridad, la Secretar\xEDa General de Administraci\xF3\ + n Digital, sin perjuicio de la normativa que regula la continuidad de los\ + \ sistemas de informaci\xF3n implicados en la seguridad p\xFAblica o la normativa\ + \ que regule la continuidad de los sistemas de informaci\xF3n militares implicados\ + \ en la Defensa Nacional que requieran la participaci\xF3n del ESPDEF-CERT\ + \ del Mando Conjunto del Ciberespacio, autorizar\xE1 la reconexi\xF3n a los\ + \ medios y servicios comunes comprendidos bajo su \xE1mbito de responsabilidad,\ + \ incluidos los compartidos o transversales, si un informe de superficie de\ + \ exposici\xF3n del CCN-CERT hubiere determinado que el riesgo es asumible." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node185 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + description: "En caso de que se trate de un incidente de seguridad que afecte\ + \ a un medio o servicio com\xFAn bajo \xE1mbito de responsabilidad de la Intervenci\xF3\ + n General de la Administraci\xF3n del Estado, esta participar\xE1 en el proceso\ + \ de autorizaci\xF3n de la reconexi\xF3n a que se refiere el p\xE1rrafo anterior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:33.7 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-33" + ref_id: '33.7' + description: "Las organizaciones del sector privado que presten servicios a\ + \ las entidades p\xFAblicas notificar\xE1n al INCIBE-CERT, centro de respuesta\ + \ a incidentes de seguridad de referencia para los ciudadanos y entidades\ + \ de derecho privado en Espa\xF1a operado por la S.M.E. Instituto Nacional\ + \ de Ciberseguridad de Espa\xF1a M.P., S.A. (INCIBE) dependiente del Ministerio\ + \ de Asuntos Econ\xF3micos y Transformaci\xF3n Digital, los incidentes que\ + \ les afecten a trav\xE9s de su equipo de respuesta a incidentes de seguridad\ + \ inform\xE1tica, quien, sin perjuicio de sus competencias y de lo previsto\ + \ en los art\xEDculos 9, 10 y 11 del Real Decreto 43/2021, de 26 de enero,\ + \ en relaci\xF3n con la Plataforma de Notificaci\xF3n y Seguimiento de Ciberincidentes,\ + \ lo pondr\xE1 inmediatamente en conocimiento del CCN-CERT." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-34" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-iv" + ref_id: "Art\xEDculo 34" + name: "Prestaci\xF3n de servicios de respuesta a incidentes de seguridad a las\ + \ entidades del sector p\xFAblico." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-34" + ref_id: '34.1' + description: "De acuerdo con lo previsto en el art\xEDculo 33, el CCN-CERT prestar\xE1\ + \ los siguientes servicios:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + ref_id: 34.1.a + description: "Soporte y coordinaci\xF3n para el tratamiento de vulnerabilidades\ + \ y la resoluci\xF3n de incidentes de seguridad que tengan las entidades del\ + \ \xE1mbito de aplicaci\xF3n de este real decreto." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node190 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + description: "El CCN-CERT, a trav\xE9s de su servicio de apoyo t\xE9cnico y\ + \ de coordinaci\xF3n, actuar\xE1 con la m\xE1xima celeridad ante cualquier\ + \ agresi\xF3n recibida en los sistemas de informaci\xF3n afectados" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node191 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + description: "Para el cumplimiento de los fines indicados en los p\xE1rrafos\ + \ anteriores se podr\xE1n recabar informes, registros de auditor\xEDa y configuraciones\ + \ de los sistemas afectados y cualquier otra informaci\xF3n que se considere\ + \ relevante, as\xED como los soportes inform\xE1ticos que se estimen necesarios\ + \ para la investigaci\xF3n del incidente de los sistemas afectados, sin perjuicio\ + \ de lo dispuesto en la normativa de protecci\xF3n de datos que resulte de\ + \ aplicaci\xF3n, as\xED como de la posible confidencialidad de datos de car\xE1\ + cter institucional u organizativo." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + ref_id: 34.1.b + description: "Investigaci\xF3n y divulgaci\xF3n de las mejores pr\xE1cticas\ + \ sobre seguridad de la informaci\xF3n entre todos los miembros de las entidades\ + \ del sector p\xFAblico. Con esta finalidad, las series de documentos CCN-STIC\ + \ (CCN-Seguridad de las Tecnolog\xEDas de Informaci\xF3n y la Comunicaci\xF3\ + n), elaboradas por el CCN, ofrecer\xE1n normas, instrucciones, gu\xEDas, recomendaciones\ + \ y mejores pr\xE1cticas para aplicar el ENS y para garantizar la seguridad\ + \ de los sistemas de informaci\xF3n del \xE1mbito de aplicaci\xF3n de este\ + \ real decreto." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + ref_id: 34.1.c + description: "Formaci\xF3n destinada al personal del sector p\xFAblico especialista\ + \ en el campo de la seguridad de las tecnolog\xEDas de la informaci\xF3n,\ + \ al objeto de facilitar la actualizaci\xF3n de conocimientos y de lograr\ + \ la sensibilizaci\xF3n y mejora de sus capacidades para la prevenci\xF3n,\ + \ detecci\xF3n y gesti\xF3n de incidentes." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.1 + ref_id: 34.1.d + description: "Informaci\xF3n sobre vulnerabilidades, alertas y avisos de nuevas\ + \ amenazas a los sistemas de informaci\xF3n, recopiladas de diversas fuentes\ + \ de reconocido prestigio, incluidas las propias." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:34.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-34" + ref_id: '34.2' + description: "El CCN desarrollar\xE1 un programa que ofrezca la informaci\xF3\ + n, formaci\xF3n, recomendaciones y herramientas necesarias para que las entidades\ + \ del sector p\xFAblico puedan desarrollar sus propias capacidades de respuesta\ + \ a incidentes de seguridad, y en el que, aquel, ser\xE1 coordinador a nivel\ + \ p\xFAblico estatal." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-v" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO V" + name: Normas de conformida + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-35" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-v" + ref_id: "Art\xEDculo 35" + name: "Administraci\xF3n digital" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:35.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-35" + ref_id: '35.1' + description: "La seguridad de los sistemas de informaci\xF3n que sustentan la\ + \ administraci\xF3n digital se regir\xE1 por lo establecido en este real decreto." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:35.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-35" + ref_id: '35.2' + description: "El CCN es el \xF3rgano competente para garantizar la debida interoperabilidad\ + \ en materia de ciberseguridad y criptograf\xEDa, en relaci\xF3n con la aplicaci\xF3\ + n del Real Decreto 4/2010, de 8 de enero, por el que se regula el Esquema\ + \ Nacional de Interoperabilidad en el \xE1mbito de la administraci\xF3n electr\xF3\ + nica." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-36" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-v" + ref_id: "Art\xEDculo 36" + name: Ciclo de vida de servicios y sistemas + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node201 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-36" + description: "Las especificaciones de seguridad se incluir\xE1n en el ciclo\ + \ de vida de los servicios y sistemas, acompa\xF1adas de los correspondientes\ + \ procedimientos de control." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-37" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-v" + ref_id: "Art\xEDculo 37" + name: Mecanismos de control. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node203 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-37" + description: "Cada entidad titular de los sistemas de informaci\xF3n comprendidos\ + \ en el \xE1mbito de aplicaci\xF3n de este real decreto y, en su caso, sus\ + \ organismos, \xF3rganos, departamentos o unidades, establecer\xE1n sus mecanismos\ + \ de control para garantizar de forma real y efectiva el cumplimiento del\ + \ ENS." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-38" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-v" + ref_id: "Art\xEDculo 38" + name: "Procedimientos de determinaci\xF3n de la conformidad con el Esquema Nacional\ + \ de Seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:38.1 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-38" + ref_id: '38.1' + description: "Los sistemas de informaci\xF3n comprendidos en el \xE1mbito del\ + \ art\xEDculo 2 ser\xE1n objeto de un proceso para determinar su conformidad\ + \ con el ENS. A tal efecto, los sistemas de categor\xEDa MEDIA o ALTA precisar\xE1\ + n de una auditor\xEDa para la certificaci\xF3n de su conformidad, sin perjuicio\ + \ de la auditor\xEDa de la seguridad prevista en el art\xEDculo 31 que podr\xE1\ + \ servir asimismo para los fines de la certificaci\xF3n, mientras que los\ + \ sistemas de categor\xEDa B\xC1SICA solo requerir\xE1n de una autoevaluaci\xF3\ + n para su declaraci\xF3n de la conformidad, sin perjuicio de que se puedan\ + \ someter igualmente a una auditoria de certificaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:38.2 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-38" + ref_id: '38.2' + description: "Tanto el procedimiento de autoevaluaci\xF3n como la auditor\xED\ + a de certificaci\xF3n se realizar\xE1n seg\xFAn lo dispuesto en el art\xED\ + culo 31 y el anexo III y en los t\xE9rminos que se determinen en la correspondiente\ + \ Instrucci\xF3n T\xE9cnica de Seguridad, que concretar\xE1 asimismo los requisitos\ + \ exigibles a las entidades certificadoras." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:38.3 + assessable: true + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-38" + ref_id: '38.3' + description: "Los sujetos responsables de los sistemas de informaci\xF3n a que\ + \ se refiere el apartado anterior dar\xE1n publicidad, en los correspondientes\ + \ portales de internet o sedes electr\xF3nicas a las declaraciones y certificaciones\ + \ de conformidad con el ENS, atendiendo a lo dispuesto en la mencionada Instrucci\xF3\ + n T\xE9cnica de Seguridad." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-vi" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO VI" + name: "Actualizaci\xF3n del Esquema Nacional de Seguridad" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-39" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-vi" + ref_id: "Art\xEDculo 39" + name: "Actualizaci\xF3n permanente" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node210 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-39" + description: "El ENS se mantendr\xE1 actualizado de manera permanente, desarroll\xE1\ + ndose y perfeccion\xE1ndose a lo largo del tiempo, en paralelo al avance de\ + \ los servicios prestados por las entidades del sector p\xFAblico, la evoluci\xF3\ + n tecnol\xF3gica, la aparici\xF3n o consolidaci\xF3n de nuevos est\xE1ndares\ + \ internacionales sobre seguridad y auditor\xEDa y los riesgos a los que est\xE9\ + n expuestos los sistemas de informaci\xF3n concernidos." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xEDtulo-vii" + assessable: false + depth: 1 + ref_id: "CAP\xCDTULO VII" + name: "Categorizaci\xF3n de los sistemas de informaci\xF3n" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-40" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-vii" + ref_id: "Art\xEDculo 40" + name: "Categor\xEDas de seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:40.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-40" + ref_id: '40.1' + description: "La categor\xEDa de seguridad de un sistema de informaci\xF3n modular\xE1\ + \ el equilibrio entre la importancia de la informaci\xF3n que maneja y los\ + \ servicios que presta y el esfuerzo de seguridad requerido, en funci\xF3\ + n de los riesgos a los que est\xE1 expuesto, bajo el principio de proporcionalidad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:40.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-40" + ref_id: '40.2' + description: "La determinaci\xF3n de la categor\xEDa de seguridad se efectuar\xE1\ + \ en funci\xF3n de la valoraci\xF3n del impacto que tendr\xEDa un incidente\ + \ que afectase a la seguridad de la informaci\xF3n o de los servicios con\ + \ perjuicio para la disponibilidad, autenticidad, integridad, confidencialidad\ + \ o trazabilidad, siguiendo el procedimiento descrito en el anexo I." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xEDculo-41" + assessable: false + depth: 2 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:cap\xED\ + tulo-vii" + ref_id: "Art\xEDculo 41" + name: Facultades + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:41.1 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-41" + ref_id: '41.1' + description: "La facultad para efectuar las valoraciones a las que se refiere\ + \ el art\xEDculo 40, as\xED como, en su caso, su posterior modificaci\xF3\ + n, corresponder\xE1 al responsable o responsables de la informaci\xF3n o servicios\ + \ afectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:41.2 + assessable: false + depth: 3 + parent_urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:art\xED\ + culo-41" + ref_id: '41.2' + description: "Con base en las valoraciones se\xF1aladas en el apartado anterior,\ + \ la determinaci\xF3n de la categor\xEDa de seguridad del sistema corresponder\xE1\ + \ al responsable o responsables de la seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + assessable: false + depth: 1 + ref_id: ANEXO I + name: "Categor\xEDas de seguridad de los sistemas de informaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + ref_id: ANEXO I-1 + name: "Fundamentos para la determinaci\xF3n de la categor\xEDa de seguridad\ + \ de un sistema de informaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node220 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-1 + description: "La determinaci\xF3n de la categor\xEDa de seguridad de un sistema\ + \ de informaci\xF3n se basar\xE1 en la valoraci\xF3n del impacto que tendr\xED\ + a sobre la organizaci\xF3n un incidente que afectase a la seguridad de la\ + \ informaci\xF3n tratada o de los servicios prestados para:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node220 + ref_id: ANEXO I-1.a + description: Alcanzar sus objetivos. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node220 + ref_id: ANEXO I-1.b + description: Proteger los activos a su cargo. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node223 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node220 + description: "Garantizar la conformidad con el ordenamiento jur\xEDdico." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node224 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-1 + description: "Anualmente, o siempre que se produzcan modificaciones significativas\ + \ en los citados criterios de determinaci\xF3n, deber\xE1 re-evaluarse la\ + \ categor\xEDa de seguridad de los sistemas de informaci\xF3n concernidos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + ref_id: ANEXO I-2 + name: Dimensiones de la seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2 + description: "A fin de determinar el impacto que tendr\xEDa sobre la organizaci\xF3\ + n un incidente que afectara a la seguridad de la informaci\xF3n tratada o\ + \ de los servicios prestados y, en su consecuencia, establecer la categor\xED\ + a de seguridad del sistema de informaci\xF3n en cuesti\xF3n, se tendr\xE1\ + n en cuenta las siguientes dimensiones de la seguridad, que se identificar\xE1\ + n por sus correspondientes iniciales en may\xFAsculas:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + ref_id: ANEXO I-2.a + description: "\_Confidencialidad [C]." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + ref_id: ANEXO I-2.b + description: Integridad [I]. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + ref_id: ANEXO I-2.c + description: Trazabilidad [T]. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + ref_id: ANEXO I-2.d + description: Autenticidad [A]. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-2.e + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node226 + ref_id: ANEXO I-2.e + description: Disponibilidad [D]. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + ref_id: ANEXO I-3 + name: "Determinaci\xF3n del nivel de seguridad requerido en una dimensi\xF3\ + n de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3 + description: "Una informaci\xF3n o un servicio pueden verse afectados en una\ + \ o m\xE1s de sus dimensiones de seguridad. Cada dimensi\xF3n de seguridad\ + \ afectada se adscribir\xE1 a uno de los siguientes niveles de seguridad:\ + \ BAJO, MEDIO o ALTO. Si una dimensi\xF3n de seguridad no se ve afectada,\ + \ no se adscribir\xE1 a ning\xFAn nivel." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + ref_id: ANEXO I-3.a + description: "Nivel BAJO. Se aplicar\xE1 cuando las consecuencias de un incidente\ + \ de seguridad que afecte a alguna de las dimensiones de seguridad supongan\ + \ un perjuicio limitado sobre las funciones de la organizaci\xF3n, sobre sus\ + \ activos o sobre los individuos afectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + description: "Se entender\xE1 por perjuicio limitado:" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a.1\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + ref_id: "ANEXO I-3.a.1\xB0" + description: "La reducci\xF3n de forma apreciable de la capacidad de la organizaci\xF3\ + n para desarrollar eficazmente sus funciones y competencias, aunque estas\ + \ sigan desempe\xF1\xE1ndose." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a.2\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + ref_id: "ANEXO I-3.a.2\xB0" + description: "Causar un da\xF1o menor en los activos de la organizaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a.3\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + ref_id: "ANEXO I-3.a.3\xB0" + description: "El incumplimiento formal de alguna ley o regulaci\xF3n, que tenga\ + \ car\xE1cter de subsanable." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a.4\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + ref_id: "ANEXO I-3.a.4\xB0" + description: "Causar un perjuicio menor a alg\xFAn individuo, que pese a resultar\ + \ molesto, pueda ser f\xE1cilmente reparable." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.a.5\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node235 + ref_id: "ANEXO I-3.a.5\xB0" + description: "Otros de naturaleza an\xE1loga." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + ref_id: ANEXO I-3.b + description: "Nivel MEDIO. Se aplicar\xE1 cuando las consecuencias de un incidente\ + \ de seguridad que afecte a alguna de las dimensiones de seguridad supongan\ + \ un perjuicio grave sobre las funciones de la organizaci\xF3n, sobre sus\ + \ activos o sobre los individuos afectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + description: "Se entender\xE1 por perjuicio grave:" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b.1\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + ref_id: "ANEXO I-3.b.1\xB0" + description: "La reducci\xF3n significativa de la capacidad de la organizaci\xF3\ + n para desarrollar eficazmente sus funciones y competencias, aunque estas\ + \ sigan desempe\xF1\xE1ndose." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b.2\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + ref_id: "ANEXO I-3.b.2\xB0" + description: "Causar un da\xF1o significativo en los activos de la organizaci\xF3\ + n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b.3\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + ref_id: "ANEXO I-3.b.3\xB0" + description: "El incumplimiento material de alguna ley o regulaci\xF3n, o el\ + \ incumplimiento formal que no tenga car\xE1cter de subsanable." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b.4\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + ref_id: "ANEXO I-3.b.4\xB0" + description: "Causar un perjuicio significativo a alg\xFAn individuo, de dif\xED\ + cil reparaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.b.5\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node242 + ref_id: "ANEXO I-3.b.5\xB0" + description: "Otros de naturaleza an\xE1loga." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + ref_id: ANEXO I-3.c + description: "Nivel ALTO. Se aplicar\xE1 cuando las consecuencias de un incidente\ + \ de seguridad que afecte a alguna de las dimensiones de seguridad supongan\ + \ un perjuicio muy grave sobre las funciones de la organizaci\xF3n, sobre\ + \ sus activos o sobre los individuos afectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + description: "Se entender\xE1 por perjuicio muy grave:" + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c.1\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + ref_id: "ANEXO I-3.c.1\xB0" + description: "La anulaci\xF3n efectiva de la capacidad de la organizaci\xF3\ + n para desarrollar eficazmente sus funciones y competencias." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c.2\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + ref_id: "ANEXO I-3.c.2\xB0" + description: "Causar un da\xF1o muy grave, e incluso irreparable, de los activos\ + \ de la organizaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c.3\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + ref_id: "ANEXO I-3.c.3\xB0" + description: "El incumplimiento grave de alguna ley o regulaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c.4\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + ref_id: "ANEXO I-3.c.4\xB0" + description: "Causar un perjuicio grave a alg\xFAn individuo, de dif\xEDcil\ + \ o imposible reparaci\xF3n." + - urn: "urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-3.c.5\xB0" + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node249 + ref_id: "ANEXO I-3.c.5\xB0" + description: "Otros de naturaleza an\xE1loga." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node255 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node233 + description: "Cuando un sistema de informaci\xF3n trate diferentes informaciones\ + \ y preste diferentes servicios, el nivel de seguridad del sistema en cada\ + \ dimensi\xF3n ser\xE1 el mayor de los establecidos para cada informaci\xF3\ + n y cada servicio" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + ref_id: ANEXO I-4 + name: "Determinaci\xF3n de la categor\xEDa de seguridad de un sistema de informaci\xF3\ + n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4 + ref_id: ANEXO I-4.1 + description: "Se definen tres categor\xEDas de seguridad: B\xC1SICA, MEDIA y\ + \ ALTA." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1 + ref_id: ANEXO I-4.1.a + description: "Un sistema de informaci\xF3n ser\xE1 de categor\xEDa ALTA si alguna\ + \ de sus dimensiones de seguridad alcanza el nivel de seguridad ALTO." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1 + ref_id: ANEXO I-4.1.b + description: "Un sistema de informaci\xF3n ser\xE1 de categor\xEDa MEDIA si\ + \ alguna de sus dimensiones de seguridad alcanza el nivel de seguridad MEDIO,\ + \ y ninguna alcanza un nivel de seguridad superior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.1 + ref_id: ANEXO I-4.1.c + description: "Un sistema de informaci\xF3n ser\xE1 de categor\xEDa B\xC1SICA\ + \ si alguna de sus dimensiones de seguridad alcanza el nivel BAJO, y ninguna\ + \ alcanza un nivel superior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-4 + ref_id: ANEXO I-4.2 + description: "La determinaci\xF3n de la categor\xEDa de seguridad de un sistema\ + \ de informaci\xF3n sobre la base de lo indicado en el apartado anterior,\ + \ no implicar\xE1 que se altere, por este hecho, el nivel de seguridad de\ + \ las dimensiones de seguridad que no han influido en la determinaci\xF3n\ + \ de la categor\xEDa de seguridad del mismo." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i + ref_id: ANEXO I-5 + name: "Secuencia de actuaciones para determinar la categor\xEDa de seguridad\ + \ de un sistema" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5 + ref_id: ANEXO I-5.1 + description: "Identificaci\xF3n del nivel de seguridad correspondiente a cada\ + \ informaci\xF3n y servicio, en funci\xF3n de las dimensiones de seguridad,\ + \ teniendo en cuenta lo establecido en el apartado 3 anterior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5 + ref_id: ANEXO I-5.2 + description: "Determinaci\xF3n de la categor\xEDa de seguridad del sistema,\ + \ seg\xFAn lo establecido en el apartado 4 anterior." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node265 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-i-5 + description: "Las gu\xEDas CCN-STIC, del CCN, precisar\xE1n los criterios necesarios\ + \ para una adecuada categorizaci\xF3n de seguridad de los sistemas de informaci\xF3\ + n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + assessable: false + depth: 1 + ref_id: ANEXO II + name: Medidas de Seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + ref_id: ANEXO II-1 + name: Disposiciones generales + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1 + ref_id: ANEXO II-1.1 + description: "Para lograr el cumplimiento de los principios b\xE1sicos y requisitos\ + \ m\xEDnimos establecidos se aplicar\xE1n las medidas de seguridad indicadas\ + \ en este anexo, las cuales ser\xE1n proporcionales a:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.1 + ref_id: ANEXO II-1.1.a + description: Las dimensiones de seguridad relevantes en el sistema a proteger. + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.1 + ref_id: ANEXO II-1.1.b + description: "La categor\xEDa de seguridad del sistema de informaci\xF3n a proteger." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1 + ref_id: ANEXO II-1.2 + description: 'Las medidas de seguridad se dividen en tres grupos:' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2 + ref_id: ANEXO II-1.2.a + description: "Marco organizativo [org]. Constituido por el conjunto de medidas\ + \ relacionadas con la organizaci\xF3n global de la seguridad." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2 + ref_id: ANEXO II-1.2.b + description: "Marco operacional [op]. Formado por las medidas a tomar para proteger\ + \ la operaci\xF3n del sistema como conjunto integral de componentes para un\ + \ fin." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-1.2 + ref_id: ANEXO II-1.2.c + description: "Medidas de protecci\xF3n [mp]. Se centran en proteger activos\ + \ concretos, seg\xFAn su naturaleza y la calidad exigida por el nivel de seguridad\ + \ de las dimensiones afectadas." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + ref_id: ANEXO II-2 + name: "Selecci\xF3n de medidas de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.1 + description: "Para la selecci\xF3n de las medidas de seguridad se seguir\xE1\ + n los pasos siguientes:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + ref_id: ANEXO II-2.1.a + description: "Identificaci\xF3n de los tipos de activos presentes." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + ref_id: ANEXO II-2.1.b + description: "Determinaci\xF3n de las dimensiones de seguridad relevantes, teniendo\ + \ en cuenta lo establecido en el anexo I." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + ref_id: ANEXO II-2.1.c + description: "Determinaci\xF3n del nivel de seguridad correspondiente a cada\ + \ dimensi\xF3n de seguridad, teniendo en cuenta lo establecido en el anexo\ + \ I." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + ref_id: ANEXO II-2.1.d + description: "Determinaci\xF3n de la categor\xEDa de seguridad del sistema,\ + \ seg\xFAn lo establecido en el anexo I." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1.e + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.1 + ref_id: ANEXO II-2.1.e + description: "Selecci\xF3n de las medidas de seguridad, junto con los refuerzos\ + \ apropiados, de entre las contenidas en este anexo, de acuerdo con las dimensiones\ + \ y sus niveles de seguridad y para determinadas medidas de seguridad, de\ + \ acuerdo con la categor\xEDa de seguridad del sistema" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.2 + description: "A los efectos de facilitar el cumplimiento de lo dispuesto en\ + \ este anexo, cuando en un sistema de informaci\xF3n existan subsistemas que\ + \ requieran la aplicaci\xF3n de un nivel de medidas de seguridad diferente\ + \ al del sistema principal, podr\xE1n segregarse de este \xFAltimo, siendo\ + \ de aplicaci\xF3n en cada caso el nivel de medidas de seguridad con los refuerzos\ + \ correspondientes, y siempre que puedan delimitarse la informaci\xF3n y los\ + \ servicios afectados." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.3 + description: "Las gu\xEDas CCN-STIC, del CCN, podr\xE1n establecer perfiles\ + \ de cumplimiento espec\xEDficos, seg\xFAn el art\xEDculo 30 de este real\ + \ decreto, para entidades o sectores concretos, que incluir\xE1n la relaci\xF3\ + n de medidas y refuerzos que en cada caso resulten aplicables o los criterios\ + \ para su determinaci\xF3n." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.4 + description: "La correspondencia entre los niveles de seguridad exigidos en\ + \ cada dimensi\xF3n y las medidas de seguridad con sus refuerzos, es la que\ + \ se indica en la tabla siguiente:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.5 + description: 'En las tablas del presente anexo se han empleado las siguientes + convenciones:' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.a + description: "La tercera columna indica si la medida se exige atendiendo al\ + \ nivel de seguridad de una o m\xE1s dimensiones de seguridad, o atendiendo\ + \ a la categor\xEDa de seguridad del sistema. Cuando se exija por nivel de\ + \ seguridad de las dimensiones, se indican cuales afectan utilizando sus iniciales." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.b + description: "Para indicar que una determinada medida de seguridad se debe aplicar\ + \ a una o varias dimensiones de seguridad, en alg\xFAn nivel de seguridad\ + \ determinado, se utiliza la voz \xABaplica\xBB." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.c + description: "\xABn.a.\xBB significa \xABno aplica\xBB a efectos de cumplimiento\ + \ normativo, por lo que no es exigible, sin perjuicio de que su implantaci\xF3\ + n en el sistema pudiera ser beneficioso t\xE9cnicamente." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.d + description: "Para indicar una mayor exigencia se emplean los refuerzos de seguridad\ + \ (R) que se suman (+) a los requisitos base de la medida pero que no siempre\ + \ son incrementales entre s\xED." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.e + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.e + description: "Para se\xF1alar que se puede elegir entre aplicar un refuerzo\ + \ u otro, se indicar\xE1 entre corchetes y separados por \xABo\xBB [Rn o Rn+1]." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5.f + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.5 + ref_id: ANEXO II-2.5.f + description: "Se han empleado los colores verde, amarillo y rojo con el siguiente\ + \ c\xF3digo: verde para indicar que una medida se aplica en sistemas de categor\xED\ + a B\xC1SICA o superior; el amarillo para indicar qu\xE9 medidas y refuerzos\ + \ empiezan a aplicar en categor\xEDa MEDIA o superior; y el rojo para indicar\ + \ qu\xE9 medidas o refuerzos son solo de aplicaci\xF3n en categor\xEDa ALTA\ + \ o requieren un esfuerzo en seguridad superior al de categor\xEDa MEDIA." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2 + ref_id: ANEXO II-2.6 + description: "A continuaci\xF3n, se describen individualmente cada una de las\ + \ medidas organizadas de la siguiente forma:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6.a + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + ref_id: ANEXO II-2.6.a + description: "Primero, una tabla resumen con las exigencias de seguridad de\ + \ la medida en funci\xF3n de la categor\xEDa de seguridad del sistema y de\ + \ las dimensiones de seguridad afectadas." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6.b + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + ref_id: ANEXO II-2.6.b + description: "A continuaci\xF3n, una descripci\xF3n con el cuerpo de la medida\ + \ que desglosa los requisitos de base." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6.c + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + ref_id: ANEXO II-2.6.c + description: "Posteriormente, podr\xE1n aparecer una serie de refuerzos adicionales\ + \ que complementan a los requisitos de base, no en todos los casos requeridos\ + \ o exigidos, y que podr\xEDan aplicarse en determinados perfiles de cumplimiento\ + \ espec\xEDficos." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6.d + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + ref_id: ANEXO II-2.6.d + description: "Adem\xE1s, se indica el conjunto de requisitos y refuerzos exigidos\ + \ en funci\xF3n de los niveles de seguridad o de la categor\xEDa de seguridad\ + \ del sistema, seg\xFAn corresponda. En los casos en los que se pueda elegir\ + \ entre aplicar un refuerzo u otro, adem\xE1s de indicarlo entre corchetes\ + \ [Rm o Rn], se incluir\xE1 un diagrama de flujo explicativo." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6.e + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-2.6 + ref_id: ANEXO II-2.6.e + description: "Por \xFAltimo, algunos refuerzos son de car\xE1cter opcional,\ + \ no siendo requeridos en todos los sistemas de informaci\xF3n. Se aplicar\xE1\ + n como medidas adicionales cuando el an\xE1lisis de riesgos as\xED lo recomiende." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + ref_id: ANEXO II-3 + name: 'Marco organizativo [ORG] + + ' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-3 + ref_id: org.1 + name: " Pol\xEDtica de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1 + description: "La pol\xEDtica de seguridad, que se aprobar\xE1 de conformidad\ + \ con lo dispuesto en el art\xEDculo 12 de este real decreto, se plasmar\xE1\ + \ en un documento en el que, de forma clara, se precise, al menos, lo siguiente:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + ref_id: org.1.1 + description: "Los objetivos o misi\xF3n de la organizaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.1.\n\ + \u2013 Categor\xEDa MEDIA: org.1.\n\u2013 Categor\xEDa ALTA: org.1\nP\xE1\ + gina 33" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + ref_id: org.1.2 + description: "El marco legal y regulatorio en el que se desarrollar\xE1n las\ + \ actividades." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.1.\n\ + \u2013 Categor\xEDa MEDIA: org.1.\n\u2013 Categor\xEDa ALTA: org.1\nP\xE1\ + gina 33" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + ref_id: org.1.3 + description: "Los roles o funciones de seguridad, definiendo para cada uno los\ + \ deberes y responsabilidades del cargo, as\xED como el procedimiento para\ + \ su designaci\xF3n y renovaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.1.\n\ + \u2013 Categor\xEDa MEDIA: org.1.\n\u2013 Categor\xEDa ALTA: org.1\nP\xE1\ + gina 33" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + ref_id: org.1.4 + description: "La estructura del comit\xE9 o los comit\xE9s para la gesti\xF3\ + n y coordinaci\xF3n de la seguridad, detallando su \xE1mbito de responsabilidad,\ + \ las personas integrantes y la relaci\xF3n con otros elementos de la organizaci\xF3\ + n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.1.\n\ + \u2013 Categor\xEDa MEDIA: org.1.\n\u2013 Categor\xEDa ALTA: org.1\nP\xE1\ + gina 33" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.1.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node300 + ref_id: org.1.5 + description: " Las directrices para la estructuraci\xF3n de la documentaci\xF3\ + n de seguridad del sistema, su gesti\xF3n y acceso." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.1.\n\ + \u2013 Categor\xEDa MEDIA: org.1.\n\u2013 Categor\xEDa ALTA: org.1\nP\xE1\ + gina 33" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-3 + ref_id: org.2 + name: 'Normativa de seguridad ' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node307 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.2 + description: "Se dispondr\xE1 de una serie de documentos que describan:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node307 + ref_id: org.2.1 + description: "El uso correcto de equipos, servicios e instalaciones, as\xED\ + \ como lo que se considerar\xE1 uso indebido." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.2.\n\ + \u2013 Categor\xEDa MEDIA: org.2.\n\u2013 Categor\xEDa ALTA: org.2.\nRefuerzo\ + \ R1-Documentos espec\xEDficos.\n[org.2.r1.1] Se dispondr\xE1 de una documentaci\xF3\ + n de seguridad, desarrollada seg\xFAn lo reflejado en las gu\xEDas CCN-STIC\ + \ que resulten de aplicaci\xF3n.\nP\xE1gina 33" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node307 + ref_id: org.2.2 + description: "La responsabilidad del personal con respecto al cumplimiento o\ + \ violaci\xF3n de la normativa: derechos, deberes y medidas disciplinarias\ + \ de acuerdo con la legislaci\xF3n vigente." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.2.\n\ + \u2013 Categor\xEDa MEDIA: org.2.\n\u2013 Categor\xEDa ALTA: org.2.\nRefuerzo\ + \ R1-Documentos espec\xEDficos.\n[org.2.r1.1] Se dispondr\xE1 de una documentaci\xF3\ + n de seguridad, desarrollada seg\xFAn lo reflejado en las gu\xEDas CCN-STIC\ + \ que resulten de aplicaci\xF3n.\nP\xE1gina 33" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-3 + ref_id: org.3 + name: Procedimientos de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node311 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3 + description: "Se dispondr\xE1 de una serie de documentos que detallen de forma\ + \ clara y precisa c\xF3mo operar los elementos del sistema de informaci\xF3\ + n:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node311 + ref_id: org.3.1 + description: "C\xF3mo llevar a cabo las tareas habituales." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node311 + ref_id: org.3.2 + description: "Qui\xE9n debe hacer cada tarea." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node311 + ref_id: org.3.3 + description: "C\xF3mo identificar y reportar comportamientos an\xF3malos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node311 + ref_id: org.3.4 + description: "La forma en que se ha de tratar la informaci\xF3n en consideraci\xF3\ + n al nivel de seguridad que requiere, precisando c\xF3mo efectuar:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.a + description: Su control de acceso. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.b + description: Su almacenamiento. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.c + description: "La realizaci\xF3n de copias." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.d + description: El etiquetado de soportes. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.e + description: "Su transmisi\xF3n telem\xE1tica." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.3.4 + ref_id: org.3.4.f + description: "Cualquier otra actividad relacionada con dicha informaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.3.\n\ + \u2013 Categor\xEDa MEDIA: org.3.\n\u2013 Categor\xEDa ALTA: org.3.\nRefuerzo\ + \ R1-Validaci\xF3n de procedimientos.\n[org.3.r1.1] Se requerir\xE1 la validaci\xF3\ + n de los procedimientos de seguridad por la autoridad correspondiente.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-3 + ref_id: org.4 + name: "Proceso de autorizaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4 + description: "Se establecer\xE1 un proceso formal de autorizaciones que cubra\ + \ todos los elementos del sistema de informaci\xF3n concernidos:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.1 + description: "Utilizaci\xF3n de instalaciones, habituales y alternativas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.2 + description: " Entrada de equipos en producci\xF3n, en particular, equipos que\ + \ involucren criptograf\xEDa." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.3 + description: "Entrada de aplicaciones en producci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.4 + description: Establecimiento de enlaces de comunicaciones con otros sistemas. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.5 + description: "Utilizaci\xF3n de medios de comunicaci\xF3n, habituales y alternativos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.6 + description: "Utilizaci\xF3n de soportes de informaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.7 + description: "Utilizaci\xF3n de equipos m\xF3viles. Se entender\xE1 por equipos\ + \ m\xF3viles ordenadores port\xE1tiles, tabletas, tel\xE9fonos m\xF3viles\ + \ u otros de naturaleza an\xE1loga." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:org.4.8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node323 + ref_id: org.4.8 + description: "Utilizaci\xF3n de servicios de terceros, bajo contrato o convenio,\ + \ concesi\xF3n, encargo, etc." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: org.4.\n\ + \u2013 Categor\xEDa MEDIA: org.4.\n\u2013 Categor\xEDa ALTA: org.4.\nP\xE1\ + gina 34" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + ref_id: ANEXO II-4 + name: Marco operacional [op] + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.pl + name: "Planificaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + ref_id: op.pl.1 + name: "An\xE1lisis de riesgos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node335 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1 + description: "Se realizar\xE1 un an\xE1lisis de riesgos informal, realizado\ + \ en lenguaje natural. Es decir, una exposici\xF3n textual que:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node335 + ref_id: op.pl.1.1 + description: "Identifique los activos m\xE1s valiosos del sistema. (Ver op.exp.1)." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.1.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.1 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.1\ + \ + R2.\nRefuerzo R1-An\xE1lisis de riesgos semiformal.\nSe deber\xE1 realizar\ + \ un an\xE1lisis de riesgos semiformal, usando un lenguaje espec\xEDfico,\ + \ con un cat\xE1logo b\xE1sico de amenazas y una sem\xE1ntica definida. Es\ + \ decir, una presentaci\xF3n con tablas que:\n\u2013 [op.pl.1.r1.1] Valore\ + \ cualitativamente los activos m\xE1s valiosos del sistema.\n\u2013 [op.pl.1.r1.2]\ + \ Cuantifique las amenazas m\xE1s probables.\n\u2013 [op.pl.1.r1.3] Valore\ + \ las salvaguardas que protegen de dichas amenazas.\n\u2013 [op.pl.1.r1.4]\ + \ Valore el riesgo residual.\nRefuerzo R2-An\xE1lisis de riesgos formal.\n\ + Se deber\xE1 realizar un an\xE1lisis formal, usando un lenguaje espec\xED\ + fico, con un fundamento matem\xE1tico reconocido internacionalmente, que:\n\ + \u2013 [op.pl.1.r2.1] Valore cualitativamente los activos m\xE1s valiosos\ + \ del sistema.\n\u2013 [op.pl.1.r2.2] Cuantifique las amenazas posibles.\n\ + \u2013 [op.pl.1.r2.3] Valore y priorice las salvaguardas adecuadas.\n\u2013\ + \ [op.pl.1.r2.4] Valore y asuma formalmente el riesgo residual.\nP\xE1gina\ + \ 35" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node335 + ref_id: op.pl.1.2 + description: "Identifique las amenazas m\xE1s probables." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.1.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.1 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.1\ + \ + R2.\nRefuerzo R1-An\xE1lisis de riesgos semiformal.\nSe deber\xE1 realizar\ + \ un an\xE1lisis de riesgos semiformal, usando un lenguaje espec\xEDfico,\ + \ con un cat\xE1logo b\xE1sico de amenazas y una sem\xE1ntica definida. Es\ + \ decir, una presentaci\xF3n con tablas que:\n\u2013 [op.pl.1.r1.1] Valore\ + \ cualitativamente los activos m\xE1s valiosos del sistema.\n\u2013 [op.pl.1.r1.2]\ + \ Cuantifique las amenazas m\xE1s probables.\n\u2013 [op.pl.1.r1.3] Valore\ + \ las salvaguardas que protegen de dichas amenazas.\n\u2013 [op.pl.1.r1.4]\ + \ Valore el riesgo residual.\nRefuerzo R2-An\xE1lisis de riesgos formal.\n\ + Se deber\xE1 realizar un an\xE1lisis formal, usando un lenguaje espec\xED\ + fico, con un fundamento matem\xE1tico reconocido internacionalmente, que:\n\ + \u2013 [op.pl.1.r2.1] Valore cualitativamente los activos m\xE1s valiosos\ + \ del sistema.\n\u2013 [op.pl.1.r2.2] Cuantifique las amenazas posibles.\n\ + \u2013 [op.pl.1.r2.3] Valore y priorice las salvaguardas adecuadas.\n\u2013\ + \ [op.pl.1.r2.4] Valore y asuma formalmente el riesgo residual.\nP\xE1gina\ + \ 35" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node335 + ref_id: op.pl.1.3 + description: Identifique las salvaguardas que protegen de dichas amenazas. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.1.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.1 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.1\ + \ + R2.\nRefuerzo R1-An\xE1lisis de riesgos semiformal.\nSe deber\xE1 realizar\ + \ un an\xE1lisis de riesgos semiformal, usando un lenguaje espec\xEDfico,\ + \ con un cat\xE1logo b\xE1sico de amenazas y una sem\xE1ntica definida. Es\ + \ decir, una presentaci\xF3n con tablas que:\n\u2013 [op.pl.1.r1.1] Valore\ + \ cualitativamente los activos m\xE1s valiosos del sistema.\n\u2013 [op.pl.1.r1.2]\ + \ Cuantifique las amenazas m\xE1s probables.\n\u2013 [op.pl.1.r1.3] Valore\ + \ las salvaguardas que protegen de dichas amenazas.\n\u2013 [op.pl.1.r1.4]\ + \ Valore el riesgo residual.\nRefuerzo R2-An\xE1lisis de riesgos formal.\n\ + Se deber\xE1 realizar un an\xE1lisis formal, usando un lenguaje espec\xED\ + fico, con un fundamento matem\xE1tico reconocido internacionalmente, que:\n\ + \u2013 [op.pl.1.r2.1] Valore cualitativamente los activos m\xE1s valiosos\ + \ del sistema.\n\u2013 [op.pl.1.r2.2] Cuantifique las amenazas posibles.\n\ + \u2013 [op.pl.1.r2.3] Valore y priorice las salvaguardas adecuadas.\n\u2013\ + \ [op.pl.1.r2.4] Valore y asuma formalmente el riesgo residual.\nP\xE1gina\ + \ 35" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.1.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node335 + ref_id: op.pl.1.4 + description: Identifique los principales riesgos residuales. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.1.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.1 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.1\ + \ + R2.\nRefuerzo R1-An\xE1lisis de riesgos semiformal.\nSe deber\xE1 realizar\ + \ un an\xE1lisis de riesgos semiformal, usando un lenguaje espec\xEDfico,\ + \ con un cat\xE1logo b\xE1sico de amenazas y una sem\xE1ntica definida. Es\ + \ decir, una presentaci\xF3n con tablas que:\n\u2013 [op.pl.1.r1.1] Valore\ + \ cualitativamente los activos m\xE1s valiosos del sistema.\n\u2013 [op.pl.1.r1.2]\ + \ Cuantifique las amenazas m\xE1s probables.\n\u2013 [op.pl.1.r1.3] Valore\ + \ las salvaguardas que protegen de dichas amenazas.\n\u2013 [op.pl.1.r1.4]\ + \ Valore el riesgo residual.\nRefuerzo R2-An\xE1lisis de riesgos formal.\n\ + Se deber\xE1 realizar un an\xE1lisis formal, usando un lenguaje espec\xED\ + fico, con un fundamento matem\xE1tico reconocido internacionalmente, que:\n\ + \u2013 [op.pl.1.r2.1] Valore cualitativamente los activos m\xE1s valiosos\ + \ del sistema.\n\u2013 [op.pl.1.r2.2] Cuantifique las amenazas posibles.\n\ + \u2013 [op.pl.1.r2.3] Valore y priorice las salvaguardas adecuadas.\n\u2013\ + \ [op.pl.1.r2.4] Valore y asuma formalmente el riesgo residual.\nP\xE1gina\ + \ 35" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + ref_id: op.pl.2 + name: Arquitectura de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node341 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2 + description: "La seguridad del sistema ser\xE1 objeto de un planteamiento integral\ + \ detallando, al menos, los siguientes aspectos:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node341 + ref_id: op.pl.2.1 + description: "Documentaci\xF3n de las instalaciones, incluyendo \xE1reas y puntos\ + \ de acceso." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.2.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.2 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.2\ + \ + R1 + R2 + R3.\nRefuerzo R1-Sistema de gesti\xF3n.\n[op.pl.2.r1.1] Sistema\ + \ de gesti\xF3n, relativo a la planificaci\xF3n, organizaci\xF3n y control\ + \ de los recursos relativos a la seguridad de la informaci\xF3n.\nRefuerzo\ + \ R2-Sistema de gesti\xF3n de la seguridad con mejora continua.\n[op.pl.2.r2.1]\ + \ Sistema de gesti\xF3n de la seguridad de la informaci\xF3n, con actualizaci\xF3\ + n y aprobaci\xF3n peri\xF3dica.\nRefuerzo R3-Validaci\xF3n de datos.\n[op.pl.2.r3.1]\ + \ Controles t\xE9cnicos internos, incluyendo la validaci\xF3n de datos de\ + \ entrada, salida y datos intermedios.\nP\xE1gina 36" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node341 + ref_id: op.pl.2.2 + description: "Documentaci\xF3n del sistema, incluyendo equipos, redes internas\ + \ y conexiones al exterior, y puntos de acceso al sistema (puestos de trabajo\ + \ y consolas de administraci\xF3n)." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.2.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.2 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.2\ + \ + R1 + R2 + R3.\nRefuerzo R1-Sistema de gesti\xF3n.\n[op.pl.2.r1.1] Sistema\ + \ de gesti\xF3n, relativo a la planificaci\xF3n, organizaci\xF3n y control\ + \ de los recursos relativos a la seguridad de la informaci\xF3n.\nRefuerzo\ + \ R2-Sistema de gesti\xF3n de la seguridad con mejora continua.\n[op.pl.2.r2.1]\ + \ Sistema de gesti\xF3n de la seguridad de la informaci\xF3n, con actualizaci\xF3\ + n y aprobaci\xF3n peri\xF3dica.\nRefuerzo R3-Validaci\xF3n de datos.\n[op.pl.2.r3.1]\ + \ Controles t\xE9cnicos internos, incluyendo la validaci\xF3n de datos de\ + \ entrada, salida y datos intermedios.\nP\xE1gina 36" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node341 + ref_id: op.pl.2.3 + description: "Esquema de l\xEDneas de defensa, incluyendo puntos de interconexi\xF3\ + n a otros sistemas o a otras redes (en especial, si se trata de internet o\ + \ redes p\xFAblicas en general); cortafuegos, DMZ, etc.; y la utilizaci\xF3\ + n de tecnolog\xEDas diferentes para prevenir vulnerabilidades que pudieran\ + \ perforar simult\xE1neamente varias l\xEDneas de defensa." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.2.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.2 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.2\ + \ + R1 + R2 + R3.\nRefuerzo R1-Sistema de gesti\xF3n.\n[op.pl.2.r1.1] Sistema\ + \ de gesti\xF3n, relativo a la planificaci\xF3n, organizaci\xF3n y control\ + \ de los recursos relativos a la seguridad de la informaci\xF3n.\nRefuerzo\ + \ R2-Sistema de gesti\xF3n de la seguridad con mejora continua.\n[op.pl.2.r2.1]\ + \ Sistema de gesti\xF3n de la seguridad de la informaci\xF3n, con actualizaci\xF3\ + n y aprobaci\xF3n peri\xF3dica.\nRefuerzo R3-Validaci\xF3n de datos.\n[op.pl.2.r3.1]\ + \ Controles t\xE9cnicos internos, incluyendo la validaci\xF3n de datos de\ + \ entrada, salida y datos intermedios.\nP\xE1gina 36" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.2.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node341 + ref_id: op.pl.2.4 + description: "Sistema de identificaci\xF3n y autenticaci\xF3n de usuarios, incluyendo\ + \ el uso de claves concertadas, contrase\xF1as, tarjetas de identificaci\xF3\ + n, biometr\xEDa, u otras de naturaleza an\xE1loga, y el uso de ficheros o\ + \ directorios para autenticar al usuario y determinar sus derechos de acceso." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.2.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.2 + R1.\n\u2013 Categor\xEDa ALTA: op.pl.2\ + \ + R1 + R2 + R3.\nRefuerzo R1-Sistema de gesti\xF3n.\n[op.pl.2.r1.1] Sistema\ + \ de gesti\xF3n, relativo a la planificaci\xF3n, organizaci\xF3n y control\ + \ de los recursos relativos a la seguridad de la informaci\xF3n.\nRefuerzo\ + \ R2-Sistema de gesti\xF3n de la seguridad con mejora continua.\n[op.pl.2.r2.1]\ + \ Sistema de gesti\xF3n de la seguridad de la informaci\xF3n, con actualizaci\xF3\ + n y aprobaci\xF3n peri\xF3dica.\nRefuerzo R3-Validaci\xF3n de datos.\n[op.pl.2.r3.1]\ + \ Controles t\xE9cnicos internos, incluyendo la validaci\xF3n de datos de\ + \ entrada, salida y datos intermedios.\nP\xE1gina 36" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + ref_id: op.pl.3 + name: "Adquisici\xF3n de nuevos componentes" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node347 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.3 + description: "Se establecer\xE1 un proceso formal para planificar la adquisici\xF3\ + n de nuevos componentes del sistema, proceso que:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node347 + ref_id: op.pl.3.1 + description: "Atender\xE1 a las conclusiones del an\xE1lisis de riesgos ([op.pl.1])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.3.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.3.\n\u2013 Categor\xEDa ALTA: op.pl.3.\n\ + P\xE1gina 37" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node347 + ref_id: op.pl.3.2 + description: "Ser\xE1 acorde a la arquitectura de seguridad escogida ([op.pl.2])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.3.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.3.\n\u2013 Categor\xEDa ALTA: op.pl.3.\n\ + P\xE1gina 37" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node347 + ref_id: op.pl.3.3 + description: "Contemplar\xE1 las necesidades t\xE9cnicas, de formaci\xF3n y\ + \ de financiaci\xF3n, de forma conjunta." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.pl.3.\n\ + \u2013 Categor\xEDa MEDIA: op.pl.3.\n\u2013 Categor\xEDa ALTA: op.pl.3.\n\ + P\xE1gina 37" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + ref_id: op.pl.4 + name: "Dimensionamiento / gesti\xF3n de la capacidad " + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4 + description: "Con car\xE1cter previo a la puesta en explotaci\xF3n, se realizar\xE1\ + \ un estudio que cubrir\xE1 los siguientes aspectos:" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + ref_id: op.pl.4.1 + description: Necesidades de procesamiento. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad):\n\u2013 Nivel\ + \ BAJO: op.pl.4.\n\u2013 Nivel MEDIO: op.pl.4 + R1.\n\u2013 Nivel ALTO: op.pl.4\ + \ + R1.\n\u2013 [op.pl.4.5] Necesidades de instalaciones y medios auxiliares.\n\ + Refuerzo R1 \u2013Mejora continua de la gesti\xF3n de la capacidad.\n\u2013\ + \ [op.pl.4.r1.1] Se realizar\xE1 una previsi\xF3n de la capacidad y se mantendr\xE1\ + \ actualizada durante todo el ciclo de vida del sistema.\n\u2013 [op.pl.4.r1.2]\ + \ Se emplear\xE1n herramientas y recursos para la monitorizaci\xF3n de la\ + \ capacidad.\nP\xE1gina 37" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + ref_id: op.pl.4.2 + description: "Necesidades de almacenamiento de informaci\xF3n: durante su procesamiento\ + \ y durante el periodo que deba retenerse." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad):\n\u2013 Nivel\ + \ BAJO: op.pl.4.\n\u2013 Nivel MEDIO: op.pl.4 + R1.\n\u2013 Nivel ALTO: op.pl.4\ + \ + R1.\n\u2013 [op.pl.4.5] Necesidades de instalaciones y medios auxiliares.\n\ + Refuerzo R1 \u2013Mejora continua de la gesti\xF3n de la capacidad.\n\u2013\ + \ [op.pl.4.r1.1] Se realizar\xE1 una previsi\xF3n de la capacidad y se mantendr\xE1\ + \ actualizada durante todo el ciclo de vida del sistema.\n\u2013 [op.pl.4.r1.2]\ + \ Se emplear\xE1n herramientas y recursos para la monitorizaci\xF3n de la\ + \ capacidad.\nP\xE1gina 37" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + ref_id: op.pl.4.3 + description: "Necesidades de comunicaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad):\n\u2013 Nivel\ + \ BAJO: op.pl.4.\n\u2013 Nivel MEDIO: op.pl.4 + R1.\n\u2013 Nivel ALTO: op.pl.4\ + \ + R1.\n\u2013 [op.pl.4.5] Necesidades de instalaciones y medios auxiliares.\n\ + Refuerzo R1 \u2013Mejora continua de la gesti\xF3n de la capacidad.\n\u2013\ + \ [op.pl.4.r1.1] Se realizar\xE1 una previsi\xF3n de la capacidad y se mantendr\xE1\ + \ actualizada durante todo el ciclo de vida del sistema.\n\u2013 [op.pl.4.r1.2]\ + \ Se emplear\xE1n herramientas y recursos para la monitorizaci\xF3n de la\ + \ capacidad.\nP\xE1gina 37" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + ref_id: op.pl.4.4 + description: "Necesidades de personal: cantidad y cualificaci\xF3n profesional." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad):\n\u2013 Nivel\ + \ BAJO: op.pl.4.\n\u2013 Nivel MEDIO: op.pl.4 + R1.\n\u2013 Nivel ALTO: op.pl.4\ + \ + R1.\n\u2013 [op.pl.4.5] Necesidades de instalaciones y medios auxiliares.\n\ + Refuerzo R1 \u2013Mejora continua de la gesti\xF3n de la capacidad.\n\u2013\ + \ [op.pl.4.r1.1] Se realizar\xE1 una previsi\xF3n de la capacidad y se mantendr\xE1\ + \ actualizada durante todo el ciclo de vida del sistema.\n\u2013 [op.pl.4.r1.2]\ + \ Se emplear\xE1n herramientas y recursos para la monitorizaci\xF3n de la\ + \ capacidad.\nP\xE1gina 37" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.4.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node352 + ref_id: op.pl.4.5 + description: Necesidades de instalaciones y medios auxiliares. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad):\n\u2013 Nivel\ + \ BAJO: op.pl.4.\n\u2013 Nivel MEDIO: op.pl.4 + R1.\n\u2013 Nivel ALTO: op.pl.4\ + \ + R1.\n\u2013 [op.pl.4.5] Necesidades de instalaciones y medios auxiliares.\n\ + Refuerzo R1 \u2013Mejora continua de la gesti\xF3n de la capacidad.\n\u2013\ + \ [op.pl.4.r1.1] Se realizar\xE1 una previsi\xF3n de la capacidad y se mantendr\xE1\ + \ actualizada durante todo el ciclo de vida del sistema.\n\u2013 [op.pl.4.r1.2]\ + \ Se emplear\xE1n herramientas y recursos para la monitorizaci\xF3n de la\ + \ capacidad.\nP\xE1gina 37" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl + ref_id: op.pl.5 + name: Componentes certificados + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5 + ref_id: op.pl.5.1 + description: " Se utilizar\xE1 el Cat\xE1logo de Productos y Servicios de Seguridad\ + \ de las Tecnolog\xEDas de la Informaci\xF3n y Comunicaci\xF3n (CPSTIC) del\ + \ CCN, para seleccionar los productos o servicios suministrados por un tercero\ + \ que formen parte de la arquitectura de seguridad del sistema y aquellos\ + \ que se referencien expresamente en las medidas de este real decreto." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.pl.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.pl.5.\nRefuerzo R1-Protecci\xF3n de emisiones electromagn\xE9ticas.\n\ + [op.pl.5.r1.1] La informaci\xF3n deber\xE1 ser protegida frente a las amenazas\ + \ TEMPEST de acuerdo con la normativa en vigor.\nRefuerzo R2 - Lista de componentes\ + \ software.\n[op.pl.5.r2.1] Cada producto y servicio incluir\xE1 en su descripci\xF3\ + n una lista de componentes software, acorde a lo especificado en [mp.sw.1.r5].\n\ + P\xE1gina 38" + implementation_groups: + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node360 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5 + description: "En caso de que no existan productos o servicios en el CPSTIC que\ + \ implementen las funcionalidades requeridas, se utilizar\xE1n productos certificados\ + \ de acuerdo a lo descrito en el art\xEDculo 19" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.pl.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.pl.5.\nRefuerzo R1-Protecci\xF3n de emisiones electromagn\xE9ticas.\n\ + [op.pl.5.r1.1] La informaci\xF3n deber\xE1 ser protegida frente a las amenazas\ + \ TEMPEST de acuerdo con la normativa en vigor.\nRefuerzo R2 - Lista de componentes\ + \ software.\n[op.pl.5.r2.1] Cada producto y servicio incluir\xE1 en su descripci\xF3\ + n una lista de componentes software, acorde a lo especificado en [mp.sw.1.r5].\n\ + P\xE1gina 38" + implementation_groups: + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node361 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5 + description: "Una Instrucci\xF3n T\xE9cnica de Seguridad detallar\xE1 los criterios\ + \ relativos a la adquisici\xF3n de productos de seguridad." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.pl.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.pl.5.\nRefuerzo R1-Protecci\xF3n de emisiones electromagn\xE9ticas.\n\ + [op.pl.5.r1.1] La informaci\xF3n deber\xE1 ser protegida frente a las amenazas\ + \ TEMPEST de acuerdo con la normativa en vigor.\nRefuerzo R2 - Lista de componentes\ + \ software.\n[op.pl.5.r2.1] Cada producto y servicio incluir\xE1 en su descripci\xF3\ + n una lista de componentes software, acorde a lo especificado en [mp.sw.1.r5].\n\ + P\xE1gina 38" + implementation_groups: + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.pl.5 + ref_id: op.pl.5.2 + description: "Si el sistema suministra un servicio de seguridad a un tercero\ + \ bajo el alcance del ENS, el producto o productos que en los que se sustente\ + \ dicho servicio debe superar un proceso de cualificaci\xF3n y ser incluido\ + \ en el CPSTIC, o aportar una certificaci\xF3n que cumpla con los requisitos\ + \ funcionales de seguridad y de aseguramiento de acuerdo a lo establecido\ + \ en el art\xEDculo 19." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.pl.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.pl.5.\nRefuerzo R1-Protecci\xF3n de emisiones electromagn\xE9ticas.\n\ + [op.pl.5.r1.1] La informaci\xF3n deber\xE1 ser protegida frente a las amenazas\ + \ TEMPEST de acuerdo con la normativa en vigor.\nRefuerzo R2 - Lista de componentes\ + \ software.\n[op.pl.5.r2.1] Cada producto y servicio incluir\xE1 en su descripci\xF3\ + n una lista de componentes software, acorde a lo especificado en [mp.sw.1.r5].\n\ + P\xE1gina 38" + implementation_groups: + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.acc + name: 'Control de acceso ' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node364 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + description: "El control de acceso comprende el conjunto de actividades preparatorias\ + \ y ejecutivas tendentes a permitir o denegar a una entidad, usuario o proceso,\ + \ el acceso a un recurso del sistema para la realizaci\xF3n de una acci\xF3\ + n concreta." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node365 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + description: "Los mecanismos de control de acceso deber\xE1n equilibrar la facilidad\ + \ de uso y la protecci\xF3n de la informaci\xF3n y los servicios, primando\ + \ una u otra caracter\xEDstica atendiendo a la categor\xEDa de seguridad del\ + \ sistema." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node366 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + description: "torizaci\xF3n tengan lugar en diferentes dominios de seguridad,\ + \ bajo distintas responsabilidades, en los casos en que sea necesario, las\ + \ medidas de seguridad locales se acompa\xF1ar\xE1n de los correspondientes\ + \ acuerdos de colaboraci\xF3n que delimiten mecanismos y procedimientos para\ + \ la atribuci\xF3n y ejercicio efectivos de las responsabilidades de cada\ + \ sistema ([op.ext])." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.1 + name: "Identificaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1 + description: "La identificaci\xF3n de los usuarios del sistema se realizar\xE1\ + \ de acuerdo con lo que se indica a continuaci\xF3n:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + ref_id: op.acc.1.1 + description: "Se podr\xE1 utilizar como identificador \xFAnico los sistemas\ + \ de identificaci\xF3n previstos en la normativa de aplicaci\xF3n, entre ellos,\ + \ los sistemas de clave concertada y cualquier otro sistema que las administraciones\ + \ consideren v\xE1lido en los t\xE9rminos y condiciones establecidos en la\ + \ Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Com\xFAn\ + \ de las Administraciones P\xFAblicas." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + ref_id: op.acc.1.2 + description: "Cuando el usuario tenga diferentes roles frente al sistema (como\ + \ ciudadano o usuario final, como trabajador del organismo o como administrador\ + \ de los sistemas, por ejemplo) recibir\xE1 identificadores singulares para\ + \ cada perfil, de forma que se recaben siempre los correspondientes registros\ + \ de actividad, delimit\xE1ndose los privilegios correspondientes a cada perfil." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + ref_id: op.acc.1.3 + description: " Cada entidad (entidad, usuario o proceso) que accede al sistema,\ + \ contar\xE1 con un identificador singular que permita conocer el destinatario\ + \ de los mismos y los derechos de acceso que recibe, as\xED como las acciones\ + \ realizadas por cada entidad." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + ref_id: op.acc.1.4 + description: "Las cuentas de usuario se gestionar\xE1n de la siguiente forma:" + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4 + ref_id: op.acc.1.4.a + description: "Cada cuenta (de entidad, usuario o proceso) estar\xE1 asociada\ + \ a un identificador \xFAnico." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4 + ref_id: op.acc.1.4.b + description: "Las cuentas deben ser inhabilitadas en los siguientes casos: cuando\ + \ el usuario deja la organizaci\xF3n; cuando el usuario cesa en la funci\xF3\ + n para la cual se requer\xEDa la cuenta de usuario; o, cuando la persona que\ + \ la autoriz\xF3 da orden en sentido contrario." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.4 + ref_id: op.acc.1.4.c + description: "Las cuentas se retendr\xE1n durante el periodo necesario para\ + \ atender a las necesidades de trazabilidad de los registros de actividad\ + \ asociados a las mismas. A este periodo se le denominar\xE1 \xABperiodo de\ + \ retenci\xF3n\xBB." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node368 + ref_id: op.acc.1.5 + description: "En los supuestos de comunicaciones electr\xF3nicas, las partes\ + \ intervinientes se identificar\xE1n atendiendo a los mecanismos previstos\ + \ en la legislaci\xF3n europea y nacional en la materia, con la siguiente\ + \ correspondencia entre los niveles de la dimensi\xF3n de autenticidad de\ + \ los sistemas de informaci\xF3n a los que se tiene acceso y los niveles de\ + \ seguridad (bajo, sustancial, alto) de los sistemas de identificaci\xF3n\ + \ electr\xF3nica previstos en el Reglamento (UE) n.\xBA 910/2014, del Parlamento\ + \ Europeo y del Consejo, de 23 de julio de 2014, relativo a la identificaci\xF3\ + n electr\xF3nica y los servicios de confianza para las transacciones electr\xF3\ + nicas en el mercado interior y por el que se deroga la Directiva 1999/93/CE\ + \ y sus normas de desarrollo o ejecuci\xF3n que resulten de aplicaci\xF3n:" + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5 + ref_id: op.acc.1.5.a + description: "Si se requiere un nivel BAJO en la dimensi\xF3n de autenticidad\ + \ (anexo I): Nivel de seguridad bajo, sustancial o alto (art\xEDculo 8 del\ + \ Reglamento (UE) n.\xBA 910/2014)." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5 + ref_id: op.acc.1.5.b + description: "Si se requiere un nivel MEDIO en la dimensi\xF3n de autenticidad\ + \ (anexo I): Nivel de seguridad sustancial o alto (art\xEDculo 8 del Reglamento\ + \ (UE) n.\xBA 910/2014)." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.1.5 + ref_id: op.acc.1.5.c + description: "Si se requiere un nivel ALTO en la dimensi\xF3n de autenticidad\ + \ (anexo I): Nivel de seguridad alto (art\xEDculo 8 del Reglamento (UE) n.\xBA\ + \ 910/2014)." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad y autenticidad).\n\ + \u2013 Nivel BAJO: op.acc.1.\n\u2013 Nivel MEDIO: op.acc.1 +R1.\n\u2013 Nivel\ + \ ALTO: op.acc.1+ R1.\nRefuerzo R1-Identificaci\xF3n avanzada.\n\u2013 [op.acc.1.r1.1]\ + \ La identificaci\xF3n del usuario permitir\xE1 al Responsable del Sistema,\ + \ al Responsable de la Seguridad o a sus respectivos administradores delegados,\ + \ singularizar a la persona asociada al mismo, as\xED como sus responsabilidades\ + \ en el sistema.\n\u2013 [op.acc.1.r1.2] Los datos de identificaci\xF3n ser\xE1\ + n utilizados por el sistema para determinar los privilegios del usuario conforme\ + \ a los requisitos de control de acceso establecidos en la documentaci\xF3\ + n de seguridad.\n\u2013 [op.acc.1.r1.3] Se asegurar\xE1 la existencia de una\ + \ lista actualizada de usuarios autorizados y mantenida por el administrador\ + \ del sistema/de la seguridad del sistema.\nP\xE1gina 39" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.2 + name: Requisitos de acceso + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2 + ref_id: op.acc.2.1 + description: "Los recursos del sistema se proteger\xE1n con alg\xFAn mecanismo\ + \ que impida su utilizaci\xF3n, salvo a las entidades que disfruten de derechos\ + \ de acceso suficientes." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.2.\n\u2013 Nivel MEDIO: op.acc.2.\n\ + \u2013 Nivel ALTO: op.acc.2+ R1.\nRefuerzo R1-Privilegios de acceso.\n\u2013\ + \ [op.acc.2.r1.1] Todos los usuarios autorizados deben tener un conjunto de\ + \ atributos de seguridad (privilegios) que puedan ser mantenidos individualmente.\n\ + \u2013 [op.acc.2.r1.2] Los privilegios de acceso se implementar\xE1n para\ + \ restringir el tipo de acceso que un usuario puede tener (lectura, escritura,\ + \ modificaci\xF3n, borrado, etc.).\nRefuerzo R2-Control de acceso a dispositivos.\n\ + \u2013 [op.acc.2.r2.1] Se dispondr\xE1 de soluciones que permitan establecer\ + \ controles de acceso a los dispositivos en funci\xF3n de la pol\xEDtica de\ + \ seguridad de la organizaci\xF3n.\nP\xE1gina 40" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2 + ref_id: op.acc.2.2 + description: " Los derechos de acceso de cada recurso, se establecer\xE1n seg\xFA\ + n las decisiones de la persona responsable del recurso, ateni\xE9ndose a la\ + \ pol\xEDtica y normativa de seguridad del sistema." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.2.\n\u2013 Nivel MEDIO: op.acc.2.\n\ + \u2013 Nivel ALTO: op.acc.2+ R1.\nRefuerzo R1-Privilegios de acceso.\n\u2013\ + \ [op.acc.2.r1.1] Todos los usuarios autorizados deben tener un conjunto de\ + \ atributos de seguridad (privilegios) que puedan ser mantenidos individualmente.\n\ + \u2013 [op.acc.2.r1.2] Los privilegios de acceso se implementar\xE1n para\ + \ restringir el tipo de acceso que un usuario puede tener (lectura, escritura,\ + \ modificaci\xF3n, borrado, etc.).\nRefuerzo R2-Control de acceso a dispositivos.\n\ + \u2013 [op.acc.2.r2.1] Se dispondr\xE1 de soluciones que permitan establecer\ + \ controles de acceso a los dispositivos en funci\xF3n de la pol\xEDtica de\ + \ seguridad de la organizaci\xF3n.\nP\xE1gina 40" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.2 + ref_id: op.acc.2.3 + description: "Particularmente, se controlar\xE1 el acceso a los componentes\ + \ del sistema operativo y a sus ficheros o registros de configuraci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.2.\n\u2013 Nivel MEDIO: op.acc.2.\n\ + \u2013 Nivel ALTO: op.acc.2+ R1.\nRefuerzo R1-Privilegios de acceso.\n\u2013\ + \ [op.acc.2.r1.1] Todos los usuarios autorizados deben tener un conjunto de\ + \ atributos de seguridad (privilegios) que puedan ser mantenidos individualmente.\n\ + \u2013 [op.acc.2.r1.2] Los privilegios de acceso se implementar\xE1n para\ + \ restringir el tipo de acceso que un usuario puede tener (lectura, escritura,\ + \ modificaci\xF3n, borrado, etc.).\nRefuerzo R2-Control de acceso a dispositivos.\n\ + \u2013 [op.acc.2.r2.1] Se dispondr\xE1 de soluciones que permitan establecer\ + \ controles de acceso a los dispositivos en funci\xF3n de la pol\xEDtica de\ + \ seguridad de la organizaci\xF3n.\nP\xE1gina 40" + implementation_groups: + - BAJO + - ' MEDIO' + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.3 + name: "Segregaci\xF3n de funciones y tareas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node385 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3 + description: "El sistema de control de acceso se organizar\xE1 de forma que\ + \ se exija la concurrencia de dos o m\xE1s personas para realizar tareas cr\xED\ + ticas, anulando la posibilidad de que un solo individuo autorizado pueda abusar\ + \ de sus derechos para cometer alguna acci\xF3n il\xEDcita o no autorizada." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3 + ref_id: op.acc.3.1 + description: "Siempre que sea posible, las capacidades de desarrollo y operaci\xF3\ + n no recaer\xE1n en la misma persona." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: no aplica.\n\u2013 Nivel MEDIO: op.acc.3.\n\ + \u2013 Nivel ALTO: op.acc.3 + R1.\nRefuerzo R1-Segregaci\xF3n rigurosa.\n\u2013\ + \ [op.acc.3.r1.1] Siempre que sea posible, la misma persona no aunar\xE1 funciones\ + \ de configuraci\xF3n y mantenimiento del sistema.\n\u2013 [op.acc.3.r1.2]\ + \ La misma persona no puede aunar funciones de auditor\xEDa o supervisi\xF3\ + n con cualquier otra funci\xF3n.\nRefuerzo R2-Privilegios de auditor\xEDa.\n\ + \u2013 [op.acc.3.r2.1] Existir\xE1n cuentas con privilegios de auditor\xED\ + a estrictamente controladas y personalizadas.\nRefuerzo R3-Acceso a la informaci\xF3\ + n de seguridad.\n\u2013 [op.acc.3.r3.1] El acceso a la informaci\xF3n de seguridad\ + \ del sistema estar\xE1 permitido \xFAnicamente a los administradores de seguridad/sistema\ + \ autorizados, utilizando los mecanismos de acceso imprescindibles (consola,\ + \ interfaz web, acceso remoto, etc.).\nP\xE1ginas 40-41" + implementation_groups: + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.3 + ref_id: op.acc.3.2 + description: "Siempre que sea posible, las personas que autorizan y controlan\ + \ el uso ser\xE1n distintas." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: no aplica.\n\u2013 Nivel MEDIO: op.acc.3.\n\ + \u2013 Nivel ALTO: op.acc.3 + R1.\nRefuerzo R1-Segregaci\xF3n rigurosa.\n\u2013\ + \ [op.acc.3.r1.1] Siempre que sea posible, la misma persona no aunar\xE1 funciones\ + \ de configuraci\xF3n y mantenimiento del sistema.\n\u2013 [op.acc.3.r1.2]\ + \ La misma persona no puede aunar funciones de auditor\xEDa o supervisi\xF3\ + n con cualquier otra funci\xF3n.\nRefuerzo R2-Privilegios de auditor\xEDa.\n\ + \u2013 [op.acc.3.r2.1] Existir\xE1n cuentas con privilegios de auditor\xED\ + a estrictamente controladas y personalizadas.\nRefuerzo R3-Acceso a la informaci\xF3\ + n de seguridad.\n\u2013 [op.acc.3.r3.1] El acceso a la informaci\xF3n de seguridad\ + \ del sistema estar\xE1 permitido \xFAnicamente a los administradores de seguridad/sistema\ + \ autorizados, utilizando los mecanismos de acceso imprescindibles (consola,\ + \ interfaz web, acceso remoto, etc.).\nP\xE1ginas 40-41" + implementation_groups: + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.4 + name: "Proceso de gesti\xF3n de derechos de acceso " + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4 + description: "Los derechos de acceso de cada entidad, usuario o proceso se limitar\xE1\ + n atendiendo a los siguientes principios:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + ref_id: op.acc.4.1 + description: "Todo acceso estar\xE1 prohibido, salvo autorizaci\xF3n expresa." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\nNivel BAJO: op.acc.4.\nNivel MEDIO: op.acc.4.\nNivel ALTO:\ + \ op.acc.4.\nP\xE1gina 41" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + ref_id: op.acc.4.2 + description: "M\xEDnimo privilegio: los privilegios de cada entidad, usuario\ + \ o proceso se reducir\xE1n al m\xEDnimo imprescindible para cumplir sus obligaciones\ + \ o funciones." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\nNivel BAJO: op.acc.4.\nNivel MEDIO: op.acc.4.\nNivel ALTO:\ + \ op.acc.4.\nP\xE1gina 41" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + ref_id: op.acc.4.3 + description: "Necesidad de conocer y responsabilidad de compartir: los privilegios\ + \ se asignar\xE1n de forma que las entidades, usuarios o procesos s\xF3lo\ + \ acceder\xE1n al conocimiento de aquella informaci\xF3n requerida para cumplir\ + \ sus obligaciones o funciones. La informaci\xF3n es patrimonio del organismo\ + \ y toda aquella que resulte necesaria para el usuario estar\xE1 a su disposici\xF3\ + n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\nNivel BAJO: op.acc.4.\nNivel MEDIO: op.acc.4.\nNivel ALTO:\ + \ op.acc.4.\nP\xE1gina 41" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + ref_id: op.acc.4.4 + description: "Capacidad de autorizar: Exclusivamente el personal con competencia\ + \ para ello podr\xE1 conceder, alterar o anular la autorizaci\xF3n de acceso\ + \ a los recursos, conforme a los criterios establecidos por su responsable.\ + \ Los permisos de acceso se revisar\xE1n de forma peri\xF3dica." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\nNivel BAJO: op.acc.4.\nNivel MEDIO: op.acc.4.\nNivel ALTO:\ + \ op.acc.4.\nP\xE1gina 41" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.4.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node389 + ref_id: op.acc.4.5 + description: "Se establecer\xE1 una pol\xEDtica espec\xEDfica de acceso remoto,\ + \ requiri\xE9ndose autorizaci\xF3n expresa." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\nNivel BAJO: op.acc.4.\nNivel MEDIO: op.acc.4.\nNivel ALTO:\ + \ op.acc.4.\nP\xE1gina 41" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.5 + name: "Mecanismo de autenticaci\xF3n (usuarios externos)" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5 + description: "Referente a usuarios que no son usuarios de la organizaci\xF3\ + n. Las gu\xEDas CCN-STIC desarrollar\xE1n los mecanismos y calidades exigibles\ + \ a cada tipo de factor de autenticaci\xF3n en funci\xF3n de los niveles de\ + \ seguridad requeridos por el sistema de informaci\xF3n el que se accede y\ + \ los privilegios concedidos al usuario." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.1 + description: "Antes de proporcionar las credenciales de autenticaci\xF3n a las\ + \ entidades, usuarios o procesos, estos deber\xE1n haberse identificado y\ + \ registrado de manera fidedigna ante el sistema o ante un Prestador Cualificado\ + \ de Servicios de Confianza o un proveedor de identidad electr\xF3nica reconocido\ + \ por las administraciones p\xFAblicas, de conformidad con lo dispuesto en\ + \ la Ley 39/2015, de 1 de octubre." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.2 + description: "Antes de activar el mecanismo de autenticaci\xF3n, el usuario\ + \ reconocer\xE1 que las ha recibido y que conoce y acepta las obligaciones\ + \ que implica su tenencia, en particular, el deber de custodia diligente,\ + \ la protecci\xF3n de su confidencialidad y el deber de notificaci\xF3n inmediata\ + \ en caso de p\xE9rdida" + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.3 + description: "Las credenciales estar\xE1n bajo el control exclusivo del usuario\ + \ y se activar\xE1n una vez est\xE9n bajo su control efectivo." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.4 + description: "Las credenciales se cambiar\xE1n con una periodicidad marcada\ + \ por la pol\xEDtica de seguridad de la organizaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.5 + description: "Las credenciales ser\xE1n inhabilitadas -pudiendo ser regeneradas,\ + \ en su caso-, cuando conste o se sospeche su p\xE9rdida, compromiso o revelaci\xF3\ + n a entidades (personas, equipos o procesos) no autorizadas" + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.6 + description: "Las credenciales ser\xE1n inhabilitadas cuando la entidad (persona,\ + \ equipo o proceso) que autentican termina su relaci\xF3n con el sistema." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.7 + description: "Antes de autorizar el acceso, la informaci\xF3n presentada por\ + \ el sistema ser\xE1 la m\xEDnima imprescindible para que el usuario se autentique,\ + \ evitando todo aquello que pueda, directa o indirectamente, revelar informaci\xF3\ + n sobre el sistema o la cuenta, sus caracter\xEDsticas, su operaci\xF3n o\ + \ su estado. Las credenciales solamente se validar\xE1n cuando se tengan todos\ + \ los datos necesarios y, si se rechaza, no se informar\xE1 del motivo del\ + \ rechazo." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.8 + description: "El n\xFAmero de intentos permitidos ser\xE1 limitado, bloqueando\ + \ la oportunidad de acceso una vez superado tal n\xFAmero, y requiriendo una\ + \ intervenci\xF3n espec\xEDfica para reactivar la cuenta, que se describir\xE1\ + \ en la documentaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.5.9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node396 + ref_id: op.acc.5.9 + description: "El sistema informar\xE1 al usuario de sus derechos u obligaciones\ + \ inmediatamente despu\xE9s de obtener el acceso." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.5 + [R1 o R2 o R3 o R4].\n\u2013\ + \ Nivel MEDIO: op.acc.5 + [R2 o R3 o R4] + R5.\n\u2013 Nivel ALTO: op.acc.5\ + \ + [R2 o R3 o R4] + R5.\nRefuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.5.r1.1]\ + \ Se emplear\xE1 una contrase\xF1a como mecanismo de autenticaci\xF3n.\n\u2013\ + \ [op.acc.5.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + OTP.\n\u2013 [op.acc.5.r2.1] Se requerir\xE1 una contrase\xF1a de un solo\ + \ uso (OTP, en ingl\xE9s) como complemento a la contrase\xF1a de usuario.\n\ + Refuerzo R3-Certificados.\n\u2013 [op.acc.5.r3.1] Se emplear\xE1n certificados\ + \ cualificados como mecanismo de autenticaci\xF3n.\n\u2013 [op.acc.5.r3.2]\ + \ El uso del certificado estar\xE1 protegido por un segundo factor, del tipo\ + \ PIN o biom\xE9trico.\n\u2013 [op.acc.5.r3.3] Las credenciales utilizadas\ + \ deber\xE1n haber sido obtenidas tras un registro previo presencial, o bien\ + \ telem\xE1tico, usando un certificado electr\xF3nico cualificado.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.5.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.5.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\n\u2013 [op.acc.5.r4.3]\ + \ Las credenciales utilizadas deber\xE1n haber sido obtenidas tras un registro\ + \ previo presencial, o bien telem\xE1tico, usando certificado electr\xF3nico\ + \ cualificado.\nRefuerzo R5-Registro.\n\u2013 [op.acc.5.r5.1] Se registrar\xE1\ + n los accesos con \xE9xito y los fallidos.\n\u2013 [op.acc.5.r5.2] Se informar\xE1\ + \ al usuario del \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3\ + n de la ventana de acceso.\n\u2013 [op.acc.5.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.5.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nP\xE1ginas 42-43" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc + ref_id: op.acc.6 + name: "Mecanismo de autenticaci\xF3n (usuarios de la organizaci\xF3n)" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6 + description: "Esta medida se refiere a personal del organismo, propio o contratado,\ + \ estable o circunstancial, que pueda tener acceso a informaci\xF3n contenida\ + \ en el sistema. Las gu\xEDas CCN-STIC desarrollar\xE1n los mecanismos y calidades\ + \ exigibles a cada tipo de factor de autenticaci\xF3n, en funci\xF3n de los\ + \ niveles de seguridad requeridos por el sistema de informaci\xF3n el que\ + \ se accede y los privilegios concedidos al usuario." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.1 + description: "Antes de proporcionar las credenciales a los usuarios, estos deber\xE1\ + n conocer y aceptar la pol\xEDtica de seguridad del organismo en los aspectos\ + \ que les afecten." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.2 + description: "Antes de activar el mecanismo de autenticaci\xF3n, el usuario\ + \ reconocer\xE1 que ha recibido las credenciales de acceso y que conoce y\ + \ acepta las obligaciones que implica su tenencia, en particular, el deber\ + \ de custodia diligente, la protecci\xF3n de su confidencialidad y el deber\ + \ de notificaci\xF3n inmediata en caso de p\xE9rdida." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.3 + description: "Las credenciales estar\xE1n bajo el control exclusivo del usuario\ + \ y se activar\xE1n una vez est\xE9n bajo su control efectivo." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.4 + description: "Las credenciales se cambiar\xE1n con una periodicidad marcada\ + \ por la pol\xEDtica de seguridad de la organizaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.5 + description: "Las credenciales ser\xE1n inhabilitadas -pudiendo ser regeneradas,\ + \ en su caso-, cuando conste o se sospeche su p\xE9rdida, compromiso o revelaci\xF3\ + n a entidades (personas, equipos o procesos) no autorizadas." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.6 + description: " Las credenciales ser\xE1n inhabilitadas cuando el usuario que\ + \ autentican termina su relaci\xF3n con el sistema." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.7 + description: "Antes de autorizar el acceso, la informaci\xF3n presentada por\ + \ el sistema ser\xE1 la m\xEDnima imprescindible para que el usuario se autentique,\ + \ evitando todo aquello que pueda, directa o indirectamente, revelar informaci\xF3\ + n sobre el sistema o la cuenta, sus caracter\xEDsticas, su operaci\xF3n o\ + \ su estado. Las credenciales solamente se validar\xE1n cuando se tengan todos\ + \ los datos necesarios y, si se rechaza, no se informar\xE1 del motivo del\ + \ rechazo." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.8 + description: "El n\xFAmero de intentos permitidos ser\xE1 limitado, bloqueando\ + \ la oportunidad de acceso una vez superado tal n\xFAmero, y requiriendo una\ + \ intervenci\xF3n espec\xEDfica para reactivar la cuenta, que se describir\xE1\ + \ en la documentaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.acc.6.9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node407 + ref_id: op.acc.6.9 + description: "El sistema informar\xE1 al usuario de sus derechos u obligaciones\ + \ inmediatamente despu\xE9s de obtener el acceso." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad, integridad, trazabilidad\ + \ y autenticidad).\n\u2013 Nivel BAJO: op.acc.6 + [R1 o R2 o R3 o R4] + R8\ + \ + R9.\n\u2013 Nivel MEDIO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R8 + R9.\n\ + \u2013 Nivel ALTO: op.acc.6 + [R1 o R2 o R3 o R4] + R5 + R6 + R7 + R8 + R9.\n\ + Refuerzo R1-Contrase\xF1as.\n\u2013 [op.acc.6.r1.1] Se emplear\xE1 una contrase\xF1\ + a como mecanismo de autenticaci\xF3n cuando el acceso se realiza desde zonas\ + \ controladas y sin atravesar zonas no controladas (v\xE9ase refuerzo R8).\n\ + \u2013 [op.acc.6.r1.2] Se impondr\xE1n normas de complejidad m\xEDnima y robustez\ + \ frente a ataques de adivinaci\xF3n (ver gu\xEDas CCN-STIC).\nRefuerzo R2-Contrase\xF1\ + a + otro factor de autenticaci\xF3n.\n\u2013 [op.acc.6.r2.1] Se requerir\xE1\ + \ un segundo factor tal como \xABalgo que se tiene\xBB, es decir, un dispositivo,\ + \ una contrase\xF1a de un solo uso (OTP, en ingl\xE9s) como complemento a\ + \ la contrase\xF1a de usuario, o \xABalgo que se es\xBB.\nRefuerzo R3-Certificados.\n\ + \u2013 [op.acc.6.r3.1] Se emplear\xE1n certificados cualificados como mecanismo\ + \ de autenticaci\xF3n.\n\u2013 [op.acc.6.r3.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R4-Certificados en dispositivo f\xEDsico.\n\u2013 [op.acc.6.r4.1] Se emplear\xE1\ + n certificados cualificados como mecanismo de autenticaci\xF3n, en soporte\ + \ f\xEDsico (tarjeta o similar) usando algoritmos, par\xE1metros y dispositivos\ + \ autorizados por el CCN.\n\u2013 [op.acc.6.r4.2] El uso del certificado estar\xE1\ + \ protegido por un segundo factor, del tipo PIN o biom\xE9trico.\nRefuerzo\ + \ R5-Registro.\n\u2013 [op.acc.6.r5.1] Se registrar\xE1n los accesos con \xE9\ + xito y los fallidos.\n\u2013 [op.acc.6.r5.2] Se informar\xE1 al usuario del\ + \ \xFAltimo acceso efectuado con su identidad.\nRefuerzo R6-Limitaci\xF3n\ + \ de la ventana de acceso.\n\u2013 [op.acc.6.r6.1] Se definir\xE1n aquellos\ + \ puntos en los que el sistema requerir\xE1 una renovaci\xF3n de la autenticaci\xF3\ + n del usuario, mediante identificaci\xF3n singular, no bastando con la sesi\xF3\ + n establecida.\nRefuerzo R7-Suspensi\xF3n por no utilizaci\xF3n.\n\u2013 [op.acc.6.r7.1]\ + \ Las credenciales se suspender\xE1n tras un periodo definido de no utilizaci\xF3\ + n.\nRefuerzo R8-Doble factor para acceso desde o a trav\xE9s de zonas no controladas.\n\ + Se denomina \xABzona controlada\xBB aquella que no es de acceso p\xFAblico,\ + \ requiri\xE9ndose que el usuario, antes de tener acceso al equipo, se haya\ + \ autenticado previamente de alguna forma (control de acceso a las instalaciones),\ + \ diferente del mecanismo de autenticaci\xF3n l\xF3gica frente al sistema.\ + \ Un ejemplo de zona no controlada es Internet.\n\u2013 [op.acc.6.r8.1] Para\ + \ el acceso desde o a trav\xE9s de zonas no controladas se requerir\xE1 un\ + \ doble factor de autenticaci\xF3n: R2, R3 o R4.\nRefuerzo R9-Acceso remoto\ + \ (todos los niveles).\n\u2013 [op.acc.6.r9.1] Ser\xE1 de aplicaci\xF3n la\ + \ ITS de Interconexi\xF3n de sistemas de informaci\xF3n.\n\u2013 [op.acc.6.r9.2]\ + \ El acceso remoto deber\xE1 considerar los siguientes aspectos:\na) Ser autorizado\ + \ por la autoridad correspondiente.\nb) El tr\xE1fico deber\xE1 ser cifrado.\n\ + c) Si la utilizaci\xF3n no se produce de manera constante, el acceso remoto\ + \ deber\xE1 encontrarse inhabilitado y habilitarse \xFAnicamente cuando sea\ + \ necesario.\nd) Deber\xE1n recogerse registros de auditor\xEDa de este tipo\ + \ de conexiones.\nP\xE1ginas 44-45" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - I + - T + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.exp + name: "Explotaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.1 + name: Inventario de activos + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.1 + ref_id: op.exp.1.1 + description: "Se mantendr\xE1 un inventario actualizado de todos los elementos\ + \ del sistema, detallando su naturaleza e identificando a su responsable;\ + \ es decir, la persona que toma las decisiones relativas al mismo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.1.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.1.\n\u2013 Categor\xEDa ALTA: op.exp.1.\n\ + Refuerzo R1-Inventario de etiquetado.\n\u2013 [op.exp.1.r1.1] El etiquetado\ + \ del equipamiento y del cableado formar\xE1 parte del inventario.\nRefuerzo\ + \ R2-Identificaci\xF3n peri\xF3dica de activos.\n\u2013 [op.exp.1.r2.1] Se\ + \ dispondr\xE1 de herramientas que permitan visualizar de forma continua el\ + \ estado de todos los equipos en la red, en particular, los servidores y los\ + \ dispositivos de red y de comunicaciones.\nRefuerzo R3-Identificaci\xF3n\ + \ de activos cr\xEDticos.\n\u2013 [op.exp.1.r3.1] Se dispondr\xE1 de herramientas\ + \ que permitan categorizar los activos cr\xEDticos por contexto de la organizaci\xF3\ + n y riesgos de seguridad.\nRefuerzo R4-Lista de componentes software.\n\u2013\ + \ [op.exp.1.r4.1] Se mantendr\xE1 actualizada una relaci\xF3n formal de los\ + \ componentes software de terceros empleados en el despliegue del sistema.\ + \ Esta lista incluir\xE1 librer\xEDas software y los servicios requeridos\ + \ para su despliegue (plataforma o entorno operacional). El contenido de la\ + \ lista de componentes ser\xE1 equivalente a lo requerido en [mp.sw.1.r5].\n\ + P\xE1ginas 45-46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.2 + name: " Configuraci\xF3n de seguridad " + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node421 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2 + description: "Se configurar\xE1n los equipos previamente a su entrada en operaci\xF3\ + n, de forma que:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node421 + ref_id: op.exp.2.1 + description: "Se retiren cuentas y contrase\xF1as est\xE1ndar." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node421 + ref_id: op.exp.2.2 + description: "Se aplicar\xE1 la regla de \xABm\xEDnima funcionalidad\xBB, es\ + \ decir:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.2.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.2 + ref_id: op.exp.2.2.a + description: "El sistema debe proporcionar la funcionalidad m\xEDnima imprescindible\ + \ para que la organizaci\xF3n alcance sus objetivos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.2.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.2 + ref_id: op.exp.2.2.b + description: "No proporcionar\xE1 funciones injustificadas (de operaci\xF3n,\ + \ administraci\xF3n o auditor\xEDa) al objeto de reducir al m\xEDnimo su per\xED\ + metro de exposici\xF3n, elimin\xE1ndose o desactiv\xE1ndose aquellas funciones\ + \ que sean innecesarias o inadecuadas al fin que se persigue." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node421 + ref_id: op.exp.2.3 + description: "Se aplicar\xE1 la regla de \xABseguridad por defecto\xBB, es decir:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3 + ref_id: op.exp.2.3.a + description: "Las medidas de seguridad ser\xE1n respetuosas con el usuario y\ + \ proteger\xE1n a \xE9ste, salvo que se exponga conscientemente a un riesgo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3 + ref_id: op.exp.2.3.b + description: "Para reducir la seguridad, el usuario tendr\xE1 que realizar acciones\ + \ conscientes" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.3 + ref_id: op.exp.2.3.c + description: "El uso natural, en los casos que el usuario no ha consultado el\ + \ manual, ser\xE1 un uso seguro." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.2.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node421 + ref_id: op.exp.2.4 + description: "Las m\xE1quinas virtuales estar\xE1n configuradas y gestionadas\ + \ de un modo seguro. La gesti\xF3n del parcheado, cuentas de usuarios, software\ + \ antivirus, etc. se realizar\xE1 como si se tratara de m\xE1quinas f\xED\ + sicas, incluyendo la m\xE1quina anfitriona." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.2.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.2.\n\u2013 Categor\xEDa ALTA: op.exp.2.\n\ + P\xE1gina 46" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.3 + name: "Gesti\xF3n de la configuraci\xF3n de seguridad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3 + description: "Se gestionar\xE1 de forma continua la configuraci\xF3n de los\ + \ componentes del sistema, de forma que:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.1 + description: "Se mantenga en todo momento la regla de \"funcionalidad m\xED\ + nima\" ([op.exp.2])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.2 + description: "Se mantenga en todo momento la regla de \"m\xEDnimo privilegio\"\ + \ ([op.exp.2])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.3 + description: El sistema se adapte a las nuevas necesidades, previamente autorizadas. + (Ver [op.acc.4]). + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.4 + description: El sistema reaccione a vulnerabilidades notificadas. (Ver [op.exp.4]). + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.5 + description: El sistema reaccione a incidentes. (Ver [op.exp.7]). + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.3.6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node432 + ref_id: op.exp.3.6 + description: "La configuraci\xF3n de seguridad solamente podr\xE1 editarse por\ + \ personal debidamente autorizado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.3.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.3 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.3\ + \ + R1 + R2 + R3.\nRefuerzo R1-Mantenimiento regular de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r1.1] Existir\xE1n configuraciones hardware/software,\ + \ autorizadas y mantenidas regularmente, para los servidores, elementos de\ + \ red y estaciones de trabajo.\n\u2013 [op.exp.3.r1.2] Se verificar\xE1 peri\xF3\ + dicamente la configuraci\xF3n hardware/software del sistema para asegurar\ + \ que no se han introducido ni instalado elementos no autorizados.\n\u2013\ + \ [op.exp.3.r1.3] Se mantendr\xE1 una lista de servicios autorizados para\ + \ servidores y estaciones de trabajo.\nRefuerzo R2-Responsabilidad de la configuraci\xF3\ + n.\n\u2013 [op.exp.3.r2.1] La configuraci\xF3n de seguridad del sistema operativo\ + \ y aplicaciones, tanto de estaciones y servidores como de la electr\xF3nica\ + \ de red del sistema, ser\xE1 responsabilidad de un n\xFAmero muy limitado\ + \ de administradores del sistema.\nRefuerzo R3-Copias de seguridad.\n\u2013\ + \ [op.exp.3.r3.1] Se realizar\xE1n copias de seguridad de la configuraci\xF3\ + n del sistema de forma que sea posible reconstruirlo en parte o en su totalidad\ + \ tras un incidente.\nRefuerzo R4-Aplicaci\xF3n de la configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r4.1] La configuraci\xF3n de seguridad del sistema operativo y\ + \ de las aplicaciones se mantendr\xE1 actualizada a trav\xE9s de una aplicaci\xF3\ + n o procedimiento manual que permita la instalaci\xF3n de las correspondientes\ + \ modificaciones de versi\xF3n y actualizaciones de seguridad oportunas.\n\ + Refuerzo R5-Control del estado de seguridad de la Configuraci\xF3n.\n\u2013\ + \ [op.exp.3.r5.1] Se dispondr\xE1 de herramientas que permitan conocer de\ + \ forma peri\xF3dica el estado de seguridad de la configuraci\xF3n de los\ + \ dispositivos de red y, en el caso de que resulte deficiente, permitir su\ + \ correcci\xF3n.\nP\xE1gina 47" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.4 + name: Mantenimiento y actualizaciones de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node440 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.4 + description: "Para mantener el equipamiento f\xEDsico y l\xF3gico que constituye\ + \ el sistema, se aplicar\xE1 lo siguiente:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node440 + ref_id: op.exp.4.1 + description: "Se atender\xE1 a las especificaciones de los fabricantes en lo\ + \ relativo a instalaci\xF3n y mantenimiento de los sistemas, lo que incluir\xE1\ + \ un seguimiento continuo de los anuncios de defectos" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.4.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.4 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.4\ + \ + R1 + R2.\nRefuerzo R1-Pruebas en preproducci\xF3n.\n[op.exp.4.r1.1] Antes\ + \ de poner en producci\xF3n una nueva versi\xF3n o una versi\xF3n parcheada,\ + \ se comprobar\xE1 en un entorno de prueba controlado y consistente en configuraci\xF3\ + n al entorno de producci\xF3n, que la nueva instalaci\xF3n funciona correctamente\ + \ y no disminuye la eficacia de las funciones necesarias para el trabajo diario.\n\ + Refuerzo R2-Prevenci\xF3n de fallos.\n[op.exp.4.r2.1] Antes de la aplicaci\xF3\ + n de las configuraciones, parches y actualizaciones de seguridad se prever\xE1\ + \ un mecanismo para revertirlos en caso de aparici\xF3n de efectos adversos.\n\ + Refuerzo R3-Actualizaciones y pruebas peri\xF3dicas.\n[op.exp.4.r3.1] Se deber\xE1\ + \ comprobar de forma peri\xF3dica la integridad del firmware utilizado en\ + \ los dispositivos hardware del sistema (infraestructura de red, BIOS, etc.).\ + \ La periodicidad de estas comprobaciones seguir\xE1 las recomendaciones de\ + \ la Gu\xEDa CCN-STIC que sea de aplicaci\xF3n.\nRefuerzo R4 - Monitorizaci\xF3\ + n continua.\n[op.exp.4.r4.1] Se desplegar\xE1 a nivel de sistema una estrategia\ + \ de monitorizaci\xF3n continua de amenazas y vulnerabilidades. Esta estrategia\ + \ detallar\xE1:\n1. Los indicadores cr\xEDticos de seguridad a emplear.\n\ + 2. La pol\xEDtica de aplicaci\xF3n de parches de seguridad de los componentes\ + \ software relacionados en las listas de [op.exp.1.r4], [op.ext.3.r3] y [mp.sw.1.r5]).\n\ + 3. Los criterios de revisi\xF3n regular y excepcional de las amenazas sobre\ + \ el sistema.\nP\xE1gina 48" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node440 + ref_id: op.exp.4.2 + description: "Se dispondr\xE1 de un procedimiento para analizar, priorizar y\ + \ determinar cu\xE1ndo aplicar las actualizaciones de seguridad, parches,\ + \ mejoras y nuevas versiones. La priorizaci\xF3n tendr\xE1 en cuenta la variaci\xF3\ + n del riesgo en funci\xF3n de la implantaci\xF3n o no de la actualizaci\xF3\ + n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.4.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.4 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.4\ + \ + R1 + R2.\nRefuerzo R1-Pruebas en preproducci\xF3n.\n[op.exp.4.r1.1] Antes\ + \ de poner en producci\xF3n una nueva versi\xF3n o una versi\xF3n parcheada,\ + \ se comprobar\xE1 en un entorno de prueba controlado y consistente en configuraci\xF3\ + n al entorno de producci\xF3n, que la nueva instalaci\xF3n funciona correctamente\ + \ y no disminuye la eficacia de las funciones necesarias para el trabajo diario.\n\ + Refuerzo R2-Prevenci\xF3n de fallos.\n[op.exp.4.r2.1] Antes de la aplicaci\xF3\ + n de las configuraciones, parches y actualizaciones de seguridad se prever\xE1\ + \ un mecanismo para revertirlos en caso de aparici\xF3n de efectos adversos.\n\ + Refuerzo R3-Actualizaciones y pruebas peri\xF3dicas.\n[op.exp.4.r3.1] Se deber\xE1\ + \ comprobar de forma peri\xF3dica la integridad del firmware utilizado en\ + \ los dispositivos hardware del sistema (infraestructura de red, BIOS, etc.).\ + \ La periodicidad de estas comprobaciones seguir\xE1 las recomendaciones de\ + \ la Gu\xEDa CCN-STIC que sea de aplicaci\xF3n.\nRefuerzo R4 - Monitorizaci\xF3\ + n continua.\n[op.exp.4.r4.1] Se desplegar\xE1 a nivel de sistema una estrategia\ + \ de monitorizaci\xF3n continua de amenazas y vulnerabilidades. Esta estrategia\ + \ detallar\xE1:\n1. Los indicadores cr\xEDticos de seguridad a emplear.\n\ + 2. La pol\xEDtica de aplicaci\xF3n de parches de seguridad de los componentes\ + \ software relacionados en las listas de [op.exp.1.r4], [op.ext.3.r3] y [mp.sw.1.r5]).\n\ + 3. Los criterios de revisi\xF3n regular y excepcional de las amenazas sobre\ + \ el sistema.\nP\xE1gina 48" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.4.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node440 + ref_id: op.exp.4.3 + description: "El mantenimiento solo podr\xE1 realizarse por personal debidamente\ + \ autorizado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.4.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.4 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.4\ + \ + R1 + R2.\nRefuerzo R1-Pruebas en preproducci\xF3n.\n[op.exp.4.r1.1] Antes\ + \ de poner en producci\xF3n una nueva versi\xF3n o una versi\xF3n parcheada,\ + \ se comprobar\xE1 en un entorno de prueba controlado y consistente en configuraci\xF3\ + n al entorno de producci\xF3n, que la nueva instalaci\xF3n funciona correctamente\ + \ y no disminuye la eficacia de las funciones necesarias para el trabajo diario.\n\ + Refuerzo R2-Prevenci\xF3n de fallos.\n[op.exp.4.r2.1] Antes de la aplicaci\xF3\ + n de las configuraciones, parches y actualizaciones de seguridad se prever\xE1\ + \ un mecanismo para revertirlos en caso de aparici\xF3n de efectos adversos.\n\ + Refuerzo R3-Actualizaciones y pruebas peri\xF3dicas.\n[op.exp.4.r3.1] Se deber\xE1\ + \ comprobar de forma peri\xF3dica la integridad del firmware utilizado en\ + \ los dispositivos hardware del sistema (infraestructura de red, BIOS, etc.).\ + \ La periodicidad de estas comprobaciones seguir\xE1 las recomendaciones de\ + \ la Gu\xEDa CCN-STIC que sea de aplicaci\xF3n.\nRefuerzo R4 - Monitorizaci\xF3\ + n continua.\n[op.exp.4.r4.1] Se desplegar\xE1 a nivel de sistema una estrategia\ + \ de monitorizaci\xF3n continua de amenazas y vulnerabilidades. Esta estrategia\ + \ detallar\xE1:\n1. Los indicadores cr\xEDticos de seguridad a emplear.\n\ + 2. La pol\xEDtica de aplicaci\xF3n de parches de seguridad de los componentes\ + \ software relacionados en las listas de [op.exp.1.r4], [op.ext.3.r3] y [mp.sw.1.r5]).\n\ + 3. Los criterios de revisi\xF3n regular y excepcional de las amenazas sobre\ + \ el sistema.\nP\xE1gina 48" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.5 + name: "Gesti\xF3n de cambios" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5 + description: "Se mantendr\xE1 un control continuo de los cambios realizados\ + \ en el sistema, de forma que:" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + ref_id: op.exp.5.1 + description: "Los cambios se planificar\xE1n para reducir el impacto sobre la\ + \ prestaci\xF3n de los servicios afectados. Para ello, todas las peticiones\ + \ de cambio se registrar\xE1n asignando un n\xFAmero de referencia que permita\ + \ su seguimiento, de forma equivalente al registro de los incidentes." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.exp.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.exp.5+ R1.\nRefuerzo R1-Prevenci\xF3n de fallos.\n\u2013 [op.exp.5.r1.1]\ + \ Antes de la aplicaci\xF3n de los cambios, se deber\xE1 tener en cuenta la\ + \ posibilidad de revertirlos en caso de la aparici\xF3n de efectos adversos.\n\ + \u2013 [op.exp.5.r1.2] Todos los fallos en el software y hardware deber\xE1\ + n ser comunicados al responsable designado en la organizaci\xF3n de la seguridad.\n\ + \u2013 [op.exp.5.r1.3] Todos los cambios en el sistema deber\xE1n documentarse,\ + \ incluyendo una valoraci\xF3n del impacto que dicho cambio supone en la seguridad\ + \ del sistema.\nP\xE1gina 49" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + ref_id: op.exp.5.2 + description: " La informaci\xF3n a registrar para cada petici\xF3n de cambio\ + \ ser\xE1 suficiente para que quien deba autorizarlos no tenga dudas al respecto\ + \ y permita gestionarlo hasta su desestimaci\xF3n o implementaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.exp.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.exp.5+ R1.\nRefuerzo R1-Prevenci\xF3n de fallos.\n\u2013 [op.exp.5.r1.1]\ + \ Antes de la aplicaci\xF3n de los cambios, se deber\xE1 tener en cuenta la\ + \ posibilidad de revertirlos en caso de la aparici\xF3n de efectos adversos.\n\ + \u2013 [op.exp.5.r1.2] Todos los fallos en el software y hardware deber\xE1\ + n ser comunicados al responsable designado en la organizaci\xF3n de la seguridad.\n\ + \u2013 [op.exp.5.r1.3] Todos los cambios en el sistema deber\xE1n documentarse,\ + \ incluyendo una valoraci\xF3n del impacto que dicho cambio supone en la seguridad\ + \ del sistema.\nP\xE1gina 49" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + ref_id: op.exp.5.3 + description: "Las pruebas de preproducci\xF3n, siempre que sea posible realizarlas,\ + \ se efectuar\xE1n en equipos equivalentes a los de producci\xF3n, al menos\ + \ en los aspectos espec\xEDficos del cambio." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.exp.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.exp.5+ R1.\nRefuerzo R1-Prevenci\xF3n de fallos.\n\u2013 [op.exp.5.r1.1]\ + \ Antes de la aplicaci\xF3n de los cambios, se deber\xE1 tener en cuenta la\ + \ posibilidad de revertirlos en caso de la aparici\xF3n de efectos adversos.\n\ + \u2013 [op.exp.5.r1.2] Todos los fallos en el software y hardware deber\xE1\ + n ser comunicados al responsable designado en la organizaci\xF3n de la seguridad.\n\ + \u2013 [op.exp.5.r1.3] Todos los cambios en el sistema deber\xE1n documentarse,\ + \ incluyendo una valoraci\xF3n del impacto que dicho cambio supone en la seguridad\ + \ del sistema.\nP\xE1gina 49" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + ref_id: op.exp.5.4 + description: "Mediante un an\xE1lisis de riesgos se determinar\xE1 si los cambios\ + \ son relevantes para la seguridad del sistema. Aquellos cambios que impliquen\ + \ un riesgo de nivel ALTO deber\xE1n ser aprobados, expl\xEDcitamente, de\ + \ forma previa a su implantaci\xF3n, por el Responsable de la Seguridad." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.exp.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.exp.5+ R1.\nRefuerzo R1-Prevenci\xF3n de fallos.\n\u2013 [op.exp.5.r1.1]\ + \ Antes de la aplicaci\xF3n de los cambios, se deber\xE1 tener en cuenta la\ + \ posibilidad de revertirlos en caso de la aparici\xF3n de efectos adversos.\n\ + \u2013 [op.exp.5.r1.2] Todos los fallos en el software y hardware deber\xE1\ + n ser comunicados al responsable designado en la organizaci\xF3n de la seguridad.\n\ + \u2013 [op.exp.5.r1.3] Todos los cambios en el sistema deber\xE1n documentarse,\ + \ incluyendo una valoraci\xF3n del impacto que dicho cambio supone en la seguridad\ + \ del sistema.\nP\xE1gina 49" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.5.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node445 + ref_id: op.exp.5.5 + description: "Una vez implementado el cambio, se realizar\xE1n las pruebas de\ + \ aceptaci\xF3n convenientes. Si son positivas, se actualizar\xE1 la documentaci\xF3\ + n de configuraci\xF3n (diagramas de red, manuales, el inventario, etc.), siempre\ + \ que proceda." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.exp.5.\n\u2013 Categor\xEDa ALTA:\ + \ op.exp.5+ R1.\nRefuerzo R1-Prevenci\xF3n de fallos.\n\u2013 [op.exp.5.r1.1]\ + \ Antes de la aplicaci\xF3n de los cambios, se deber\xE1 tener en cuenta la\ + \ posibilidad de revertirlos en caso de la aparici\xF3n de efectos adversos.\n\ + \u2013 [op.exp.5.r1.2] Todos los fallos en el software y hardware deber\xE1\ + n ser comunicados al responsable designado en la organizaci\xF3n de la seguridad.\n\ + \u2013 [op.exp.5.r1.3] Todos los cambios en el sistema deber\xE1n documentarse,\ + \ incluyendo una valoraci\xF3n del impacto que dicho cambio supone en la seguridad\ + \ del sistema.\nP\xE1gina 49" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.6 + name: "Protecci\xF3n frente a c\xF3digo da\xF1ino" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + ref_id: op.exp.6.1 + description: "Se dispondr\xE1 de mecanismos de prevenci\xF3n y reacci\xF3n frente\ + \ a c\xF3digo da\xF1ino, incluyendo el correspondiente mantenimiento de acuerdo\ + \ a las recomendaciones del fabricante." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.6.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.6+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.6+\ + \ R1 + R2 + R3 + R4.\nRefuerzo R1-Escaneo peri\xF3dico.\n\u2013 [op.exp.6.r1.1]\ + \ Todo el sistema se escanear\xE1 regularmente para detectar c\xF3digo da\xF1\ + ino.\nRefuerzo R2-Revisi\xF3n preventiva del sistema.\n\u2013 [op.exp.6.r2.1]\ + \ Las funciones cr\xEDticas se analizar\xE1n al arrancar el sistema en prevenci\xF3\ + n de modificaciones no autorizadas.\nRefuerzo R3 - Lista blanca.\n\u2013 [op.exp.6.r3.1]\ + \ Solamente se podr\xE1n ejecutar aquellas aplicaciones previamente autorizadas.\ + \ Se implementar\xE1 una lista blanca para impedir la ejecuci\xF3n de aplicaciones\ + \ no autorizadas.\nRefuerzo R4-Capacidad de respuesta en caso de incidente.\n\ + \u2013 [op.exp.6.r4.1] Se emplear\xE1n herramientas de seguridad orientadas\ + \ a detectar,investigar y resolver actividades sospechosas en puestos de usuario\ + \ y servidores (EDR - Endpoint Detection and Response).\nRefuerzo R5-Configuraci\xF3\ + n de la herramienta de detecci\xF3n de c\xF3digo da\xF1ino.\n\u2013 [op.exp.6.r5.1]\ + \ El software de detecci\xF3n de c\xF3digo da\xF1ino permitir\xE1 realizar\ + \ configuraciones avanzadas y revisar el sistema en el arranque y cada vez\ + \ que se conecte un dispositivo extra\xEDble.\n\u2013 [op.exp.6.r5.2] El software\ + \ de detecci\xF3n de c\xF3digo da\xF1ino instalado en servidores y elementos\ + \ perimetrales deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante.\n\ + P\xE1gina 50" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + ref_id: op.exp.6.2 + description: "Se instalar\xE1 software de protecci\xF3n frente a c\xF3digo da\xF1\ + ino en todos los equipos: puestos de usuario, servidores y elementos perimetrales." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.6.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.6+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.6+\ + \ R1 + R2 + R3 + R4.\nRefuerzo R1-Escaneo peri\xF3dico.\n\u2013 [op.exp.6.r1.1]\ + \ Todo el sistema se escanear\xE1 regularmente para detectar c\xF3digo da\xF1\ + ino.\nRefuerzo R2-Revisi\xF3n preventiva del sistema.\n\u2013 [op.exp.6.r2.1]\ + \ Las funciones cr\xEDticas se analizar\xE1n al arrancar el sistema en prevenci\xF3\ + n de modificaciones no autorizadas.\nRefuerzo R3 - Lista blanca.\n\u2013 [op.exp.6.r3.1]\ + \ Solamente se podr\xE1n ejecutar aquellas aplicaciones previamente autorizadas.\ + \ Se implementar\xE1 una lista blanca para impedir la ejecuci\xF3n de aplicaciones\ + \ no autorizadas.\nRefuerzo R4-Capacidad de respuesta en caso de incidente.\n\ + \u2013 [op.exp.6.r4.1] Se emplear\xE1n herramientas de seguridad orientadas\ + \ a detectar,investigar y resolver actividades sospechosas en puestos de usuario\ + \ y servidores (EDR - Endpoint Detection and Response).\nRefuerzo R5-Configuraci\xF3\ + n de la herramienta de detecci\xF3n de c\xF3digo da\xF1ino.\n\u2013 [op.exp.6.r5.1]\ + \ El software de detecci\xF3n de c\xF3digo da\xF1ino permitir\xE1 realizar\ + \ configuraciones avanzadas y revisar el sistema en el arranque y cada vez\ + \ que se conecte un dispositivo extra\xEDble.\n\u2013 [op.exp.6.r5.2] El software\ + \ de detecci\xF3n de c\xF3digo da\xF1ino instalado en servidores y elementos\ + \ perimetrales deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante.\n\ + P\xE1gina 50" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + ref_id: op.exp.6.3 + description: "Todo fichero procedente de fuentes externas ser\xE1 analizado\ + \ antes de trabajar con \xE9l." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.6.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.6+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.6+\ + \ R1 + R2 + R3 + R4.\nRefuerzo R1-Escaneo peri\xF3dico.\n\u2013 [op.exp.6.r1.1]\ + \ Todo el sistema se escanear\xE1 regularmente para detectar c\xF3digo da\xF1\ + ino.\nRefuerzo R2-Revisi\xF3n preventiva del sistema.\n\u2013 [op.exp.6.r2.1]\ + \ Las funciones cr\xEDticas se analizar\xE1n al arrancar el sistema en prevenci\xF3\ + n de modificaciones no autorizadas.\nRefuerzo R3 - Lista blanca.\n\u2013 [op.exp.6.r3.1]\ + \ Solamente se podr\xE1n ejecutar aquellas aplicaciones previamente autorizadas.\ + \ Se implementar\xE1 una lista blanca para impedir la ejecuci\xF3n de aplicaciones\ + \ no autorizadas.\nRefuerzo R4-Capacidad de respuesta en caso de incidente.\n\ + \u2013 [op.exp.6.r4.1] Se emplear\xE1n herramientas de seguridad orientadas\ + \ a detectar,investigar y resolver actividades sospechosas en puestos de usuario\ + \ y servidores (EDR - Endpoint Detection and Response).\nRefuerzo R5-Configuraci\xF3\ + n de la herramienta de detecci\xF3n de c\xF3digo da\xF1ino.\n\u2013 [op.exp.6.r5.1]\ + \ El software de detecci\xF3n de c\xF3digo da\xF1ino permitir\xE1 realizar\ + \ configuraciones avanzadas y revisar el sistema en el arranque y cada vez\ + \ que se conecte un dispositivo extra\xEDble.\n\u2013 [op.exp.6.r5.2] El software\ + \ de detecci\xF3n de c\xF3digo da\xF1ino instalado en servidores y elementos\ + \ perimetrales deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante.\n\ + P\xE1gina 50" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + ref_id: op.exp.6.4 + description: "Las bases de datos de detecci\xF3n de c\xF3digo da\xF1ino permanecer\xE1\ + n permanentemente actualizadas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.6.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.6+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.6+\ + \ R1 + R2 + R3 + R4.\nRefuerzo R1-Escaneo peri\xF3dico.\n\u2013 [op.exp.6.r1.1]\ + \ Todo el sistema se escanear\xE1 regularmente para detectar c\xF3digo da\xF1\ + ino.\nRefuerzo R2-Revisi\xF3n preventiva del sistema.\n\u2013 [op.exp.6.r2.1]\ + \ Las funciones cr\xEDticas se analizar\xE1n al arrancar el sistema en prevenci\xF3\ + n de modificaciones no autorizadas.\nRefuerzo R3 - Lista blanca.\n\u2013 [op.exp.6.r3.1]\ + \ Solamente se podr\xE1n ejecutar aquellas aplicaciones previamente autorizadas.\ + \ Se implementar\xE1 una lista blanca para impedir la ejecuci\xF3n de aplicaciones\ + \ no autorizadas.\nRefuerzo R4-Capacidad de respuesta en caso de incidente.\n\ + \u2013 [op.exp.6.r4.1] Se emplear\xE1n herramientas de seguridad orientadas\ + \ a detectar,investigar y resolver actividades sospechosas en puestos de usuario\ + \ y servidores (EDR - Endpoint Detection and Response).\nRefuerzo R5-Configuraci\xF3\ + n de la herramienta de detecci\xF3n de c\xF3digo da\xF1ino.\n\u2013 [op.exp.6.r5.1]\ + \ El software de detecci\xF3n de c\xF3digo da\xF1ino permitir\xE1 realizar\ + \ configuraciones avanzadas y revisar el sistema en el arranque y cada vez\ + \ que se conecte un dispositivo extra\xEDble.\n\u2013 [op.exp.6.r5.2] El software\ + \ de detecci\xF3n de c\xF3digo da\xF1ino instalado en servidores y elementos\ + \ perimetrales deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante.\n\ + P\xE1gina 50" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.6 + ref_id: op.exp.6.5 + description: "El software de detecci\xF3n de c\xF3digo da\xF1ino instalado en\ + \ los puestos de usuario deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.6.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.6+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.6+\ + \ R1 + R2 + R3 + R4.\nRefuerzo R1-Escaneo peri\xF3dico.\n\u2013 [op.exp.6.r1.1]\ + \ Todo el sistema se escanear\xE1 regularmente para detectar c\xF3digo da\xF1\ + ino.\nRefuerzo R2-Revisi\xF3n preventiva del sistema.\n\u2013 [op.exp.6.r2.1]\ + \ Las funciones cr\xEDticas se analizar\xE1n al arrancar el sistema en prevenci\xF3\ + n de modificaciones no autorizadas.\nRefuerzo R3 - Lista blanca.\n\u2013 [op.exp.6.r3.1]\ + \ Solamente se podr\xE1n ejecutar aquellas aplicaciones previamente autorizadas.\ + \ Se implementar\xE1 una lista blanca para impedir la ejecuci\xF3n de aplicaciones\ + \ no autorizadas.\nRefuerzo R4-Capacidad de respuesta en caso de incidente.\n\ + \u2013 [op.exp.6.r4.1] Se emplear\xE1n herramientas de seguridad orientadas\ + \ a detectar,investigar y resolver actividades sospechosas en puestos de usuario\ + \ y servidores (EDR - Endpoint Detection and Response).\nRefuerzo R5-Configuraci\xF3\ + n de la herramienta de detecci\xF3n de c\xF3digo da\xF1ino.\n\u2013 [op.exp.6.r5.1]\ + \ El software de detecci\xF3n de c\xF3digo da\xF1ino permitir\xE1 realizar\ + \ configuraciones avanzadas y revisar el sistema en el arranque y cada vez\ + \ que se conecte un dispositivo extra\xEDble.\n\u2013 [op.exp.6.r5.2] El software\ + \ de detecci\xF3n de c\xF3digo da\xF1ino instalado en servidores y elementos\ + \ perimetrales deber\xE1 estar configurado de forma adecuada e implementar\xE1\ + \ protecci\xF3n en tiempo real de acuerdo a las recomendaciones del fabricante.\n\ + P\xE1gina 50" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.7 + name: "Gesti\xF3n de incidentes" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.7.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.7 + ref_id: op.exp.7.1 + description: "Se dispondr\xE1 de un proceso integral para hacer frente a los\ + \ incidentes que puedan tener un impacto en la seguridad del sistema, que\ + \ incluya el informe de eventos de seguridad y debilidades, detallando los\ + \ criterios de clasificaci\xF3n y el escalado de la notificaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.7.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.7+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.7+\ + \ R1 + R2 + R3.\nRefuerzo R1-Notificaci\xF3n.\n\u2013 [op.exp.7.r1.1] Se dispondr\xE1\ + \ de soluciones de ventanilla \xFAnica para la notificaci\xF3n de incidentes\ + \ al CCN-CERT, que permita la distribuci\xF3n de notificaciones a las diferentes\ + \ entidades de manera federada, utilizando para ello dependencias administrativas\ + \ jer\xE1rquicas.\nRefuerzo R2 \u2013Detecci\xF3n y Respuesta.\nEl proceso\ + \ integral para hacer frente a los incidentes que puedan tener un impacto\ + \ en la seguridad del sistema ([op.exp.7.1]) deber\xE1 incluir:\n\u2013 [op.exp.7.r2.1]\ + \ Implantaci\xF3n de medidas urgentes, incluyendo la detenci\xF3n de servicios,\ + \ el aislamiento del sistema afectado, la recogida de evidencias y protecci\xF3\ + n de los registros, seg\xFAn convenga al caso.\n\u2013 [op.exp.7.r2.2] Asignaci\xF3\ + n de recursos para investigar las causas, analizar las consecuencias y resolver\ + \ el incidente.\n\u2013 [op.exp.7.r2.3] Informar del incidente a los responsables\ + \ de la informaci\xF3n y servicios afectados y de las actuaciones llevadas\ + \ a cabo para su resoluci\xF3n.\n\u2013 [op.exp.7.r2.4] Medidas para:\na)\ + \ Prevenir que se repita el incidente.\nb) Incluir en los procedimientos de\ + \ usuario la identificaci\xF3n y forma de tratar el incidente.\nc) Actualizar,\ + \ extender, mejorar u optimizar los procedimientos de resoluci\xF3n de incidentes.\n\ + Refuerzo R3-Reconfiguraci\xF3n din\xE1mica.\nLa reconfiguraci\xF3n din\xE1\ + mica del sistema persigue detener, desviar o limitar ataques, acotando los\ + \ da\xF1os.\n\u2013 [op.exp.7.r3.1] La reconfiguraci\xF3n din\xE1mica incluye,\ + \ por ejemplo, cambios en las reglas de los enrutadores (routers), listas\ + \ de control de acceso, par\xE1metros del sistema de detecci\xF3n / prevenci\xF3\ + n de intrusiones y reglas en los cortafuegos y puertas de enlace,aislamiento\ + \ de elementos cr\xEDticos y aislamiento de las copias de seguridad.\n\u2013\ + \ [op.exp.7.r3.2] El organismo adaptar\xE1 los procedimientos de reconfiguraci\xF3\ + n din\xE1mica reaccionando a los anuncios recibidos del CCN-CERT relativos\ + \ a ciberamenazas sofisticadas y campa\xF1as de ataques.\nRefuerzo R4-Prevenci\xF3\ + n y Respuesta Autom\xE1tica.\n\u2013 [op.exp.7.r4.1] Se dispondr\xE1 de herramientas\ + \ que automaticen el proceso de prevenci\xF3n y respuesta mediante la detecci\xF3\ + n e identificaci\xF3n de anomal\xEDas, la segmentaci\xF3n din\xE1mica de la\ + \ red para reducir la superficie de ataque, el aislamiento de dispositivos\ + \ cr\xEDticos, etc.\nP\xE1gina 51" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.7.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.7 + ref_id: op.exp.7.2 + description: "La gesti\xF3n de incidentes que afecten a datos personales tendr\xE1\ + \ en cuenta lo dispuesto en el Reglamento General de Protecci\xF3n de Datos;\ + \ la Ley Org\xE1nica 3/2018, de 5 de diciembre, en especial su disposici\xF3\ + n adicional primera, as\xED como el resto de normativa de aplicaci\xF3n, sin\ + \ perjuicio de los requisitos establecidos en este real decreto." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.7.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.7+ R1 + R2.\n\u2013 Categor\xEDa ALTA: op.exp.7+\ + \ R1 + R2 + R3.\nRefuerzo R1-Notificaci\xF3n.\n\u2013 [op.exp.7.r1.1] Se dispondr\xE1\ + \ de soluciones de ventanilla \xFAnica para la notificaci\xF3n de incidentes\ + \ al CCN-CERT, que permita la distribuci\xF3n de notificaciones a las diferentes\ + \ entidades de manera federada, utilizando para ello dependencias administrativas\ + \ jer\xE1rquicas.\nRefuerzo R2 \u2013Detecci\xF3n y Respuesta.\nEl proceso\ + \ integral para hacer frente a los incidentes que puedan tener un impacto\ + \ en la seguridad del sistema ([op.exp.7.1]) deber\xE1 incluir:\n\u2013 [op.exp.7.r2.1]\ + \ Implantaci\xF3n de medidas urgentes, incluyendo la detenci\xF3n de servicios,\ + \ el aislamiento del sistema afectado, la recogida de evidencias y protecci\xF3\ + n de los registros, seg\xFAn convenga al caso.\n\u2013 [op.exp.7.r2.2] Asignaci\xF3\ + n de recursos para investigar las causas, analizar las consecuencias y resolver\ + \ el incidente.\n\u2013 [op.exp.7.r2.3] Informar del incidente a los responsables\ + \ de la informaci\xF3n y servicios afectados y de las actuaciones llevadas\ + \ a cabo para su resoluci\xF3n.\n\u2013 [op.exp.7.r2.4] Medidas para:\na)\ + \ Prevenir que se repita el incidente.\nb) Incluir en los procedimientos de\ + \ usuario la identificaci\xF3n y forma de tratar el incidente.\nc) Actualizar,\ + \ extender, mejorar u optimizar los procedimientos de resoluci\xF3n de incidentes.\n\ + Refuerzo R3-Reconfiguraci\xF3n din\xE1mica.\nLa reconfiguraci\xF3n din\xE1\ + mica del sistema persigue detener, desviar o limitar ataques, acotando los\ + \ da\xF1os.\n\u2013 [op.exp.7.r3.1] La reconfiguraci\xF3n din\xE1mica incluye,\ + \ por ejemplo, cambios en las reglas de los enrutadores (routers), listas\ + \ de control de acceso, par\xE1metros del sistema de detecci\xF3n / prevenci\xF3\ + n de intrusiones y reglas en los cortafuegos y puertas de enlace,aislamiento\ + \ de elementos cr\xEDticos y aislamiento de las copias de seguridad.\n\u2013\ + \ [op.exp.7.r3.2] El organismo adaptar\xE1 los procedimientos de reconfiguraci\xF3\ + n din\xE1mica reaccionando a los anuncios recibidos del CCN-CERT relativos\ + \ a ciberamenazas sofisticadas y campa\xF1as de ataques.\nRefuerzo R4-Prevenci\xF3\ + n y Respuesta Autom\xE1tica.\n\u2013 [op.exp.7.r4.1] Se dispondr\xE1 de herramientas\ + \ que automaticen el proceso de prevenci\xF3n y respuesta mediante la detecci\xF3\ + n e identificaci\xF3n de anomal\xEDas, la segmentaci\xF3n din\xE1mica de la\ + \ red para reducir la superficie de ataque, el aislamiento de dispositivos\ + \ cr\xEDticos, etc.\nP\xE1gina 51" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.8 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.8 + name: Registro de la actividad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node461 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.8 + description: "Se registrar\xE1n las actividades en el sistema, de forma que:" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.8.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node461 + ref_id: op.exp.8.1 + description: "Se generar\xE1 un registro de auditor\xEDa, que incluir\xE1, al\ + \ menos, el identificador del usuario o entidad asociado al evento, fecha\ + \ y hora, sobre qu\xE9 informaci\xF3n se realiza el evento, tipo de evento\ + \ y el resultado del evento (fallo o \xE9xito), seg\xFAn la pol\xEDtica de\ + \ seguridad y los procedimientos asociados a la misma." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ op.exp.8.\n\u2013 Nivel MEDIO: op.exp.8 + R1 + R2 + R3 + R4.\n\u2013 Nivel\ + \ ALTO: op.exp.8 + R1 + R2 + R3 + R4 + R5.\nRefuerzo R1-Revisi\xF3n de los\ + \ registros.\n\u2013 [op.exp.8.r1.1] Se revisar\xE1n informalmente, de forma\ + \ peri\xF3dica, los registros de actividad, buscando patrones anormales.\n\ + Refuerzo R2-Sincronizaci\xF3n del reloj del sistema.\n\u2013 [op.exp.8.r2.1]\ + \ El sistema deber\xE1 disponer de una referencia de tiempo (timestamp) para\ + \ facilitar las funciones de registro de eventos y auditor\xEDa. La modificaci\xF3\ + n de la referencia de tiempo del sistema ser\xE1 una funci\xF3n de administraci\xF3\ + n y, en caso de realizarse su sincronizaci\xF3n con otros dispositivos, deber\xE1\ + n utilizarse mecanismos de autenticaci\xF3n e integridad.\nRefuerzo R3-Retenci\xF3\ + n de registros.\n\u2013 [op.exp.8.r3.1] En la documentaci\xF3n de seguridad\ + \ del sistema se deber\xE1n indicar los eventos de seguridad que ser\xE1n\ + \ auditados y el tiempo de retenci\xF3n de los registros antes de ser eliminados.\n\ + Refuerzo R4-Control de acceso.\n\u2013 [op.exp.8.r4.1] Los registros de actividad\ + \ y, en su caso, las copias de seguridad de los mismos, solamente podr\xE1\ + n ser accedidos o eliminarse por personal debidamente autorizado.\nRefuerzo\ + \ R5-Revisi\xF3n autom\xE1tica y correlaci\xF3n de eventos.\n\u2013 [op.exp.8.r5.1]\ + \ El sistema deber\xE1 implementar herramientas para analizar y revisar la\ + \ actividad del sistema y la informaci\xF3n de auditor\xEDa, en b\xFAsqueda\ + \ de comprometimientos de la seguridad posibles o reales.\n\u2013 [op.exp.8.r5.2]\ + \ Se dispondr\xE1 de un sistema autom\xE1tico de recolecci\xF3n de registros,\ + \ correlaci\xF3n de eventos y respuesta autom\xE1tica ante los mismos.\nP\xE1\ + gina 52" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.8.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node461 + ref_id: op.exp.8.2 + description: "Se activar\xE1n los registros de actividad en los servidores." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ op.exp.8.\n\u2013 Nivel MEDIO: op.exp.8 + R1 + R2 + R3 + R4.\n\u2013 Nivel\ + \ ALTO: op.exp.8 + R1 + R2 + R3 + R4 + R5.\nRefuerzo R1-Revisi\xF3n de los\ + \ registros.\n\u2013 [op.exp.8.r1.1] Se revisar\xE1n informalmente, de forma\ + \ peri\xF3dica, los registros de actividad, buscando patrones anormales.\n\ + Refuerzo R2-Sincronizaci\xF3n del reloj del sistema.\n\u2013 [op.exp.8.r2.1]\ + \ El sistema deber\xE1 disponer de una referencia de tiempo (timestamp) para\ + \ facilitar las funciones de registro de eventos y auditor\xEDa. La modificaci\xF3\ + n de la referencia de tiempo del sistema ser\xE1 una funci\xF3n de administraci\xF3\ + n y, en caso de realizarse su sincronizaci\xF3n con otros dispositivos, deber\xE1\ + n utilizarse mecanismos de autenticaci\xF3n e integridad.\nRefuerzo R3-Retenci\xF3\ + n de registros.\n\u2013 [op.exp.8.r3.1] En la documentaci\xF3n de seguridad\ + \ del sistema se deber\xE1n indicar los eventos de seguridad que ser\xE1n\ + \ auditados y el tiempo de retenci\xF3n de los registros antes de ser eliminados.\n\ + Refuerzo R4-Control de acceso.\n\u2013 [op.exp.8.r4.1] Los registros de actividad\ + \ y, en su caso, las copias de seguridad de los mismos, solamente podr\xE1\ + n ser accedidos o eliminarse por personal debidamente autorizado.\nRefuerzo\ + \ R5-Revisi\xF3n autom\xE1tica y correlaci\xF3n de eventos.\n\u2013 [op.exp.8.r5.1]\ + \ El sistema deber\xE1 implementar herramientas para analizar y revisar la\ + \ actividad del sistema y la informaci\xF3n de auditor\xEDa, en b\xFAsqueda\ + \ de comprometimientos de la seguridad posibles o reales.\n\u2013 [op.exp.8.r5.2]\ + \ Se dispondr\xE1 de un sistema autom\xE1tico de recolecci\xF3n de registros,\ + \ correlaci\xF3n de eventos y respuesta autom\xE1tica ante los mismos.\nP\xE1\ + gina 52" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.9 + name: "Registro de la gesti\xF3n de incidentes" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node465 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.9 + description: "Se registrar\xE1n todas las actuaciones relacionadas con la gesti\xF3\ + n de incidentes, de forma que:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.9.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node465 + ref_id: op.exp.9.1 + description: "Se registrar\xE1n los reportes iniciales, intermedios y finales\ + \ de los incidentes, las actuaciones de emergencia y las modificaciones del\ + \ sistema derivadas del incidente." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.9.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.9.\n\u2013 Categor\xEDa ALTA: op.exp.9.\n\ + P\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.9.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node465 + ref_id: op.exp.9.2 + description: "Se registrar\xE1 aquella evidencia que pueda dirimirse en un \xE1\ + mbito jurisdiccional, especialmente cuando el incidente pueda comportar acciones\ + \ disciplinarias sobre el personal interno, sobre proveedores externos o en\ + \ la persecuci\xF3n de delitos. En la determinaci\xF3n de la composici\xF3\ + n y detalle de estas evidencias, se recurrir\xE1 a asesoramiento legal especializado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.9.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.9.\n\u2013 Categor\xEDa ALTA: op.exp.9.\n\ + P\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.9.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node465 + ref_id: op.exp.9.3 + description: "Como consecuencia del an\xE1lisis de los incidentes, se revisar\xE1\ + \ la determinaci\xF3n de los eventos auditables." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.9.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.9.\n\u2013 Categor\xEDa ALTA: op.exp.9.\n\ + P\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp + ref_id: op.exp.10 + name: "Protecci\xF3n de claves criptogr\xE1ficas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10 + ref_id: op.exp.10.1 + description: "Las claves criptogr\xE1ficas se proteger\xE1n durante todo su\ + \ ciclo de vida: (1) generaci\xF3n, (2) transporte al punto de explotaci\xF3\ + n, (3) custodia durante la explotaci\xF3n, (4) archivo posterior a su retirada\ + \ de explotaci\xF3n activa y (5) destrucci\xF3n final." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.10.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.10 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.10\ + \ + R1.\nRefuerzo R1-Algoritmos autorizados.\n\u2013 [op.exp.10.r1.1] Se emplear\xE1\ + n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo R2-Protecci\xF3\ + n avanzada de claves criptogr\xE1ficas.\n\u2013 [op.exp.10.r2.1] Se emplear\xE1\ + n cifradores que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC\ + \ que sea de aplicaci\xF3n.\nP\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10 + ref_id: op.exp.10.2 + description: "Los medios de generaci\xF3n estar\xE1n aislados de los medios\ + \ de explotaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.10.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.10 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.10\ + \ + R1.\nRefuerzo R1-Algoritmos autorizados.\n\u2013 [op.exp.10.r1.1] Se emplear\xE1\ + n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo R2-Protecci\xF3\ + n avanzada de claves criptogr\xE1ficas.\n\u2013 [op.exp.10.r2.1] Se emplear\xE1\ + n cifradores que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC\ + \ que sea de aplicaci\xF3n.\nP\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.exp.10 + ref_id: op.exp.10.3 + description: "Las claves retiradas de operaci\xF3n que deban ser archivadas,\ + \ lo ser\xE1n en medios aislados de los de explotaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.exp.10.\n\ + \u2013 Categor\xEDa MEDIA: op.exp.10 + R1.\n\u2013 Categor\xEDa ALTA: op.exp.10\ + \ + R1.\nRefuerzo R1-Algoritmos autorizados.\n\u2013 [op.exp.10.r1.1] Se emplear\xE1\ + n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo R2-Protecci\xF3\ + n avanzada de claves criptogr\xE1ficas.\n\u2013 [op.exp.10.r2.1] Se emplear\xE1\ + n cifradores que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC\ + \ que sea de aplicaci\xF3n.\nP\xE1gina 53" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.ext + name: Recursos externos + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node474 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + description: "Cuando la organizaci\xF3n utilice recursos externos (servicios,\ + \ productos, instalaciones o personal), mantendr\xE1 la plena responsabilidad\ + \ de los riesgos para la informaci\xF3n tratada o los servicios prestados,\ + \ debiendo adoptar las medidas necesarias para ejercer su responsabilidad\ + \ y mantener el control en todo momento.tratada o los servicios prestados,\ + \ debiendo adoptar las medidas necesarias para ejercer su responsabilidad\ + \ y mantener el control en todo momento." + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + ref_id: op.ext.1 + name: "Contrataci\xF3n y acuerdos de nivel de servicio" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.1 + ref_id: op.ext.1.1 + description: "Con anterioridad a la efectiva utilizaci\xF3n de los recursos\ + \ externos se establecer\xE1 contractualmente un Acuerdo de Nivel de Servicio,\ + \ que incluir\xE1 las caracter\xEDsticas del servicio prestado, lo que debe\ + \ entenderse como \xABservicio m\xEDnimo admisible\xBB, as\xED como, la responsabilidad\ + \ del prestador y las consecuencias de eventuales incumplimientos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.ext.1.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.1.\nP\xE1gina 54" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + ref_id: op.ext.2 + name: "Gesti\xF3n diaria" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.2 + ref_id: op.ext.2.1 + description: "Un sistema rutinario para medir el cumplimiento de las obligaciones\ + \ de servicio, incluyendo el procedimiento para neutralizar cualquier desviaci\xF3\ + n fuera del margen de tolerancia acordado ([op.ext.1])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.ext.2.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.2.\nP\xE1gina 54" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.2 + ref_id: op.ext.2.2 + description: "El mecanismo y los procedimientos de coordinaci\xF3n para llevar\ + \ a cabo las tareas de mantenimiento de los sistemas comprendidos en el acuerdo,\ + \ que contemplar\xE1n los supuestos de incidentes y desastres (ver [op.exp.7])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.ext.2.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.2.\nP\xE1gina 54" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + ref_id: op.ext.3 + name: "Protecci\xF3n de la cadena de suministro" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3 + ref_id: op.ext.3.1 + description: "Se analizar\xE1 el impacto que puede tener sobre el sistema un\ + \ incidente accidental o deliberado que tenga su origen en la cadena de suministro." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: no aplica.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.3.\nRefuerzo R1-Plan de contingencia.\n\u2013 [op.ext.3.r1.1] El\ + \ plan de continuidad de la organizaci\xF3n deber\xE1 tener en cuenta la dependencia\ + \ de proveedores externos cr\xEDticos.\n\u2013 [op.ext.3.r1.2] Se deber\xE1\ + n realizar pruebas o ejercicios de continuidad, incluyendo escenarios en los\ + \ que falla un proveedor.\nRefuerzo R2-Sistema de gesti\xF3n de la seguridad.\n\ + \u2013 [op.ext.3.r2.1] Se implementar\xE1 un sistema de protecci\xF3n de los\ + \ procesos y flujos de informaci\xF3n en las relaciones en l\xEDnea (online)\ + \ entre los distintos integrantes de la cadena de suministro.\nRefuerzo R3-Lista\ + \ de componentes software.\n\u2013 [op.ext.3.r3.1] Se mantendr\xE1 actualizado\ + \ un registro formal que contenga los detalles y las relaciones de la cadena\ + \ de suministro de los diversos componentes utilizados en la construcci\xF3\ + n de programas inform\xE1ticos, acorde a lo especificado en [mp.sw.1.r5].\ + \ Esta lista ser\xE1 proporcionada por el proveedor de la aplicaci\xF3n, librer\xED\ + a o producto suministrado.\nP\xE1gina 55 " + implementation_groups: + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3 + ref_id: op.ext.3.2 + description: "Se estimar\xE1 el riesgo sobre el sistema por causa del impacto\ + \ estimado en el punto anterior." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: no aplica.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.3.\nRefuerzo R1-Plan de contingencia.\n\u2013 [op.ext.3.r1.1] El\ + \ plan de continuidad de la organizaci\xF3n deber\xE1 tener en cuenta la dependencia\ + \ de proveedores externos cr\xEDticos.\n\u2013 [op.ext.3.r1.2] Se deber\xE1\ + n realizar pruebas o ejercicios de continuidad, incluyendo escenarios en los\ + \ que falla un proveedor.\nRefuerzo R2-Sistema de gesti\xF3n de la seguridad.\n\ + \u2013 [op.ext.3.r2.1] Se implementar\xE1 un sistema de protecci\xF3n de los\ + \ procesos y flujos de informaci\xF3n en las relaciones en l\xEDnea (online)\ + \ entre los distintos integrantes de la cadena de suministro.\nRefuerzo R3-Lista\ + \ de componentes software.\n\u2013 [op.ext.3.r3.1] Se mantendr\xE1 actualizado\ + \ un registro formal que contenga los detalles y las relaciones de la cadena\ + \ de suministro de los diversos componentes utilizados en la construcci\xF3\ + n de programas inform\xE1ticos, acorde a lo especificado en [mp.sw.1.r5].\ + \ Esta lista ser\xE1 proporcionada por el proveedor de la aplicaci\xF3n, librer\xED\ + a o producto suministrado.\nP\xE1gina 55 " + implementation_groups: + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.3 + ref_id: op.ext.3.3 + description: "Se tomar\xE1n medidas de contenci\xF3n de los impactos estimados\ + \ en los puntos anteriores." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: no aplica.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.3.\nRefuerzo R1-Plan de contingencia.\n\u2013 [op.ext.3.r1.1] El\ + \ plan de continuidad de la organizaci\xF3n deber\xE1 tener en cuenta la dependencia\ + \ de proveedores externos cr\xEDticos.\n\u2013 [op.ext.3.r1.2] Se deber\xE1\ + n realizar pruebas o ejercicios de continuidad, incluyendo escenarios en los\ + \ que falla un proveedor.\nRefuerzo R2-Sistema de gesti\xF3n de la seguridad.\n\ + \u2013 [op.ext.3.r2.1] Se implementar\xE1 un sistema de protecci\xF3n de los\ + \ procesos y flujos de informaci\xF3n en las relaciones en l\xEDnea (online)\ + \ entre los distintos integrantes de la cadena de suministro.\nRefuerzo R3-Lista\ + \ de componentes software.\n\u2013 [op.ext.3.r3.1] Se mantendr\xE1 actualizado\ + \ un registro formal que contenga los detalles y las relaciones de la cadena\ + \ de suministro de los diversos componentes utilizados en la construcci\xF3\ + n de programas inform\xE1ticos, acorde a lo especificado en [mp.sw.1.r5].\ + \ Esta lista ser\xE1 proporcionada por el proveedor de la aplicaci\xF3n, librer\xED\ + a o producto suministrado.\nP\xE1gina 55 " + implementation_groups: + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext + ref_id: op.ext.4 + name: "Interconexi\xF3n de sistemas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node485 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.4 + description: "Se denomina interconexi\xF3n al establecimiento de enlaces con\ + \ otros sistemas de informaci\xF3n para el intercambio de informaci\xF3n y\ + \ servicios." + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node485 + ref_id: op.ext.4.1 + description: "Todos los intercambios de informaci\xF3n y prestaci\xF3n de servicios\ + \ con otros sistemas deber\xE1n ser objeto de una autorizaci\xF3n previa.\ + \ Todo flujo de informaci\xF3n estar\xE1 prohibido salvo autorizaci\xF3n expresa." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.ext.4.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.4 + R1.\nRefuerzo R1-Coordinaci\xF3n de actividades.\n\u2013 [op.ext.4.r1.1]\ + \ Cuando se interconecten sistemas en los que la identificaci\xF3n, autenticaci\xF3\ + n y autorizaci\xF3n tengan lugar en diferentes dominios de seguridad, bajo\ + \ distintas responsabilidades, las medidas de seguridad locales se acompa\xF1\ + ar\xE1n de los correspondientes mecanismos y procedimientos de coordinaci\xF3\ + n para la atribuci\xF3n y ejercicio efectivos de las responsabilidades de\ + \ cada sistema.\nP\xE1gina 56" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.ext.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node485 + ref_id: op.ext.4.2 + description: "Para cada interconexi\xF3n se documentar\xE1 expl\xEDcitamente:\ + \ las caracter\xEDsticas de la interfaz, los requisitos de seguridad y protecci\xF3\ + n de datos y la naturaleza de la informaci\xF3n intercambiada." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: op.ext.4.\n\u2013 Categor\xEDa ALTA:\ + \ op.ext.4 + R1.\nRefuerzo R1-Coordinaci\xF3n de actividades.\n\u2013 [op.ext.4.r1.1]\ + \ Cuando se interconecten sistemas en los que la identificaci\xF3n, autenticaci\xF3\ + n y autorizaci\xF3n tengan lugar en diferentes dominios de seguridad, bajo\ + \ distintas responsabilidades, las medidas de seguridad locales se acompa\xF1\ + ar\xE1n de los correspondientes mecanismos y procedimientos de coordinaci\xF3\ + n para la atribuci\xF3n y ejercicio efectivos de las responsabilidades de\ + \ cada sistema.\nP\xE1gina 56" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.nub + name: Servicios en la nube + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub + ref_id: op.nub.1 + name: "Protecci\xF3n de servicios en la nube" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1 + ref_id: op.nub.1.1 + description: "Los sistemas que suministran un servicio en la nube a organismos\ + \ del sector p\xFAblico deber\xE1n cumplir con el conjunto de medidas de seguridad\ + \ en funci\xF3n del modelo de servicio en la nube que presten: Software como\ + \ Servicio (Software as a Service, SaaS), Plataforma como Servicio (Platform\ + \ as a Service, PaaS) e Infraestructura como Servicio (Infrastructure as a\ + \ Service, IaaS) definidas en las gu\xEDas CCN-STIC que sean de aplicaci\xF3\ + n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1 + ref_id: op.nub.1.2 + description: "Cuando se utilicen servicios en la nube suministrados por terceros,\ + \ los sistemas de informaci\xF3n que los soportan deber\xE1n ser conformes\ + \ con el ENS o cumplir con las medidas desarrolladas en una gu\xEDa CCN-STIC\ + \ que incluir\xE1, entre otros, requisitos relativos a:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2 + ref_id: op.nub.1.2.a + description: "Auditor\xEDa de pruebas de penetraci\xF3n (pentesting)." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2 + ref_id: op.nub.1.2.b + description: Transparencia. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2 + ref_id: op.nub.1.2.c + description: "Cifrado y gesti\xF3n de claves." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.nub.1.2 + ref_id: op.nub.1.2.d + description: "Jurisdicci\xF3n de los datos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.nub.1.\n\ + \u2013 Categor\xEDa MEDIA: op.nub.1 + R1.\n\u2013 Categor\xEDa ALTA: op.nub.1+\ + \ R1 + R2.\nRefuerzo R1- Servicios certificados.\n\u2013 [op.nub.1.r1.1] Cuando\ + \ se utilicen servicios en la nube suministrados por terceros, estos deber\xE1\ + n estar certificados bajo una metodolog\xEDa de certificaci\xF3n reconocida\ + \ por el Organismo de Certificaci\xF3n del Esquema Nacional de Evaluaci\xF3\ + n y Certificaci\xF3n de Seguridad de las Tecnolog\xEDas de la Informaci\xF3\ + n.\n\u2013 [op.nub.1.r1.2] Si el servicio en la nube es un servicio de seguridad\ + \ deber\xE1 cumplir con los requisitos establecidos en [op.pl.5].\nRefuerzo\ + \ R2-Gu\xEDas de Configuraci\xF3n de Seguridad Espec\xEDficas.\n\u2013 [op.nub.1.r2.1]\ + \ La configuraci\xF3n de seguridad de los sistemas que proporcionan estos\ + \ servicios deber\xE1 realizarse seg\xFAn la correspondiente gu\xEDa CCN-STIC\ + \ de Configuraci\xF3n de Seguridad Espec\xEDfica, orientadas tanto al usuario\ + \ como al proveedor.\nP\xE1gina 56" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.cont + name: Continuidad del servicio + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont + ref_id: op.cont.1 + name: "An\xE1lisis de impacto" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.1 + ref_id: op.cont.1.1 + description: "Se realizar\xE1 un an\xE1lisis de impacto que permita determinar\ + \ los requisitos de disponibilidad de cada servicio (impacto de una interrupci\xF3\ + n durante un periodo de tiempo determinado), as\xED como los elementos que\ + \ son cr\xEDticos para la prestaci\xF3n de cada servicio." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: op.cont.1.\n\u2013 Nivel ALTO: op.cont.1.\n\ + P\xE1gina 57" + implementation_groups: + - MEDIO + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont + ref_id: op.cont.2 + name: Plan de continuidad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2 + description: "Se desarrollar\xE1 un plan de continuidad que establezca las acciones\ + \ a ejecutar en caso de interrupci\xF3n de los servicios prestados con los\ + \ medios habituales. Dicho plan contemplar\xE1 los siguientes aspectos:" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + ref_id: op.cont.2.1 + description: "Se identificar\xE1n funciones, responsabilidades y actividades\ + \ a realizar." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.2.\n\ + Refuerzo R1-Plan de emergencia y contingencia.\n\u2013 [op.cont.2.r1.1] Cuando\ + \ se determine la necesidad de continuidad de los sistemas, deber\xE1 existir\ + \ un plan de emergencia y contingencia en consonancia. En funci\xF3n del an\xE1\ + lisis de Impacto, se determinar\xE1n los aspectos a cubrir.\nRefuerzo R2-Comprobaci\xF3\ + n de integridad.\n\u2013 [op.cont.2.r2.1] Ante una ca\xEDda o discontinuidad\ + \ del sistema, se deber\xE1 comprobar la integridad del sistema operativo,\ + \ del firmware y de los ficheros de configuraci\xF3n.\nP\xE1ginas 57-58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + ref_id: op.cont.2.2 + description: "Existir\xE1 una previsi\xF3n para coordinar la entrada en servicio\ + \ de los medios alternativos de forma que se garantice poder seguir prestando\ + \ los servicios esenciales de la organizaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.2.\n\ + Refuerzo R1-Plan de emergencia y contingencia.\n\u2013 [op.cont.2.r1.1] Cuando\ + \ se determine la necesidad de continuidad de los sistemas, deber\xE1 existir\ + \ un plan de emergencia y contingencia en consonancia. En funci\xF3n del an\xE1\ + lisis de Impacto, se determinar\xE1n los aspectos a cubrir.\nRefuerzo R2-Comprobaci\xF3\ + n de integridad.\n\u2013 [op.cont.2.r2.1] Ante una ca\xEDda o discontinuidad\ + \ del sistema, se deber\xE1 comprobar la integridad del sistema operativo,\ + \ del firmware y de los ficheros de configuraci\xF3n.\nP\xE1ginas 57-58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + ref_id: op.cont.2.3 + description: "Todos los medios alternativos estar\xE1n planificados y materializados\ + \ en acuerdos o contratos con los proveedores correspondientes." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.2.\n\ + Refuerzo R1-Plan de emergencia y contingencia.\n\u2013 [op.cont.2.r1.1] Cuando\ + \ se determine la necesidad de continuidad de los sistemas, deber\xE1 existir\ + \ un plan de emergencia y contingencia en consonancia. En funci\xF3n del an\xE1\ + lisis de Impacto, se determinar\xE1n los aspectos a cubrir.\nRefuerzo R2-Comprobaci\xF3\ + n de integridad.\n\u2013 [op.cont.2.r2.1] Ante una ca\xEDda o discontinuidad\ + \ del sistema, se deber\xE1 comprobar la integridad del sistema operativo,\ + \ del firmware y de los ficheros de configuraci\xF3n.\nP\xE1ginas 57-58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + ref_id: op.cont.2.4 + description: "Las personas afectadas por el plan recibir\xE1n formaci\xF3n espec\xED\ + fica relativa a su papel en dicho plan." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.2.\n\ + Refuerzo R1-Plan de emergencia y contingencia.\n\u2013 [op.cont.2.r1.1] Cuando\ + \ se determine la necesidad de continuidad de los sistemas, deber\xE1 existir\ + \ un plan de emergencia y contingencia en consonancia. En funci\xF3n del an\xE1\ + lisis de Impacto, se determinar\xE1n los aspectos a cubrir.\nRefuerzo R2-Comprobaci\xF3\ + n de integridad.\n\u2013 [op.cont.2.r2.1] Ante una ca\xEDda o discontinuidad\ + \ del sistema, se deber\xE1 comprobar la integridad del sistema operativo,\ + \ del firmware y de los ficheros de configuraci\xF3n.\nP\xE1ginas 57-58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.2.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node500 + ref_id: op.cont.2.5 + description: "El plan de continuidad ser\xE1 parte integral y arm\xF3nica de\ + \ los planes de continuidad de la organizaci\xF3n en otras materias ajenas\ + \ a la seguridad." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.2.\n\ + Refuerzo R1-Plan de emergencia y contingencia.\n\u2013 [op.cont.2.r1.1] Cuando\ + \ se determine la necesidad de continuidad de los sistemas, deber\xE1 existir\ + \ un plan de emergencia y contingencia en consonancia. En funci\xF3n del an\xE1\ + lisis de Impacto, se determinar\xE1n los aspectos a cubrir.\nRefuerzo R2-Comprobaci\xF3\ + n de integridad.\n\u2013 [op.cont.2.r2.1] Ante una ca\xEDda o discontinuidad\ + \ del sistema, se deber\xE1 comprobar la integridad del sistema operativo,\ + \ del firmware y de los ficheros de configuraci\xF3n.\nP\xE1ginas 57-58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont + ref_id: op.cont.3 + name: "Pruebas peri\xF3dicas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.3 + ref_id: op.cont.3.1 + description: "Se realizar\xE1n pruebas peri\xF3dicas para localizar y, en su\ + \ caso, corregir los errores o deficiencias que puedan existir en el plan\ + \ de continuidad." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.3.\n\ + P\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont + ref_id: op.cont.4 + name: Medios alternativos + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4 + ref_id: op.cont.4.1 + description: "Estar\xE1 prevista la disponibilidad de medios alternativos para\ + \ poder seguir prestando servicio cuando los medios habituales no est\xE9\ + n disponibles. En concreto, se cubrir\xE1n los siguientes elementos del sistema:" + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + ref_id: op.cont.4.1.a + description: Servicios contratados a terceros. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + ref_id: op.cont.4.1.b + description: Instalaciones alternativas. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + ref_id: op.cont.4.1.c + description: Personal alternativo. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + ref_id: op.cont.4.1.d + description: "Equipamiento inform\xE1tico alternativo." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.1 + ref_id: op.cont.4.1.e + description: "Medios de comunicaci\xF3n alternativos." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4 + ref_id: op.cont.4.2 + description: "Se establecer\xE1 un tiempo m\xE1ximo para que los medios alternativos\ + \ entren en funcionamiento." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.cont.4 + ref_id: op.cont.4.3 + description: "Los medios alternativos estar\xE1n sometidos a las mismas garant\xED\ + as de seguridad que los originales." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: op.cont.4.\n\ + Refuerzo R1-Automatizaci\xF3n de la transici\xF3n a medios alternativos.\n\ + \u2013 [op.cont.4.r1.1] El sistema dispondr\xE1 de elementos hardware o software\ + \ que permitan la transferencia de los servicios autom\xE1ticamente a los\ + \ medios alternativos.\nP\xE1gina 58" + implementation_groups: + - ALTO + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-4 + ref_id: op.mon + name: "Monitorizaci\xF3n del sistema" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon + ref_id: op.mon.1 + name: "Detecci\xF3n de intrusi\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.1 + ref_id: op.mon.1.1 + description: "Se dispondr\xE1 de herramientas de detecci\xF3n o prevenci\xF3\ + n de intrusiones." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.mon.1.\n\ + \u2013 Categor\xEDa MEDIA: op.mon.1 + R1.\n\u2013 Categor\xEDa ALTA: op.mon.1+\ + \ R1 + R2.\nRefuerzo R1-Detecci\xF3n basada en reglas.\n\u2013 [op.mon.1.r1.1]\ + \ El sistema dispondr\xE1 de herramientas de detecci\xF3n o prevenci\xF3n\ + \ de intrusiones basadas en reglas.\nRefuerzo R2-Procedimientos de respuesta.\n\ + \u2013 [op.mon.1.r2.1] Existir\xE1n procedimientos de respuesta a las alertas\ + \ generadas por el sistema de detecci\xF3n o prevenci\xF3n de intrusiones.\n\ + Refuerzo R3-Acciones predeterminadas.\n\u2013 [op.mon.1.r3.1] El sistema ejecutar\xE1\ + \ autom\xE1ticamente acciones predeterminadas de respuesta a las alertas generadas.\ + \ Esto puede incluir la finalizaci\xF3n del proceso que est\xE1 ocasionando\ + \ la alerta, la inhabilitaci\xF3n de determinados servicios, la desconexi\xF3\ + n de usuarios y el bloqueo de cuentas.\nP\xE1gina 59" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon + ref_id: op.mon.2 + name: "Sistema de m\xE9tricas " + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.2 + ref_id: op.mon.2.1 + description: "Atendiendo a la categor\xEDa de seguridad del sistema, se recopilar\xE1\ + n los datos necesarios para conocer el grado de implantaci\xF3n de las medidas\ + \ de seguridad que resulten aplicables y, en su caso, para proveer el informe\ + \ anual requerido por el art\xEDculo 32." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.mon.2.\n\ + \u2013 Categor\xEDa MEDIA: op.mon.2 + R1+ R2.\n\u2013 Categor\xEDa ALTA: op.mon.2\ + \ + R1 + R2.\nRefuerzo R1-Efectividad del sistema de gesti\xF3n de incidentes.\n\ + \u2013 [op.mon.2.r1.1] Se recopilar\xE1n los datos precisos que posibiliten\ + \ evaluar el comportamiento del sistema de gesti\xF3n de incidentes, de acuerdo\ + \ con la Instrucci\xF3n T\xE9cnica de Seguridad de Notificaci\xF3n de Incidentes\ + \ de Seguridad y con la correspondiente gu\xEDa CCN-STIC.\nRefuerzo R2-Eficiencia\ + \ del sistema de gesti\xF3n de la seguridad.\n\u2013 [op.mon.2.r2.1] Se recopilar\xE1\ + n los datos precisos para conocer la eficiencia del sistema de seguridad,\ + \ en relaci\xF3n con los recursos consumidos, en t\xE9rminos de horas y presupuesto.\n\ + P\xE1gina 60" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon + ref_id: op.mon.3 + name: 'Vigilancia ' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:op.mon.3 + ref_id: op.mon.3.1 + description: "Se dispondr\xE1 de un sistema autom\xE1tico de recolecci\xF3n\ + \ de eventos de seguridad." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: op.mon.3.\n\ + \u2013 Categor\xEDa MEDIA: op.mon.3 + R1 + R2.\n\u2013 Categor\xEDa ALTA:\ + \ op.mon.3 + R1 + R2 + R3 + R4 + R5 + R6.\nRefuerzo R1-Correlaci\xF3n de eventos.\n\ + \u2013 [op.mon.3.r1.1] Se dispondr\xE1 de un sistema autom\xE1tico de recolecci\xF3\ + n de eventos de seguridad que permita la correlaci\xF3n de los mismos.\nRefuerzo\ + \ R2-An\xE1lisis din\xE1mico.\n\u2013 [op.mon.3.r2.1] Se dispondr\xE1 de soluciones\ + \ de vigilancia que permitan determinar la superficie de exposici\xF3n con\ + \ relaci\xF3n a vulnerabilidades y deficiencias de configuraci\xF3n.\nRefuerzo\ + \ R3-Ciberamenazas avanzadas.\n\u2013 [op.mon.3.r3.1] Se dispondr\xE1 de sistemas\ + \ para detecci\xF3n de amenazas avanzadas y comportamientos an\xF3malos.\n\ + \u2013 [op.mon.3.r3.2] Se dispondr\xE1 de sistemas para la detecci\xF3n de\ + \ amenazas persistentes avanzadas (Advanced Persistent Threat, APT) mediante\ + \ la detecci\xF3n de anomal\xEDas significativas en el tr\xE1fico de la red.\n\ + Refuerzo R4-Observatorios digitales.\n\u2013 [op.mon.3.r4.1] Se dispondr\xE1\ + \ de observatorios digitales con fines de cibervigilancia dedicados a la detecci\xF3\ + n y seguimiento de anomal\xEDas que pudieran representar indicadores de amenaza\ + \ en contenidos digitales.\nRefuerzo R5-Miner\xEDa de datos.\nSe aplicar\xE1\ + n medidas para prevenir, detectar y reaccionar frente a intentos de miner\xED\ + a de datos:\n\u2013 [op.mon.3.r5.1] Limitaci\xF3n de las consultas, monitorizando\ + \ volumen y frecuencia.\n\u2013 [op.mon.3.r5.2] Alerta a los administradores\ + \ de seguridad de comportamientos sospechosos en tiempo real.\nRefuerzo R6-Inspecciones\ + \ de seguridad.\nPeri\xF3dicamente, o tras incidentes que hayan desvelado\ + \ vulnerabilidades del sistema nuevas o subestimadas, se realizar\xE1n las\ + \ siguientes inspecciones:\n\u2013 [op.mon.3.r6.1] Verificaci\xF3n de configuraci\xF3\ + n.\n\u2013 [op.mon.3.r6.2] An\xE1lisis de vulnerabilidades.\n\u2013 [op.mon.3.r6.3]\ + \ Pruebas de penetraci\xF3n.\nRefuerzo R7-Interconexiones.\n\u2013 [op.mon.3.r7.1]\ + \ En las interconexiones que lo requieran se aplicar\xE1n controles en los\ + \ flujos de intercambio de informaci\xF3n a trav\xE9s del uso de metadatos.\n\ + P\xE1gina 61" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ' ALTA' + - '' + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii + ref_id: ANEXO II-5 + name: "Medidas de protecci\xF3n [mp]" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.if + name: "Protecci\xF3n de las instalaciones e infraestructuras" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.1 + name: "\xC1reas separadas y con control de acceso" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.1 + ref_id: mp.if.1.1 + description: "El equipamiento del Centro de Proceso de Datos (CPD) se instalar\xE1\ + , en la medida de lo posible, en \xE1reas separadas, espec\xEDficas para su\ + \ funci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.1.\n\u2013 Categor\xEDa ALTA: mp.if.1.\n\ + P\xE1gina 62" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.1.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.1 + ref_id: mp.if.1.2 + description: "Se controlar\xE1n los accesos a las \xE1reas indicadas de forma\ + \ que s\xF3lo se pueda acceder por las entradas previstas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.1.\n\u2013 Categor\xEDa ALTA: mp.if.1.\n\ + P\xE1gina 62" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.2 + name: "Identificaci\xF3n de las personas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.2 + ref_id: mp.if.2.1 + description: "El procedimiento de control de acceso identificar\xE1 a las personas\ + \ que accedan a los locales donde hay equipamiento esencial que forme parte\ + \ del sistema de informaci\xF3n del CPD, registrando las correspondientes\ + \ entradas y salidas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.2.\n\u2013 Categor\xEDa ALTA: mp.if.2.\n\ + P\xE1gina 62" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.3 + name: Acondicionamiento de los locales + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node532 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.3 + description: "Los locales donde se ubiquen los sistemas de informaci\xF3n y\ + \ sus componentes esenciales dispondr\xE1n de elementos adecuados para el\ + \ eficaz funcionamiento del equipamiento all\xED instalado, y, en especial,\ + \ para asegurar:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.3.\n\u2013 Categor\xEDa ALTA: mp.if.3.\n\ + P\xE1gina 63" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node532 + ref_id: mp.if.3.1 + description: Las condiciones de temperatura y humedad. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.3.\n\u2013 Categor\xEDa ALTA: mp.if.3.\n\ + P\xE1gina 63" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node532 + ref_id: mp.if.3.2 + description: "La protecci\xF3n frente a las amenazas identificadas en el an\xE1\ + lisis de riesgos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.3.\n\u2013 Categor\xEDa ALTA: mp.if.3.\n\ + P\xE1gina 63" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node532 + ref_id: mp.if.3.3 + description: "La protecci\xF3n del cableado frente a incidentes fortuitos o\ + \ deliberados." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.3.\n\u2013 Categor\xEDa ALTA: mp.if.3.\n\ + P\xE1gina 63" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.4 + name: "Energ\xEDa el\xE9ctrica" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.4 + ref_id: mp.if.4.1 + description: "Los locales donde se ubiquen los sistemas de informaci\xF3n y\ + \ sus componentes esenciales dispondr\xE1n de tomas de energ\xEDa el\xE9ctrica,\ + \ de modo que se garantice el suministro y el correcto funcionamiento de las\ + \ luces de emergencia." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: mp.if.4.\n\u2013 Nivel MEDIO: mp.if.4 + R1.\n\u2013 Nivel ALTO: mp.if.4\ + \ + R1.\nP\xE1gina 63" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.5 + name: "Protecci\xF3n frente a incendios" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.5.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.5 + ref_id: mp.if.5.1 + description: "Los locales donde se ubiquen los sistemas de informaci\xF3n y\ + \ sus componentes esenciales se proteger\xE1n frente a incendios atendiendo,\ + \ al menos, a la normativa industrial de aplicaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: mp.if.5.\n\u2013 Nivel MEDIO: mp.if.5.\n\u2013 Nivel ALTO: mp.if.5.\n\ + P\xE1gina 63" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if + ref_id: mp.if.6 + name: "Protecci\xF3n frente a inundaciones" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.6.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.6 + ref_id: mp.if.6.1 + description: "Los locales donde se ubiquen los sistemas de informaci\xF3n y\ + \ sus componentes esenciales se proteger\xE1n frente a incidentes causados\ + \ por el agua." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.if.6.\n\u2013 Nivel ALTO: mp.if.6.\n\ + P\xE1gina 64" + implementation_groups: + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.7 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.6 + ref_id: mp.if.7 + name: Registro de entrada y salida de equipamiento + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.7.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.if.7 + ref_id: mp.if.7.1 + description: "Se llevar\xE1 un registro pormenorizado de cualquier entrada y\ + \ salida de equipamiento esencial, incluyendo la identificaci\xF3n de la persona\ + \ que autoriza el movimiento." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.if.7.\n\ + \u2013 Categor\xEDa MEDIA: mp.if.7.\n\u2013 Categor\xEDa ALTA: mp.if.7.\n\ + P\xE1gina 64" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.per + name: "Gesti\xF3n del personal" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per + ref_id: mp.per.1 + name: "Caracterizaci\xF3n del puesto de trabajo" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.1 + ref_id: mp.per.1.1 + description: "Para cada puesto de trabajo, relacionado directamente con el manejo\ + \ de informaci\xF3n o servicios, se definir\xE1n las responsabilidades en\ + \ materia de seguridad, que estar\xE1n basadas en el an\xE1lisis de riesgos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.per.1.\n\u2013 Categor\xEDa ALTA:\ + \ mp.per.1.\nRefuerzo R1-Habilitaci\xF3n Personal de Seguridad.\n\u2013 [mp.per.1.r1.1]\ + \ Los administradores de seguridad/sistema tendr\xE1n una Habilitaci\xF3n\ + \ Personal de Seguridad (HPS) otorgada por la autoridad competente, como consecuencia\ + \ de los resultados del an\xE1lisis de riesgos previo o como requisito de\ + \ seguridad de un sistema espec\xEDfico.\nP\xE1gina 65" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.1.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.1 + ref_id: mp.per.1.2 + description: "Se definir\xE1n los requisitos que deben satisfacer las personas\ + \ que vayan a ocupar el puesto de trabajo, en particular, en t\xE9rminos de\ + \ confidencialidad. Dichos requisitos se tendr\xE1n en cuenta en la selecci\xF3\ + n de la persona que vaya a ocupar el puesto, incluyendo la verificaci\xF3\ + n de sus antecedentes laborales, formaci\xF3n y otras referencias, de conformidad\ + \ con el ordenamiento jur\xEDdico y el respeto a los derechos fundamentales." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.per.1.\n\u2013 Categor\xEDa ALTA:\ + \ mp.per.1.\nRefuerzo R1-Habilitaci\xF3n Personal de Seguridad.\n\u2013 [mp.per.1.r1.1]\ + \ Los administradores de seguridad/sistema tendr\xE1n una Habilitaci\xF3n\ + \ Personal de Seguridad (HPS) otorgada por la autoridad competente, como consecuencia\ + \ de los resultados del an\xE1lisis de riesgos previo o como requisito de\ + \ seguridad de un sistema espec\xEDfico.\nP\xE1gina 65" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per + ref_id: mp.per.2 + name: Deberes y obligaciones + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node549 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2 + description: "Se informar\xE1 a cada persona que trabaje en el sistema de los\ + \ deberes y responsabilidades de su puesto de trabajo en materia de seguridad,\ + \ contemplando:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node549 + ref_id: mp.per.2.1 + description: Las medidas disciplinarias a que haya lugar + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node549 + ref_id: mp.per.2.2 + description: "Contemplando tanto el periodo durante el cual se desempe\xF1a\ + \ el puesto, como las obligaciones en caso de t\xE9rmino de la asignaci\xF3\ + n, o traslado a otro puesto de trabajo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node549 + ref_id: mp.per.2.3 + description: " El deber de confidencialidad respecto de los datos a los que\ + \ tenga acceso, tanto durante el periodo que est\xE9 adscrito al puesto de\ + \ trabajo, como posteriormente a su terminaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node549 + ref_id: mp.per.2.4 + description: "En caso de personal contratado a trav\xE9s de un tercero:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.4.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.4 + ref_id: mp.per.2.4.a + description: "Se establecer\xE1n los deberes y obligaciones de cada parte y\ + \ del personal contratado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.4.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.2.4 + ref_id: mp.per.2.4.b + description: "Se establecer\xE1 el procedimiento de resoluci\xF3n de incidentes\ + \ relacionados con el incumplimiento de las obligaciones." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.per.2\ + \ + R1.\nRefuerzo R1-Confirmaci\xF3n expresa.\n\u2013 [mp.per.2.r1.1] Se ha\ + \ de obtener la confirmaci\xF3n expresa de que los usuarios conocen las instrucciones\ + \ de seguridad necesarias y obligatorias y su aceptaci\xF3n, as\xED como los\ + \ procedimientos necesarios para llevarlas a cabo de manera adecuada.\nP\xE1\ + gina 65" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per + ref_id: mp.per.3 + name: "Concienciaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node557 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.3 + description: "Se realizar\xE1n las acciones necesarias para concienciar regularmente\ + \ al personal acerca de su papel y responsabilidad para que la seguridad del\ + \ sistema alcance los niveles exigidos. En particular, se recordar\xE1 peri\xF3\ + dicamente:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node557 + ref_id: mp.per.3.1 + description: " La normativa de seguridad relativa al buen uso de los equipos\ + \ o sistemas y las t\xE9cnicas de ingenier\xEDa social m\xE1s habituales." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.3.\n\u2013 Categor\xEDa ALTA: mp.per.3.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node557 + ref_id: mp.per.3.2 + description: "La identificaci\xF3n de incidentes, actividades o comportamientos\ + \ sospechosos que deban ser reportados para su tratamiento por personal especializado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.3.\n\u2013 Categor\xEDa ALTA: mp.per.3.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node557 + ref_id: mp.per.3.3 + description: El procedimiento para informar sobre incidentes de seguridad, sean + reales o falsas alarmas. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.3.\n\u2013 Categor\xEDa ALTA: mp.per.3.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per + ref_id: mp.per.4 + name: "Formaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4 + ref_id: mp.per.4.1 + description: "Se formar\xE1 regularmente al personal en aquellas materias relativas\ + \ a seguridad de la informaci\xF3n que requiera el desempe\xF1o de sus funciones,\ + \ en particular en lo relativo a:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.4.\n\u2013 Categor\xEDa ALTA: mp.per.4.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1 + ref_id: mp.per.4.1.a + description: "Configuraci\xF3n de sistemas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.4.\n\u2013 Categor\xEDa ALTA: mp.per.4.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1 + ref_id: mp.per.4.1.b + description: "Detecci\xF3n y reacci\xF3n ante incidentes." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.4.\n\u2013 Categor\xEDa ALTA: mp.per.4.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4.1 + ref_id: mp.per.4.1.c + description: "Gesti\xF3n de la informaci\xF3n en cualquier soporte en el que\ + \ se encuentre. Se cubrir\xE1n al menos las siguientes actividades: almacenamiento,\ + \ transferencia, copias, distribuci\xF3n y destrucci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.per.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.per.4.\n\u2013 Categor\xEDa ALTA: mp.per.4.\n\ + P\xE1gina 66" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node566 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.per.4 + description: "Adem\xE1s, se evaluar\xE1 la eficacia de las acciones formativas\ + \ llevadas a cabo." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.eq + name: "Protecci\xF3n de los equipos" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq + ref_id: mp.eq.1 + name: Puesto de trabajo despejado + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.1 + ref_id: mp.eq.1.1 + description: "Los puestos de trabajo permanecer\xE1n despejados, sin que exista\ + \ material distinto del necesario en cada momento." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.eq.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.eq.1 + R1.\n\u2013 Categor\xEDa ALTA: mp.eq.1\ + \ + R1.\nRefuerzo R1-Almacenamiento del material.\n\u2013 [mp.eq.1.r1.1] Una\ + \ vez usado, y siempre que sea factible, el material se almacenar\xE1 en lugar\ + \ cerrado.\nP\xE1gina 67" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq + ref_id: mp.eq.2 + name: Bloqueo de puesto de trabajo + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.2 + ref_id: mp.eq.2.1 + description: " El puesto de trabajo se bloquear\xE1 al cabo de un tiempo prudencial\ + \ de inactividad, requiriendo una nueva autenticaci\xF3n del usuario para\ + \ reanudar la actividad en curso." + annotation: "Aplicaci\xF3n de la medida (por autenticidad).\n\u2013 Nivel BAJO:\ + \ no aplica.\n\u2013 Nivel MEDIO: mp.eq.2.\n\u2013 Nivel ALTO: mp.eq.2 + R1.\n\ + Refuerzo R1-Cierre de sesiones.\n\u2013 [mp.eq.2.r1.1] Pasado un cierto tiempo,\ + \ superior al anterior, se cancelar\xE1n las sesiones abiertas desde dicho\ + \ puesto de trabajo.\nUna Gu\xEDa CCN-STIC concretar\xE1 la implementaci\xF3\ + n de la configuraci\xF3n de seguridad adaptada a la categorizaci\xF3n del\ + \ sistema o perfil de cumplimiento asociado.\nP\xE1gina 67" + implementation_groups: + - MEDIO + - ' ALTO' + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq + ref_id: mp.eq.3 + name: "Protecci\xF3n de dispositivos port\xE1tiles" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node573 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3 + description: "Los equipos (ordenadores port\xE1tiles, tabletas, etc.) que sean\ + \ susceptibles de salir de las instalaciones de la organizaci\xF3n y no puedan\ + \ beneficiarse de la protecci\xF3n f\xEDsica correspondiente, con un riesgo\ + \ manifiesto de p\xE9rdida o robo, ser\xE1n protegidos adecuadamente." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node574 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3 + description: "Sin perjuicio de las medidas generales que les afecten, se adoptar\xE1\ + n las siguientes:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node574 + ref_id: mp.eq.3.1 + description: "Se llevar\xE1 un inventario de dispositivos port\xE1tiles junto\ + \ con una identificaci\xF3n de la persona responsable de cada uno de ellos\ + \ y un control regular de que est\xE1 positivamente bajo su control." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.eq.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.eq.3.\n\u2013 Categor\xEDa ALTA: mp.eq.3 + R1\ + \ + R2.\nRefuerzo R1\u2013 Cifrado del disco.\n\u2013 [mp.eq.3.r1.1] Se proteger\xE1\ + \ el dispositivo port\xE1til mediante cifrado del disco duro cuando el nivel\ + \ de confidencialidad de la informaci\xF3n almacenada en el mismo sea de nivel\ + \ MEDIO.\nRefuerzo R2\u2013 Entornos protegidos.\n\u2013 [mp.eq.3.r2.1] El\ + \ uso de dispositivos port\xE1tiles fuera de las instalaciones de la organizaci\xF3\ + n se restringir\xE1 a entornos protegidos, donde el acceso sea controlado\ + \ y a salvo de hurtos y miradas indiscretas.\nP\xE1gina 68" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node574 + ref_id: mp.eq.3.2 + description: " Se establecer\xE1 un procedimiento operativo de seguridad para\ + \ informar al servicio de gesti\xF3n de incidentes de p\xE9rdidas o sustracciones." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.eq.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.eq.3.\n\u2013 Categor\xEDa ALTA: mp.eq.3 + R1\ + \ + R2.\nRefuerzo R1\u2013 Cifrado del disco.\n\u2013 [mp.eq.3.r1.1] Se proteger\xE1\ + \ el dispositivo port\xE1til mediante cifrado del disco duro cuando el nivel\ + \ de confidencialidad de la informaci\xF3n almacenada en el mismo sea de nivel\ + \ MEDIO.\nRefuerzo R2\u2013 Entornos protegidos.\n\u2013 [mp.eq.3.r2.1] El\ + \ uso de dispositivos port\xE1tiles fuera de las instalaciones de la organizaci\xF3\ + n se restringir\xE1 a entornos protegidos, donde el acceso sea controlado\ + \ y a salvo de hurtos y miradas indiscretas.\nP\xE1gina 68" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node574 + ref_id: mp.eq.3.3 + description: "Cuando un dispositivo port\xE1til se conecte remotamente a trav\xE9\ + s de redes que no est\xE1n bajo el estricto control de la organizaci\xF3n,\ + \ el \xE1mbito de operaci\xF3n del servidor limitar\xE1 la informaci\xF3n\ + \ y los servicios accesibles a los m\xEDnimos imprescindibles, requiriendo\ + \ autorizaci\xF3n previa de los responsables de la informaci\xF3n y los servicios\ + \ afectados. Este punto es de aplicaci\xF3n a conexiones a trav\xE9s de internet\ + \ y otras redes que no sean de confianza." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.eq.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.eq.3.\n\u2013 Categor\xEDa ALTA: mp.eq.3 + R1\ + \ + R2.\nRefuerzo R1\u2013 Cifrado del disco.\n\u2013 [mp.eq.3.r1.1] Se proteger\xE1\ + \ el dispositivo port\xE1til mediante cifrado del disco duro cuando el nivel\ + \ de confidencialidad de la informaci\xF3n almacenada en el mismo sea de nivel\ + \ MEDIO.\nRefuerzo R2\u2013 Entornos protegidos.\n\u2013 [mp.eq.3.r2.1] El\ + \ uso de dispositivos port\xE1tiles fuera de las instalaciones de la organizaci\xF3\ + n se restringir\xE1 a entornos protegidos, donde el acceso sea controlado\ + \ y a salvo de hurtos y miradas indiscretas.\nP\xE1gina 68" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.3.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node574 + ref_id: mp.eq.3.4 + description: "Se evitar\xE1, en la medida de lo posible, que el dispositivo\ + \ port\xE1til contenga claves de acceso remoto a la organizaci\xF3n que no\ + \ sean imprescindibles. Se considerar\xE1n claves de acceso remoto aquellas\ + \ que sean capaces de habilitar un acceso a otros equipos de la organizaci\xF3\ + n u otras de naturaleza an\xE1log" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.eq.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.eq.3.\n\u2013 Categor\xEDa ALTA: mp.eq.3 + R1\ + \ + R2.\nRefuerzo R1\u2013 Cifrado del disco.\n\u2013 [mp.eq.3.r1.1] Se proteger\xE1\ + \ el dispositivo port\xE1til mediante cifrado del disco duro cuando el nivel\ + \ de confidencialidad de la informaci\xF3n almacenada en el mismo sea de nivel\ + \ MEDIO.\nRefuerzo R2\u2013 Entornos protegidos.\n\u2013 [mp.eq.3.r2.1] El\ + \ uso de dispositivos port\xE1tiles fuera de las instalaciones de la organizaci\xF3\ + n se restringir\xE1 a entornos protegidos, donde el acceso sea controlado\ + \ y a salvo de hurtos y miradas indiscretas.\nP\xE1gina 68" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - '' + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq + ref_id: mp.eq.4 + name: Otros dispositivos conectados a la red + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node580 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4 + description: "Esta medida afecta a todo tipo de dispositivos conectados a la\ + \ red y que puedan tener en alg\xFAn momento acceso a la informaci\xF3n, tales\ + \ como: Esta medida afecta a todo tipo de dispositivos conectados a la red\ + \ y que puedan tener en alg\xFAn momento acceso a la informaci\xF3n, tales\ + \ como: a) Dispositivos multifunci\xF3n: impresoras, esc\xE1neres, etc. b)\ + \ Dispositivos multimedia: proyectores, altavoces inteligentes, etc. c) Dispositivos\ + \ internet de las cosas, en ingl\xE9s Internet of Things (IoT). d) Dispositivos\ + \ de invitados y los personales de los propios empleados, en ingl\xE9s Bring\ + \ Your Own Device (BYOD). e) Otros." + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4 + ref_id: mp.eq.4.1 + description: "Los dispositivos presentes en el sistema deber\xE1n contar con\ + \ una configuraci\xF3n de seguridad adecuada de manera que se garantice el\ + \ control del flujo definido de entrada y salida de la informaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.eq.4.\n\u2013 Nivel MEDIO: mp.eq.4 + R1.\n\u2013 Nivel ALTO: mp.eq.4+\ + \ R1\nRefuerzo R1-Productos certificados.\n\u2013 [mp.eq.4.r1.1] Se usar\xE1\ + n, cuando sea posible, productos o servicios que cumplan lo establecido en\ + \ [op.pl.5].\nRefuerzo R2-Control de dispositivos conectados a la red.\n\u2013\ + \ [mp.eq.4.r2.1] Se dispondr\xE1 de soluciones que permitan visualizar los\ + \ dispositivos presentes en la red, controlar su conexi\xF3n/desconexi\xF3\ + n a la misma y verificar su configuraci\xF3n de seguridad.\nP\xE1ginas 68-69" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.eq.4 + ref_id: mp.eq.4.2 + description: "Los dispositivos presentes en la red que dispongan de alg\xFA\ + n tipo de almacenamiento temporal o permanente de informaci\xF3n proporcionar\xE1\ + n la funcionalidad necesaria para eliminar informaci\xF3n de soportes de informaci\xF3\ + n. (Ver [mp.si.5])." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.eq.4.\n\u2013 Nivel MEDIO: mp.eq.4 + R1.\n\u2013 Nivel ALTO: mp.eq.4+\ + \ R1\nRefuerzo R1-Productos certificados.\n\u2013 [mp.eq.4.r1.1] Se usar\xE1\ + n, cuando sea posible, productos o servicios que cumplan lo establecido en\ + \ [op.pl.5].\nRefuerzo R2-Control de dispositivos conectados a la red.\n\u2013\ + \ [mp.eq.4.r2.1] Se dispondr\xE1 de soluciones que permitan visualizar los\ + \ dispositivos presentes en la red, controlar su conexi\xF3n/desconexi\xF3\ + n a la misma y verificar su configuraci\xF3n de seguridad.\nP\xE1ginas 68-69" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.com + name: "Protecci\xF3n de las comunicaciones" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com + ref_id: mp.com.1 + name: "Per\xEDmetro seguro" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1 + ref_id: mp.com.1.1 + description: "Se dispondr\xE1 de un sistema de protecci\xF3n perimetral que\ + \ separe la red interna del exterior. Todo el tr\xE1fico deber\xE1 atravesar\ + \ dicho sistema." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.com.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.com.1.\n\u2013 Categor\xEDa ALTA: mp.com.1.\n\ + P\xE1gina 69" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1 + ref_id: mp.com.1.2 + description: "Todos los flujos de informaci\xF3n a trav\xE9s del per\xEDmetro\ + \ deben estar autorizados previamente." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.com.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.com.1.\n\u2013 Categor\xEDa ALTA: mp.com.1.\n\ + P\xE1gina 69" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node587 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.1 + description: "La Instrucci\xF3n T\xE9cnica de Seguridad de Interconexi\xF3n\ + \ de Sistemas de Informaci\xF3n determinar\xE1 los requisitos establecidos\ + \ en el per\xEDmetro que han de cumplir todos los componentes del sistema\ + \ en funci\xF3n de la categor\xEDa." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.com.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.com.1.\n\u2013 Categor\xEDa ALTA: mp.com.1.\n\ + P\xE1gina 69" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com + ref_id: mp.com.2 + name: "Protecci\xF3n de la confidencialidad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.2 + ref_id: mp.com.2.1 + description: "Se emplear\xE1n redes privadas virtuales cifradas cuando la comunicaci\xF3\ + n discurra por redes fuera del propio dominio de seguridad." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.com.2.\n\u2013 Nivel MEDIO: mp.com.2 + R1.\n\u2013 Nivel ALTO:\ + \ mp.com.2 + R1 + R2+ R3.\nRefuerzo R1-Algoritmos y par\xE1metros autorizados.\n\ + \u2013 [mp.com.2.r1.1] Se emplear\xE1n algoritmos y par\xE1metros autorizados\ + \ por el CCN.\nRefuerzo R2-Dispositivos hardware.\n\u2013 [mp.com.2.r2.1]\ + \ Se emplear\xE1n, dispositivos hardware en el establecimiento y utilizaci\xF3\ + n de la red privada virtual.\nRefuerzo R3-Productos certificados.\n\u2013\ + \ [mp.com.2.r3.1] Se usar\xE1n productos o servicios que cumplan lo establecido\ + \ en [op.pl.5].\nRefuerzo R4-Cifradores.\n\u2013 [mp.com.2.r4.1] Se emplear\xE1\ + n cifradores que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC\ + \ que sea de aplicaci\xF3n.\nRefuerzo R5-Cifrado de informaci\xF3n especialmente\ + \ sensible.\n\u2013 [mp.com.2.r5.1] Se cifrar\xE1 toda la informaci\xF3n transmitida.\n\ + P\xE1ginas 69-70" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com + ref_id: mp.com.3 + name: "Protecci\xF3n de la integridad y de la autenticidad" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3 + ref_id: mp.com.3.1 + description: "En comunicaciones con puntos exteriores al dominio propio de seguridad,\ + \ se asegurar\xE1 la autenticidad del otro extremo del canal de comunicaci\xF3\ + n antes de intercambiar informaci\xF3n. (Ver [op.acc.5])." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3 + ref_id: mp.com.3.2 + description: "Se prevendr\xE1n ataques activos garantizando que al ser detectados\ + \ se activar\xE1n los procedimientos previstos de tratamiento del incidente.\ + \ Se considerar\xE1n ataques activos:" + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2 + ref_id: mp.com.3.2.a + description: "La alteraci\xF3n de la informaci\xF3n en tr\xE1nsito." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2 + ref_id: mp.com.3.2.b + description: "La inyecci\xF3n de informaci\xF3n espuria." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.2 + ref_id: mp.com.3.2.c + description: "El secuestro de la sesi\xF3n por una tercera parte." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.3 + ref_id: mp.com.3.3 + description: "Se aceptar\xE1 cualquier mecanismo de identificaci\xF3n y autenticaci\xF3\ + n de los previstos en el ordenamiento jur\xEDdico y en la normativa de aplicaci\xF3\ + n." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.com.3.\n\u2013 Nivel MEDIO: mp.com.3 + R1 + R2.\n\u2013 Nivel\ + \ ALTO: mp.com.3 + R1 + R2 + R3 + R4.\nRefuerzo R1-Redes privadas virtuales.\n\ + \u2013 [mp.com.3.r1.1] Se emplear\xE1n redes privadas virtuales cifradas cuando\ + \ la comunicaci\xF3n discurra por redes fuera del propio dominio de seguridad.\n\ + Refuerzo R2-Algoritmos y par\xE1metros autorizados.\n\u2013 [mp.com.3.r2.1]\ + \ Se emplear\xE1n algoritmos y par\xE1metros autorizados por el CCN.\nRefuerzo\ + \ R3-Dispositivos hardware.\n\u2013 [mp.com.3.r3.1] Se recomienda emplear\ + \ dispositivos hardware en el establecimiento y utilizaci\xF3n de la red privada\ + \ virtual.\nRefuerzo R4-Productos certificados.\n\u2013 [mp.com.3.r4.1] Se\ + \ emplear\xE1n productos certificados conforme a lo establecido en [op.pl.5].\n\ + Refuerzo R5-Cifradores.\n\u2013 [mp.com.3.r5.1] Se emplear\xE1n cifradores\ + \ que cumplan con los requisitos establecidos en la gu\xEDa CCN-STIC que sea\ + \ de aplicaci\xF3n.\nP\xE1gina 70-71" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com + ref_id: mp.com.4 + name: "Separaci\xF3n de flujos de informaci\xF3n en la red" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node598 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4 + description: "La segmentaci\xF3n acota el acceso a la informaci\xF3n y, consiguientemente,\ + \ la propagaci\xF3n de los incidentes de seguridad, que quedan restringidos\ + \ al entorno donde ocurren." + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node599 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4 + description: "Cuando la transmisi\xF3n de informaci\xF3n por la red se restringe\ + \ a ciertos segmentos, se acota el acceso a la informaci\xF3n y los incidentes\ + \ de seguridad quedan encapsulados en su segmento." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.com.4+ [R1o R2 o R3]\n\u2013 Categor\xED\ + a ALTA: mp.com.4+[R2 o R3] + R4.\nRefuerzo R1-Segmentaci\xF3n l\xF3gica b\xE1\ + sica.\n\u2013 [mp.com.4.r1.1] Los segmentos de red se implementar\xE1n por\ + \ medio de redes de \xE1rea local virtuales (Virtual Local Area Network, VLAN).\n\ + \u2013 [mp.com.4.r1.2] La red que conforma el sistema deber\xE1 segregarse\ + \ en distintas subredes contemplando como m\xEDnimo:\n\u2022 Usuarios.\n\u2022\ + \ Servicios.\n\u2022 Administraci\xF3n.\nRefuerzo R2-Segmentaci\xF3n l\xF3\ + gica avanzada.\n\u2013 [mp.com.4.r2.1] Los segmentos de red se implementar\xE1\ + n por medio de redes privadas virtuales (Virtual Private Network, VPN).\n\ + Refuerzo R3-Segmentaci\xF3n f\xEDsica.\n\u2013 [mp.com.4.r3.1] Los segmentos\ + \ de red se implementar\xE1n con medios f\xEDsicos separados.\nRefuerzo R4-Puntos\ + \ de interconexi\xF3n.\n\u2013 [mp.com.4.r4.1] Control de entrada de los usuarios\ + \ que llegan a cada segmento y control de entrada y salida de la informaci\xF3\ + n disponible en cada segmento. \u2013 [mp.com.4.r4.2] El punto de interconexi\xF3\ + n estar\xE1 particularmente asegurado, mantenido y monitorizado, (como en\ + \ [mp.com.1]).\nP\xE1gina 71" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node600 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4 + description: "Los flujos de informaci\xF3n se separar\xE1n en segmentos de forma\ + \ que:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.com.4+ [R1o R2 o R3]\n\u2013 Categor\xED\ + a ALTA: mp.com.4+[R2 o R3] + R4.\nRefuerzo R1-Segmentaci\xF3n l\xF3gica b\xE1\ + sica.\n\u2013 [mp.com.4.r1.1] Los segmentos de red se implementar\xE1n por\ + \ medio de redes de \xE1rea local virtuales (Virtual Local Area Network, VLAN).\n\ + \u2013 [mp.com.4.r1.2] La red que conforma el sistema deber\xE1 segregarse\ + \ en distintas subredes contemplando como m\xEDnimo:\n\u2022 Usuarios.\n\u2022\ + \ Servicios.\n\u2022 Administraci\xF3n.\nRefuerzo R2-Segmentaci\xF3n l\xF3\ + gica avanzada.\n\u2013 [mp.com.4.r2.1] Los segmentos de red se implementar\xE1\ + n por medio de redes privadas virtuales (Virtual Private Network, VPN).\n\ + Refuerzo R3-Segmentaci\xF3n f\xEDsica.\n\u2013 [mp.com.4.r3.1] Los segmentos\ + \ de red se implementar\xE1n con medios f\xEDsicos separados.\nRefuerzo R4-Puntos\ + \ de interconexi\xF3n.\n\u2013 [mp.com.4.r4.1] Control de entrada de los usuarios\ + \ que llegan a cada segmento y control de entrada y salida de la informaci\xF3\ + n disponible en cada segmento. \u2013 [mp.com.4.r4.2] El punto de interconexi\xF3\ + n estar\xE1 particularmente asegurado, mantenido y monitorizado, (como en\ + \ [mp.com.1]).\nP\xE1gina 71" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node600 + ref_id: mp.com.4.1 + description: "El tr\xE1fico por la red se segregar\xE1 para que cada equipo\ + \ solamente tenga acceso a la informaci\xF3n que necesita." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.com.4+ [R1o R2 o R3]\n\u2013 Categor\xED\ + a ALTA: mp.com.4+[R2 o R3] + R4.\nRefuerzo R1-Segmentaci\xF3n l\xF3gica b\xE1\ + sica.\n\u2013 [mp.com.4.r1.1] Los segmentos de red se implementar\xE1n por\ + \ medio de redes de \xE1rea local virtuales (Virtual Local Area Network, VLAN).\n\ + \u2013 [mp.com.4.r1.2] La red que conforma el sistema deber\xE1 segregarse\ + \ en distintas subredes contemplando como m\xEDnimo:\n\u2022 Usuarios.\n\u2022\ + \ Servicios.\n\u2022 Administraci\xF3n.\nRefuerzo R2-Segmentaci\xF3n l\xF3\ + gica avanzada.\n\u2013 [mp.com.4.r2.1] Los segmentos de red se implementar\xE1\ + n por medio de redes privadas virtuales (Virtual Private Network, VPN).\n\ + Refuerzo R3-Segmentaci\xF3n f\xEDsica.\n\u2013 [mp.com.4.r3.1] Los segmentos\ + \ de red se implementar\xE1n con medios f\xEDsicos separados.\nRefuerzo R4-Puntos\ + \ de interconexi\xF3n.\n\u2013 [mp.com.4.r4.1] Control de entrada de los usuarios\ + \ que llegan a cada segmento y control de entrada y salida de la informaci\xF3\ + n disponible en cada segmento. \u2013 [mp.com.4.r4.2] El punto de interconexi\xF3\ + n estar\xE1 particularmente asegurado, mantenido y monitorizado, (como en\ + \ [mp.com.1]).\nP\xE1gina 71" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.com.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node600 + ref_id: mp.com.4.2 + description: "Si se emplean comunicaciones inal\xE1mbricas, ser\xE1 en un segmento\ + \ separado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.com.4+ [R1o R2 o R3]\n\u2013 Categor\xED\ + a ALTA: mp.com.4+[R2 o R3] + R4.\nRefuerzo R1-Segmentaci\xF3n l\xF3gica b\xE1\ + sica.\n\u2013 [mp.com.4.r1.1] Los segmentos de red se implementar\xE1n por\ + \ medio de redes de \xE1rea local virtuales (Virtual Local Area Network, VLAN).\n\ + \u2013 [mp.com.4.r1.2] La red que conforma el sistema deber\xE1 segregarse\ + \ en distintas subredes contemplando como m\xEDnimo:\n\u2022 Usuarios.\n\u2022\ + \ Servicios.\n\u2022 Administraci\xF3n.\nRefuerzo R2-Segmentaci\xF3n l\xF3\ + gica avanzada.\n\u2013 [mp.com.4.r2.1] Los segmentos de red se implementar\xE1\ + n por medio de redes privadas virtuales (Virtual Private Network, VPN).\n\ + Refuerzo R3-Segmentaci\xF3n f\xEDsica.\n\u2013 [mp.com.4.r3.1] Los segmentos\ + \ de red se implementar\xE1n con medios f\xEDsicos separados.\nRefuerzo R4-Puntos\ + \ de interconexi\xF3n.\n\u2013 [mp.com.4.r4.1] Control de entrada de los usuarios\ + \ que llegan a cada segmento y control de entrada y salida de la informaci\xF3\ + n disponible en cada segmento. \u2013 [mp.com.4.r4.2] El punto de interconexi\xF3\ + n estar\xE1 particularmente asegurado, mantenido y monitorizado, (como en\ + \ [mp.com.1]).\nP\xE1gina 71" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.si + name: "Protecci\xF3n de los soportes de informaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + ref_id: mp.si.1 + name: Marcado de soportes + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.1 + ref_id: mp.si.1.1 + description: "Los soportes de informaci\xF3n (papel impreso, documentos electr\xF3\ + nicos, contenidos multimedia -v\xEDdeos, cursos, presentaciones- etc.) que\ + \ contengan informaci\xF3n que seg\xFAn [mp.info.2] deba protegerse con medidas\ + \ de seguridad espec\xEDficas, llevar\xE1n las marcas o metadatos correspondientes\ + \ que indiquen el nivel de seguridad de la informaci\xF3n contenida de mayor\ + \ calificaci\xF3n." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.si.1.\n\u2013 Nivel ALTO: mp.si.1.\n\ + Refuerzo R1-Marca de agua digital.\n\u2013 [mp.si.1.r1.1] La pol\xEDtica de\ + \ seguridad de la organizaci\xF3n definir\xE1 marcas de agua para asegurar\ + \ el uso adecuado de la informaci\xF3n que se maneja.\n\u2013 [mp.si.1.r1.2]\ + \ Los soportes de informaci\xF3n digital (documentos electr\xF3nicos, material\ + \ multimedia, etc.) podr\xE1n incluir una marca de agua seg\xFAn la pol\xED\ + tica de seguridad.\n\u2013 [mp.si.1.r1.3] Los equipos o dispositivos a trav\xE9\ + s de los que se accede a aplicaciones, escritorios remotos o virtuales, datos,\ + \ etc., presentar\xE1n una marca de agua en pantalla seg\xFAn la pol\xEDtica\ + \ de seguridad.\nP\xE1gina 72" + implementation_groups: + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + ref_id: mp.si.2 + name: "Criptograf\xEDa" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node607 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2 + description: "Esta medida se aplica, en particular, a todos los dispositivos\ + \ removibles cuando salen de un \xE1rea controlada. Se entender\xE1n por dispositivos\ + \ removibles, los CD, DVD, discos extra\xEDbles, pendrives, memorias USB u\ + \ otros de naturaleza an\xE1loga." + implementation_groups: + - MEDIO + - ' ALTO' + - C + - I + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2 + ref_id: mp.si.2.1 + description: "Se usar\xE1n mecanismos criptogr\xE1ficos que garanticen la confidencialidad\ + \ y la integridad de la informaci\xF3n contenida." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad e integridad).\n\ + \u2013 Nivel BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.si.2.\n\u2013 Nivel\ + \ ALTO: mp.si.2 + R1 + R2.\nRefuerzo R1\u2013 Productos certificados.\n\u2013\ + \ [mp.si.2.r1.1] Se emplear\xE1n productos certificados conforme a lo establecido\ + \ en [op.pl.5].\nRefuerzo R2-Copias de seguridad.\n\u2013 [mp.si.2.r2.1] Las\ + \ copias se seguridad se cifrar\xE1n utilizando algoritmos y par\xE1metros\ + \ autorizados por el CCN.\nP\xE1gina 73" + implementation_groups: + - MEDIO + - ' ALTO' + - C + - I + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.2 + ref_id: mp.si.2.2 + description: "Se emplear\xE1n algoritmos y par\xE1metros autorizados por el\ + \ CCN." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad e integridad).\n\ + \u2013 Nivel BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.si.2.\n\u2013 Nivel\ + \ ALTO: mp.si.2 + R1 + R2.\nRefuerzo R1\u2013 Productos certificados.\n\u2013\ + \ [mp.si.2.r1.1] Se emplear\xE1n productos certificados conforme a lo establecido\ + \ en\n[op.pl.5].\nRefuerzo R2-Copias de seguridad.\n\u2013 [mp.si.2.r2.1]\ + \ Las copias se seguridad se cifrar\xE1n utilizando algoritmos y\npar\xE1\ + metros autorizados por el CCN.\nP\xE1gina 73" + implementation_groups: + - MEDIO + - ' ALTO' + - C + - I + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + ref_id: mp.si.3 + name: Custodia + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.3 + ref_id: mp.si.3.1 + description: "Se aplicar\xE1 la debida diligencia y control a los soportes de\ + \ informaci\xF3n que permanecen bajo la responsabilidad de la organizaci\xF3\ + n, garantizando el control de acceso con medidas f\xEDsicas ([mp.if.1] y [mp.if.7])\ + \ o l\xF3gicas ([mp.si.2])." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.3.\n\u2013 Categor\xEDa ALTA: mp.si.3.\n\ + P\xE1gina 74" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.3.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.3 + ref_id: mp.si.3.2 + description: "Se respetar\xE1n las exigencias de mantenimiento del fabricante,\ + \ en especial, en lo referente a temperatura, humedad y otros agentes medioambientales." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.3.\n\u2013 Categor\xEDa ALTA: mp.si.3.\n\ + P\xE1gina 74" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + ref_id: mp.si.4 + name: Transporte + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node614 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4 + description: "El responsable del sistema garantizar\xE1 que los dispositivos\ + \ permanecen bajo control y que satisfacen sus requisitos de seguridad mientras\ + \ est\xE1n siendo desplazados de un lugar a otro, fuera de las zonas controladas\ + \ por la organizaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.4.\n\u2013 Categor\xEDa ALTA: mp.si.4." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node614 + ref_id: mp.si.4.1 + description: "Se dispondr\xE1 de un registro de entrada/salida que identifique\ + \ al transportista que entrega/recibe el soporte." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.4.\n\u2013 Categor\xEDa ALTA: mp.si.4." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node614 + ref_id: mp.si.4.2 + description: "Se dispondr\xE1 de un procedimiento rutinario que coteje las salidas\ + \ con las llegadas y levante las alarmas pertinentes cuando se detecte alg\xFA\ + n incidente." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.4.\n\u2013 Categor\xEDa ALTA: mp.si.4." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node614 + ref_id: mp.si.4.3 + description: "Se utilizar\xE1n los medios de protecci\xF3n criptogr\xE1fica\ + \ ([mp.si.2]) correspondientes al mayor nivel de seguridad de la informaci\xF3\ + n contenida." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.4.\n\u2013 Categor\xEDa ALTA: mp.si.4." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.4.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node614 + ref_id: mp.si.4.4 + description: "Se gestionar\xE1n las claves seg\xFAn [op.exp.10]." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.si.4.\n\ + \u2013 Categor\xEDa MEDIA: mp.si.4.\n\u2013 Categor\xEDa ALTA: mp.si.4." + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si + ref_id: mp.si.5 + name: "Borrado y destrucci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node620 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.5 + description: "La medida de borrado y destrucci\xF3n de soportes de informaci\xF3\ + n se aplicar\xE1 a todo tipo de equipos y soportes susceptibles de almacenar\ + \ informaci\xF3n, incluyendo medios electr\xF3nicos y no electr\xF3nicos." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.si.5.\n\u2013 Nivel MEDIO: mp.si.5 + R1.\n\u2013 Nivel ALTO: mp.si.5\ + \ + R1.\nRefuerzo R1-Productos certificados.\n\u2013 [mp.si.5.r1.1] Se usar\xE1\ + n productos o servicios que cumplan lo establecido en [op.pl.5].\nRefuerzo\ + \ R2 - Destrucci\xF3n de soportes.\n\u2013 [mp.si.5.r2.1] Una vez finalizado\ + \ el ciclo de vida del soporte de informaci\xF3n, deber\xE1 ser destruido\ + \ de forma segura conforme a los criterios establecidos por el CCN.\nP\xE1\ + gina 74" + implementation_groups: + - BAJO + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.5.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.5 + ref_id: mp.si.5.1 + description: "Los soportes que vayan a ser reutilizados para otra informaci\xF3\ + n o liberados a otra organizaci\xF3n ser\xE1n objeto del borrado seguro de\ + \ su contenido que no permita su recuperaci\xF3n. Cuando la naturaleza del\ + \ soporte no permita un borrado seguro, el soporte no podr\xE1 ser reutilizado\ + \ en ning\xFAn otro sistema." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.si.5.\n\u2013 Nivel MEDIO: mp.si.5 + R1.\n\u2013 Nivel ALTO: mp.si.5\ + \ + R1.\nRefuerzo R1-Productos certificados.\n\u2013 [mp.si.5.r1.1] Se usar\xE1\ + n productos o servicios que cumplan lo establecido en [op.pl.5].\nRefuerzo\ + \ R2 - Destrucci\xF3n de soportes.\n\u2013 [mp.si.5.r2.1] Una vez finalizado\ + \ el ciclo de vida del soporte de informaci\xF3n, deber\xE1 ser destruido\ + \ de forma segura conforme a los criterios establecidos por el CCN.\nP\xE1\ + gina 74" + implementation_groups: + - BAJO + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node622 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.si.5 + description: "Las gu\xEDas CCN-STIC del CCN precisar\xE1n los criterios para\ + \ definir como seguro un mecanismo de borrado o de destrucci\xF3n, en funci\xF3\ + n de la sensibilidad de la informaci\xF3n almacenada en el dispositivo." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.si.5.\n\u2013 Nivel MEDIO: mp.si.5 + R1.\n\u2013 Nivel ALTO: mp.si.5\ + \ + R1.\nRefuerzo R1-Productos certificados.\n\u2013 [mp.si.5.r1.1] Se usar\xE1\ + n productos o servicios que cumplan lo establecido en [op.pl.5].\nRefuerzo\ + \ R2 - Destrucci\xF3n de soportes.\n\u2013 [mp.si.5.r2.1] Una vez finalizado\ + \ el ciclo de vida del soporte de informaci\xF3n, deber\xE1 ser destruido\ + \ de forma segura conforme a los criterios establecidos por el CCN.\nP\xE1\ + gina 74" + implementation_groups: + - BAJO + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.sw + name: "Protecci\xF3n de las aplicaciones inform\xE1ticas" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw + ref_id: mp.sw.1 + name: Desarrollo de aplicaciones + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.1 + ref_id: mp.sw.1.1 + description: "El desarrollo de aplicaciones se realizar\xE1 sobre un sistema\ + \ diferente y separado del de producci\xF3n, no debiendo existir herramientas\ + \ o datos de desarrollo en el entorno de producci\xF3n, ni datos de producci\xF3\ + n en el de desarrollo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: no\ + \ aplica.\n\u2013 Categor\xEDa MEDIA: mp.sw.1 + R1 + R2 + R3 + R4.\n\u2013\ + \ Categor\xEDa ALTA: mp.sw.1 + R1 + R2 + R3 + R4.\nRefuerzo R1-M\xEDnimo privilegio.\n\ + \u2013 [mp.sw.1.r1.1] Las aplicaciones se desarrollar\xE1n respetando el principio\ + \ de m\xEDnimo privilegio, accediendo \xFAnicamente a los recursos imprescindibles\ + \ para su funci\xF3n, y con los privilegios que sean indispensables.\nRefuerzo\ + \ R2-Metodolog\xEDa de desarrollo seguro.\n\u2013 [mp.sw.1.r2.1] Se aplicar\xE1\ + \ una metodolog\xEDa de desarrollo seguro reconocida que:\na) Tendr\xE1 en\ + \ consideraci\xF3n los aspectos de seguridad a lo largo de todo el ciclo de\ + \ vida.\nb) Incluir\xE1 normas de programaci\xF3n segura, especialmente: control\ + \ de asignaci\xF3n y liberaci\xF3n de memoria, desbordamiento de memoria (overflow).\n\ + c) Tratar\xE1 espec\xEDficamente los datos usados en pruebas.\nd) Permitir\xE1\ + \ la inspecci\xF3n del c\xF3digo fuente.\nRefuerzo R3-Seguridad desde el dise\xF1\ + o.\n\u2013 [mp.sw.1.r3.1] Los siguientes elementos ser\xE1n parte integral\ + \ del dise\xF1o del sistema:\na) Los mecanismos de identificaci\xF3n y autenticaci\xF3\ + n.\nb) Los mecanismos de protecci\xF3n de la informaci\xF3n tratada.\nc) La\ + \ generaci\xF3n y tratamiento de pistas de auditor\xEDa.\nRefuerzo R4-Datos\ + \ de pruebas.\n\u2013 [mp.sw.1.r4.1] Preferiblemente, las pruebas previas\ + \ a la implantaci\xF3n o modificaci\xF3n de los sistemas de informaci\xF3\ + n no se realizar\xE1n con datos reales. En caso de que fuese necesario recurrir\ + \ a datos reales se garantizar\xE1 el nivel de seguridad correspondiente.\n\ + Refuerzo R5-Lista de componentes software.\n\u2013 [mp.sw.1.r5.1] El desarrollador\ + \ elaborar\xE1 y mantendr\xE1 actualizada una relaci\xF3n formal de los componentes\ + \ software de terceros empleados en la aplicaci\xF3n o producto.\nSe mantendr\xE1\ + \ un hist\xF3rico de los componentes utilizados en las diferentes versiones\ + \ del software. El contenido m\xEDnimo de la lista de componentes, que contendr\xE1\ + , al menos, la identificaci\xF3n del componente, el fabricante y la versi\xF3\ + n empleada, se concretar\xE1 en una gu\xEDa CCN-STIC del CCN.\nP\xE1gina 75" + implementation_groups: + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw + ref_id: mp.sw.2 + name: "Aceptaci\xF3n y puesta en servicio" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node627 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2 + description: "Antes de pasar a producci\xF3n se comprobar\xE1 el correcto funcionamiento\ + \ de la aplicaci\xF3n." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.sw.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.sw.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.sw.2\ + \ + R1.\nRefuerzo R1- Pruebas.\n\u2013 [mp.sw.2.r1.1] Las pruebas se realizar\xE1\ + n en un entorno aislado (pre-producci\xF3n).\nRefuerzo R2-Inspecci\xF3n de\ + \ c\xF3digo fuente.\n\u2013 [mp.sw.2.r2.1] Se realizar\xE1 una auditor\xED\ + a de c\xF3digo fuente.\nP\xE1gina 76" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node627 + ref_id: mp.sw.2.1 + description: "Se comprobar\xE1 que:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.sw.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.sw.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.sw.2\ + \ + R1.\nRefuerzo R1- Pruebas.\n\u2013 [mp.sw.2.r1.1] Las pruebas se realizar\xE1\ + n en un entorno aislado (pre-producci\xF3n).\nRefuerzo R2-Inspecci\xF3n de\ + \ c\xF3digo fuente.\n\u2013 [mp.sw.2.r2.1] Se realizar\xE1 una auditor\xED\ + a de c\xF3digo fuente.\nP\xE1gina 76" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2.1.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2.1 + ref_id: mp.sw.2.1.a + description: "Se cumplen los criterios de aceptaci\xF3n en materia de seguridad." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.sw.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.sw.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.sw.2\ + \ + R1.\nRefuerzo R1- Pruebas.\n\u2013 [mp.sw.2.r1.1] Las pruebas se realizar\xE1\ + n en un entorno aislado (pre-producci\xF3n).\nRefuerzo R2-Inspecci\xF3n de\ + \ c\xF3digo fuente.\n\u2013 [mp.sw.2.r2.1] Se realizar\xE1 una auditor\xED\ + a de c\xF3digo fuente.\nP\xE1gina 76" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2.1.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.sw.2.1 + ref_id: mp.sw.2.1.b + description: No se deteriora la seguridad de otros componentes del servicio. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.sw.2.\n\ + \u2013 Categor\xEDa MEDIA: mp.sw.2 + R1.\n\u2013 Categor\xEDa ALTA: mp.sw.2\ + \ + R1.\nRefuerzo R1- Pruebas.\n\u2013 [mp.sw.2.r1.1] Las pruebas se realizar\xE1\ + n en un entorno aislado (pre-producci\xF3n).\nRefuerzo R2-Inspecci\xF3n de\ + \ c\xF3digo fuente.\n\u2013 [mp.sw.2.r2.1] Se realizar\xE1 una auditor\xED\ + a de c\xF3digo fuente.\nP\xE1gina 76" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.info + name: "Protecci\xF3n de la informaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.1 + name: Datos personales + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.1.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.1 + ref_id: mp.info.1.1 + description: "Cuando el sistema trate datos personales, el responsable de seguridad\ + \ recoger\xE1 los requisitos de protecci\xF3n de datos que sean fijados por\ + \ el responsable o por el encargado del tratamiento, contando con el asesoramiento\ + \ del DPD, y que sean necesarios implementar en los sistemas de acuerdo a\ + \ la naturaleza, alcance, contexto y fines del mismo, as\xED como de los riesgos\ + \ para los derechos y libertades de acuerdo a lo establecido en los art\xED\ + culos 24 y 32 del RGPD, y de acuerdo a la evaluaci\xF3n de impacto en la protecci\xF3\ + n de datos, si se ha llevado a cabo" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.info.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.info.1.\n\u2013 Categor\xEDa ALTA: mp.info.1.\n\ + P\xE1gina 77" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.2 + name: "Calificaci\xF3n de la informaci\xF3n" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + ref_id: mp.info.2.1 + description: "Para calificar la informaci\xF3n se estar\xE1 a lo establecido\ + \ legalmente por las leyes y tratados internacionales de los que Espa\xF1\ + a es miembro y su normativa de aplicaci\xF3n cuando se trate de materias clasificadas.\ + \ El valor a emplear en el caso de informaci\xF3n de materias no clasificadas\ + \ ser\xEDa USO OFICIAL para informaci\xF3n con alg\xFAn tipo de restricci\xF3\ + n en su manejo por su sensibilidad y confidencialidad" + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.info.2.\n\u2013 Nivel ALTO: mp.info.2.\n\ + P\xE1gina 77" + implementation_groups: + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + ref_id: mp.info.2.2 + description: "La pol\xEDtica de seguridad establecer\xE1 qui\xE9n es el responsable\ + \ de cada informaci\xF3n manejada por el sistema." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.info.2.\n\u2013 Nivel ALTO: mp.info.2.\n\ + P\xE1gina 77" + implementation_groups: + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + ref_id: mp.info.2.3 + description: "La pol\xEDtica de seguridad recoger\xE1, directa o indirectamente,\ + \ los criterios que, en cada organizaci\xF3n, determinar\xE1n el nivel de\ + \ seguridad requerido, dentro del marco establecido en el art\xEDculo 40 y\ + \ los criterios generales se\xF1alados en el anexo I." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.info.2.\n\u2013 Nivel ALTO: mp.info.2.\n\ + P\xE1gina 77" + implementation_groups: + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + ref_id: mp.info.2.4 + description: "El responsable de cada informaci\xF3n seguir\xE1 los criterios\ + \ determinados en el apartado anterior para asignar a cada informaci\xF3n\ + \ el nivel de seguridad requerido, y ser\xE1 responsable de su documentaci\xF3\ + n y aprobaci\xF3n formal." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.info.2.\n\u2013 Nivel ALTO: mp.info.2.\n\ + P\xE1gina 77" + implementation_groups: + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.2 + ref_id: mp.info.2.5 + description: "El responsable de cada informaci\xF3n en cada momento tendr\xE1\ + \ en exclusiva la potestad de modificar el nivel de seguridad requerido, de\ + \ acuerdo a los apartados anteriores." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.info.2.\n\u2013 Nivel ALTO: mp.info.2.\n\ + P\xE1gina 77" + implementation_groups: + - MEDIO + - ALTO + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.3 + name: "Firma electr\xF3nica" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.3.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.3 + ref_id: mp.info.3.1 + description: "Se emplear\xE1 cualquier tipo de firma electr\xF3nica de los previstos\ + \ en el vigente ordenamiento jur\xEDdico, entre ellos, los sistemas de c\xF3\ + digo seguro de verificaci\xF3n vinculados a la Administraci\xF3n P\xFAblica,\ + \ \xF3rgano, organismo p\xFAblico o entidad de derecho p\xFAblico, en los\ + \ t\xE9rminos y condiciones establecidos en la Ley 39/2015, de 1 de octubre,\ + \ del Procedimiento Administrativo Com\xFAn de las Administraciones P\xFA\ + blicas, y en la Ley 40/2015, de 1 de octubre." + annotation: "Aplicaci\xF3n de la medida (por integridad y autenticidad).\n\u2013\ + \ Nivel BAJO: mp.info.3.\n\u2013 Nivel MEDIO: mp.info.3 + R1 + R2 + R3.\n\u2013\ + \ Nivel ALTO: mp.info.3 + R1 + R2 + R3 + R4.\nP\xE1gina 78" + implementation_groups: + - BAJO + - MEDIO + - ALTO + - I + - A + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.4 + name: Sellos de tiempo + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node643 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4 + description: "La utilizaci\xF3n de sellos de tiempo exigir\xE1 adoptar las siguientes\ + \ cautelas:" + implementation_groups: + - ALTO + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node643 + ref_id: mp.info.4.1 + description: "Los sellos de tiempo se aplicar\xE1n a aquella informaci\xF3n\ + \ que sea susceptible de ser utilizada como evidencia electr\xF3nica en el\ + \ futuro." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: mp.info.4.\n\ + Refuerzo R1-Productos certificados.\n\u2013 [mp.info.4.r1.1.] Se utilizar\xE1\ + n productos certificados seg\xFAn [op.pl.5].\n\u2013 [mp.info.4.r1.2] Se asignar\xE1\ + \ una fecha y hora a un documento electr\xF3nico, conforme a lo establecido\ + \ en la gu\xEDa CCN-STIC Criptolog\xEDa de empleo en el ENS.\nP\xE1gina 79" + implementation_groups: + - ALTO + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node643 + ref_id: mp.info.4.2 + description: " Los datos pertinentes para la verificaci\xF3n posterior de la\ + \ fecha ser\xE1n tratados con la misma seguridad que la informaci\xF3n fechada\ + \ a efectos de disponibilidad, integridad y confidencialidad." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: mp.info.4.\n\ + Refuerzo R1-Productos certificados.\n\u2013 [mp.info.4.r1.1.] Se utilizar\xE1\ + n productos certificados seg\xFAn [op.pl.5].\n\u2013 [mp.info.4.r1.2] Se asignar\xE1\ + \ una fecha y hora a un documento electr\xF3nico, conforme a lo establecido\ + \ en la gu\xEDa CCN-STIC Criptolog\xEDa de empleo en el ENS.\nP\xE1gina 79" + implementation_groups: + - ALTO + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node643 + ref_id: mp.info.4.3 + description: "Se renovar\xE1n regularmente los sellos de tiempo hasta que la\ + \ informaci\xF3n protegida ya no sea requerida por el proceso administrativo\ + \ al que da soporte, en su caso." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: mp.info.4.\n\ + Refuerzo R1-Productos certificados.\n\u2013 [mp.info.4.r1.1.] Se utilizar\xE1\ + n productos certificados seg\xFAn [op.pl.5].\n\u2013 [mp.info.4.r1.2] Se asignar\xE1\ + \ una fecha y hora a un documento electr\xF3nico, conforme a lo establecido\ + \ en la gu\xEDa CCN-STIC Criptolog\xEDa de empleo en el ENS.\nP\xE1gina 79" + implementation_groups: + - ALTO + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.4.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node643 + ref_id: mp.info.4.4 + description: "Se emplear\xE1n \"sellos cualificados de tiempo electr\xF3nicos\"\ + \ atendiendo a lo dispuesto en el Reglamento (UE) n.\xBA 910/2014 y normativa\ + \ de desarrollo." + annotation: "Aplicaci\xF3n de la medida (por trazabilidad).\n\u2013 Nivel BAJO:\ + \ no aplica.\n\u2013 Nivel MEDIO: no aplica.\n\u2013 Nivel ALTO: mp.info.4.\n\ + Refuerzo R1-Productos certificados.\n\u2013 [mp.info.4.r1.1.] Se utilizar\xE1\ + n productos certificados seg\xFAn [op.pl.5].\n\u2013 [mp.info.4.r1.2] Se asignar\xE1\ + \ una fecha y hora a un documento electr\xF3nico, conforme a lo establecido\ + \ en la gu\xEDa CCN-STIC Criptolog\xEDa de empleo en el ENS.\nP\xE1gina 79" + implementation_groups: + - ALTO + - T + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.5 + name: Limpieza de documentos + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.5.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.5 + ref_id: mp.info.5.1 + description: "En el proceso de limpieza de documentos, se retirar\xE1 de estos\ + \ toda la informaci\xF3n adicional contenida en campos ocultos, metadatos,\ + \ comentarios o revisiones anteriores, salvo cuando dicha informaci\xF3n sea\ + \ pertinente para el receptor del documento." + annotation: "Aplicaci\xF3n de la medida (por confidencialidad).\n\u2013 Nivel\ + \ BAJO: mp.info.5.\n\u2013 Nivel MEDIO: mp.info.5.\n\u2013 Nivel ALTO: mp.info.5.\n\ + P\xE1gina 79" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node650 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.5 + description: "Esta medida es especialmente relevante cuando el documento se\ + \ difunde ampliamente, como ocurre cuando se ofrece al p\xFAblico en un servidor\ + \ web u otro tipo de repositorio de informaci\xF3n." + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - C + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info + ref_id: mp.info.6 + name: Copias de seguridad + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6 + ref_id: mp.info.6.1 + description: "Se realizar\xE1n copias de seguridad que permitan recuperar datos\ + \ perdidos, accidental o intencionadamente. La periodicidad y los plazos de\ + \ retenci\xF3n de estas copias de seguridad se determinar\xE1n en la normativa\ + \ interna de la organizaci\xF3n relativa a copias de seguridad." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6 + ref_id: mp.info.6.2 + description: "Los procedimientos de respaldo establecidos indicar\xE1n:" + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2 + ref_id: mp.info.6.2.a + description: Frecuencia de las copias. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2 + ref_id: mp.info.6.2.b + description: Requisitos de almacenamiento en el propio lugar. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2 + ref_id: mp.info.6.2.c + description: Requisitos de almacenamiento en otros lugares. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.info.6.2 + ref_id: mp.info.6.2.d + description: Controles para el acceso autorizado a las copias de respaldo. + annotation: "Aplicaci\xF3n de la medida (por disponibilidad)\n\u2013 Nivel BAJO:\ + \ mp.info.6.\n\u2013 Nivel MEDIO: mp.info.6+ R1.\n\u2013 Nivel ALTO: mp.info.6+\ + \ R1 + R2.\nRefuerzo R1-Pruebas de recuperaci\xF3n.\n\u2013 [mp.info.6.r1.1]\ + \ Los procedimientos de copia de seguridad y restauraci\xF3n deben probarse\ + \ regularmente. Su frecuencia depender\xE1 de la criticidad de los datos y\ + \ del impacto que cause la falta de disponibilidad.\nRefuerzo R2-Protecci\xF3\ + n de las copias de seguridad.\n\u2013 [mp.info.6.r2.1] Al menos, una de las\ + \ copias de seguridad se almacenar\xE1 de forma separada en lugar diferente,\ + \ de tal manera que un incidente no pueda afectar tanto al repositorio original\ + \ como a la copia simult\xE1neamente.\nP\xE1gina 80" + implementation_groups: + - BAJO + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:anexo-ii-5 + ref_id: mp.s + name: "Protecci\xF3n de los servicios" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s + ref_id: mp.s.1 + name: "Protecci\xF3n del correo electr\xF3nico" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node660 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1 + description: "El correo electr\xF3nico se proteger\xE1 frente a las amenazas\ + \ que le son propias, actuando del siguiente modo:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node660 + ref_id: mp.s.1.1 + description: "La informaci\xF3n distribuida por medio de correo electr\xF3nico\ + \ se proteger\xE1, tanto en el cuerpo de los mensajes como en los anexos" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node660 + ref_id: mp.s.1.2 + description: "Se proteger\xE1 la informaci\xF3n de encaminamiento de mensajes\ + \ y establecimiento de conexiones." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node663 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1 + description: "Se proteger\xE1 a la organizaci\xF3n frente a problemas que se\ + \ materializan por medio del correo electr\xF3nico, en concreto:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node663 + ref_id: mp.s.1.3 + description: "Correo no solicitado, en su expresi\xF3n inglesa \xABspam\xBB." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node663 + ref_id: mp.s.1.4 + description: "C\xF3digo da\xF1ino, constituidos por virus, gusanos, troyanos,\ + \ esp\xEDas, u otros de naturaleza an\xE1loga." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node663 + ref_id: mp.s.1.5 + description: "C\xF3digo m\xF3vil de tipo micro-aplicaci\xF3n, en su expresi\xF3\ + n inglesa \xABapplet\xBB." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node667 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1 + description: "Se establecer\xE1n normas de uso del correo electr\xF3nico para\ + \ el personal. (Ver [org.2]). Estas normas de uso contendr\xE1n:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node667 + ref_id: mp.s.1.6 + description: Limitaciones al uso como soporte de comunicaciones privadas. + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.1.7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node667 + ref_id: mp.s.1.7 + description: "Actividades de concienciaci\xF3n y formaci\xF3n relativas al uso\ + \ del correo electr\xF3nico." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.1.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.1.\n\u2013 Categor\xEDa ALTA: mp.s.1.\nP\xE1\ + gina 80" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s + ref_id: mp.s.2 + name: "Protecci\xF3n de servicios y aplicaciones web" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node671 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2 + description: "Los sistemas que prestan servicios web deber\xE1n ser protegidos\ + \ frente a las siguientes amenazas:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node671 + ref_id: mp.s.2.1 + description: "Cuando la informaci\xF3n requiera control de acceso se garantizar\xE1\ + \ la imposibilidad de acceder a la informaci\xF3n obviando la autenticaci\xF3\ + n, en particular, tomando medidas en los siguientes aspectos:" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1 + ref_id: mp.s.2.1.a + description: "Se evitar\xE1 que el servidor ofrezca acceso a los documentos\ + \ por v\xEDas alternativas al protocolo determinado." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1 + ref_id: mp.s.2.1.b + description: "Se prevendr\xE1n ataques de manipulaci\xF3n del localizador uniforme\ + \ de recursos (Uniform Resource Locator, URL)." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1 + ref_id: mp.s.2.1.c + description: "Se prevendr\xE1n ataques de manipulaci\xF3n de fragmentos de informaci\xF3\ + n que se almacena en el disco duro del visitante de una p\xE1gina web a trav\xE9\ + s de su navegador, a petici\xF3n del servidor de la p\xE1gina, conocido en\ + \ terminolog\xEDa inglesa como cookies." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.1 + ref_id: mp.s.2.1.d + description: "Se prevendr\xE1n ataques de inyecci\xF3n de c\xF3digo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node671 + ref_id: mp.s.2.2 + description: "Se prevendr\xE1n intentos de escalado de privilegios." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.2.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node671 + ref_id: mp.s.2.3 + description: "Se prevendr\xE1n ataques de cross site scripting." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.2\ + \ + [R1 o R2].\n\u2013 Categor\xEDa MEDIA: mp.s.2 + [R1 o R2].\n\u2013 Categor\xED\ + a ALTA: mp.s.2 + R2 + R3.\nRefuerzo R1-Auditor\xEDas de seguridad.\n\u2013\ + \ [mp.s.2.r1.1] Se realizar\xE1n auditor\xEDas continuas de seguridad de \xAB\ + caja negra\xBB sobre las aplicaciones web durante la fase de desarrollo y\ + \ antes de la fase de producci\xF3n.\n\u2013 [mp.s.2.r1.2] La frecuencia de\ + \ estas auditor\xEDas de seguridad quedar\xE1 definida en el procedimiento\ + \ de auditor\xEDa.\nRefuerzo R2-Auditor\xEDas de seguridad avanzada.\n\u2013\ + \ [mp.s.2.r2.1] Se realizar\xE1n auditor\xEDas de seguridad de \xABcaja blanca\xBB\ + \ sobre las aplicaciones web durante la fase de desarrollo.\n\u2013 [mp.s.2.r2.2]\ + \ Se emplear\xE1n metodolog\xEDas definidas y herramientas autom\xE1ticas\ + \ de detecci\xF3n de vulnerabilidades en la realizaci\xF3n de las auditor\xED\ + as de seguridad sobre las aplicaciones web.\n\u2013 [mp.s.2.r2.3] Una vez\ + \ finalizada una auditor\xEDa de seguridad, se analizar\xE1n los resultados\ + \ y se solventar\xE1n las vulnerabilidades encontradas mediante los procedimientos\ + \ definidos [op.exp.5].\nRefuerzo R3-Protecci\xF3n de las cach\xE9s.\n\u2013\ + \ [mp.s.2.r3.1] Se prevendr\xE1n ataques de manipulaci\xF3n de programas o\ + \ dispositivos que realizan una acci\xF3n en representaci\xF3n de otros, conocidos\ + \ en terminolog\xEDa inglesa como \"proxies\" y, sistemas especiales de almacenamiento\ + \ de alta velocidad, conocidos en terminolog\xEDa inglesa como \"cach\xE9\ + s\".\nP\xE1gina 81" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s + ref_id: mp.s.3 + name: "Protecci\xF3n de la navegaci\xF3n web" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3 + description: "El acceso de los usuarios internos a la navegaci\xF3n por internet\ + \ se proteger\xE1 frente a las amenazas que le son propias, actuando del siguiente\ + \ modo:" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.1 + description: "Se establecer\xE1 una normativa de utilizaci\xF3n, definiendo\ + \ el uso que se autoriza y las limitaciones de uso personal. En particular,\ + \ se concretar\xE1 el uso permitido de conexiones cifradas." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.2 + description: "Se llevar\xE1n a cabo regularmente actividades de concienciaci\xF3\ + n sobre higiene en la navegaci\xF3n web, fomentando el uso seguro y alertando\ + \ de usos incorrectos." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.3 + description: "Se formar\xE1 al personal encargado de la administraci\xF3n del\ + \ sistema en monitorizaci\xF3n del servicio y respuesta a incidentes." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.4 + description: "Se proteger\xE1 la informaci\xF3n de resoluci\xF3n de direcciones\ + \ web y de establecimiento de conexiones." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.5 + description: "Se proteger\xE1 a la organizaci\xF3n en general y al puesto de\ + \ trabajo en particular frente a problemas que se materializan v\xEDa navegaci\xF3\ + n web." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.6 + description: "Se proteger\xE1 contra la actuaci\xF3n de programas da\xF1inos\ + \ tales como p\xE1ginas activas, descargas de c\xF3digo ejecutable, etc.,\ + \ previniendo la exposici\xF3n del sistema a vectores de ataque del tipo spyware,\ + \ ransomware, etc" + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.3.7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node680 + ref_id: mp.s.3.7 + description: "Se establecer\xE1 una pol\xEDtica ejecutiva de control de cookies,\ + \ en particular, para evitar la contaminaci\xF3n entre uso personal y uso\ + \ organizativo." + annotation: "Aplicaci\xF3n de la medida.\n\u2013 Categor\xEDa B\xC1SICA: mp.s.3.\n\ + \u2013 Categor\xEDa MEDIA: mp.s.3.\n\u2013 Categor\xEDa ALTA: mp.s.3 + R1.\n\ + Refuerzo R1 - Monitorizaci\xF3n.\n\u2013 [mp.s.3.r1.1] Se registrar\xE1 el\ + \ uso de la navegaci\xF3n web, estableciendo los elementos que se registran,\ + \ el periodo de retenci\xF3n de estos registros y el uso que el organismo\ + \ prev\xE9 hacer de ellos. [mp.s.3.r1.2] Se establecer\xE1 una funci\xF3\ + n para la ruptura de canales cifrados a fin de inspeccionar su contenido,\ + \ indicando qu\xE9 se analiza, qu\xE9 se registra, durante cu\xE1nto tiempo\ + \ se retienen los registros y qu\xE9 uso prev\xE9 hacer el organismo de estas\ + \ inspecciones. Todo ello sin perjuicio de que se puedan autorizar accesos\ + \ cifrados singulares a destinos de confianza.\n\u2013 [mp.s.3.r1.3] Se establecer\xE1\ + \ una lista negra de destinos vetados.\nRefuerzo R2-Destinos autorizados.\n\ + \u2013 [mp.s.3.r2.1] Se establecer\xE1 una lista blanca de destinos accesibles.\ + \ Todo acceso fuera de los lugares se\xF1alados en la lista blanca estar\xE1\ + \ vetado, salvo autorizaci\xF3n singular expresa.\nP\xE1ginas 82-83" + implementation_groups: + - "B\xC1SICA" + - MEDIA + - ALTA + - C + - I + - T + - A + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s + ref_id: mp.s.4 + name: "Protecci\xF3n frente a la denegaci\xF3n de servicio" + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node689 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s.4 + description: "Se establecer\xE1n medidas preventivas frente a ataques de denegaci\xF3\ + n de servicio y denegaci\xF3n de servicio distribuido (Denial of Service,\ + \ DoS y Distributed Denial of Service, DDoS). Para ello:" + implementation_groups: + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s-4.1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node689 + ref_id: mp.s 4.1 + description: " Se planificar\xE1 y dotar\xE1 al sistema de capacidad suficiente\ + \ para atender con holgura a la carga prevista." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.s.4.\n\u2013 Nivel ALTO: mp.s.4+\ + \ R1.\nRefuerzo R1-Detecci\xF3n y reacci\xF3n.\n\u2013 [mp.s.4.r1.1] Se establecer\xE1\ + \ un sistema de detecci\xF3n y tratamiento de ataques de denegaci\xF3n de\ + \ servicio (DoS y DDoS).\n\u2013 [mp.s. 4.r1.2] Se establecer\xE1n procedimientos\ + \ de reacci\xF3n a los ataques, incluyendo la comunicaci\xF3n con el proveedor\ + \ de comunicaciones.\nRefuerzo R2-Ataques propios.\n\u2013 [mp.s.4.r2.1] Se\ + \ detectar\xE1 y se evitar\xE1 el lanzamiento de ataques desde las propias\ + \ instalaciones perjudicando a terceros.\nP\xE1gina 83" + implementation_groups: + - MEDIO + - ' ALTO' + - D + - urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:mp.s-4.2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esquema-nacional-de-seguridad:node689 + ref_id: mp.s 4.2 + description: "Se desplegar\xE1n tecnolog\xEDas para prevenir los ataques conocidos." + annotation: "Aplicaci\xF3n de la medida (por disponibilidad).\n\u2013 Nivel\ + \ BAJO: no aplica.\n\u2013 Nivel MEDIO: mp.s.4.\n\u2013 Nivel ALTO: mp.s.4+\ + \ R1.\nRefuerzo R1-Detecci\xF3n y reacci\xF3n.\n\u2013 [mp.s.4.r1.1] Se establecer\xE1\ + \ un sistema de detecci\xF3n y tratamiento de ataques de denegaci\xF3n de\ + \ servicio (DoS y DDoS).\n\u2013 [mp.s. 4.r1.2] Se establecer\xE1n procedimientos\ + \ de reacci\xF3n a los ataques, incluyendo la comunicaci\xF3n con el proveedor\ + \ de comunicaciones.\nRefuerzo R2-Ataques propios.\n\u2013 [mp.s.4.r2.1] Se\ + \ detectar\xE1 y se evitar\xE1 el lanzamiento de ataques desde las propias\ + \ instalaciones perjudicando a terceros.\nP\xE1gina 83" + implementation_groups: + - MEDIO + - ' ALTO' + - D diff --git a/backend/library/libraries/esrs-p1.yaml b/backend/library/libraries/esrs-p1.yaml new file mode 100644 index 000000000..881774b54 --- /dev/null +++ b/backend/library/libraries/esrs-p1.yaml @@ -0,0 +1,5586 @@ +urn: urn:intuitem:risk:library:esrs_p1 +locale: en +ref_id: ESRS 1/ESRS 2 +name: European sustainability reporting standards (ESRS 1/ESRS 2) +description: 'The Commission adopted today the European Sustainability Reporting Standards + (ESRS) for use by all companies subject to the Corporate Sustainability Reporting + Directive (CSRD). + + ESRS 1:General requirements / ESRS 2: General disclosures + + Current consolidated version: 22/12/2023 + + https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222' +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:esrs_p1 + ref_id: ESRS 1/ESRS 2 + name: European sustainability reporting standards (ESRS 1/ESRS 2) + description: "The Commission adopted today the European Sustainability Reporting\ + \ Standards (ESRS) for use by all companies subject to the Corporate Sustainability\ + \ Reporting Directive (CSRD).\nESRS 1:General requirements / ESRS 2: General\ + \ disclosures \nCurrent consolidated version: 22/12/2023\nhttps://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222" + requirement_nodes: + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1 + assessable: false + depth: 1 + ref_id: ESRS 1 + description: 'GENERAL REQUIREMENTS ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1 + name: 'Objective ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1 + description: The objective of European Sustainability Reporting Standards (ESRS) + is to specify the sustainability information that an undertaking shall disclose + in accordance with Directive 2013/34/EU of the European Parliament and of + the Council ( 1 ), as amended by Directive (EU) 2022/2464 of the European + Parliament and of the Council. ( 2 ) Reporting in accordance with ESRS does + not exempt undertakings from other obligations laid down in Union law + - urn: urn:intuitem:risk:req_node:esrs_p1:node5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1 + description: "Specifically, ESRS specify the information that an undertaking\ + \ shall disclose about its material impacts, risks and opportunities in relation\ + \ to environmental, social, and governance sustainability matters. ESRS do\ + \ not require undertakings to disclose any information on environmental, social\ + \ and governance topics covered by ESRS when the undertaking has assessed\ + \ the topic in question as non-material (See Appendix E of this Standard \u2018\ + Flowchart for determining disclosures to be included\u2019).The information\ + \ disclosed in accordance with ESRS enables users of the sustainability statement\ + \ to understand the undertaking\u2019s material impacts on people and environment\ + \ and the material effects of sustainability matters on the undertaking\u2019\ + s development, performance and position. " + - urn: urn:intuitem:risk:req_node:esrs_p1:node6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1 + description: 'The objective of this Standard (ESRS 1) is to provide an understanding + of the architecture of ESRS, the drafting conventions and fundamental concepts + used, and the general requirements for preparing and presenting sustainability + information in accordance with Directive 2013/34/EU, as amended by Directive + (EU) 2022/2464. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '1' + name: 'Categories of ESRS Standards, reporting areas and drafting conventions ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1 + ref_id: '1.1' + name: 'Categories of ESRS standards ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.4 + description: 'There are three categories of ESRS:' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4.a + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4 + ref_id: 1.1.4.a + description: cross-cutting standards; + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4.b + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4 + ref_id: 1.1.4.b + description: topical standards (Environmental, Social and Governance standards); + and + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4.c + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4 + ref_id: 1.1.4.c + description: sector-specific standards. + - urn: urn:intuitem:risk:req_node:esrs_p1:node13 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1.4 + description: Cross-cutting standards and topical standards are sector-agnostic, + meaning that they apply to all undertakings regardless of which sector or + sectors the undertaking operates in. + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.5 + description: 'The cross-cutting standards ESRS 1 General requirements and ESRS + 2 General disclosures apply to the sustainability matters covered by topical + standards and sector-specific standards. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.6 + description: 'This standard (ESRS 1) describes the architecture of ESRS standards, + explains drafting conventions and fundamental concepts, and sets out general + requirements for preparing and presenting sustainability-related information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.7 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.7 + description: 'ESRS 2 establishes Disclosure Requirements on the information + that the undertaking shall provide at a general level across all material + sustainability matters on the reporting areas governance, strategy, impact, + risk and opportunity management, and metrics and targets. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.8 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.8 + description: "Topical ESRS cover a sustainability topic and are structured into\ + \ topics and sub-topics, and where necessary sub-sub-topics. The table in\ + \ Application Requirement 16 (AR 16) to this standard provides an overview\ + \ of the sustainability topics, sub-topics and sub-sub-topics (collectively\ + \ \u2018sustainability matters\u2019) covered by topical ESRS. " + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.9 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.9 + description: 'Topical ESRS can include specific requirements that complement + the general level Disclosure Requirements of ESRS 2. ESRS 2 Appendix C Disclosure/Application + Requirements in topical ESRS that are applicable jointly with ESRS 2 General + Disclosures provides a list of the additional requirements in topical ESRS + that the undertaking shall apply in conjunction with the general level disclosure + requirements of ESRS 2. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.10 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.10 + description: 'Sector-specific standards are applicable to all undertakings within + a sector. They address impacts, risks and opportunities that are likely to + be material for all undertakings in a specific sector and that are not covered, + or not sufficiently covered, by topical standards. Sector-specific standards + are multi-topical and cover the topics that are most relevant to the sector + in question. Sector-specific standards achieve a high degree of comparability. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.1.11 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.1 + ref_id: 1.1.11 + description: "In addition to the disclosure requirements laid down in the three\ + \ categories of ESRS, when an undertaking concludes that an impact, risk or\ + \ opportunity is not covered or not covered with sufficient granularity by\ + \ an ESRS but is material due to its specific facts and circumstances, it\ + \ shall provide additional entity-specific disclosures to enable users to\ + \ understand the undertaking\u2019s sustainability-related impacts, risks\ + \ or opportunities. Application requirements AR 1 to AR 5 provide further\ + \ guidance regarding entity-specific disclosures. " + - urn: urn:intuitem:risk:req_node:esrs_p1:1.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1 + ref_id: '1.2' + name: 'Reporting areas and minimum content disclosure requirements on policies, + actions, targets and metrics ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.2.12 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.2 + ref_id: 1.2.12 + description: "The Disclosure Requirements in ESRS 2, in topical ESRS and in\ + \ sector- specific ESRS are structured into the following reporting areas:\ + \ \n(a)\tGovernance (GOV): the governance processes, controls and procedures\ + \ used to monitor, manage and oversee impacts, risks and opportunities (see\ + \ ESRS 2, chapter 2 Governance); \n(b)\tStrategy (SBM): how the undertaking\u2019\ + s strategy and business model interact with its material impacts, risks and\ + \ opportunities, including how the undertaking addresses those impacts, risks\ + \ and opportunities (see ESRS 2, chapter 3 Strategy); \n(c)\tImpact, risk\ + \ and opportunity management (IRO): the process(es) by which the undertaking:\ + \ \ni.\tidentifies impacts, risks and opportunities and assesses their materiality\ + \ (see IRO-1 in section 4.1 of ESRS 2), \nii.\tmanages material sustainability\ + \ matters through policies and actions (see section 4.2 of ESRS 2). \n(d)\ + \ Metrics and targets (MT): the undertaking\u2019s performance, including\ + \ targets it has set and progress towards meeting them (see ESRS 2, chapter\ + \ 5 Metrics and targets)." + - urn: urn:intuitem:risk:req_node:esrs_p1:1.2.13 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.2 + ref_id: 1.2.13 + description: "ESRS 2 includes: \n(a)\tin section 4.2 Minimum Disclosure Requirements\ + \ regarding policies (MDR-P) and actions (MDR-A); \n(b)\tin section 5 Minimum\ + \ Disclosure Requirements regarding metrics (MDR-M) and targets (MDR-T). " + - urn: urn:intuitem:risk:req_node:esrs_p1:node24 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.2 + description: 'The undertaking shall apply the minimum disclosure requirements + regarding policies, actions, metrics and targets together with the corresponding + Disclosure Requirements in topical and sector-specific ESRS. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1 + ref_id: '1.3' + name: 'Drafting conventions ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.14 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + ref_id: 1.3.14 + description: 'In all ESRS: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.14.a + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3.14 + ref_id: 1.3.14.a + description: "the term \u2018impacts\u2019 refers to positive and negative sustainability-related\ + \ impacts that are connected with the undertaking\u2019s business, as identified\ + \ through an impact materiality assessment (see section 3.4 Impact materiality).\ + \ It refers both to actual impacts and to potential future impacts. " + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.14.b + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3.14 + ref_id: 1.3.14.b + description: "The term \u2018risks and opportunities\u2019 refers to the undertaking\u2019\ + s sustainability-related financial risks and opportunities, including those\ + \ deriving from dependencies on natural, human and social resources, as identified\ + \ through a financial materiality assessment (see section 3.5). " + - urn: urn:intuitem:risk:req_node:esrs_p1:node29 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + description: "Collectively, these are referred to as \u2018impacts, risks and\ + \ opportunities\u2019 (IROs). They reflect the double materiality perspective\ + \ of ESRS described in section 3. " + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.15 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + ref_id: 1.3.15 + description: 'Throughout ESRS, the terms that are defined in the glossary of + definitions (Annex II) are put in bold italic, except when a defined term + is used more than once in the same paragraph. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.16 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + ref_id: 1.3.16 + description: "ESRS structure the information to be disclosed under Disclosure\ + \ Requirements. Each Disclosure Requirement consists of one or more distinct\ + \ datapoints. The term \u2018datapoint\u2019 can also refer to a narrative\ + \ sub-element of a Disclosure Requirement. " + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.17 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + ref_id: 1.3.17 + description: 'In addition to Disclosure Requirements most ESRS also contain + Application Requirements. Application Requirements support the application + of Disclosure Requirements and have the same authority as other parts of an + ESRS. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:1.3.18 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:1.3 + ref_id: 1.3.18 + description: "ESRS use the following terms to distinguish between different\ + \ degrees of obligation on the undertaking to disclose information: \n(a)\t\ + \u2018shall disclose\u2019 \u2013 indicates that the provision is prescribed\ + \ by a Disclosure Requirement or datapoint; \n(b)\t\u2018may disclose\u2019\ + \ \u2013 indicates voluntary disclosure to encourage good practice. In addition,\ + \ ESRS use the term \u2018shall consider\u2019 when referring to issues, resources\ + \ or methodologies that the undertaking is expected to take into account or\ + \ to use in the preparation of a given disclosure if applicable. " + - urn: urn:intuitem:risk:req_node:esrs_p1:2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '2' + name: 'Qualitative characteristics of information ' + - urn: urn:intuitem:risk:req_node:esrs_p1:2.19 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:2 + ref_id: '2.19' + description: 'When preparing its sustainability statement, the undertaking shall + apply: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:2.19.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:2.19 + ref_id: 2.19.a + description: the fundamental qualitative characteristics of information, i.e. + relevance and faithful representation; and + - urn: urn:intuitem:risk:req_node:esrs_p1:2.19.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:2.19 + ref_id: 2.19.b + description: 'the enhancing qualitative characteristics of information, i.e. + comparability, verifiability and understandability. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:2.20 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:2 + ref_id: '2.20' + description: 'These qualitative characteristics of information are defined and + described in Appendix B of this Standard. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '3' + name: 'Double materiality as the basis for sustainability disclosures ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.21 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.21' + description: The undertaking shall report on sustainability matters based on + the double materiality principle as defined and explained in this chapter + - urn: urn:intuitem:risk:req_node:esrs_p1:3.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.1' + name: 'Stakeholders and their relevance to the materiality assessment process ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.1.22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.1 + ref_id: 3.1.22 + description: "Stakeholders and their relevance to the materiality assessment\ + \ process : \n(a)\taffected stakeholders: individuals or groups whose interests\ + \ are affected or could be affected \u2013 positively or negatively \u2013\ + \ by the undertaking\u2019s activities and its direct and indirect business\ + \ relationships across its value chain; and \n(b)\tusers of sustainability\ + \ statements: primary users of general-purpose financial reporting (existing\ + \ and potential investors, lenders and other creditors, including asset managers,\ + \ credit institutions, insurance undertakings), and other users of sustainability\ + \ statements, including the undertaking\u2019s business partners, trade unions\ + \ and social partners, civil society and non-governmental organisations, governments,\ + \ analysts and academics. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.1.23 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.1 + ref_id: 3.1.23 + description: 'Some, but not all, stakeholders may belong to both groups referred + to in paragraph 22. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.1.24 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.1 + ref_id: 3.1.24 + description: "Engagement with affected stakeholders is central to the undertaking\u2019\ + s on- going due diligence process (see chapter 4 Due diligence) and sustainability\ + \ materiality assessment. This includes its processes to identify and assess\ + \ actual and potential negative impacts, which then inform the assessment\ + \ process to identify the material impacts for the purposes of sustainability\ + \ reporting (see section 3.4 of this Standard). " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.2' + name: 'Material matters and materiality of information ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.25 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.25 + description: 'Performing a materiality assessment (see sections 3.4 Impact materiality + and 3.5 Financial materiality) is necessary for the undertaking to identify + the material impacts, risks and opportunities to be reported. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.26 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.26 + description: "Materiality assessment is the starting point for sustainability\ + \ reporting under ESRS. IRO-1 in section 4.1 of ESRS 2, includes general disclosure\ + \ requirements about the undertaking\u2019s process to identify impacts, risks\ + \ and opportunities and assess their materiality. SBM-3 of ESRS 2 provides\ + \ general disclosure requirements on the material impacts, risks and opportunities\ + \ resulting from the undertaking\u2019s materiality assessment. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.27 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.27 + description: 'The Application Requirements in Appendix A of this Standard include + a list of sustainability matters covered in topical ESRS, categorised by topics, + sub-topics and sub-sub-topics, to support the materiality assessment. Appendix + E Flowchart for determining disclosures to be included of this Standard provides + an illustration of the materiality assessment described in this section. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.28 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.28 + description: "A sustainability matter is \u2018material\u2019 when it meets\ + \ the criteria defined for impact materiality (see section 3.4 of this Standard)\ + \ or financial materiality (see section 3.5 of this Standard), or both. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.29 + description: 'Irrespective of the outcome of its materiality assessment, the + undertaking shall always disclose the information required by: ESRS 2 General + Disclosures (i.e. all the Disclosure Requirements and data points specified + in ESRS 2) and the Disclosure Requirements (including their datapoints) in + topical ESRS related to the Disclosure Requirement IRO-1 Description of the + process to identify and assess material impacts, risks and opportunities, + as listed in ESRS 2 Appendix C Disclosure/Application Requirements in topical + ESRS that are applicable jointly with ESRS 2 General Disclosures. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.30 + description: 'When the undertaking concludes that a sustainability matter is + material as a result of its materiality assessment, on which ESRS 2 IRO-1, + IRO-2 and SBM-3 set disclosure requirements, it shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.30.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.30 + ref_id: 3.2.30.a + description: 'disclose information according to the Disclosure Requirements + (including Application Requirements) related to that specific sustainability + matter in the corresponding topical and sector-specific ESRS; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.30.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.30 + ref_id: 3.2.30.b + description: 'disclose additional entity-specific disclosures (see paragraph + 11 and AR 1 to AR 5 of this Standard) when the material sustainability matter + is not covered by an ESRS or is covered with insufficient granularity. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.31 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.31 + description: "The applicable information prescribed within a Disclosure Requirement,\ + \ including its datapoints, or an entity-specific disclosure, shall be disclosed\ + \ when the undertaking assesses, as part of its assessment of material information,\ + \ that the information is relevant from one or more of the following perspectives:\ + \ \n(a)the significance of the information in relation to the matter it purports\ + \ to depict or explain; or \n(b)the capacity of such information to meet the\ + \ users\u2019 decision-making needs, including the needs of primary users\ + \ of general-purpose financial reporting described in paragraph 48 and/or\ + \ the needs of users whose principal interest is in information about the\ + \ undertaking\u2019s impacts. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.32 + description: "If the undertaking concludes that climate change is not material\ + \ and therefore omits all disclosure requirements in ESRS E1 Climate change,\ + \ it shall disclose a detailed explanation of the conclusions of its materiality\ + \ assessment with regard to climate change (see ESRS 2 IRO-2 Disclosure Requirements\ + \ in ESRS covered by the undertaking\u2019s sustainability statement), including\ + \ a forward-looking analysis of the conditions that could lead the undertaking\ + \ to conclude that climate change is material in the future. If the undertaking\ + \ concludes that a topic other than climate change is not material and therefore\ + \ it omits all the Disclosure Requirements in the corresponding topical ESRS,\ + \ it may briefly explain the conclusions of its materiality assessment for\ + \ that topic. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.33 + description: 'When disclosing information on policies, actions and targets in + relation to a sustainability matter that has been assessed to be material, + the undertaking shall include the information prescribed by all the Disclosure + Requirements and datapoints in the topical and sector-specific ESRS related + to that matter and in the corresponding Minimum Disclosure Requirement on + policies, actions, and targets required under ESRS 2. If the undertaking cannot + disclose the information prescribed by either the Disclosure Requirements + and datapoints in the topical or sector-specific ESRS, or the Minimum Disclosure + Requirements in ESRS 2 on policies, actions and targets, because it has not + adopted the respective policies, implemented the respective actions or set + the respective targets, it shall disclose this to be the case and it may report + a timeframe in which it aims to have these in place. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.34 + description: 'When disclosing information on metrics for a material sustainability + matter according to the Metrics and Targets section of the relevant topical + ESRS, the undertaking: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.34.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.34 + ref_id: 3.2.34.a + description: 'shall include the information prescribed by a Disclosure Requirement + if it assesses such information to be material; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.34.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.34 + ref_id: 3.2.34.b + description: 'may omit the information prescribed by a datapoint of a Disclosure + Requirement if it assesses such information to be not material and concludes + that such information is not needed to meet the objective of the Disclosure + Requirement. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.35 + description: "If the undertaking omits the information prescribed by a datapoint\ + \ that derives from other EU legislation listed in Appendix B of ESRS 2, it\ + \ shall explicitly state that the information in question is \u2018not material\u2019\ + . " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2 + ref_id: 3.2.36 + description: 'The undertaking shall establish how it applies criteria, including + appropriate thresholds, to determine: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.36.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.36 + ref_id: 3.2.36.a + description: 'the information it discloses on metrics for a material sustainability + matter according to the Metrics and Targets section of the relevant topical + ESRS, in accordance with paragraph 34; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.2.36.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.2.36 + ref_id: 3.2.36.b + description: 'the information to be disclosed as entity-specific disclosures. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.3' + name: 'Double materiality ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.37 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.37 + description: "Double materiality has two dimensions, namely: impact materiality\ + \ and financial materiality. Unless specified otherwise, the terms \u2018\ + material\u2019 and \u2018materiality\u2019 are used throughout ESRS to refer\ + \ to double materiality. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.38 + description: "Impact materiality and financial materiality assessments are inter-related\ + \ and the interdependencies between these two dimensions shall be considered.\ + \ In general, the starting point is the assessment of impacts, although there\ + \ may also be material risks and opportunities that are not related to the\ + \ undertaking\u2019s impacts. A sustainability impact may be financially material\ + \ from inception or become financially material, when it could reasonably\ + \ be expected to affect the undertaking\u2019s financial position, financial\ + \ performance, cash flows, its access to finance or cost of capital over the\ + \ short-, medium- or long-term. Impacts are captured by the impact materiality\ + \ perspective irrespective of whether or not they are financially material. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.39 + description: "In identifying and assessing the impacts, risks and opportunities\ + \ in the undertaking\u2019s value chain to determine their materiality, the\ + \ undertaking shall focus on areas where impacts, risks and opportunities\ + \ are deemed likely to arise, based on the nature of the activities, business\ + \ relationships, geographies or other factors concerned. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.40 + description: 'The undertaking shall consider how it is affected by its dependencies + on the availability of natural, human and social resources at appropriate + prices and quality, irrespective of its potential impacts on those resources. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.41 + description: "An undertaking\u2019s principal impacts, risks and opportunities\ + \ are understood to be the same as the material impacts, risks and opportunities\ + \ identified under the double materiality principle and therefore reported\ + \ on in its sustainability statement. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.3.42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.3 + ref_id: 3.3.42 + description: 'The undertaking shall apply the criteria set under sections 3.4 + and 3.5 in this Standard, using appropriate quantitative and/or qualitative + thresholds. Appropriate thresholds are necessary to determine which impacts, + risks and opportunities are identified and addressed by the undertaking as + material and to determine which sustainability matters are material for reporting + purposes. Some existing standards and frameworks use the term "most significant + impacts" when referring to the threshold used to identify the impacts that + are described in ESRS as "material impacts." ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.4' + name: 'Impact materiality ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.4.43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.4 + ref_id: 3.4.43 + description: "A sustainability matter is material from an impact perspective\ + \ when it pertains to the undertaking\u2019s material actual or potential,\ + \ positive or negative impacts on people or the environment over the short-,\ + \ medium- or long-term. Impacts include those connected with the undertaking\u2019\ + s own operations and upstream and downstream value chain, including through\ + \ its products and services, as well as through its business relationships.\ + \ Business relationships include those in the undertaking\u2019s upstream\ + \ and downstream value chain and are not limited to direct contractual relationships. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.4.44 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.4 + ref_id: 3.4.44 + description: 'In this context, impacts on people or the environment include + impacts in relation to environmental, social and governance matters. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.4.45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.4 + ref_id: 3.4.45 + description: "The materiality assessment of a negative impact is informed by\ + \ the due diligence process defined in the international instruments of the\ + \ UN Guiding Principles on Business and Human Rights and the OECD Guidelines\ + \ for Multinational Enterprises. For actual negative impacts, materiality\ + \ is based on the severity of the impact, while for potential negative impacts\ + \ it is based on the severity and likelihood of the impact. Severity is based\ + \ on the following factors: \n(a)\tthe scale; \n(b)\tscope; and \n(c)\tirremediable\ + \ character of the impact. \nIn the case of a potential negative human rights\ + \ impact, the severity of the impact takes precedence over its likelihood. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.4.46 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.4 + ref_id: 3.4.46 + description: "For positive impacts, materiality is based on: (a)\tthe scale\ + \ and scope of the impact for actual impacts; and (b)\tthe scale, scope and\ + \ likelihood of the impact for potential impacts" + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.5' + name: 'Financial materiality ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5.47 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + ref_id: 3.5.47 + description: "The scope of financial materiality for sustainability reporting\ + \ is an expansion of the scope of materiality used in the process of determining\ + \ which information should be included in the undertaking\u2019s financial\ + \ statements" + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5.48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + ref_id: 3.5.48 + description: "The financial materiality assessment corresponds to the identification\ + \ of information that is considered material for primary users of general-\ + \ purpose financial reports in making decisions relating to providing resources\ + \ to the entity. In particular, information is considered material for primary\ + \ users of general-purpose financial reports if omitting, misstating or obscuring\ + \ that information could reasonably be expected to influence decisions that\ + \ they make on the basis of the undertaking\u2019s sustainability statement. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5.49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + ref_id: 3.5.49 + description: "A sustainability matter is material from a financial perspective\ + \ if it triggers or could reasonably be expected to trigger material financial\ + \ effects on the undertaking. This is the case when a sustainability matter\ + \ generates risks or opportunities that have a material influence, or could\ + \ reasonably be expected to have a material influence, on the undertaking\u2019\ + s development, financial position, financial performance, cash flows, access\ + \ to finance or cost of capital over the short-, medium- or long-term. Risks\ + \ and opportunities may derive from past events or future events. The financial\ + \ materiality of a sustainability matter is not constrained to matters that\ + \ are within the control of the undertaking but includes information on material\ + \ risks and opportunities attributable to business relationships beyond the\ + \ scope of consolidation used in the preparation of financial statements. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5.50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + ref_id: 3.5.50 + description: "Dependencies on natural, human and social resources can be sources\ + \ of financial risks or opportunities. Dependencies may trigger effects in\ + \ two possible ways: \n(a)\tthey may influence the undertaking\u2019s ability\ + \ to continue to use or obtain the resources needed in its business processes,\ + \ as well as the quality and pricing of those resources; and \n(b)\tthey may\ + \ affect the undertaking\u2019s ability to rely on relationships needed in\ + \ its business processes on acceptable terms. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.5.51 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.5 + ref_id: 3.5.51 + description: 'The materiality of risks and opportunities is assessed based on + a combination of the likelihood of occurrence and the potential magnitude + of the financial effects. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.6' + name: 'Material impacts or risks arising from actions to address sustainability + matters ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.6.52 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.6 + ref_id: 3.6.52 + description: "The undertaking\u2019s materiality assessment may lead to the\ + \ identification of situations in which its actions to address certain impacts\ + \ or risks, or to benefit from certain opportunities in relation to a sustainability\ + \ matter, might have material negative impacts or cause material risks in\ + \ relation to one or more other sustainability matters. For example: \n(a)\t\ + an action plan to decarbonise production that involves abandoning certain\ + \ products might have material negative impacts on the undertaking\u2019s\ + \ own workforce and result in material risks due to redundancy payments; or\ + \ \n(b)\tan action plan of an automotive supplier to focus on the supply of\ + \ e- vehicles might lead to stranded assets for the production of supply parts\ + \ for conventional vehicles. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.6.53 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.6 + ref_id: 3.6.53 + description: "In such situations, the undertaking shall: (a)\tdisclose the\ + \ existence of material negative impacts or material risks together with the\ + \ actions that generate them, with a cross-reference to the topic to which\ + \ the impacts or risks relate; and (b)\tprovide a description of how the\ + \ material negative impacts or material risks are addressed under the topic\ + \ to which they relate. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3 + ref_id: '3.7' + name: 'Level of disaggregation ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.54 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7 + ref_id: 3.7.54 + description: 'When needed for a proper understanding of its material impacts, + risks and opportunities, the undertaking shall disaggregate the reported information: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.54.a + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7.54 + ref_id: 3.7.54.a + description: 'by country, when there are significant variations of material + impacts, risks and opportunities across countries and when presenting the + information at a higher level of aggregation would obscure material information + about impacts, risks or opportunities; or ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.54.b + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7.54 + ref_id: 3.7.54.b + description: 'by significant site or by significant asset, when material impacts, + risks and opportunities are highly dependent on a specific location or asset. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.55 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7 + ref_id: 3.7.55 + description: "When defining the appropriate level of disaggregation for reporting,\ + \ the undertaking shall consider the disaggregation adopted in its materiality\ + \ assessment. Depending on the undertaking\u2019s specific facts and circumstances,\ + \ a disaggregation by subsidiary may be necessary. " + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.56 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7 + ref_id: 3.7.56 + description: 'Where data from different levels, or multiple locations within + a level, is aggregated, the undertaking shall ensure that this aggregation + does not obscure the specificity and context necessary to interpret the information. + The undertaking shall not aggregate material items that differ in nature. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:3.7.57 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:3.7 + ref_id: 3.7.57 + description: 'When the undertaking presents information disaggregated by sectors, + it shall adopt the ESRS sector classification to be specified in a delegated + act adopted by the Commission pursuant to article 29b(1) third subparagraph, + point (ii), of Directive 2013/34/EU. When a topical or sector- specific ESRS + requires that a specific level of disaggregation is adopted in preparing a + specific item of information, the requirement in the topical or sector-specific + ESRS shall prevail. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '4' + name: Due diligence + - urn: urn:intuitem:risk:req_node:esrs_p1:4.58 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:4 + ref_id: '4.58' + description: "The outcome of the undertaking\u2019s sustainability due diligence\ + \ process (referred to as \u2018due diligence\u2019 in the international instruments\ + \ mentioned below) informs the undertaking\u2019s assessment of its material\ + \ impacts, risks and opportunities. ESRS do not impose any conduct requirements\ + \ in relation to due diligence; nor do they extend or modify the role of the\ + \ administrative, management or supervisory bodies of the undertaking with\ + \ regard to the conduct of due diligence" + - urn: urn:intuitem:risk:req_node:esrs_p1:4.59 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:4 + ref_id: '4.59' + description: "Due diligence is the process by which undertakings identify, prevent,\ + \ mitigate and account for how they address the actual and potential negative\ + \ impacts on the environment and people connected with their business. These\ + \ include negative impacts connected with the undertaking\u2019s own operations\ + \ and its upstream and downstream value chain, including through its products\ + \ or services, as well as through its business relationships. Due diligence\ + \ is an on-going practice that responds to and may trigger changes in the\ + \ undertaking\u2019s strategy, business model, activities, business relationships,\ + \ operating, sourcing and selling contexts. This process is described in the\ + \ international instruments of the UN Guiding Principles on Business and Human\ + \ Rights and the OECD Guidelines for Multinational Enterprises. " + - urn: urn:intuitem:risk:req_node:esrs_p1:4.60 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:4 + ref_id: '4.60' + description: "These international instruments identify a number of steps in\ + \ the due diligence process, including the identification and assessment of\ + \ negative impacts connected with the undertaking\u2019s own operations and\ + \ its upstream and downstream value chain, including through its products\ + \ or services, as well as through its business relationships. Where the undertaking\ + \ cannot address all impacts at once, the due diligence process allows for\ + \ action to be prioritised based on the severity and likelihood of the impacts.\ + \ It is this aspect of the due diligence process that informs the assessment\ + \ of material impacts (see section 3.4 of this Standard). The identification\ + \ of material impacts also supports the identification of material sustainability\ + \ risks and opportunities, which are often a product of such impacts." + - urn: urn:intuitem:risk:req_node:esrs_p1:4.61 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:4 + ref_id: '4.61' + description: "The core elements of due diligence are reflected directly in Disclosure\ + \ Requirements set out in ESRS 2 and in the topical ESRS, as illustrated below:\ + \ \n(a)\tembedding due diligence in governance, strategy and business model\ + \ ( 3 ). This is addressed under: \ni.\tESRS 2 GOV-2: Information provided\ + \ to and sustainability matters addressed by the undertaking\u2019s administrative,\ + \ management and supervisory bodies; \nii.\tESRS 2 GOV-3: Integration of sustainability-related\ + \ performance in incentive schemes; and \niii.\tESRS 2 SBM-3: Material impacts,\ + \ risks and opportunities and their interaction with strategy and business\ + \ model. \n(b)\tengaging with affected stakeholders ( 4 ). This is addressed\ + \ under: \ni.\tESRS 2 GOV-2; \nii.\tESRS 2 SBM-2: Interests and views of stakeholders;\ + \ \niii.\tESRS 2 IRO-1; \niv.\tESRS 2 MDR-P; and \nv.\tTopical ESRS: reflecting\ + \ the different stages and purposes of stakeholder engagement throughout the\ + \ due diligence process.\n(c) identifying and assessing negative impacts on\ + \ people and the environment ( 5 ). This is addressed under: \ni.\tESRS 2\ + \ IRO-1 (including Application Requirements related to specific sustainability\ + \ matters in the relevant ESRS); and \nii.\tESRS 2 SBM-3; \n(d)\ttaking action\ + \ to address negative impacts on people and the environment ( 6 ). This is\ + \ addressed under: \ni.\tESRS 2 MDR-A; and \nii.\tTopical ESRS: reflecting\ + \ the range of actions, including transition plans, through which impacts\ + \ are addressed. \n(e)\ttracking the effectiveness of these efforts ( 7 ).\ + \ This is addressed under: \ni.\tESRS 2 MDR-M; \nii.\tESRS 2 MDR-T; and \n\ + iii.\tTopical ESRS: regarding metrics and targets. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '5' + name: 'Value chain ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5 + ref_id: '5.1' + name: 'Reporting undertaking and value chain ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.62 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.62 + description: 'The sustainability statement shall be for the same reporting undertaking + as the financial statements. For example, if the reporting undertaking is + a parent company required to prepare consolidated financial statements, the + sustainability statement will be for the group. This requirement does not + apply where the reporting undertaking is not required to draw-up financial + statements or where the reporting undertaking is preparing consolidated sustainability + reporting pursuant to Article 48i of Directive 2013/34/EU. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.63 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.63 + description: "The information about the reporting undertaking provided in the\ + \ sustainability statement shall be extended to include information on the\ + \ material impacts, risks and opportunities connected with the undertaking\ + \ through its direct and indirect business relationships in the upstream and/or\ + \ downstream value chain (\u2018value chain information\u2019). In extending\ + \ the information about the reporting undertaking, the undertaking shall include\ + \ material impacts, risks and opportunities connected with its upstream and\ + \ downstream value chain: \n(a)\tfollowing the outcome of its due diligence\ + \ process and of its materiality assessment; and \n(b)\tin accordance with\ + \ any specific requirements related to the value chain in other ESRS. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.64 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.64 + description: "Paragraph 63 does not require information on each and every actor\ + \ in the value chain, but only the inclusion of material upstream and downstream\ + \ value chain information. Different sustainability matters can be material\ + \ in relation to different parts of the undertaking\u2019s upstream and downstream\ + \ value chain. The information shall be extended to include value chain information\ + \ only in relation to the parts of the value chain for which the matter is\ + \ material. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.65 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.65 + description: 'The undertaking shall include material value chain information + when this is necessary to: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.65.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1.65 + ref_id: 5.1.65.a + description: "allow users of sustainability statements to understand the undertaking\u2019\ + s material impacts, risks and opportunities; and/or " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.65.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1.65 + ref_id: 5.1.65.b + description: 'produce a set of information that meets the qualitative characteristics + of information (see Appendix B of this Standard). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.66 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.66 + description: 'When determining at which level within its own operations and + its upstream and downstream value chain a material sustainability matter arises, + the undertaking shall use its assessment of impacts, risks and opportunities + following the double materiality principle (see chapter 3 of this Standard). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.1.67 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.1 + ref_id: 5.1.67 + description: "When associates or joint ventures, accounted for under the equity\ + \ method or proportionally consolidated in the financial statements, are part\ + \ of the undertaking\u2019s value chain, for example as suppliers, the undertaking\ + \ shall include information related to those associates or joint ventures\ + \ in accordance with paragraph 63 consistent with the approach adopted for\ + \ the other business relationships in the value chain. In this case, when\ + \ determining impact metrics, the data of the associate or joint venture are\ + \ not limited to the share of equity held, but shall be taken into account\ + \ on the basis of the impacts that are connected with the undertaking\u2019\ + s products and services through its business relationships. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5 + ref_id: '5.2' + name: 'Estimation using sector averages and proxies ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2.68 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + ref_id: 5.2.68 + description: "The undertaking\u2019s ability to obtain the necessary upstream\ + \ and downstream value chain information may vary depending on various factors,\ + \ such as the undertaking\u2019s contractual arrangements, the level of control\ + \ that it exercises on the operations outside the consolidation scope and\ + \ its buying power. When the undertaking does not have the ability to control\ + \ the activities of its upstream and/or downstream value chain and its business\ + \ relationships, obtaining value chain information may be more challenging. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2.69 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + ref_id: 5.2.69 + description: 'There are circumstances where the undertaking cannot collect the + information about its upstream and downstream value chain as required by paragraph + 63 after making reasonable efforts to do so. In these circumstances, the undertaking + shall estimate the information to be reported about its upstream and downstream + value chain, by using all reasonable and supportable information, such as + sector-average data and other proxies. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2.70 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + ref_id: 5.2.70 + description: 'Obtaining value chain information could also be challenging in + the case of SMEs and other upstream and/or downstream value chain entities + that are not in the scope of the sustainability reporting required by Articles + 19a and 29a of Directive 2013/34/EU (see ESRS 2 BP-2 Disclosures in relation + to specific circumstances). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2.71 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + ref_id: 5.2.71 + description: "With reference to policies, actions and targets, the undertaking\u2019\ + s reporting shall include upstream and/or downstream value chain information\ + \ to the extent that those policies, actions and targets involve actors in\ + \ the value chain. With reference to metrics, in many cases, in particular\ + \ for environmental matters for which proxies are available, the undertaking\ + \ may be able to comply with the reporting requirements without collecting\ + \ data from the actors in its upstream and downstream value chain, especially\ + \ from SMEs, for example, when calculating the undertaking\u2019s GHG Scope\ + \ 3 emissions. " + - urn: urn:intuitem:risk:req_node:esrs_p1:5.2.72 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:5.2 + ref_id: 5.2.72 + description: 'The incorporation of estimates made using sector-average data + or other proxies shall not result in information that does not meet the qualitative + characteristics of information (see chapter 2 and section 7.2 Sources of estimation + and outcome uncertainty of this Standard). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '6' + name: 'Time horizons ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6 + ref_id: '6.1' + name: 'Reporting period ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.1.73 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.1 + ref_id: 6.1.73 + description: "The reporting period for the undertaking\u2019s sustainability\ + \ statement shall be consistent with that of its financial statements. " + - urn: urn:intuitem:risk:req_node:esrs_p1:6.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6 + ref_id: '6.2' + name: 'Linking past, present and future ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.2.74 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.2 + ref_id: 6.2.74 + description: 'The undertaking shall establish appropriate linkages in its sustainability + statement between retrospective and forward-looking information, when relevant, + to foster a clear understanding of how historical information relates to future-oriented + information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6 + ref_id: '6.3' + name: 'Reporting progress against the base year ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.3.75 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.3 + ref_id: 6.3.75 + description: 'A base year is the historical reference date or period for which + information is available and against which subsequent information can be compared + over time. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.3.76 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.3 + ref_id: 6.3.76 + description: 'The undertaking shall present comparative information in respect + of the base year for amounts reported in the current period when reporting + the developments and progress towards a target, unless the relevant Disclosure + Requirement already defines how to report progress. The undertaking may also + include historical information about achieved milestones between the base + year and the reporting period when this is relevant information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6 + ref_id: '6.4' + name: 'Definition of short-, medium- and long-term for reporting purposes ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + ref_id: 6.4.77 + description: 'When preparing its sustainability statement, the undertaking shall + adopt the following time intervals as of the end of the reporting period: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77 + ref_id: 6.4.77.a + description: 'for the short-term time horizon: the period adopted by the undertaking + as the reporting period in its financial statements; ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77 + ref_id: 6.4.77.b + description: 'for the medium-term time horizon: from the end of the short-term + reporting period defined in (a) up to 5 years; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4.77 + ref_id: 6.4.77.c + description: 'for the long-term time horizon: more than 5 years. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.78 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + ref_id: 6.4.78 + description: 'The undertaking shall use an additional breakdown for the long-term + time horizon when impacts or actions are expected in a period longer than + 5 years if necessary to provide relevant information to users of sustainability + statements. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.79 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + ref_id: 6.4.79 + description: 'If different definitions of medium- or long-term time horizons + are required for specific items of disclosure in other ESRS, the definitions + in those ESRS shall prevail. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.80 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + ref_id: 6.4.80 + description: "There may be circumstances where the use of the medium- or long-term\ + \ time horizons defined in paragraph 77 results in non-relevant information,\ + \ as the undertaking uses a different definition for (i) its processes of\ + \ identification and management of material impacts, risks and opportunities\ + \ or (ii) the definition of its actions and setting targets. These circumstances\ + \ may be due to industry-specific characteristics, such as cash flow and business\ + \ cycles, the expected duration of capital investments, the time horizons\ + \ over which the users of sustainability statements conduct their assessments\ + \ or the planning horizons typically used in the undertaking\u2019s industry\ + \ for decision-making. In these circumstances, the undertaking may adopt a\ + \ different definition of medium- and/or long- term time horizons (see ESRS\ + \ 2 BP\u20132, paragraph 9)" + - urn: urn:intuitem:risk:req_node:esrs_p1:6.4.81 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:6.4 + ref_id: 6.4.81 + description: "References to \u2018short-term\u2019, \u2018medium-term\u2019\ + , and \u2018long-term\u2019 in ESRS refer to the time horizon as determined\ + \ by the undertaking according to the provisions in paragraphs 77 to 80" + - urn: urn:intuitem:risk:req_node:esrs_p1:7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '7' + name: 'Preparation and presentation of sustainability information ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.1' + name: Presenting comparative information + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.83 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1 + ref_id: 7.1.83 + description: "The undertaking shall disclose comparative information in respect\ + \ of the previous period for all quantitative metrics and monetary amounts\ + \ disclosed in the current period. When relevant to an understanding of the\ + \ current period\u2019s sustainability statement, the undertaking shall also\ + \ disclose comparative information for narrative disclosures. " + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.84 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1 + ref_id: 7.1.84 + description: 'When the undertaking reports comparative information that differs + from the information reported in the previous period it shall disclose: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.84.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1.84 + ref_id: 7.1.84.a + description: 'the difference between the figure reported in the previous period + and the revised comparative figure; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.84.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1.84 + ref_id: 7.1.84.b + description: 'the reasons for the revision of the figure. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.85 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1 + ref_id: 7.1.85 + description: 'Sometimes, it is impracticable to adjust comparative information + for one or more prior periods to achieve comparability with the current period. + For example, data might not have been collected in the prior period(s) in + a way that allows either retrospective application of a new definition of + a metric or target, or retrospective restatement to correct a prior period + error, and it may be impracticable to recreate the information (see ESRS 2 + BP-2). When it is impracticable to adjust comparative information for one + or more prior periods, the undertaking shall disclose this fact. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.1.86 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.1 + ref_id: 7.1.86 + description: 'When an ESRS requires the undertaking to present more than one + comparative period for a metric or datapoint, the requirements of that ESRS + shall prevail. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.2' + name: 'Sources of estimation and outcome uncertainty ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.87 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.87 + description: 'When quantitative metrics and monetary amounts, including upstream + and downstream value chain information (see chapter 5 of this Standard), cannot + be measured directly and can only be estimated, measurement uncertainty may + arise. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.88 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.88 + description: 'An undertaking shall disclose information to enable users to understand + the most significant uncertainties affecting the quantitative metrics and + monetary amounts reported in its sustainability statement. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.89 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.89 + description: 'The use of reasonable assumptions and estimates, including scenario + or sensitivity analysis, is an essential part of preparing sustainability-related + information and does not undermine the usefulness of that information, provided + that the assumptions and estimates are accurately described and explained. + Even a high level of measurement uncertainty would not necessarily prevent + such an assumption or estimate from providing useful information or meeting + the qualitative characteristics of information (see Appendix B of this Standard). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.90 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.90 + description: "Data and assumptions used in preparing the sustainability statement\ + \ shall be consistent to the extent possible with the corresponding financial\ + \ data and assumptions used in the undertaking\u2019s financial statements. " + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.91 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.91 + description: "Some ESRS require the disclosure of information such as explanations\ + \ about possible future events that have uncertain outcomes. In judging whether\ + \ information about such possible future events is material, the undertaking\ + \ shall refer to the criteria in Chapter 3 of this Standard and consider:\ + \ \n(a)\t the anticipated financial effects of the events (the possible outcome);\ + \ \n(b)\tthe severity and likelihood of the impacts on people or the environment\ + \ resulting from the possible events, taking account of the factors of severity\ + \ specified in paragraph 45; and \n(c)\tthe full range of possible outcomes\ + \ and the likelihood of the possible outcomes within that range." + - urn: urn:intuitem:risk:req_node:esrs_p1:7.2.92 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.2 + ref_id: 7.2.92 + description: "When assessing the possible outcomes, the undertaking shall consider\ + \ all relevant facts and circumstances, including information about low-probability\ + \ and high-impact outcomes, which, when aggregated, could become material.\ + \ For example, the undertaking might be exposed to several impacts or risks,\ + \ each of which could cause the same type of disruption, such as disruptions\ + \ to the undertaking\u2019s supply chain. Information about an individual\ + \ source of risk might not be material if disruption from that source is highly\ + \ unlikely to occur. However, information about the aggregate risk of supply\ + \ chain disruption from all sources might be material (see ESRS 2 BP-2). " + - urn: urn:intuitem:risk:req_node:esrs_p1:7.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.3' + name: 'Updating disclosures about events after the end of the reporting period ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.3.93 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.3 + ref_id: 7.3.93 + description: In some cases, the undertaking may receive information after the + reporting period but before the management report is approved for issuance. + If such information provides evidence or insights about conditions existing + at period end, the undertaking shall, where appropriate, update estimates + and sustainability disclosures, in the light of the new information + - urn: urn:intuitem:risk:req_node:esrs_p1:7.3.94 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.3 + ref_id: 7.3.94 + description: 'When such information provides evidence or insights about material + transactions, other events and conditions that arise after the end of the + reporting period, the undertaking shall, where appropriate, provide narrative + information indicating the existence, nature and potential consequences of + these post-year end events. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.4' + name: 'Changes in preparation or presentation of sustainability information ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.4.95 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.4 + ref_id: 7.4.95 + description: "The definition and calculation of metrics, including metrics used\ + \ to set targets and monitor progress towards them, shall be consistent over\ + \ time. The undertaking shall provide restated comparative figures, unless\ + \ it is impracticable to do so (see ESRS 2 BP-2), when it has: (a)\tredefined\ + \ or replaced a metric or target; (b)\tidentified new information in relation\ + \ to the estimated figures disclosed in the preceding period and the new information\ + \ provides evidence of circumstances that existed in that period. " + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.5' + name: 'Reporting errors in prior periods ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.96 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.96 + description: 'The undertaking shall correct material prior period errors by + restating the comparative amounts for the prior period(s) disclosed, unless + it is impracticable to do so. This requirement does not extend to reporting + periods before the first year of application of ESRS by the undertaking. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.97 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.97 + description: "Prior period errors are omissions from, and misstatements in,\ + \ the undertaking\u2019s sustainability statement for one or more prior periods.\ + \ Such errors arise from a failure to use, or misuse of, reliable information\ + \ that: \n(a)\twas available when the management report that includes the\ + \ sustainability statement for those periods was authorised for issuance;\ + \ and \n(b)\tcould reasonably be expected to have been obtained and considered\ + \ in the preparation of sustainability disclosures included in these reports." + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.98 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.98 + description: 'Such errors include: the effects of mathematical mistakes, mistakes + in applying the definitions for metrics or targets, oversights or misinterpretations + of facts, and fraud. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.99 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.99 + description: 'Potential errors in the current period discovered in that period + are corrected before the management report is authorised for issuance. However, + material errors are sometimes only discovered in a subsequent period. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.100 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.100 + description: "When it is impracticable to determine the effect of an error on\ + \ all prior periods presented, the undertaking shall restate the comparative\ + \ information to correct the error from the earliest date practicable. When\ + \ correcting disclosures for a prior period, the undertaking shall not use\ + \ hindsight either in making assumptions about what the management\u2019s\ + \ intentions would have been in a prior period or in estimating the amounts\ + \ disclosed in a prior period. This requirement applies to correction of both\ + \ backward-looking and forward- looking disclosures. " + - urn: urn:intuitem:risk:req_node:esrs_p1:7.5.101 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.5 + ref_id: 7.5.101 + description: 'Corrections of errors are distinguished from changes in estimates. + Estimates may need to be revised as additional information becomes known (see + ESRS 2 BP-2). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.6' + name: 'Consolidated reporting and subsidiary exemption ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.6.102 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.6 + ref_id: 7.6.102 + description: 'When the undertaking is reporting at a consolidated level, it + shall perform its assessment of material impacts, risks and opportunities + for the entire consolidated group, regardless of its group legal structure. + It shall ensure that all subsidiaries are covered in a way that allows for + the unbiased identification of material impacts, risks and opportunities. + Criteria and thresholds for assessing an impact, risk or opportunity as material + shall be determined based on chapter 3 of this Standard. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.6.103 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.6 + ref_id: 7.6.103 + description: 'Where the undertaking identifies significant differences between + material impacts, risks or opportunities at group level and material impacts, + risks or opportunities of one or more of its subsidiaries, the undertaking + shall provide an adequate description of the impacts, risks and opportunities, + as appropriate, of the subsidiary or subsidiaries concerned. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.6.104 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.6 + ref_id: 7.6.104 + description: 'When assessing whether the differences between material impacts, + risks or opportunities at group level and material impacts, risks or opportunities + of one or more of its subsidiaries are significant, the undertaking may consider + different circumstances, such as whether the subsidiary or subsidiaries operate + in a different sector than the rest of the group or the circumstances reflected + in section 3.7 Level of disaggregation. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.7' + name: 'Classified and sensitive information, and information on intellectual + property, know-how or results of innovation ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.105 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7 + ref_id: 7.7.105 + description: 'The undertaking is not required to disclose classified information + or sensitive information, even if such information is considered material. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7 + ref_id: 7.7.106 + description: 'When disclosing information about its strategy, plans and actions, + where a specific piece of information corresponding to intellectual property, + know- how or the results of innovation is relevant to meet the objective of + a Disclosure Requirement, the undertaking may nevertheless omit that specific + piece of information if it: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106 + ref_id: 7.7.106.a + description: 'is secret in the sense that it is not, as a body or in the precise + configuration and assembly of its components, generally known among or readily + accessible to persons within the circles that normally deal with the kind + of information in question; ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106 + ref_id: 7.7.106.b + description: 'has commercial value because it is secret; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7.106 + ref_id: 7.7.106.c + description: 'has been subject to reasonable steps by the undertaking to keep + it secret. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.107 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7 + ref_id: 7.7.107 + description: 'If the undertaking omits classified information or sensitive information, + or a specific piece of information corresponding to intellectual property, + know-how or the results of innovation because it meets the criteria established + in the previous paragraph, it shall comply with the disclosure requirement + in question by disclosing all other required information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.7.108 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.7 + ref_id: 7.7.108 + description: 'The undertaking shall make every reasonable effort to ensure that + beyond the omission of the classified information or sensitive information, + or of the specific piece of information corresponding to intellectual property, + know-how or the results of innovation, the overall relevance of the disclosure + in question is not impaired. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.8 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7 + ref_id: '7.8' + name: 'Reporting on opportunities ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.8.109 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.8 + ref_id: 7.8.109 + description: 'When reporting on opportunities, the disclosure should consist + of descriptive information allowing the reader to understand the opportunity + for the undertaking or the entire sector. When reporting on opportunities, + the undertaking shall consider the materiality of the information to be disclosed. + In this context, it shall consider, among other factors: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.8.109.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.8.109 + ref_id: 7.8.109.a + description: 'whether the opportunity is currently being pursued and is incorporated + in its general strategy, as opposed to a general opportunity for the undertaking + or the sector; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:7.8.109.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:7.8.109 + ref_id: 7.8.109.b + description: 'whether the inclusion of quantitative measures of anticipated + financial effects is appropriate, taking into account the number of assumptions + that it could require and consequential uncertainty. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '8' + name: 'Structure of the sustainability statement ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.110 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8 + ref_id: '8.110' + description: "This chapter provides the basis for the presentation of the information\ + \ about sustainability matters prepared in compliance with Articles 19a and\ + \ 29a of Directive 2013/34/EU (i.e., the sustainability statement) within\ + \ the undertaking\u2019s management report. Such information is presented\ + \ in a dedicated section of the management report identified as the sustainability\ + \ statement. Appendix F Example of structure of ESRS sustainability statement\ + \ of this Standard provides an illustrative example of a sustainability statement\ + \ structured according to the requirements of this chapter. " + - urn: urn:intuitem:risk:req_node:esrs_p1:8.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8 + ref_id: '8.1' + name: 'General presentation requirement ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.1.111 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.1 + ref_id: 8.1.111 + description: "Sustainability information shall be presented: \n(a) in a way\ + \ that allows a distinction between information required by disclosures in\ + \ ESRS and other information included in the management report; and \n(b)under\ + \ a structure that facilitates access to and understanding of the sustainability\ + \ statement, in a format that is both human-readable and machine-readable. " + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8 + ref_id: '8.2' + name: 'Content and structure of the sustainability statement ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.112 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.112 + description: 'Except for the possibility to incorporate information by reference + in accordance with section 9.1 Incorporation by reference of this Standard, + the undertaking shall report all the applicable disclosures required by ESRS + in accordance with chapter 1 of this Standard, within a dedicated section + of the management report. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.113 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.113 + description: 'The undertaking shall include in its sustainability statement + the disclosures pursuant to Article 8 of Regulation (EU) 2020/852 of the European + Parliament and the Council ( 8 ) and to the Commission Delegated Regulations + that specify the content and other modalities of those disclosures. The undertaking + shall ensure that these disclosures are separately identifiable within the + sustainability statement. The disclosures relating to each of the environmental + objectives defined in the Taxonomy Regulation shall be presented together + in a clearly identifiable part of the environmental section of the sustainability + statement. These disclosures are not subject to the provisions of ESRS, with + the exception of this paragraph and the first sentence of paragraph 115 of + this standard. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.114 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.114 + description: "When the undertaking includes in its sustainability statement\ + \ additional disclosures stemming from (i) other legislation which requires\ + \ the undertaking to disclose sustainability information, or (ii) generally\ + \ accepted sustainability reporting standards and frameworks, including non-\ + \ mandatory guidance and sector-specific guidance, published by other standard-setting\ + \ bodies (such as technical material issued by the International Sustainability\ + \ Standards Board or the Global Reporting Initiative), such disclosures shall:\ + \ \n(a)\tbe clearly identified with an appropriate reference to the related\ + \ legislation, standard or framework (see ESRS 2 BP-2, paragraph 15); \n(b)\t\ + meet the requirements for qualitative characteristics of information specified\ + \ in chapter 2 and Appendix B of this standard. " + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.115 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.115 + description: 'The undertaking shall structure its sustainability statement in + four parts, in the following order: general information, environmental information + (including disclosures pursuant to Article 8 of Regulation (EU) 2020/852), + social information and governance information. Respecting the provision in + section 3.6 Material impacts or risks arising from actions to address sustainability + matters of this Standard, when information provided in one part contains information + to be reported in another part, the undertaking may refer in one part to information + presented in another part, avoiding duplications. The undertaking may apply + the detailed structure illustrated in Appendix F of this Standard. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.116 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.116 + description: 'The disclosures required by sector-specific ESRS shall be grouped + by reporting area and, where applicable, by sustainability topic. They shall + be presented alongside the disclosures required by ESRS 2 and the corresponding + topical ESRS. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:8.2.117 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:8.2 + ref_id: 8.2.117 + description: 'Where the undertaking develops material entity-specific disclosures + in accordance with paragraph 11 it shall report those disclosures alongside + the most relevant sector-agnostic and sector-specific disclosures. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '9' + name: 'Linkages with other parts of corporate reporting and connected information ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.118 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9 + ref_id: '9.118' + description: 'The undertaking shall provide information that enables users of + its sustainability statement to understand the connections between different + pieces of information in the statement, and the connections between the information + in the sustainability statement and other information that the undertaking + discloses in other parts of its corporate reporting. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9 + ref_id: '9.1' + name: 'Incorporation by reference ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.119 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1 + ref_id: 9.1.119 + description: "Provided that the conditions in paragraph 120 are met, information\ + \ prescribed by a Disclosure Requirement of an ESRS, including a specific\ + \ datapoint prescribed by a Disclosure Requirement, may be incorporated in\ + \ the sustainability statement by reference to: \n(a)\tanother section of\ + \ the management report; \n(b)\tthe financial statements; \n(c)\tthe corporate\ + \ governance statement (if not part of the management report); \n(d)\tthe\ + \ remuneration report required by Directive 2007/36/EC of the European Parliament\ + \ and of the Council ( 9 ); \n(e)\tthe universal registration document, as\ + \ referred to in Article 9 of Regulation (EU) 2017/1129 ( 10 ); and \n(f)\t\ + public disclosures under Regulation (EU) No 575/2013 of the European Parliament\ + \ and of the Council (Pillar 3 disclosures) ( 11 ). If the undertaking incorporates\ + \ by reference information from Pillar 3 disclosures, it shall ensure that\ + \ the information matches the scope of consolidation used for the sustainability\ + \ statement by complementing the incorporated information with additional\ + \ elements as necessary. " + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1 + ref_id: 9.1.120 + description: 'The undertaking may incorporate information by reference to the + documents, or part of the documents, listed in paragraph 119, provided that + the disclosures incorporated by reference: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + ref_id: 9.1.120.a + description: 'constitute a separate element of information and are clearly identified + in the document concerned as addressing the relevant Disclosure Requirement, + or the relevant specific datapoint prescribed by a Disclosure Requirement; ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + ref_id: 9.1.120.b + description: are published before or at the same time as the management report; + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + ref_id: 9.1.120.c + description: are in the same language as the sustainability statement; + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + ref_id: 9.1.120.d + description: are subject to at least the same level of assurance as the sustainability + statement; and + - urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1.120 + ref_id: 9.1.120.e + description: meet the same technical digitalisation requirements as the sustainability + statement. + - urn: urn:intuitem:risk:req_node:esrs_p1:9.121 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1 + ref_id: '9.121' + description: "Provided that the conditions established in paragraph 120 are\ + \ met, information prescribed by a Disclosure Requirement of an ESRS, including\ + \ a specific datapoint prescribed by a Disclosure Requirement, may be incorporated\ + \ in the sustainability statement by reference to the undertaking\u2019s report\ + \ prepared according to EU Eco-Management and Audit Scheme (EMAS) Regulation\ + \ (EU) No 1221/2009 ( 12 ). In this case, the undertaking shall ensure that\ + \ the information incorporated by reference is produced using the same basis\ + \ for preparation of ESRS information, including scope of consolidation and\ + \ treatment of value chain information. " + - urn: urn:intuitem:risk:req_node:esrs_p1:9.122 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.1 + ref_id: '9.122' + description: 'In the preparation of its sustainability statement using incorporation + by reference, the undertaking shall consider the overall cohesiveness of the + reported information and ensure that the incorporation by reference does not + impair the readability of the sustainability statement. Appendix G Example + of incorporation by reference of this Standard is an illustrative example + of incorporation by reference (See ESRS 2 BP-2). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9 + ref_id: '9.2' + name: 'Connected information and connectivity with financial statements ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.123 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.123 + description: 'The undertaking shall describe the relationships between different + pieces of information. Doing so could require connecting narrative information + on governance, strategy and risk management to related metrics and targets. + For example, in providing connected information, the undertaking may need + to explain the effect or likely effect of its strategy on its financial statements + or financial plans, or explain how its strategy relates to metrics and targets + used to measure progress against performance. Furthermore, the undertaking + may need to explain how its use of natural resources and changes within its + supply chain could amplify, change or reduce its material impacts, risks and + opportunities. It may need to link this information to information about current + or anticipated financial effects on its production costs, to its strategic + response to mitigate such impacts or risks, and to its related investment + in new assets. The undertaking may also need to link narrative information + to the related metrics and targets and to information in the financial statements. + Information that describes connections shall be clear and concise. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.124 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.124 + description: 'When the sustainability statement includes monetary amounts or + other quantitative data points that exceed a threshold of materiality and + that are presented in the financial statements (direct connectivity between + information disclosed in sustainability statement and information disclosed + in financial statements), the undertaking shall include a reference to the + relevant paragraph of its financial statements where the corresponding information + can be found. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.125 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.125 + description: "The sustainability statement may include monetary amounts or other\ + \ quantitative datapoints that exceed a threshold of materiality and that\ + \ are either an aggregation of, or a part of, monetary amounts or quantitative\ + \ data presented in the undertaking\u2019s financial statements (indirect\ + \ connectivity between information disclosed in sustainability statement and\ + \ information disclosed in financial statements). If this is the case, the\ + \ undertaking shall explain how these amounts or datapoints in the sustainability\ + \ statement relate to the most relevant amounts presented in the financial\ + \ statements. This disclosure shall include a reference to the line item and/or\ + \ to the relevant paragraphs of its financial statements where the corresponding\ + \ information can be found. Where appropriate, a reconciliation may be provided,\ + \ and it may be presented in a tabular form." + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.126 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.126 + description: 'In the case of information not covered by paragraphs 124 and 125, + the undertaking shall explain, based on a threshold of materiality, the consistency + of significant data, assumptions, and qualitative information included in + its sustainability statement with the corresponding data, assumptions and + qualitative information included in the financial statements. This may occur + when the sustainability statement includes:' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.126.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2.126 + ref_id: 9.2.126.a + description: monetary amounts or other quantitative data linked to monetary + amounts or other quantitative data presented in the financial statements; + or + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.126.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2.126 + ref_id: 9.2.126.b + description: qualitative information linked to qualitative information presented + in the financial statements. + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.127 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.127 + description: Consistency as required by paragraph 126 shall be at the level + of a single datapoint and shall include a reference to the relevant line item + or paragraph of notes to the financial statements. When significant data, + assumptions and qualitative information are not consistent, the undertaking + shall state that fact and explain the reason. + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.128 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.128 + description: 'Examples of items for which the explanation in paragraph 126 is + required, are:' + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.128.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2.128 + ref_id: 9.2.128.a + description: when the same metric is presented as of the reporting date in financial + statements and as a forecast for future periods in the sustainability statement; + and + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.128.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2.128 + ref_id: 9.2.128.b + description: when macroeconomic or business projections are used to develop + metrics in the sustainability statement and they are also relevant in estimating + the recoverable amount of assets, the amount of liabilities or provisions + in financial statements. + - urn: urn:intuitem:risk:req_node:esrs_p1:9.2.129 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:9.2 + ref_id: 9.2.129 + description: Topical and sector-specific ESRS may include requirements to include + reconciliations or to illustrate consistency of data and assumptions for specific + Disclosure Requirements. In such cases, the requirements in those ESRS shall + prevail. + - urn: urn:intuitem:risk:req_node:esrs_p1:10 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node6 + ref_id: '10' + name: Transitional provisions + - urn: urn:intuitem:risk:req_node:esrs_p1:10.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10 + ref_id: '10.1' + name: Transitional provision related to entity-specific disclosures + - urn: urn:intuitem:risk:req_node:esrs_p1:10.1.130 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.1 + ref_id: 10.1.130 + description: The extent to which sustainability matters are covered by ESRS + is expected to evolve as further Disclosure Requirements are developed. Therefore, + the need for entity-specific disclosures is likely to decrease over time, + in particular as a result of the future adoption of sector specific standards. + - urn: urn:intuitem:risk:req_node:esrs_p1:10.1.131 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.1 + ref_id: 10.1.131 + description: 'When defining its entity-specific disclosures, the undertaking + may adopt transitional measures for their preparation in the first three annual + sustainability statements under which it may as a priority:' + - urn: urn:intuitem:risk:req_node:esrs_p1:10.3.131.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.1.131 + ref_id: 10.3.131.a + description: introduce in its reporting those entity-specific disclosures that + it reported in prior periods, if these disclosures meet or are adapted to + meet the qualitative characteristics of information referred to under chapter + 2 of this Standard; and + - urn: urn:intuitem:risk:req_node:esrs_p1:10.3.131.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.1.131 + ref_id: 10.3.131.b + description: complement its disclosures prepared on the basis of the topical + ESRS with an appropriate set of additional disclosures to cover sustainability + matters that are material for the undertaking in its sector(s), using available + best practice and/or available frameworks or reporting standards, such as + IFRS industry-based guidance and GRI Sector Standards. + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10 + ref_id: '10.2' + name: Transitional provision related to chapter 5 Value chain + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.132 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2 + ref_id: 10.2.132 + description: "For the first 3 years of the undertaking\u2019s sustainability\ + \ reporting under the ESRS, in the event that not all the necessary information\ + \ regarding its upstream and downstream value chain is available, the undertaking\ + \ shall explain the efforts made to obtain the necessary information about\ + \ its upstream and downstream value chain, the reasons why not all of the\ + \ necessary information could be obtained, and its plans to obtain the necessary\ + \ information in the future." + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.133 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2 + ref_id: 10.2.133 + description: 'For the first 3 years of its sustainability reporting under the + ESRS, in order to take account of the difficulties that undertakings may encounter + in gathering information from actors throughout their value chain and in order + to limit the burden for SMEs in the value chain:' + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.133.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2.133 + ref_id: 10.2.133.a + description: when disclosing information on policies, actions and targets in + accordance with ESRS2 and other ESRS, the undertaking may limit upstream and + downstream value chain information to information available in-house, such + as data already available to the undertaking and publicly available information; + and + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.133.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2.133 + ref_id: 10.2.133.b + description: when disclosing metrics, the undertaking is not required to include + upstream and downstream value chain information, except for datapoints derived + from other EU legislation, as listed in ESRS 2 Appendix B. + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.134 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2 + ref_id: 10.2.134 + description: Paragraphs 132 and 133 apply irrespective of whether or not the + relevant actor in the value chain is an SME. + - urn: urn:intuitem:risk:req_node:esrs_p1:10.2.135 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.2 + ref_id: 10.2.135 + description: "Starting from the fourth year of its reporting under the ESRS,\ + \ the undertaking shall include upstream and/or downstream value chain information\ + \ according to paragraph 63. In this context, the information required by\ + \ ESRS to be obtained from SME undertakings in the undertaking\u2019s upstream\ + \ and/or downstream value chain will not exceed the content of the future\ + \ ESRS for listed SMEs." + - urn: urn:intuitem:risk:req_node:esrs_p1:10.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10 + ref_id: '10.3' + name: Transitional provision related to section 7.1 Presenting comparative information + - urn: urn:intuitem:risk:req_node:esrs_p1:10.3.136 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.3 + ref_id: 10.3.136 + description: To ease the first-time application of this Standard, the undertaking + is not required to disclose the comparative information required by section + 7.1 Presenting comparative information in the first year of preparation of + the sustainability statement under the ESRS. For disclosure requirements listed + in Appendix C List of phased-in Disclosure Requirements, this transitional + provision applies with reference to the first year of mandatory application + of the phased-in disclosure requirement. + - urn: urn:intuitem:risk:req_node:esrs_p1:10.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10 + ref_id: '10.4' + name: 'Transitional provision: List of Disclosure Requirements that are phased-in' + - urn: urn:intuitem:risk:req_node:esrs_p1:10.4.137 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:10.4 + ref_id: 10.4.137 + description: Appendix C List of phased-in Disclosure Requirements in this Standard + sets phase-in provisions for the Disclosure Requirements or datapoints of + Disclosure Requirements in ESRS that may be omitted or that are not applicable + in the first year(s) of preparation of the sustainability statement under + the ESRS. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-a + assessable: false + depth: 1 + ref_id: ESRS 1-Appendix A + description: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p1:node226 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-a + name: Entity specific disclosures + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node226 + ref_id: ESRS 1-AR 1 + description: "The entity-specific disclosures shall enable users to understand\ + \ the undertaking\u2019s impacts, risks and opportunities in relation to environmental,\ + \ social or governance matters." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node226 + ref_id: ESRS 1-AR 2 + description: When developing entity-specific disclosures, the undertaking shall + ensure that + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-2.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-2 + ref_id: ESRS 1-AR 2.a + description: the disclosures meet the qualitative characteristics of information + as set out in chapter 2 Qualitative characteristics of information; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-2.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-2 + ref_id: ESRS 1-AR 2.b + description: its disclosures include, where applicable, all material information + related to the reporting areas of governance; strategy; impact, risk and opportunity + management; and metrics and targets (see ESRS 2 chapters 2 to 5). + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node226 + ref_id: ESRS 1-AR 3 + description: 'When determining the usefulness of metrics for inclusion in its + entity-specific disclosures, the undertaking shall consider whether:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3 + ref_id: ESRS 1-AR 3.a + description: its chosen performance metrics provide insight into + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.a.i + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.a + ref_id: ESRS 1-AR 3.a.i + description: how effective its practices are in reducing negative outcomes and/or + increasing positive outcomes for people and the environment (for impacts); + and/or + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.a.ii + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.a + ref_id: ESRS 1-AR 3.a.ii + description: the likelihood that its practices result in financial effects on + the undertaking (for risks and opportunities); + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3 + ref_id: ESRS 1-AR 3.b + description: the measured outcomes are sufficiently reliable, meaning that they + do not involve an excessive number of assumptions and unknowns that would + render the metrics too arbitrary to provide a faithful representation; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-3 + ref_id: ESRS 1-AR 3.c + description: it has provided sufficient contextual information to interpret + performance metrics appropriately, and whether variations in such contextual + information may impact the comparability of the metrics over time. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node226 + ref_id: ESRS 1-AR 4 + description: 'When developing its entity-specific disclosures, the undertaking + shall carefully consider:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-4.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-4 + ref_id: ESRS 1-AR 4.a + description: comparability between undertakings, while still ensuring relevance + of the information provided, recognising that comparability may be limited + for entity- specific disclosures. The undertaking shall consider whether the + available and relevant frameworks, initiatives, reporting standards and benchmarks + (such as technical material issued by the International Sustainability Standards + Board or the Global Reporting Initiative) provide elements that can support + comparability to the maximum extent possible; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-4.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-4 + ref_id: ESRS 1-AR 4.b + description: 'comparability over time: consistency of methodologies and disclosures + is a key factor for achieving comparability over time.' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node226 + ref_id: ESRS 1-AR 5 + description: Further guidance for developing entity-specific disclosures can + be found by considering the information required under topical ESRS that addresses + similar sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p1:node241 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-a + name: Double materiality + - urn: urn:intuitem:risk:req_node:esrs_p1:node242 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Stakeholders and their relevance to the materiality assessment process + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node242 + ref_id: ESRS 1-AR 6 + description: 'In addition to the categories of stakeholder listed in paragraph + 22, common categories of stakeholders are: employees and other workers, suppliers, + consumers, customers, end- users, local communities and persons in vulnerable + situations, and public authorities, including regulators, supervisors and + central banks.' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node242 + ref_id: ESRS 1-AR 7 + description: "Nature may be considered as a silent stakeholder. In this case,\ + \ ecological data and data on the conservation of species may support the\ + \ undertaking\u2019s materiality assessment." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node242 + ref_id: ESRS 1-AR 8 + description: Materiality assessment is informed by dialogue with affected stakeholders.The + undertaking may engage with affected stakeholders or their representatives + (such as employees or trade unions), along with users of sustainability reporting + and other experts, to provide inputs or feedback on its conclusions regarding + its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p1:node246 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Assessment of impact materiality + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node246 + ref_id: ESRS 1-AR 9 + description: 'In assessing impact materiality and determining the material matters + to be reported, the undertaking shall consider the following three steps:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9 + ref_id: ESRS 1-AR 9.a + description: understanding of the context in relation to its impacts including + its activities, business relationships, and stakeholders; + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9 + ref_id: ESRS 1-AR 9.b + description: identification of actual and potential impacts (both negative and + positive), including through engaging with stakeholders and experts. In this + step, the undertaking may rely on scientific and analytical research on impacts + on sustainability matters; + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-9 + ref_id: ESRS 1-AR 9.c + description: assessment of the materiality of its actual and potential impacts + and determination of the material matters. In this step, the undertaking shall + adopt thresholds to determine which of the impacts will be covered in its + sustainability statement. + - urn: urn:intuitem:risk:req_node:esrs_p1:node251 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Characteristics of severity + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node251 + ref_id: ESRS 1-AR 10 + description: 'The severity is determined by the following factors:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10.a + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10 + ref_id: ESRS 1-AR 10.a + description: 'scale: how grave the negative impact is or how beneficial the + positive impact is for people or the environment;' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10.b + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10 + ref_id: ESRS 1-AR 10.b + description: 'scope: how widespread the negative or positive impacts are. In + the case of environmental impacts, the scope may be understood as the extent + of environmental damage or a geographical perimeter. In the case of impacts + on people, the scope may be understood as the number of people adversely affected; + and' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10.c + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-10 + ref_id: ESRS 1-AR 10.c + description: 'irremediable character: whether and to what extent the negative + impacts could be remediated, i.e., restoring the environment or affected people + to their prior state.' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node251 + ref_id: ESRS 1-AR 11 + description: Any of the three characteristics (scale, scope, and irremediable + character) can make a negative impact severe. In the case of a potential negative + human rights impact, the severity of the impact takes precedence over its + likelihood. + - urn: urn:intuitem:risk:req_node:esrs_p1:node257 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Impacts connected with the undertaking + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node257 + ref_id: ESRS 1-AR 12 + description: 'As an illustration:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-12.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-12 + ref_id: ESRS 1-AR 12.a + description: "if the undertaking uses cobalt in its products that is mined using\ + \ child labour, the negative impact (i.e., child labour) is connected with\ + \ the undertaking\u2019s products through the tiers of business relationships\ + \ in its upstream value chain. These relationships include the smelter and\ + \ minerals trader and the mining enterprise that uses child labour; and" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-12.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-12 + ref_id: ESRS 1-AR 12.b + description: if the undertaking provides financial loans to an enterprise for + business activities that, in breach of agreed standards, result in the contamination + of water and land surrounding the operations, this negative impact is connected + with the undertaking through its relationship with the enterprise it provides + the loans to. + - urn: urn:intuitem:risk:req_node:esrs_p1:node261 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Assessment of financial materiality + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node261 + ref_id: ESRS 1-AR 13 + description: 'The following are examples of how impacts and dependencies are + sources of risks or opportunities:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13 + ref_id: ESRS 1-AR 13.a + description: "when the undertaking\u2019s business model depends on a natural\ + \ resource \u2013 for example water \u2013 it is likely to be affected by\ + \ changes in the quality, availability and pricing of that resource;" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13 + ref_id: ESRS 1-AR 13.b + description: "when the undertaking\u2019s activities result in negative impacts,\ + \ e.g., on local communities, the activities could become subject to stricter\ + \ government regulation and/or the impact could trigger consequences of a\ + \ reputational nature. These might have negative effects on the undertaking\u2019\ + s brand and higher recruitment costs might arise; and" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-13 + ref_id: ESRS 1-AR 13.c + description: "when the undertaking\u2019s business partners face material sustainability-related\ + \ risks, the undertaking could be exposed to related consequences as well." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node261 + ref_id: ESRS 1-AR 14 + description: "The identification of risks and opportunities that affect or could\ + \ reasonably be expected to affect the undertaking\u2019s financial position,\ + \ financial performance, cash flows, access to finance or cost of capital\ + \ over the short-, medium- or long-term is the starting point for financial\ + \ materiality assessment. In this context, the undertaking shall consider:" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14 + ref_id: ESRS 1-AR 14.a + description: the existence of dependencies on natural and social resources as + sources of financial effects (see paragraph 50); + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14 + ref_id: ESRS 1-AR 14.b + description: 'their classification as sources of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.b.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.b + ref_id: ESRS 1-AR 14.b.i + description: risks (contributing to negative deviation in future expected cash + inflows or increase in deviation in future expected cash outflows and/or negative + deviation from an expected change in capitals not recognised in the financial + statements); or + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.b.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-14.b + ref_id: ESRS 1-AR 14.b.ii + description: opportunities (contributing to positive deviation in future expected + cash inflows or decrease in deviation in future cash outflows and/or positive + deviation from expected change in capitals not recognised in financial statements). + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node261 + ref_id: ESRS 1-AR 15 + description: 'Once the undertaking has identified its risks and opportunities, + it shall determine which of them are material for reporting. This shall be + based on a combination of (i) the likelihood of occurrence and (ii) the potential + magnitude of financial effects determined on the basis of appropriate thresholds. + In this step it shall consider the contribution of those risks and opportunities + to financial effects in the short-, medium- and long-term based on:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15 + ref_id: ESRS 1-AR 15.a + description: scenarios/forecasts that are deemed likely to materialise; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15 + ref_id: ESRS 1-AR 15.b + description: "anticipated financial effects related to sustainability matters\ + \ deriving either from situations with a below the \u2018more likely than\ + \ not\u2019 threshold or assets/liabilities not, or not yet, reflected in\ + \ financial statements. This includes:" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b + ref_id: ESRS 1-AR 15.b.i + description: potential situations that following the occurrence of future events + may affect cash flow generation potential; + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b + ref_id: ESRS 1-AR 15.b.ii + description: capitals that are not recognised as assets from an accounting and + financial reporting perspective but have a significant influence on financial + performance, such as natural, intellectual (organisational), human, social + and relationship capitals; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar.15.b.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-15.b + ref_id: ESRS 1-AR.15.b.iii + description: possible future events that may have an influence on the evolution + of such capitals. + - urn: urn:intuitem:risk:req_node:esrs_p1:node277 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Sustainability matters to be included in the materiality assessment + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-16 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node277 + ref_id: ESRS 1-AR 16 + description: "When performing its materiality assessment, the undertaking shall\ + \ consider the following list of sustainability matters covered in the topical\ + \ ESRS. When, as a result of the undertaking\u2019s materiality assessment\ + \ (see ESRS 2 IRO-1), a given sustainability matter in this list is assessed\ + \ to be material, the undertaking shall report according to the corresponding\ + \ Disclosure Requirements of the relevant topical ESRS. Using this list is\ + \ not a substitute for the process of determining material matters. This list\ + \ is a tool to support the undertaking\u2019s materiality assessment. The\ + \ undertaking still needs to consider its own specific circumstances when\ + \ determining its material matters. The undertaking, where necessary, also\ + \ shall develop entity-specific disclosures on material impacts, risks and\ + \ opportunities not covered by ESRS as described in paragraph 11 of this Standard." + - urn: urn:intuitem:risk:req_node:esrs_p1:node279 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Estimation using sector averages and proxies + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-17 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node279 + ref_id: ESRS 1-AR 17 + description: When the undertaking cannot collect upstream and downstream value + chain information as required by paragraph 63 after making reasonable efforts + to do so, it shall estimate the information to be reported using all reasonable + and supportable information that is available to the undertaking at the reporting + date without undue cost or effort. This includes, but is not limited to, internal + and external information, such as data from indirect sources, sector-average + data, sample analyses, market and peer groups data, other proxies or spend-based + data. + - urn: urn:intuitem:risk:req_node:esrs_p1:node281 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node241 + name: Content and structure of the sustainability statement + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-ar-18 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node281 + ref_id: ESRS 1-AR 18 + description: As an illustration for paragraph 115 in section 8.2 Content and + structure of the sustainability statement of this Standard, the undertaking + that covers environmental and social matters in the same policy may cross-refer. + That means that the undertaking may report on the policy in its environmental + disclosures and cross-refer to it from the relevant social disclosures or + vice versa. Consolidated presentation of policies across topics is allowed. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + assessable: false + depth: 1 + ref_id: ESRS 1-Appendix B + description: Qualitative characteristics of information + - urn: urn:intuitem:risk:req_node:esrs_p1:node284 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + name: Relevance + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node284 + ref_id: ESRS 1-QC 1 + description: Sustainability information is relevant when it may make a difference + in the decisions of users under a double materiality approach (see chapter + 3 of this Standard). + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node284 + ref_id: ESRS 1-QC 2 + description: Information may make a difference in a decision even if some users + choose not to take advantage of it or are already aware of it from other sources. + Sustainability information may impact decisions of users if it has predictive + value, confirmatory value or both. Information has predictive value if it + can be used as an input to processes employed by users to predict future outcomes. + Sustainability information does not need to be a prediction or forecast to + have predictive value, but rather has predictive value if employed by users + in making their own predictions. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node284 + ref_id: ESRS 1-QC 3 + description: Information has confirmatory value if it provides feedback about + (confirms or changes) previous evaluations. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node284 + ref_id: ESRS 1-QC 4 + description: "Materiality is an entity-specific aspect of relevance based on\ + \ the nature or magnitude, or both, of the items to which the information\ + \ relates, as assessed in the context of the undertaking\u2019s sustainability\ + \ reporting (see chapter 3 of this Standard)." + - urn: urn:intuitem:risk:req_node:esrs_p1:node289 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + name: Faithful representation + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node289 + ref_id: ESRS 1-QC 5 + description: To be useful, the information must not only represent relevant + phenomena, it must also faithfully represent the substance of the phenomena + that it purports to represent. Faithful representation requires information + to be (i) complete, (ii) neutral and (iii) accurate. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node289 + ref_id: ESRS 1-QC 6 + description: A complete depiction of an impact, a risk or an opportunity includes + all material information necessary for the users to understand that impact, + risk or opportunity. This includes how the undertaking has adapted its strategy, + risk management and governance in response to that impact, risk or opportunity, + as well as the metrics identified to set targets and measure performance. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node289 + ref_id: ESRS 1-QC 7 + description: A neutral depiction is without bias in its selection or disclosure + of information. Information is neutral if it is not slanted, weighted, emphasised, + de-emphasised or otherwise manipulated to make it more likely that the users + will receive that information favourably or unfavourably. It shall be balanced, + so as to cover favourable/positive and unfavourable/negative aspects. Both + negative and positive material impacts from an impact materiality perspective + as well as material risks and opportunities from a financial materiality perspective + shall receive equal attention. Any aspirational sustainability information, + for example targets or plans, shall cover both aspirations and factors that + could prevent the undertaking from achieving these aspirations in order to + have a neutral depiction. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node289 + ref_id: ESRS 1-QC 8 + description: Neutrality is supported by the exercise of prudence which is the + exercise of caution when making judgements under conditions of uncertainty. + Information shall not be netted or compensated to be neutral. The exercise + of prudence means that opportunities are not overstated and risks are not + understated. Equally, the exercise of prudence does not allow for the understatement + of opportunities or the overstatement of risks. The undertaking may present + net information, in addition to gross values, if such presentation does not + obscure relevant information and includes a clear explanation about the effects + of the netting and the reasons for the netting. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node289 + ref_id: ESRS 1-QC 9 + description: 'Information can be accurate without being perfectly precise in + all respects. Accurate information implies that the undertaking has implemented + adequate processes and internal controls to avoid material errors or material + misstatements. As such, estimates shall be presented with a clear emphasis + on their possible limitations and associated uncertainty (see section 7.2 + of this Standard). The amount of precision needed and attainable, and the + factors that make information accurate, depend on the nature of the information + and the nature of the matters it addresses. For example, accuracy requires + that:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.a + description: factual information is free from material error + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.b + description: descriptions are precise + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.c + description: estimates, approximations and forecasts are clearly identified + as such + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.d + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.d + description: no material errors have been made in selecting and applying an + appropriate process for developing an estimate, approximation or forecast, + and the inputs to that process are reasonable and supportable + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.e + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.e + description: assertions are reasonable and based on information of sufficient + quality and quantity; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9.f + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-9 + ref_id: ESRS 1-QC 9.f + description: information about judgements about the future faithfully reflects + both those judgements and the information on which they are based. + - urn: urn:intuitem:risk:req_node:esrs_p1:node301 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + name: Comparability + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node301 + ref_id: ESRS 1-QC 10 + description: Sustainability information is comparable when it can be compared + with information provided by the undertaking in previous periods and, can + be compared with information provided by other undertakings, in particular + those with similar activities or operating within the same industry. A point + of reference for comparison can be a target, a baseline, an industry benchmark, + comparable information from either other undertakings or from an internationally + recognised organisation,etc + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node301 + ref_id: ESRS 1-QC 11 + description: Consistency is related to, but is not the same as, comparability. + Consistency refers to the use of the same approaches or methods for the same + sustainability matter, from period to period by the undertaking and other + undertakings. Consistency helps to achieve the goal of comparability + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node301 + ref_id: ESRS 1-QC 12 + description: Comparability is not uniformity. For information to be comparable, + like components shall look alike and different components shall look different. + Comparability of sustainability information is not enhanced by making unlike + things look alike any more than it is enhanced by making like things look + different. + - urn: urn:intuitem:risk:req_node:esrs_p1:node305 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + name: Verifiability + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node305 + ref_id: ESRS 1-QC 13 + description: Verifiability helps to give users confidence that information is + complete, neutral and accurate. Sustainability information is verifiable if + it is possible to corroborate the information itself or the inputs used to + derive it. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node305 + ref_id: ESRS 1-QC 14 + description: 'Verifiability means that various knowledgeable and independent + observers could reach consensus, although not necessarily complete agreement, + that a particular depiction is a faithful representation. Sustainability information + shall be provided in a way that enhances its verifiability, for example:' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14.a + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14 + ref_id: ESRS 1-QC 14.a + description: "including information that can be corroborated by comparing it\ + \ with other information available to users about the undertaking\u2019s business,\ + \ about other businesses or about the external environment;" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14.b + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14 + ref_id: ESRS 1-QC 14.b + description: providing information about inputs and methods of calculation used + to produce estimates or approximations; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14.c + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-14 + ref_id: ESRS 1-QC 14.c + description: providing information reviewed and agreed by the administrative, + management and supervisory bodies or their committees + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node305 + ref_id: ESRS 1-QC 15 + description: Some sustainability information will be in the form of explanations + or forward-looking information. Those disclosures can be supportable by faithfully + representing on a factual basis for example the strategies, plans and risk + analyses of the undertaking. To help users decide whether to use such information, + the undertaking shall describe the underlying assumptions and methods of producing + the information, as well as other factors that provide evidence that it reflects + the actual plans or decisions made by the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p1:node312 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-b + name: Understandability + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node312 + ref_id: ESRS 1-QC 16 + description: Sustainability information is understandable when it is clear and + concise. Understandable information enables any reasonably knowledgeable user + to readily comprehend the information being communicated + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-17 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node312 + ref_id: ESRS 1-QC 17 + description: "For sustainability disclosures to be concise, they need to (a)\ + \ avoid generic \u2018boilerplate\u2019 information, which is not specific\ + \ to the undertaking; (b) avoid unnecessary duplication of information, including\ + \ information also provided in financial statements; and (c) use clear language\ + \ and well-structured sentences and paragraphs. Concise disclosures shall\ + \ only include material information. Complementary information presented pursuant\ + \ to paragraph 114 shall be provided in a way that avoids obscuring material\ + \ information." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node312 + ref_id: ESRS 1-QC 18 + description: "Clarity might be enhanced by distinguishing information about\ + \ developments in the reporting period from \u2018standing\u2019 information\ + \ that remains relatively unchanged from one period to the next. This can\ + \ be done, for example, by separately describing features of the undertaking\u2019\ + s sustainability-related governance and risk management processes that have\ + \ changed since the previous reporting period compared to those that remain\ + \ unchanged" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-19 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node312 + ref_id: ESRS 1-QC 19 + description: "The completeness, clarity and comparability of sustainability\ + \ disclosures all rely on information being presented as a coherent whole.\ + \ For sustainability disclosures to be coherent, they shall be presented in\ + \ a way that explains the context and the connections between the related\ + \ information. Coherence also requires the undertaking to provide information\ + \ in a way that allows users to relate information about its sustainability-related\ + \ impacts, risks and opportunities to information in the undertaking\u2019\ + s financial statements." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-qc-20 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node312 + ref_id: ESRS 1-QC 20 + description: If sustainability-related risks and opportunities discussed in + the financial statements have implications for sustainability reporting, the + undertaking shall include in the sustainability statement the information + necessary for users to assess those implications and present appropriate links + to the financial statements (see chapter 9 of this Standard). The level of + information, granularity and technicality shall be aligned with the needs + and expectations of users. Abbreviations shall be avoided and the units of + measure shall be defined and disclosed. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-c + assessable: true + depth: 1 + ref_id: ESRS 1-Appendix C + description: List of phased-in Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p1:node319 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-c + description: This appendix is an integral part of ESRS 1 and has the same authority + as the other parts of the Standard. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-d + assessable: true + depth: 1 + ref_id: ESRS 1-Appendix D + description: Structure of the ESRS sustainability statement + - urn: urn:intuitem:risk:req_node:esrs_p1:node321 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-d + description: This appendix is an integral part of ESRS 1 and has the same authority + as the other parts of the Standard with respect to reporting in four parts + as outlined in paragraph 115. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-e + assessable: true + depth: 1 + ref_id: ESRS 1-Appendix E + description: Flowchart for determining disclosures under ESRS + - urn: urn:intuitem:risk:req_node:esrs_p1:node323 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-e + description: "Materiality assessment is the starting point for sustainability\ + \ reporting under ESRS. This appendix provides a non-binding illustration\ + \ of the impact- and financial materiality assessment outlined in chapter\ + \ 3. IRO-1 in section 4.1 of ESRS 2 includes general disclosure requirements\ + \ (DR) about the undertaking\u2019s process to identify impacts, risks and\ + \ opportunities and assess their materiality. SBM-3 of ESRS 2 provides general\ + \ disclosures requirements on the material impact, risks and opportunities\ + \ resulting from the undertaking\u2019s materiality assessment. The undertaking\ + \ can omit all disclosure requirements in a topical standard if it assessed\ + \ that the topic in question is not material. In that case it may disclose\ + \ a brief explanation of the conclusions of the materiality assessment for\ + \ that topic but shall disclose a detailed explanation in the case of ESRS\ + \ E1 climate change (IRO-2 ESRS 2). ESRS set disclosure requirements, not\ + \ behavioral requirements. Disclosure requirements in relation to action plans,\ + \ targets, policies, scenario analysis and transition plans are proportionate\ + \ because they are contingent on the undertaking having these, which may depend\ + \ on the size, capacity, resources, and skills of the undertaking. Note: The\ + \ flowchart below does not cover the situation in which the undertaking assesses\ + \ a sustainability matter as material but it is not covered by a topical standard,\ + \ in which case the undertaking shall make additional entity specific disclosures\ + \ (ESRS 1 (30 (b))." + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-f + assessable: true + depth: 1 + ref_id: ESRS 1-Appendix F + description: Example of structure of ESRS sustainability statement + - urn: urn:intuitem:risk:req_node:esrs_p1:node325 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-f + description: This appendix complements ESRS 1. It provides a non-binding illustration + of the structure of the sustainability statement outlined in section 8.2 of + this Standard. In this illustration, the undertaking has concluded that biodiversity + and ecosystems, pollution, and affected communities, are not material. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-g + assessable: true + depth: 1 + ref_id: ESRS 1-Appendix G + description: Example of incorporation by reference + - urn: urn:intuitem:risk:req_node:esrs_p1:node327 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-1-appendix-g + description: This appendix complements ESRS 1. It provides non-binding illustrations + of incorporation by reference of another section of the management report + into the sustainability statement as outlined in section 9.1 of this Standard. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2 + assessable: false + depth: 1 + ref_id: ESRS 2 + description: GENERAL DISCLOSURES + - urn: urn:intuitem:risk:req_node:esrs_p1:node329 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p1:node330 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + description: 'This ESRS sets out the disclosure requirements that apply to all + undertakings regardless of their sector of activity (i.e., sector agnostic) + and apply across sustainability topics (i.e., cross-cutting).This ESRS covers + the reporting areas defined in ESRS 1 General requirements section 1.2 Reporting + areas and minimum content disclosure requirements on policies, actions, targets + and metrics. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node331 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + description: 'In the preparation of disclosures under this Standard, the undertaking + shall apply the Disclosure Requirements (including their datapoints) set in + topical ESRS, as listed in Appendix C of this Standard Disclosure/ Application + Requirements in topical ESRS that are applicable jointly with ESRS 2 General + Disclosures. The undertaking shall apply the requirements listed in Appendix + C:' + - urn: urn:intuitem:risk:req_node:esrs_p1:node332 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node331 + description: (a) in all instances for the requirements in topical standards + related to Disclosure Requirement IRO-1 Description of the processes to identify + and assess material impacts, risks and opportunities; and + - urn: urn:intuitem:risk:req_node:esrs_p1:node333 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node331 + description: "(b) for all other requirements listed in appendix C, only if the\ + \ sustainability topic is material based on the undertaking\u2019s materiality\ + \ assessment (see ESRS 1 chapter 3 Double materiality as the basis for sustainability\ + \ disclosures)." + - urn: urn:intuitem:risk:req_node:esrs_p1:node334 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + name: 1. Basis for preparation + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node334 + ref_id: BP-1 + name: "Disclosure Requirement BP-1 \u2013 General basis for preparation of the\ + \ sustainability statement" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1 + ref_id: BP-1.3 + description: The undertaking shall disclose the general basis for preparation + of its sustainability statement. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1 + ref_id: BP-1.4 + description: The objective of this Disclosure Requirement is to provide an understanding + of how the undertaking prepares its sustainability statement, including the + scope of consolidation, the upstream and downstream value chain information + and, where relevant, whether the undertaking has used any of the options for + omitting information referred to in points d) and e) in the following paragraph. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1 + ref_id: BP-1.5 + description: 'The undertaking shall disclose the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + ref_id: BP-1.5.a + description: whether the sustainability statement has been prepared on a consolidated + or individual basis; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + ref_id: BP-1.5.b + description: 'for consolidated sustainability statements:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.b + ref_id: BP-1.5.b.i + description: a confirmation that the scope of consolidation is the same as for + the financial statements, or, where applicable, a declaration that the reporting + undertaking is not required to draw-up financial statements or that the reporting + undertaking is preparing consolidated sustainability reporting pursuant to + Article 48i of Directive 2013/34/EU; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.b + ref_id: BP-1.5.b.ii + description: where applicable, an indication of which subsidiary undertakings + included in the consolidation are exempted from individual or consolidated + sustainability reporting pursuant to Articles 19a(9) or 29a(8) of Directive + 2013/34/EU; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + ref_id: BP-1.5.c + description: "to what extent the sustainability statement covers the undertaking\u2019\ + s upstream and downstream value chain (see ESRS 1 section 5.1 Reporting undertaking\ + \ and value chain);" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + ref_id: BP-1.5.d + description: whether the undertaking has used the option to omit a specific + piece of information corresponding to intellectual property, know-how or the + results of innovation (see ESRS 1 section 7.7 Classified and sensitive information + and information on intellectual property, know-how or results of innovation); + and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1.5 + ref_id: BP-1.5.e + description: for undertakings based in an EU member state that allows for the + exemption from disclosure of impending developments or matters in the course + of negotiation, as provided for in articles 19a(3) and 29a(3) of Directive + 2013/34/EU, whether the undertaking has used that exemption. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node334 + ref_id: BP-2 + name: "Disclosure Requirement BP-2 \u2013 Disclosures in relation to specific\ + \ circumstances" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + ref_id: BP-2.6 + description: The undertaking shall provide disclosures in relation to specific + circumstances. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + ref_id: BP-2.7 + description: The objective of this Disclosure Requirement is to provide an understanding + of the effect of these specific circumstances on the preparation of the sustainability + statement. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + ref_id: BP-2.8 + description: The undertaking may report this information alongside the disclosures + to which they refer. + - urn: urn:intuitem:risk:req_node:esrs_p1:node350 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Time horizons + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node350 + ref_id: BP-2.9 + description: 'When the undertaking has deviated from the medium- or long-term + time horizons defined by ESRS 1 section 6.4 Definition of short-, medium-and + long-term for reporting purposes, it shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.9.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.9 + ref_id: BP-2.9.a + description: its definitions of medium- or long-term time horizons; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.9.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.9 + ref_id: BP-2.9.b + description: the reasons for applying those definitions. + - urn: urn:intuitem:risk:req_node:esrs_p1:node354 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Value chain estimation + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node354 + ref_id: BP-2.10 + description: 'When metrics include upstream and/or downstream value chain data + estimated using indirect sources, such as sector-average data or other proxies, + the undertaking shall:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10 + ref_id: BP-2.10.a + description: identify the metrics; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10 + ref_id: BP-2.10.b + description: describe the basis for preparation; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10 + ref_id: BP-2.10.c + description: describe the resulting level of accuracy; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.10 + ref_id: BP-2.10.d + description: where applicable, describe the planned actions to improve the accuracy + in the future (see ESRS 1 chapter 5 Value chain). + - urn: urn:intuitem:risk:req_node:esrs_p1:node360 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Sources of estimation and outcome uncertainty + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node360 + ref_id: BP-2.11 + description: 'In accordance with ESRS 1 section 7.2 Sources of estimation and + outcome uncertainty, the undertaking shall:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11 + ref_id: BP-2.11.a + description: identify the quantitative metrics and monetary amounts it has disclosed + that are subject to a high level of measurement uncertainty; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11 + ref_id: BP-2.11.b + description: 'in relation to each quantitative metric and monetary amount identified:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.b + ref_id: BP-2.11.b.i + description: "disclose information about the sources of measurement uncertainty\ + \ (for example, the dependence of the amount on the outcome of a future event,\ + \ on a measurement technique or on the availability and quality of data from\ + \ the entity\u2019s upstream and/or downstream value chain); and" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.11.b + ref_id: BP-2.11.b.ii + description: disclose the assumptions, approximations and judgements the entity + has made in measuring it. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node360 + ref_id: BP-2.12 + description: When disclosing forward-looking information, the undertaking may + indicate that it considers such information to be uncertain. + - urn: urn:intuitem:risk:req_node:esrs_p1:node367 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Changes in preparation or presentation of sustainability information + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node367 + ref_id: BP-2.13 + description: 'When changes in the preparation and presentation of sustainability + information occur compared to the previous reporting period(s), (see ESRS + 1 section 7.4 Changes in preparation or presentation in sustainability information), + the undertaking shall:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13 + ref_id: BP-2.13.a + description: explain the changes and the reasons for them, including why the + replaced metric provides more useful information; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13 + ref_id: BP-2.13.b + description: disclose revised comparative figures, unless it is impracticable + to do so. When it is impracticable to adjust comparative information for one + or more prior periods, the undertaking shall disclose that fact; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.13 + ref_id: BP-2.13.c + description: disclose the difference between the figure disclosed in the preceding + period and the revised comparative figure. + - urn: urn:intuitem:risk:req_node:esrs_p1:node372 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Reporting errors in prior periods + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node372 + ref_id: BP-2.14 + description: 'When the undertaking identifies material prior period errors (see + ESRS 1 section 7.5 Reporting errors in prior periods), it shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14 + ref_id: BP-2.14.a + description: the nature of the prior period material error; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14 + ref_id: BP-2.14.b + description: to the extent practicable, the correction for each prior period + included in the sustainability statement; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.14 + ref_id: BP-2.14.c + description: if correction of the error is not practicable, the circumstances + that led to the existence of that condition. + - urn: urn:intuitem:risk:req_node:esrs_p1:node377 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Disclosures stemming from other legislation or generally accepted sustainability + reporting pronouncements + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + ref_id: BP-2.15 + description: When the undertaking includes in its sustainability statement information + stemming from other legislation which requires the undertaking to disclose + sustainability information or from generally accepted sustainability reporting + standards and frameworks (see ESRS 1 section 8.2 Content and structure of + the sustainability statement), in addition to the information prescribed by + ESRS, it shall disclose this fact. In case of partial application of other + reporting standards or frameworks, the undertaking shall provide a precise + reference to the paragraphs of the standard or framework applied. + - urn: urn:intuitem:risk:req_node:esrs_p1:node379 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Incorporation by reference + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node379 + ref_id: BP-2.16 + description: When the undertaking incorporates information by reference (see + ESRS 1 section 9.1 Incorporation by reference), it shall disclose a list of + the disclosure requirements of ESRS, or the specific datapoints mandated by + a Disclosure Requirement, that have been incorporated by reference. + - urn: urn:intuitem:risk:req_node:esrs_p1:node381 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2 + name: Use of phase-in provisions in accordance with Appendix C of ESRS 1 + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node381 + ref_id: BP-2.17 + description: "If an undertaking or group not exceeding on its balance sheet\ + \ date the average number of 750 employees during the financial year decides\ + \ to omit the information required by ESRS E4, ESRS S1, ESRS S2, ESRS S3 or\ + \ ESRS S4 in accordance with Appendix C of ESRS 1, it shall nevertheless disclose\ + \ whether the sustainability topics covered respectively by ESRS E4, ESRS\ + \ S1, ESRS S2, ESRS S3 and ESRS S4 have been assessed to be material as a\ + \ result of the undertaking\u2019s materiality assessment. In addition, if\ + \ one or more of these topics has been assessed to be material, the undertaking\ + \ shall, for each material topic:" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + ref_id: BP-2.17.a + description: "disclose the list of matters (i.e. topic, sub-topic or sub-sub-topic)\ + \ in AR 16 ESRS 1 Appendix A that are assessed to be material and briefly\ + \ describe how the undertaking\u2019s business model and strategy take account\ + \ of the impacts of the undertaking related to those matters. The undertaking\ + \ may identify the matter at the level of topic, sub-topic or sub-sub-topic;" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + ref_id: BP-2.17.b + description: briefly describe any time-bound targets it has set related to the + matters in question, the progress it has made towards achieving those targets, + and whether its targets related to biodiversity and ecosystems are based on + conclusive scientific evidence; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + ref_id: BP-2.17.c + description: briefly describe its policies in relation to the matters in question; + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + ref_id: BP-2.17.d + description: briefly describe actions it has taken to identify, monitor, prevent, + mitigate, remediate or bring an end to actual or potential adverse impacts + related to the matters in question, and the result of such actions; and + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2.17 + ref_id: BP-2.17.e + description: disclose metrics relevant to the matters in question. + - urn: urn:intuitem:risk:req_node:esrs_p1:node388 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + name: 2.Governance + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node388 + ref_id: GOV-1 + name: "Disclosure Requirement GOV-1 \u2013 The role of the administrative, management\ + \ and supervisory bodies" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + ref_id: GOV-1.19 + description: The undertaking shall disclose the composition of the administrative, + management and supervisory bodies, their roles and responsibilities and access + to expertise and skills with regard to sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + ref_id: GOV-1.20 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20 + ref_id: GOV-1.20.a + description: the composition and diversity of the administrative, management + and supervisory bodies; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20 + ref_id: GOV-1.20.b + description: "the roles and responsibilities of the administrative, management\ + \ and supervisory bodies in exercising oversight of the process to manage\ + \ material impacts, risks and opportunities, including management\u2019s role\ + \ in these processes; and" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.20 + ref_id: GOV-1.20.c + description: the expertise and skills of its administrative, management and + supervisory bodies on sustainability matters or access to such expertise and + skills. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + ref_id: GOV-1.21 + description: "The undertaking shall disclose the following information about\ + \ the composition and diversity of the members of the undertaking\u2019s administrative,\ + \ management and supervisory bodies:" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + ref_id: GOV-1.21.a + description: the number of executive and non-executive members; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + ref_id: GOV-1.21.b + description: representation of employees and other workers; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + ref_id: GOV-1.21.c + description: experience relevant to the sectors, products and geographic locations + of the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + ref_id: GOV-1.21.d + description: percentage by gender and other aspects of diversity that the undertaking + considers. The board's gender diversity ( 13 ) shall be calculated as an average + ratio of female to male board members; and + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.21 + ref_id: GOV-1.21.e + description: the percentage of independent board members ( 14 ). For undertakings + with a unitary board, this corresponds to the percentage of independent non-executive + board members. For undertakings with a dual board, it corresponds to the percentage + of independent members of the supervisory body. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + ref_id: GOV-1.22 + description: 'The undertaking shall disclose the following information about + the roles and responsibilities of the administrative, management and supervisory + bodies:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22 + ref_id: GOV-1.22.a + description: the identity of the administrative, management and supervisory + bodies (such as a board committee or similar) or individual(s) within a body + responsible for oversight of impacts, risks and opportunities; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22 + ref_id: GOV-1.22.b + description: "how each body\u2019s or individual\u2019s responsibilities for\ + \ impacts, risks and opportunities are reflected in the undertaking\u2019\ + s terms of reference, board mandates and other related policies;" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22 + ref_id: GOV-1.22.c + description: "a description of management\u2019s role in the governance processes,\ + \ controls and procedures used to monitor, manage and oversee impacts, risks\ + \ and opportunities, including:" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c + ref_id: GOV-1.22.c.i + description: whether that role is delegated to a specific management-level position + or committee and how oversight is exercised over that position or committee; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c + ref_id: GOV-1.22.c.ii + description: information about the reporting lines to the administrative, management + and supervisory bodies; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.c + ref_id: GOV-1.22.c.iii + description: whether dedicated controls and procedures are applied to the management + of impacts, risks and opportunities and, if so, how they are integrated with + other internal functions; and + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.22 + ref_id: GOV-1.22.d + description: how the administrative, management and supervisory bodies and senior + executive management oversee the setting of targets related to material impacts, + risks and opportunities, and how they monitor progress towards them. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1 + ref_id: GOV-1.23 + description: 'The disclosure shall include a description of how the administrative, + management and supervisory bodies determine whether appropriate skills and + expertise are available or will be developed to oversee sustainability matters, + including:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.23.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.23 + ref_id: GOV-1.23.a + description: the sustainability-related expertise that the bodies, as a whole, + either directly possess or can leverage, for example through access to experts + or training; and + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.23.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1.23 + ref_id: GOV-1.23.b + description: how those skills and expertise relate to the undertaking's material + impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node388 + ref_id: GOV-2 + name: "Disclosure Requirement GOV-2 \u2013 Information provided to and sustainability\ + \ matters addressed by the undertaking\u2019s administrative, management and\ + \ supervisory bodies" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2 + ref_id: GOV-2.24 + description: The undertaking shall disclose how the administrative, management + and supervisory bodies are informed about sustainability matters and how these + matters were addressed during the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2 + ref_id: GOV-2.25 + description: The objective of this Disclosure Requirement is to provide an understanding + of how administrative, management and supervisory bodies are informed about + sustainability matters, as well as what information and matters they addressed + during the reporting period. This in turn allows an understanding of whether + the members of these bodies were adequately informed and whether they were + able to fulfil their roles. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2 + ref_id: GOV-2.26 + description: 'The undertaking shall disclose the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26 + ref_id: GOV-2.26.a + description: "whether, by whom and how frequently the administrative, management\ + \ and supervisory bodies, including their relevant committees, are informed\ + \ about material impacts, risks and opportunities (see Disclosure Requirement\ + \ IRO\u20131 - Description of the processes to identify and assess material\ + \ impacts, risks and opportunities of this Standard), the implementation of\ + \ due diligence, and the results and effectiveness of policies, actions, metrics\ + \ and targets adopted to address them;" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26 + ref_id: GOV-2.26.b + description: "how the administrative, management and supervisory bodies consider\ + \ impacts, risks and opportunities when overseeing the undertaking\u2019s\ + \ strategy, its decisions on major transactions, and its risk management process,\ + \ including whether they have considered trade-offs associated with those\ + \ impacts, risks and opportunities; and" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2.26 + ref_id: GOV-2.26.c + description: a list of the material impacts, risks and opportunities addressed + by the administrative, management and supervisory bodies, or their relevant + committees during the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node388 + ref_id: GOV-3 + name: "Disclosure Requirement GOV-3 \u2013 Integration of sustainability-related\ + \ performance in incentive schemes" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3 + ref_id: GOV-3.27 + description: The undertaking shall disclose information about the integration + of its sustainability-related performance in incentive schemes. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3 + ref_id: GOV-3.28 + description: The objective of this Disclosure Requirement is to provide an understanding + of whether incentive schemes are offered to members of the administrative, + management and supervisory bodies that are linked to sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3 + ref_id: GOV-3.29 + description: 'The undertaking shall disclose the following information about + the incentive schemes and remuneration policies linked to sustainability matters + for members of the undertaking''s administrative, management and supervisory + bodies, where they exist:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + ref_id: GOV-3.29.a + description: a description of the key characteristics of the incentive schemes; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + ref_id: GOV-3.29.b + description: whether performance is being assessed against specific sustainability-related + targets and/or impacts, and if so, which ones; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + ref_id: GOV-3.29.c + description: whether and how sustainability-related performance metrics are + considered as performance benchmarks or included in remuneration policies; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + ref_id: GOV-3.29.d + description: the proportion of variable remuneration dependent on sustainability- + related targets and/or impacts; and + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3.29 + ref_id: GOV-3.29.e + description: the level in the undertaking at which the terms of incentive schemes + are approved and updated. + - urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20134" + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node388 + ref_id: "GOV\u20134" + name: "Disclosure Requirement GOV\u20134 - Statement on due diligence" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4.30 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20134" + ref_id: GOV-4.30 + description: The undertaking shall disclose a mapping of the information provided + in its sustainability statement about the due diligence process. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4.31 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20134" + ref_id: GOV-4.31 + description: "The objective of this Disclosure Requirement is to facilitate\ + \ an understanding of the undertaking\u2019s due diligence process with regard\ + \ to sustainability matters." + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4.32 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20134" + ref_id: GOV-4.32 + description: The main aspects and steps of due diligence referred to under ESRS + 1 chapter 4 Due diligence are related to a number of cross-cutting and topical + Disclosure Requirements under the ESRS. The undertaking shall provide a mapping + that explains how and where its application of the main aspects and steps + of the due diligence process are reflected in its sustainability statement, + to allow a depiction of the actual practices of the undertaking with regard + to due diligence. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4.33 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20134" + ref_id: GOV-4.33 + description: This disclosure requirement does not mandate any specific behavioural + requirements with regard to due diligence actions and does not extend or modify + the role of administrative, management and supervisory bodies as mandated + by other legislation or regulation. + - urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20135" + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node388 + ref_id: "GOV\u20135" + name: "Disclosure Requirement GOV\u20135 - Risk management and internal controls\ + \ over sustainability reporting" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.34 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20135" + ref_id: GOV-5.34 + description: The undertaking shall disclose the main features of its risk management + and internal control system in relation to the sustainability reporting process. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.35 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20135" + ref_id: GOV-5.35 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the undertaking\u2019s risk management and internal control\ + \ processes in relation to sustainability reporting." + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:gov\u20135" + ref_id: GOV-5.36 + description: 'The undertaking shall disclose the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + ref_id: GOV-5.36.a + description: the scope, main features and components of the risk management + and internal control processes and systems in relation to sustainability reporting; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + ref_id: GOV-5.36.b + description: the risk assessment approach followed, including the risk prioritisation + methodology; + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + ref_id: GOV-5.36.c + description: the main risks identified and their mitigation strategies including + related controls + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + ref_id: GOV-5.36.d + description: a description of how the undertaking integrates the findings of + its risk assessment and internal controls as regards the sustainability reporting + process into relevant internal functions and processes; and + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5.36 + ref_id: GOV-5.36.e + description: a description of the periodic reporting of the findings referred + to in point (d) to the administrative, management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p1:node442 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + name: 3.Strategy + - urn: urn:intuitem:risk:req_node:esrs_p1:node443 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node442 + description: 'This chapter sets disclosure requirements that enable an understanding + of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:node444 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node443 + description: "(a)the elements of the undertaking\u2019s strategy that relate\ + \ to or affect sustainability matters, its business model and its value chain;" + - urn: urn:intuitem:risk:req_node:esrs_p1:node445 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node443 + description: "(b)how the interests and views of the undertaking\u2019s stakeholders\ + \ are taken into account by the undertaking\u2019s strategy and business model;\ + \ and" + - urn: urn:intuitem:risk:req_node:esrs_p1:node446 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node443 + description: "(c) the outcome of the undertaking\u2019s assessment of material\ + \ impacts, risks and opportunities, including how they inform its strategy\ + \ and business model." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node442 + ref_id: SBM-1 + name: "Disclosure Requirement SBM-1 \u2013 Strategy, business model and value\ + \ chain" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + ref_id: SBM-1.38 + description: The undertaking shall disclose the elements of its strategy that + relate to or impact sustainability matters, its business model and its value + chain. + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + ref_id: SBM-1.39 + description: "The objective of this Disclosure Requirement is to describe the\ + \ key elements of the undertaking\u2019s general strategy that relate to or\ + \ affect sustainability matters, and the key elements of the undertaking\u2019\ + s business model and value chain, in order to provide an understanding of\ + \ its exposure to impacts, risks and opportunities and where they originate." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + ref_id: SBM-1.40 + description: 'The undertaking shall disclose the following information about + the key elements of its general strategy that relate to or affect sustainability + matters:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.a + description: 'a description of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a + ref_id: SBM-1.40.a.i + description: significant groups of products and/or services offered, including + changes in the reporting period (new/removed products and/or services); + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a + ref_id: SBM-1.40.a.ii + description: significant markets and/or customer groups served, including changes + in the reporting period (new/removed markets and/or customer groups); + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a + ref_id: SBM-1.40.a.iii + description: headcount of employees by geographical areas; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.a + ref_id: SBM-1.40.iv + description: where applicable and material, products and services that are banned + in certain markets; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.b + description: a breakdown of total revenue, as included in its financial statements, + by significant ESRS sectors. When the undertaking provides segment reporting + as required by IFRS 8 Operating segments in its financial statements, this + sector revenue information shall be, as far as possible, reconciled with IFRS + 8 information; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.c + description: a list of the additional significant ESRS sectors beyond the ones + reflected under paragraph 40(b), such as activities that give rise to intercompany + revenues, in which the undertaking develops significant activities, or in + which it is or may be connected to material impacts. The identification of + these additional ESRS sectors shall be consistent with the way they have been + considered by the undertaking when performing its materiality assessment and + with the way it discloses material sector-specific information; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.d + description: 'where applicable, a statement indicating, together with the related + revenues, that the undertaking is active in:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d + ref_id: SBM-1.40.d.i + description: the fossil fuel (coal, oil and gas) sector ( 16 ), (i.e., it derives + revenues from exploration, mining, extraction, production, processing, storage, + refining or distribution, including transportation, storage and trade, of + fossil fuels as defined in Article 2, point (62), of Regulation (EU) 2018/1999 + of the European Parliament and the Council ( 17 )), including a disaggregation + of revenues derived from coal, from oil and from gas, as well as the revenues + derived from Taxonomy-aligned economic activities related to fossil gas as + required under Article 8(7)(a) of Commission Delegated Regulation 2021/2178 + ( 18 ); + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d + ref_id: SBM-1.40.d.ii + description: chemicals production ( 19 ), i.e., its activities fall under Division + 20.2 of Annex I to Regulation (EC) No 1893/2006; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d + ref_id: SBM-1.40.d.iii + description: controversial weapons ( 20 ) (anti-personnel mines, cluster munitions, + chemical weapons and biological weapons); and/or + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.d + ref_id: SBM-1.40.d.iv + description: the cultivation and production of tobacco ( 21 ); + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.e + description: its sustainability-related goals in terms of significant groups + of products and services, customer categories, geographical areas and relationships + with stakeholders; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.f + description: ' an assessment of its current significant products and/or services, + and significant markets and customer groups, in relation to its sustainability-related + goals; and' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.40 + ref_id: SBM-1.40.g + description: "the elements of the undertaking\u2019s strategy that relate to\ + \ or impact sustainability matters, including the main challenges ahead, critical\ + \ solutions or projects to be put in place, when relevant for sustainability\ + \ reporting." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + ref_id: SBM-1.41 + description: If the undertaking is based in an EU Member State that allows for + an exemption from the disclosure of the information referred to in Article + 18, paragraph 1, sub-point (a) of Directive 2013/34/EU ( 22 ), and if the + undertaking has made use of that exemption, it may omit the breakdown of revenue + by significant ESRS sector required by paragraph 40(b). In this case the undertaking + shall nevertheless disclose the list of ESRS sectors that are significant + for the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1 + ref_id: SBM-1.42 + description: 'The undertaking shall disclose a description of its business model + and value chain, including:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42 + ref_id: SBM-1.42.a + description: its inputs and its approach to gathering, developing and securing + those inputs; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42 + ref_id: SBM-1.42.b + description: its outputs and outcomes in terms of current and expected benefits + for customers, investors and other stakeholders; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-1.42 + ref_id: SBM-1.42.c + description: "the main features of its upstream and downstream value chain and\ + \ the undertaking\u2019s position in its value chain, including a description\ + \ of the main business actors (such as key suppliers, customers, distribution\ + \ channels and end-users) and their relationship to the undertaking. When\ + \ the undertaking has multiple value chains, the disclosure shall cover the\ + \ key value chains." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node442 + ref_id: SBM-2 + name: "Disclosure Requirement SBM-2 \u2013 Interests and views of stakeholders" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2 + ref_id: SBM-2.43 + description: "The undertaking shall disclose how the interests and views of\ + \ its stakeholders are taken into account by the undertaking\u2019s strategy\ + \ and business model." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2 + ref_id: SBM-2.44 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of how stakeholders\u2019 interests and views inform the undertaking\u2019\ + s strategy and business model." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2 + ref_id: SBM-2.45 + description: 'The undertaking shall disclose a summarised description of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.a + description: 'its stakeholder engagement, including:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + ref_id: SBM-2.45.a.i + description: "the undertaking\u2019s key stakeholders;" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + ref_id: SBM-2.45.a.ii + description: whether engagement with them occurs and for which categories of + stakeholders; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + ref_id: SBM-2.45.a.iii + description: how it is organised; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + ref_id: SBM-2.45.a.iv + description: its purpose; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.a + ref_id: SBM-2.45.a.v + description: how its outcome is taken into account by the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.b + description: "the undertaking\u2019s understanding of the interests and views\ + \ of its key stakeholders as they relate to the undertaking\u2019s strategy\ + \ and business model, to the extent that these were analysed during the undertaking\u2019\ + s due diligence process and/or materiality assessment process (see Disclosure\ + \ Requirement IRO-1 of this Standard);" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.c + description: 'where applicable, amendments to its strategy and/or business model, + including:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.c.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.c.i + description: how the undertaking has amended or expects to amend its strategy + and/or business model to address the interests and views of its stakeholders; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.c.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.c.ii + description: any further steps that are being planned and in what timeline; + and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.c.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.c.iii + description: whether these steps are likely to modify the relationship with + and views of stakeholders; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-2.45 + ref_id: SBM-2.45.d + description: " whether and how the administrative, management and supervisory\ + \ bodies are informed about the views and interests of affected stakeholders\ + \ with regard to the undertaking\u2019s sustainability-related impacts." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node442 + ref_id: SBM-3 + name: Disclosure Requirement SBM-3 - Material impacts, risks and opportunities + and their interaction with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3 + ref_id: SBM-3.46 + description: The undertaking shall disclose its material impacts, risks and + opportunities and how they interact with its strategy and business model. + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3 + ref_id: SBM-3.47 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the material impacts, risks and opportunities as they result\ + \ from the undertaking\u2019s materiality assessment and how they originate\ + \ from and trigger adaptation of the undertaking\u2019s strategy and business\ + \ model including its resources allocation. The information to be disclosed\ + \ about the management of the undertaking\u2019s material impacts, risks and\ + \ opportunities is prescribed in topical ESRS and in sector-specific standards,\ + \ which shall be applied in conjunction with the Minimum Disclosure Requirements\ + \ on policies, actions and targets established in this Standard." + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3 + ref_id: SBM-3.48 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.48.a + description: a brief description of its material impacts, risks and opportunities + resulting from its materiality assessment (see Disclosure Requirement IRO-1 + of this standard), including a description of where in its business model, + its own operations and its upstream and downstream value chain these material + impacts, risks and opportunities are concentrated; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.48.b + description: the current and anticipated effects of its material impacts, risks + and opportunities on its business model, value chain, strategy and decision-making, + and how it has responded or plans to respond to these effects, including any + changes it has made or plans to make to its strategy or business model as + part of its actions to address particular material impacts or risks, or to + pursue particular material opportunities; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.48.c + description: "with reference to the undertaking\u2019s material impacts:" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c + ref_id: SBM-3.48.c.i + description: "how the undertaking\u2019s material negative and positive impacts\ + \ affect (or, in the case of potential impacts, are likely to affect) people\ + \ or the environment;" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c + ref_id: SBM-3.48.c.ii + description: whether and how the impacts originate from or are connected to + the undertaking's strategy and business model; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c + ref_id: SBM-3.48.c.iii + description: the reasonably expected time horizons of the impacts; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48.c + ref_id: SBM-3.48.c.iv + description: whether the undertaking is involved with the material impacts through + its activities or because of its business relationships, describing the nature + of the activities or business relationships concerned; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.d + description: "the current financial effects of the undertaking\u2019s material\ + \ risks and opportunities on its financial position, financial performance\ + \ and cash flows and the material risks and opportunities for which there\ + \ is a significant risk of a material adjustment within the next annual reporting\ + \ period to the carrying amounts of assets and liabilities reported in the\ + \ related financial statements;" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.e + description: "the anticipated financial effects of the undertaking\u2019s material\ + \ risks and opportunities on its financial position, financial performance\ + \ and cash flows over the short-, medium- and long term, including the reasonably\ + \ expected time horizons for those effects. This shall include how the undertaking\ + \ expects its financial position, financial performance and cash flows to\ + \ change over the short, medium- and long-term, given its strategy to manage\ + \ risks and opportunities, taking into consideration:" + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.e.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.e + ref_id: SBM-3.e.i + description: its investment and disposal plans (for example, capital expenditure, + major acquisitions and divestments, joint ventures, business transformation, + innovation, new business areas and asset retirements), including plans the + undertaking is not contractually committed to; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.e.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.e + ref_id: SBM-3.e.ii + description: its planned sources of funding to implement its strategy. + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.f + description: information about the resilience of the undertaking's strategy + and business model regarding its capacity to address its material impacts + and risks and to take advantage of its material opportunities. The undertaking + shall disclose a qualitative and, when applicable, a quantitative analysis + of the resilience, including how the analysis was conducted and the time horizons + that were applied as defined in ESRS 1 (see ESRS 1 chapter 6 Time horizons). + When providing quantitative information, the undertaking may disclose single + amounts or ranges; + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.g + description: changes to the material impacts, risks and opportunities compared + to the previous reporting period; and + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.48 + ref_id: SBM-3.h + description: a specification of those impacts, risks and opportunities that + are covered by ESRS Disclosure Requirements as opposed to those covered by + the undertaking using additional entity-specific disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3.49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:sbm-3 + ref_id: SBM-3.49 + description: The undertaking may disclose the descriptive information required + in paragraph 46 alongside the disclosures provided under the corresponding + topical ESRS, in which case it shall still present a statement of its material + impacts, risks and opportunities alongside its disclosures prepared under + this chapter of ESRS 2. + - urn: urn:intuitem:risk:req_node:esrs_p1:node506 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + name: 4.Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p1:node507 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node506 + name: 4.1 Disclosures on the materiality assessment process + - urn: urn:intuitem:risk:req_node:esrs_p1:node508 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node507 + description: '50.This chapter sets disclosure requirements that enable an understanding + of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:node509 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node508 + description: (a)the process to identify material impacts, risks and opportunities; + and + - urn: urn:intuitem:risk:req_node:esrs_p1:node510 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node508 + description: (b)the information that, as a result of its materiality assessment, + the undertaking has included in its sustainability statement. + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node507 + ref_id: IRO-1 + name: Disclosure Requirement IRO-1 - Description of the process to identify + and assess material impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-51 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1 + ref_id: IRO-1-51 + description: The undertaking shall disclose its process to identify its impacts,risks + and opportunities and to assess which ones are material. + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-52 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1 + ref_id: IRO-1-52 + description: The objective of this Disclosure Requirement is to provide an understanding + of the process through which the undertaking identifies impacts, risks and + opportunities and assesses their materiality, as the basis for determining + the disclosures in its sustainability statement (see ESRS 1 chapter 3 and + its related Application Requirements, which set out requirements and principles + regarding the process to identify and assess material impacts, risks and opportunities + based on the principle of double materiality). + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1 + ref_id: IRO-1-53 + description: 'The undertaking shall disclose the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.a + description: a description of the methodologies and assumptions applied in the + described process; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.b + description: "an overview of the process to identify, assess, prioritise and\ + \ monitor the undertaking\u2019s potential and actual impacts on people and\ + \ the environment, informed by the undertaking\u2019s due diligence process,\ + \ including an explanation of whether and how the process:" + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b + ref_id: IRO-1-53.b.i + description: focusses on specific activities, business relationships, geographies + or other factors that give rise to heightened risk of adverse impacts; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b + ref_id: IRO-1-53.b.ii + description: considers the impacts with which the undertaking is involved through + its own operations or as a result of its business relationships; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b + ref_id: IRO-1-53.b.iii + description: includes consultation with affected stakeholders to understand + how they may be impacted and with external experts; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.b + ref_id: IRO-1-53.b.iv + description: prioritises negative impacts based on their relative severity and + likelihood, (see ESRS 1 section 3.4 Impact materiality) and, if applicable, + positive impacts on their relative scale, scope and likelihood, and determines + which sustainability matters are material for reporting purposes, including + the qualitative or quantitative thresholds and other criteria used as prescribed + by ESRS 1 section 3.4 Impact materiality; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.c + description: 'an overview of the process used to identify, assess, prioritise + and monitor risks and opportunities that have or may have financial effects. + The disclosure shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c + ref_id: IRO-1-53.c.i + description: how the undertaking has considered the connections of its impacts + and dependencies with the risks and opportunities that may arise from those + impacts and dependencies; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c + ref_id: IRO-1-53.c.ii + description: how the undertaking assesses the likelihood, magnitude, and nature + of effects of the identified risk and opportunities (such as the qualitative + or quantitative thresholds and other criteria used as prescribed by ESRS 1 + section 3.5 Financial materiality); + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.c + ref_id: IRO-1-53.c.iii + description: how the undertaking prioritises sustainability-related risks relative + to other types of risks, including its use of risk-assessment tools; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.d + description: a description of the decision-making process and the related internal + control procedures; + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.e + description: "the extent to which and how the process to identify, assess and\ + \ manage impacts and risks is integrated into the undertaking\u2019s overall\ + \ risk management process and used to evaluate the undertaking\u2019s overall\ + \ risk profile and risk management processes;" + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.f + description: "the extent to which and how the process to identify, assess and\ + \ manage opportunities is integrated into the undertaking\u2019s overall management\ + \ process where applicable;" + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.g + description: the input parameters it uses (for example, data sources, the scope + of operations covered and the detail used in assumptions); and + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53.h + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-1-53 + ref_id: IRO-1-53.h + description: whether and how the process has changed compared to the prior reporting + period, when the process was modified for the last time and future revision + dates of the materiality assessment. + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node507 + ref_id: IRO-2 + name: "Disclosure Requirement IRO-2 \u2013 Disclosure Requirements in ESRS covered\ + \ by the undertaking\u2019s sustainability statement" + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.54 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.54 + description: The undertaking shall report on the Disclosure Requirements complied + with in its sustainability statements. + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.55 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.55 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the Disclosure Requirements included in the undertaking\u2019\ + s sustainability statement and of the topics that have been omitted as not\ + \ material, as a result of the materiality assessment." + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.56 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.56 + description: "The undertaking shall include a list of the Disclosure Requirements\ + \ complied with in preparing the sustainability statement, following the outcome\ + \ of the materiality assessment (see ESRS 1 chapter 3), including the page\ + \ numbers and/or paragraphs where the related disclosures are located in the\ + \ sustainability statement. This may be presented as a content index. The\ + \ undertaking shall also include a table of all the datapoints that derive\ + \ from other EU legislation as listed in Appendix B of this standard, indicating\ + \ where they can be found in the sustainability statement and including those\ + \ that the undertaking has assessed as not material, in which case the undertaking\ + \ shall indicate \u2018Not material\u2019 in the table in accordance with\ + \ ESRS 1 paragraph 35." + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.57 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.57 + description: "If the undertaking concludes that climate change is not material\ + \ and therefore omits all disclosure requirements in ESRS E1 Climate change,\ + \ it shall disclose a detailed explanation of the conclusions of its materiality\ + \ assessment with regard to climate change (see ESRS 2 IRO-2 Disclosure Requirements\ + \ in ESRS covered by the undertaking\u2019s sustainability statement), including\ + \ a forward-looking analysis of the conditions that could lead the undertaking\ + \ to conclude that climate change is material in the future." + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.58 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.58 + description: If the undertaking concludes that a topic other than climate change + is not material and therefore omits all the Disclosure Requirements in the + corresponding topical ESRS, it may provide a brief explanation of the conclusions + of its materiality assessment for that topic. + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2.59 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2 + ref_id: IRO-2.59 + description: ' The undertaking shall provide an explanation of how it has determined + the material information to be disclosed in relation to the impacts, risks + and opportunities that it has assessed to be material, including the use of + thresholds and/or how it has implemented the criteria in ESRS 1 section 3.2 + Material matters and materiality of information.' + - urn: urn:intuitem:risk:req_node:esrs_p1:node537 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node506 + name: 4.2 Minimum disclosure requirements on policies and actions + - urn: urn:intuitem:risk:req_node:esrs_p1:node538 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node537 + description: "60.This section sets out minimum disclosure requirements to be\ + \ included when the undertaking discloses information on its policies and\ + \ actions to prevent, mitigate and remediate actual and potential material\ + \ impacts, to address material risks and/or to pursue material opportunities\ + \ (collectively, to \u2018manage material sustainability matters\u2019). They\ + \ shall be applied together with the Disclosure Requirements, including Application\ + \ Requirements, provided in the relevant topical and sector- specific ESRS.\ + \ They shall also be applied when the undertaking prepares entity-specific\ + \ disclosures." + - urn: urn:intuitem:risk:req_node:esrs_p1:node539 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node537 + description: 61.The corresponding disclosures shall be located alongside disclosures + prescribed by the relevant ESRS. When a single policy or same actions address + several interconnected sustainability matters, the undertaking may disclose + the required information in its reporting under one topical ESRS and cross + reference to it in its reporting under other topical ESRS. + - urn: urn:intuitem:risk:req_node:esrs_p1:node540 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node537 + description: 62.If the undertaking cannot disclose the information on policies + and actions required under relevant ESRS, because it has not adopted policies + and/or actions with reference to the specific sustainability matter concerned, + it shall disclose this to be the case, and provide reasons for not having + adopted policies and/or actions. The undertaking may disclose a timeframe + in which it aims to adopt them. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node537 + ref_id: MDR-P + name: "Minimum Disclosure Requirement \u2013 Policies MDR-P \u2013 Policies\ + \ adopted to manage material sustainability matters" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.63 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p + ref_id: MDR-P.63 + description: The undertaking shall apply the minimum disclosure requirements + defined in this provision when it discloses the policies it has in place with + regard to each sustainability matter identified as material. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.64 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p + ref_id: MDR-P.64 + description: The objective of this Minimum Disclosure Requirement is to provide + an understanding of the policies that the undertaking has in place to prevent, + mitigate and remediate actual and potential impacts, to address risks and + to pursue opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p + ref_id: MDR-P.65 + description: 'The undertaking shall disclose information about policies adopted + to manage material sustainability matters. The disclosure shall include the + following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.a + description: a description of the key contents of the policy, including its + general objectives and which material impacts, risks or opportunities the + policy relates to and the process for monitoring; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.b + description: a description of the scope of the policy, or of its exclusions, + in terms of activities, upstream and/or downstream value chain,geographies + and if relevant, affected stakeholder groups; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.c + description: "the most senior level in the undertaking\u2019s organisation that\ + \ is accountable for the implementation of the policy;" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.d + description: a reference, if relevant, to the third-party standards or initiatives + the undertaking commits to respect through the implementation of the policy; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.e + description: if relevant, a description of the consideration given to the interests + of key stakeholders in setting the policy; and + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p.65 + ref_id: MDR-P.65.f + description: if relevant, whether and how the undertaking makes the policy available + to potentially affected stakeholders, and stakeholders who need to help implement + it. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node537 + ref_id: MDR-A + name: "Minimum Disclosure Requirement \u2013 Actions MDR-A \u2013 Actions and\ + \ resources in relation to material sustainability matters" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.66 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a + ref_id: MDR-A.66 + description: The undertaking shall apply the requirements for the content of + disclosures in this provision when it describes the actions through which + it manages each material sustainability matter including action plans and + resources allocated and/or planned. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.67 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a + ref_id: MDR-A.67 + description: The objective of this Minimum Disclosure Requirement is to provide + an understanding of the key actions taken and/or planned to prevent, mitigate + and remediate actual and potential impacts, and to address risks and opportunities, + and where applicable achieve the objectives and targets of related policies. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a + ref_id: MDR-A.68 + description: 'Where the implementation of a policy requires actions, or a comprehensive + action plan, to achieve its objectives, as well as when actions are implemented + without a specific policy, the undertaking shall disclose the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + ref_id: MDR-A.68.a + description: the list of key actions taken in the reporting year and planned + for the future, their expected outcomes and, where relevant, how their implementation + contributes to the achievement of policy objectives and targets; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + ref_id: MDR-A.68.b + description: the scope of the key actions (i.e., coverage in terms of activities, + upstream and/or downstream value chain, geographies and, where applicable, + affected stakeholder groups); + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + ref_id: MDR-A.68.c + description: the time horizons under which the undertaking intends to complete + each key action; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + ref_id: MDR-A.68.d + description: if applicable, key actions taken (along with results) to provide + for and cooperate in or support the provision of remedy for those harmed by + actual material impacts; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.68 + ref_id: MDR-A.68.e + description: if applicable, quantitative and qualitative information regarding + the progress of actions or action plans disclosed in prior periods. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a + ref_id: MDR-A.69 + description: 'Where the implementation of an action plan requires significant + operational expenditures (Opex) and/or capital expenditures (Capex) the undertaking + shall:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69 + ref_id: MDR-A.69.a + description: describe the type of current and future financial and other resources + allocated to the action plan, including if applicable, the relevant terms + of sustainable finance instruments, such as green bonds, social bonds and + green loans, the environmental or social objectives, and whether the ability + to implement the actions or action plan depends on specific preconditions, + e.g., granting of financial support or public policy and market developments; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69 + ref_id: MDR-A.69.b + description: provide the amount of current financial resources and explain how + they relate to the most relevant amounts presented in the financial statements; + and + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a.69 + ref_id: MDR-A.69.c + description: provide the amount of future financial resources. + - urn: urn:intuitem:risk:req_node:esrs_p1:node564 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node329 + name: 5.Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p1:node565 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node564 + description: This chapter sets out Minimum Disclosure Requirements that shall + be included when the undertaking discloses information on its metrics and + targets related to each material sustainability matter. They shall be applied + together with the Disclosure Requirements, including Application Requirements, + provided in the relevant topical ESRS. They shall also be applied when the + undertaking prepares entity-specific disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p1:node566 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node564 + description: The corresponding disclosures shall be located alongside disclosures + prescribed by the topical ESRS. + - urn: urn:intuitem:risk:req_node:esrs_p1:node567 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node564 + description: If the undertaking cannot disclose the information on targets required + under the relevant topical ESRS, because it has not set targets with reference + to the specific sustainability matter concerned, it shall disclose this to + be the case, and provide reasons for not having adopted targets. The undertaking + may disclose a timeframe in which it aims to adopt them. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node567 + ref_id: MDR-M + name: "Minimum disclosure requirement \u2013 Metrics MDR-M \u2013 Metrics in\ + \ relation to material sustainability matters" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.73 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + ref_id: MDR-M.73 + description: The undertaking shall apply the requirements for the content of + disclosures in this provision when it discloses on the metrics it has in place + with regard to each material sustainability matter. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.74 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + ref_id: MDR-M.74 + description: The objective of this Minimum Disclosure Requirement is to provide + an understanding of the metrics the undertaking uses to track the effectiveness + of its actions to manage material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.75 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + ref_id: MDR-M.75 + description: The undertaking shall disclose any metrics that it uses to evaluate + performance and effectiveness, in relation to a material impact, risk or opportunity. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.76 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + ref_id: MDR-M.76 + description: Metrics shall include those defined in ESRS, as well as metrics + identified on an entity-specific basis, whether taken from other sources or + developed by the undertaking itself. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m + ref_id: MDR-M.77 + description: 'For each metric, the undertaking shall:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77 + ref_id: MDR-M.77.a + description: disclose the methodologies and significant assumptions behind the + metric, including the limitations of the methodologies used; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77 + ref_id: MDR-M.77.b + description: disclose whether the measurement of the metric is validated by + an external body other than the assurance provider and, if so, which body; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77 + ref_id: MDR-M.77.c + description: label and define the metric using meaningful, clear and precise + names and descriptions; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-m.77 + ref_id: MDR-M.77.d + description: when currency is specified as the unit of measure, use the presentation + currency of its financial statements. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node567 + ref_id: MDR-T + name: "Minimum Disclosure Requirement \u2013 Targets MDR-T \u2013 Tracking effectiveness\ + \ of policies and actions through targets" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.78 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t + ref_id: MDR-T.78 + description: The undertaking shall apply the requirements for the content of + disclosures in this provision when it discloses information about the targets + it has set with regard to each material sustainability matter. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t + ref_id: MDR-T.79 + description: 'The objective of this Minimum Disclosure Requirement is to provide + for each material sustainability matter an understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + ref_id: MDR-T.79.a + description: whether and how the undertaking tracks the effectiveness of its + actions to address material impacts, risks and opportunities, including the + metrics it uses to do so; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + ref_id: MDR-T.79.b + description: measurable time-bound outcome-oriented targets set by the undertaking + to meet the policy s objectives, defined in terms of expected results for + people, the environment or the undertaking regarding material impacts, risks + and opportunities; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + ref_id: MDR-T.79.c + description: the overall progress towards the adopted targets over time; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + ref_id: MDR-T.79.d + description: in the case that the undertaking has not set measurable time-bound + outcome-oriented targets, whether and how it nevertheless tracks the effectiveness + of its actions to address material impacts, risks and opportunities and measures + the progress in achieving its policy objectives; and + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.79 + ref_id: MDR-T.79.e + description: whether and how stakeholders have been involved in target setting + for each material sustainability matter. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t + ref_id: MDR-T.80 + description: 'The undertaking shall disclose the measurable, outcome-oriented + and time-bound targets on material sustainability matters it has set to assess + progress. For each target, the disclosure shall include the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.a + description: a description of the relationship of the target to the policy objectives; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.b + description: the defined target level to be achieved, including, where applicable, + whether the target is absolute or relative and in which unit it is measured; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.c + description: " the scope of the target, including the undertaking\u2019s activities\ + \ and/or its upstream and/or downstream value chain where applicable and geographical\ + \ boundaries;" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.d + description: the baseline value and base year from which progress is measured; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.e + description: the period to which the target applies and if applicable, any milestones + or interim targets; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.f + description: the methodologies and significant assumptions used to define targets, + including where applicable, the selected scenario, data sources, alignment + with national, EU or international policy goals and how the targets consider + the wider context of sustainable development and/or local situation in which + impacts take place; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.g + description: "whether the undertaking\u2019s targets related to environmental\ + \ matters are based on conclusive scientific evidence;" + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.h + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.h + description: whether and how stakeholders have been involved in target setting + for each material sustainability matter; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.i + description: any changes in targets and corresponding metrics or underlying + measurement methodologies, significant assumptions, limitations, sources and + processes to collect data adopted within the defined time horizon. This includes + an explanation of the rationale for those changes and their effect on comparability + (see Disclosure Requirement BP-2 Disclosures in relation to specific circumstances + of this Standard); and + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80.j + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.80 + ref_id: MDR-T.80.j + description: the performance against its disclosed targets, including information + on how the target is monitored and reviewed and the metrics used, whether + the progress is in line with what had been initially planned, and an analysis + of trends or significant changes in the performance of the undertaking towards + achieving the target. + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t + ref_id: MDR-T.81 + description: 'If the undertaking has not set any measurable outcome-oriented + targets:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81 + ref_id: MDR-T.81.a + description: it may disclose whether such targets will be set and the timeframe + for setting them, or the reasons why the undertaking does not plan to set + such targets; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81 + ref_id: MDR-T.81.b + description: 'it shall disclose whether it nevertheless tracks the effectiveness + of its policies and actions in relation to the material sustainability-related + impact, risk and opportunity, and if so:' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.b + ref_id: MDR-T.81.b.i + description: any processes through which it does so; + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t.81.b + ref_id: MDR-T.81.b.ii + description: the defined level of ambition to be achieved and any qualitative + or quantitative indicators it uses to evaluate progress, including the base + period from which progress is measured. + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + assessable: false + depth: 1 + ref_id: ESRS 2 Appendix A + description: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p1:node603 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + name: 1. Basis for preparation + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node603 + ref_id: BP-1 AR + name: "Disclosure Requirement BP-1 \u2013 General basis for preparation of sustainability\ + \ statements" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar + ref_id: BP-1 AR 1 + description: "When describing to what extent the sustainability statement covers\ + \ the undertaking\u2019s upstream and downstream value chain (see ESRS 1 section\ + \ 5.1 Reporting undertaking and value chain), the undertaking may distinguish\ + \ between:" + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-ar-1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar-1 + ref_id: ESRS 2-AR 1.a + description: the extent to which its materiality assessment of impacts, risks + and opportunities extends to its upstream and/or downstream value chain; + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-ar-1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar-1 + ref_id: ESRS 2-AR 1.b + description: the extent to which its policies, actions and targets extend to + its value chain; and + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-ar-1.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-1-ar-1 + ref_id: ESRS 2-AR 1.c + description: the extent to which it includes upstream and/or downstream value + chain data when disclosing on metrics. + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node603 + ref_id: BP-2 AR + name: "Disclosure Requirement BP-2 \u2013 Disclosures in relation to specific\ + \ circumstances" + - urn: urn:intuitem:risk:req_node:esrs_p1:bp-2-ar-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:bp-2-ar + ref_id: BP-2 AR 2 + description: The undertaking may disclose whether it relies on any European + standards approved by the European Standardisation System (ISO/IEC or CEN/CENELEC + standards), as well as the extent to which data and processes that are used + for sustainability reporting purposes have been verified by an external assurance + provider and found to conform to the corresponding ISO/IEC or CEN/CENELEC + standard. + - urn: urn:intuitem:risk:req_node:esrs_p1:node611 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + name: 2. Governance + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node611 + ref_id: GOV-1 AR + name: "Disclosure Requirement GOV-1 \u2013 The role of the administrative, management\ + \ and supervisory bodies" + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar + ref_id: GOV-1 AR 3 + description: 'In describing the role and responsibilities of the administrative, + management and supervisory bodies with regard to sustainability matters, the + undertaking may specify:' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3 + ref_id: GOV-1 AR 3.a + description: 'the aspects of sustainability over which oversight is exercised + with regard to the environmental, social and governance matters the undertaking + may be facing, including: ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a + ref_id: GOV-1 AR 3.a.i + description: "any assessment of and changes to sustainability-related aspects\ + \ of the undertaking\u2019s strategy and business model; " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a.ii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a + ref_id: GOV-1 AR 3.a.ii + description: 'the identification and assessment of material risks, opportunities + and impacts; ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a.iii + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a + ref_id: GOV-1 AR 3.a.iii + description: 'related policies and targets, action plans and dedicated resources; + and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a.iv + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.a + ref_id: GOV-1 AR 3.a.iv + description: 'sustainability reporting; ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3 + ref_id: GOV-1 AR 3.b + description: 'the form such oversight takes for each of the above aspects: i.e., + information, consultation or decision-making; and ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-3 + ref_id: GOV-1 AR 3.c + description: 'the way such oversight is organised and formalised, i.e., processes + by which the administrative, management and supervisory bodies engage with + these aspects of sustainability. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar + ref_id: GOV-1 AR 4 + description: "In describing the undertaking\u2019s organisation of governance\ + \ regarding sustainability matters, a description of complex governance structure\ + \ may be complemented by their presentation in the form of a diagram. " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-1-ar + ref_id: GOV-1 AR 5 + description: "The description of the level of expertise or access to expertise\ + \ of the administrative, management and supervisory bodies may be substantiated\ + \ by illustrating the composition of the bodies, including members on whom\ + \ these bodies rely for expertise to oversee sustainability matters, and how\ + \ they leverage that expertise as a body. In the description, the undertaking\ + \ shall consider how the expertise and skills are relevant to the undertaking\u2019\ + s material impacts, risks and opportunities and whether the bodies and/or\ + \ its members have access to other sources of expertise, such as specific\ + \ experts and training and other educational initiatives to update and develop\ + \ sustainability-related expertise within these bodies. " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node611 + ref_id: GOV-2 AR + name: "Disclosure Requirement GOV-2 \u2013 Information provided to and sustainability\ + \ matters addressed by the undertaking\u2019s administrative, management and\ + \ supervisory bodies " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-2-ar-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-2-ar + ref_id: GOV-2 AR 6 + description: "Depending on the undertaking\u2019s structure, the administrative,\ + \ management and supervisory bodies may focus on overarching targets, while\ + \ management focuses on the more detailed targets. In this case, the undertaking\ + \ may disclose how the governance bodies ensure that an appropriate mechanism\ + \ for performance monitoring is in place. " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node611 + ref_id: GOV-3 AR + name: "Disclosure Requirement GOV-3 \u2013 Integration of sustainability-related\ + \ performance in incentive schemes " + description: 'For listed undertakings, this Disclosure Requirement should be + consistent with the remuneration report prescribed in articles 9a and 9b of + Directive 2007/36/EC on the exercise of certain rights of shareholders in + listed companies. Subject to the provisions of ESRS 1, paragraphs 119, 120 + and 122, a listed undertaking may make a reference to its remuneration report. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-3-ar-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-3-ar + ref_id: GOV-3 AR 7 + description: For listed undertakings, this Disclosure Requirement should be + consistent with the remuneration report prescribed in articles 9a and 9b of + Directive 2007/36/EC on the exercise of certain rights of shareholders in + listed companies. Subject to the provisions of ESRS 1, paragraphs 119, 120 + and 122, a listed undertaking may make a reference to its remuneration report. + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node611 + ref_id: GOV-4 AR + name: "Disclosure Requirement GOV-4 \u2013 Statement on due diligence " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar + ref_id: GOV-4 AR 8 + description: "The mapping required by paragraph 30 may be presented in the form\ + \ of a table, cross-referencing the core elements of due diligence, for impacts\ + \ on people and the environment, to the relevant disclosures in the undertaking\u2019\ + s sustainability statement, as set out below. " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar-9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar + ref_id: GOV-4 AR 9 + description: 'The undertaking may include additional columns to the table below + to clearly identify those disclosures that relate to impacts on people and/or + the environment given that, in some cases, more than one disclosure may provide + information about the same due diligence step. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar-10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-4-ar + ref_id: GOV-4 AR 10 + description: The main references in the international instruments of the UN + Guiding Principles on Business and Human Rights and the OECD Guidelines for + Multinational Enterprises to the core elements of the due diligence process + are listed in ESRS 1 chapter 4 + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node611 + ref_id: GOV-5 AR + name: "Disclosure Requirement GOV-5 \u2013 Risk management and internal controls\ + \ over sustainability reporting " + - urn: urn:intuitem:risk:req_node:esrs_p1:gov-5-ar-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:gov-5-ar + ref_id: GOV-5 AR 11 + description: 'This Disclosure Requirement focuses solely on the internal control + processes over the sustainability reporting process. The undertaking may consider + risks such as the completeness and integrity of the data, the accuracy of + estimation results, the availability of upstream and/or downstream value chain + data, and the timing of the availability of the information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node633 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + name: '3.Strategy ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar" + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node633 + ref_id: "SBM\u20131 AR" + name: "Disclosure Requirement SBM\u20131 Strategy, business model and value\ + \ chain " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-12" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar" + ref_id: "SBM\u20131 AR 12" + description: "To provide the information on sectors required by paragraph 40,\ + \ the undertaking shall map its significant activities in accordance with\ + \ ESRS sectors. If a code for a sub-sector does not exist, the caption \u2018\ + others\u2019 shall be used. " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-13" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar" + ref_id: "SBM\u20131 AR 13" + description: 'For the purposes of the disclosures required in paragraph 40, + a group of products and/or services offered, a group of markets and/or customer + groups served, or an ESRS sector, is significant for the undertaking if it + meets one or both of the following criteria: ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-13.a" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-13" + ref_id: "SBM\u20131 AR 13.a" + description: "it accounts for more than 10 per cent of the undertaking\u2019\ + s revenue; " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-13.b" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-13" + ref_id: "SBM\u20131 AR 13.b" + description: 'it is connected with material actual impacts or material potential + negative impacts of the undertaking. ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar" + ref_id: "SBM\u20131 AR 14" + description: In preparing disclosures relating to its business model and value + chain, the undertaking shall consider + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14.a" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14" + ref_id: "SBM\u20131 AR 14.a" + description: 'its key activities, resources, distribution channels and customer + segments; ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14.b" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14" + ref_id: "SBM\u20131 AR 14.b" + description: 'its key business relationships and their key characteristics, + including relationships with customers and suppliers; ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14.c" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14" + ref_id: "SBM\u20131 AR 14.c" + description: 'the cost structure and revenue of its business segments, in line + with IFRS 8 disclosure requirements in the financial statement, where applicable; ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14.d" + assessable: true + depth: 5 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-14" + ref_id: "SBM\u20131 AR 14.d" + description: 'the potential impacts, risks and opportunities in its significant + sector(s) and their possible relationship to its own business model or value + chain. ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar-15" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20131-ar" + ref_id: "SBM\u20131 AR 15" + description: "Contextual information may be particularly relevant for users\ + \ of the undertaking\u2019s sustainability statement, to understand to what\ + \ extent the disclosures include upstream and/or downstream value chain information.\ + \ The description of the main features of the upstream and/or downstream value\ + \ chain and where applicable the identification of key value chains should\ + \ support an understanding of how the undertaking applies the requirements\ + \ of ESRS 1 chapter 5 and the materiality assessment performed by the undertaking\ + \ in line with ESRS 1 chapter 3. The description may provide a high-level\ + \ overview of the key features of upstream and/or downstream value chain entities\ + \ indicating their relative contribution to the undertaking\u2019s performance\ + \ and position and explaining how they contribute to the value creation of\ + \ the undertaking. " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20132-ar" + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node633 + ref_id: "SBM\u20132 AR" + name: "Disclosure Requirement SBM-2 \u2013 Interests and views of stakeholders " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20132-ar-16" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20132-ar" + ref_id: "SBM\u20132 AR 16" + description: "The views and interests of stakeholders that are expressed as\ + \ part of the undertaking\u2019s engagement with stakeholders through its\ + \ due diligence process may be relevant to one or more aspects of its strategy\ + \ or business model. As such, they may affect the undertaking\u2019s decisions\ + \ regarding the future direction of the strategy or business model. " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20133-ar" + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node633 + ref_id: "SBM\u20133 AR" + name: "Disclosure Requirement SBM-3 \u2013 Material impacts, risks and opportunities\ + \ and their interaction with strategy and business model " + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20133-ar-17" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20133-ar" + ref_id: "SBM\u20133 AR 17" + description: 'When describing where in its upstream and/or downstream value + chain material impacts, risks and opportunities are concentrated, the undertaking + shall consider: geographical areas, facilities or types of assets, inputs, + outputs and distribution channels. ' + - urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20133-ar-18" + assessable: true + depth: 4 + parent_urn: "urn:intuitem:risk:req_node:esrs_p1:sbm\u20133-ar" + ref_id: "SBM\u20133 AR 18" + description: 'This disclosure may be expressed in terms of a single impact, + risk or opportunity or by aggregating groups of material impacts, risks and + opportunities, when this provides more relevant information and does not obscure + material information. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node650 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + name: '4.Impact, risk and opportunity management ' + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node650 + ref_id: IRO-2 AR + name: "Disclosure Requirement IRO-2 \u2013 Disclosure Requirements in ESRS covered\ + \ by the undertaking\u2019s sustainability statement " + - urn: urn:intuitem:risk:req_node:esrs_p1:iro-2-ar-19 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:iro-2-ar + ref_id: IRO-2 AR 19 + description: 'Notwithstanding the basis for the presentation of the information + about sustainability matters included in ESRS 1 chapter 8 Structure of sustainability + statement, the undertaking may disclose the list of the Disclosure Requirements + complied with in preparing the sustainability statement (see paragraph 54) + in the general information part or in other parts of the sustainability statement + as it deems appropriate. The undertaking may use a content index, i.e., a + tabular list of the Disclosure Requirements included in the sustainability + statement, with the indication of where they are located (page/paragraphs). ' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node650 + ref_id: MDR-P AR + name: "Minimum Disclosure Requirement \u2013 Policies MDR-P \u2013 Policies\ + \ adopted to manage material sustainability matters " + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p-ar-20 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p-ar + ref_id: MDR-P AR 20 + description: 'Due to the interdependency between impacts on people and the environment, + risks and opportunities, a single policy may apply to several material sustainability + matters, including matters addressed by more than one topical ESRS. For example, + if a single policy covers both an environmental matter and a social matter, + the undertaking may report on the policy in the environmental section of its + sustainability statement. In this case, it should include in the social section + a cross- reference to the environmental section where the policy is reported. + Equally a policy may be reported in the social section with a cross- reference + to it in the environmental section. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p-ar-21 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-p-ar + ref_id: MDR-P AR 21 + description: "The description of the scope of the policy may explain which activities\ + \ and/or segments of the undertaking\u2019s own operations or upstream and\ + \ downstream value chain it concerns. The description may also explain further\ + \ boundaries relevant to the specific topic or the undertaking\u2019s circumstances,\ + \ which may include geographies, life cycles, etc. In certain cases, such\ + \ as if the policy does not cover the full value chain, the undertaking may\ + \ provide clear information regarding the extent of the value chain covered\ + \ by the policy. " + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node650 + ref_id: MDR-A AR + name: "Minimum disclosure requirement \u2013 Actions MDR-A \u2013 Actions and\ + \ resources in relation to material sustainability matters " + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a-ar-22 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a-ar + ref_id: MDR-A AR 22 + description: "Key actions in the context of this Minimum Disclosure Requirement\ + \ are those actions that materially contribute to achieving the undertaking\u2019\ + s objectives in addressing material impacts, risks and opportunities. For\ + \ reasons of understandability, key actions may be aggregated where appropriate. " + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a-ar-23 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-a-ar + ref_id: MDR-A AR 23 + description: 'Information on resource allocation may be presented in the form + of a table and broken down between capital expenditure and operating expenditure, + and across the relevant time horizons, and between resources applied in the + current reporting year and the planned allocation of resources over specific + time horizons. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:node659 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-a + name: '5.Metrics and targets ' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:node659 + ref_id: MDR-T AR + name: "Minimum Disclosure Requirement \u2013 Targets MDR-T \u2013 Tracking effectiveness\ + \ of policies and actions through targets " + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar-24 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar + ref_id: MDR-T AR 24 + description: 'When disclosing targets related to the prevention or mitigation + of environmental impacts, the undertaking shall prioritise targets related + to the reduction of the impacts in absolute terms rather than in relative + terms. When targets address the prevention or mitigation of social impacts, + they may be specified in terms of the effects on human rights, welfare or + positive outcomes for affected stakeholders. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar-25 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar + ref_id: MDR-T AR 25 + description: 'The information on progress made towards achieving the targets + may be presented in a comprehensive table, including information on the baseline + and target value, milestones, and achieved performance over the prior periods. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar-26 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:mdr-t-ar + ref_id: MDR-T AR 26 + description: 'Where the undertaking describes progress in achieving the objectives + of a policy in the absence of a measurable target, it may specify a baseline + against which the progress is considered. For example, the undertaking may + assess an increase of wages by a certain percentage for those below a fair + wage; or may assess the quality of its relationships with local communities + by reference to the proportion of issues raised by communities that were resolved + to their satisfaction. The baseline and the assessment of the progress shall + be related to the impacts, risks and opportunities which underpin the materiality + of the matter addressed by the policy. ' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-b + assessable: false + depth: 1 + ref_id: ESRS 2-Appendix B + description: List of datapoints in cross-cutting and topical standards that + derive from other EU legislation + - urn: urn:intuitem:risk:req_node:esrs_p1:node665 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-b + description: 'This appendix is an integral part of the ESRS 2. The table below + illustrates the + + datapoints in ESRS 2 and topical ESRS that derive from other EU legislation.' + - urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-c + assessable: false + depth: 1 + ref_id: ESRS 2-Appendix C + description: Disclosure and Application Requirements in Topical ESRS that are + applicable in conjunction with ESRS 2 General disclosures + - urn: urn:intuitem:risk:req_node:esrs_p1:node667 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p1:esrs-2-appendix-c + description: This appendix is an integral part of ESRS 2 and has the same authority + as the other parts of the standard. The following table outlines the requirements + in topical ESRS that need to be taken into account when reporting against + the Disclosure Requirements in ESRS 2. diff --git a/backend/library/libraries/esrs-p2.yaml b/backend/library/libraries/esrs-p2.yaml new file mode 100644 index 000000000..566a1bc88 --- /dev/null +++ b/backend/library/libraries/esrs-p2.yaml @@ -0,0 +1,10071 @@ +urn: urn:intuitem:risk:library:esrs_p2 +locale: en +ref_id: ESRS E1/ESRS E2/ESRS E3/ESRS E4/ESRS E5 +name: European sustainability reporting standards (ESRS E1/ESRS E2/ESRS E3/ESRS E4/ESRS + E5) +description: 'The Commission adopted today the European Sustainability Reporting Standards + (ESRS) for use by all companies subject to the Corporate Sustainability Reporting + Directive (CSRD). + + ESRS E1 Climate change-ESRS E2 Pollution-ESRS E3 Water and marine resources-ESRS + E4 Biodiversity and ecosystems-ESRS E5 Resource use and circular economy + + Current consolidated version: 22/12/2023 + + https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222' +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:esrs_p2 + ref_id: ESRS E1/ESRS E2/ESRS E3/ESRS E4/ESRS E5 + name: European sustainability reporting standards (ESRS E1/ESRS E2/ESRS E3/ESRS + E4/ESRS E5) + description: 'The Commission adopted today the European Sustainability Reporting + Standards (ESRS) for use by all companies subject to the Corporate Sustainability + Reporting Directive (CSRD). + + ESRS E1 Climate change-ESRS E2 Pollution-ESRS E3 Water and marine resources-ESRS + E4 Biodiversity and ecosystems-ESRS E5 Resource use and circular economy + + Current consolidated version: 22/12/2023 + + https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1 + assessable: false + depth: 1 + ref_id: ESRS E1 + name: 'CLIMATE CHANGE ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1 + name: 'Objective ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: "1.The objective of this Standard is to specify Disclosure Requirements\ + \ which will enable users of sustainability statements to understand: \n(a)\t\ + how the undertaking affects climate change, in terms of material positive\ + \ and negative actual and potential impacts; \n(b)\tthe undertaking\u2019\ + s past, current, and future mitigation efforts in line with the Paris Agreement\ + \ (or an updated international agreement on climate change) and compatible\ + \ with limiting global warming to 1.5\xB0C; \n(c)\tthe plans and capacity\ + \ of the undertaking to adapt its strategy and business model, in line with\ + \ the transition to a sustainable economy and to contribute to limiting global\ + \ warming to 1.5\xB0C; \n(d)\tany other actions taken by the undertaking,\ + \ and the result of such actions to prevent, mitigate or remediate actual\ + \ or potential negative impacts, and to address risks and opportunities; \n\ + (e)\tthe nature, type and extent of the undertaking\u2019s material risks\ + \ and opportunities arising from the undertaking\u2019s impacts and dependencies\ + \ on climate change, and how the undertaking manages them; and \n(f)\tthe\ + \ financial effects on the undertaking over the short-, medium- and long-term\ + \ of risks and opportunities arising from the undertaking\u2019s impacts and\ + \ dependencies on climate change. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: '2.The Disclosure Requirements of this Standard take into account + the requirements of related EU legislation and regulation (i.e., EU Climate + Law ( 23 ), Climate Benchmark Standards Regulation ( 24 ), Sustainable Finance + Disclosure Regulation (SFDR) ( 25 ), EU Taxonomy ( 26 ), and EBA Pillar 3 + disclosure requirements ( 27 )). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: "3.This Standard covers Disclosure Requirements related to the\ + \ following sustainability matters: \u2018Climate change mitigation\u2019\ + \ and \u2018Climate change adaptation\u2019. It also covers energy-related\ + \ matters, to the extent that they are relevant to climate change. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: "4.Climate change mitigation relates to the undertaking\u2019s\ + \ endeavours to the general process of limiting the increase in the global\ + \ average temperature to 1,5 \xB0C above pre-industrial levels in line with\ + \ the Paris Agreement. This Standard covers disclosure requirements related\ + \ but not limited to the seven Greenhouse gases (GHG) carbon dioxide (CO2),\ + \ methane (CH4), nitrous oxide (N2O), hydrofluorocarbons (HFCs), perfluorocarbons\ + \ (PFCs), sulphur hexafluoride (SF6) and nitrogen trifluoride (NF3). It also\ + \ covers Disclosure Requirements on how the undertaking addresses its GHG\ + \ emissions as well as the associated transition risks. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: "5.Climate change adaptation relates to the undertaking\u2019s\ + \ process of adjustment to actual and expected climate change. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: '6.This Standard covers Disclosure Requirements regarding climate-related + hazards that can lead to physical climate risks for the undertaking and its + adaptation solutions to reduce these risks. It also covers transition risks + arising from the needed adaptation to climate- related hazards. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node10 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node3 + description: "7.The Disclosure Requirements related to \u2018Energy\u2019 cover\ + \ all types of energy production and consumption. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1 + name: 'Interactions with other ESRS ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node11 + description: "8.\tOzone-depleting substances (ODS), nitrogen oxides (NOX) and\ + \ sulphur oxides (SOX), among other air emissions, are connected to climate\ + \ change but are covered under the reporting requirements in ESRS E2. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node13 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node11 + description: "9.\tImpacts on people that may arise from the transition to a\ + \ climate-neutral economy are covered under the ESRS S1 Own workforce, ESRS\ + \ S2 Workers in the value chain, ESRS S3 Affected communities and ESRS S4\ + \ Consumers and end-users. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node14 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node11 + description: "10.\tClimate change mitigation and adaptation are closely related\ + \ to topics addressed in particular in ESRS E3 Water and marine resources\ + \ and ESRS E4 Biodiversity and ecosystems. With regard to water and as illustrated\ + \ in the table of climate-related hazards in AR 11, this standard addresses\ + \ acute and chronic physical risks which arise from the water and ocean-related\ + \ hazards. Biodiversity loss and ecosystem degradation that may be caused\ + \ by climate change are addressed in ESRS E4 Biodiversity and ecosystems. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node15 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node11 + description: "11.\tThis Standard should be read and applied in conjunction with\ + \ ESRS 1 General requirements and ESRS 2 General disclosures. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node16 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1 + name: 'Disclosure Requirements ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node17 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node16 + name: ESRS 2 General disclosures + description: "12.\tThe requirements of this section should be read and applied\ + \ in conjunction with the disclosures required by ESRS 2 on Chapter 2 Governance,\ + \ Chapter 3 Strategy and Chapter 4 Impact, risk and opportunity management.\ + \ The resulting disclosures shall be presented in the sustainability statement\ + \ alongside the disclosures required by ESRS 2, except for ESRS 2 SBM-3 Material\ + \ impacts, risks and opportunities and their interaction with strategy and\ + \ business model, for which the undertaking may, in accordance with ESRS 2\ + \ paragraph 49, present the disclosures alongside the other disclosures required\ + \ in this topical standard. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node18 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'Governance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node19 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node18 + name: Disclosure requirement related to ESRS 2 GOV-3 + description: 'Integration of sustainability- related performance in incentive + schemes ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.gov-3-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node19 + ref_id: E1.GOV-3-13 + description: 'The undertaking shall disclose whether and how climate-related + considerations are factored into the remuneration of members of the administrative, + management and supervisory bodies, including if their performance has been + assessed against the GHG emission reduction targets reported under Disclosure + Requirement E1-4 and the percentage of the remuneration recognised in the + current period that is linked to climate related considerations, with an explanation + of what the climate considerations are. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node21 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'Strategy ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node21 + ref_id: E1-1 + name: Disclosure Requirement E1-1 + description: 'Transition plan for climate change mitigation ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1 + ref_id: E1-1-14 + description: 'The undertaking shall disclose its transition plan for climate + change mitigation ( 28 ). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1 + ref_id: E1-1 -15 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the undertaking\u2019s past, current, and future mitigation efforts to\ + \ ensure that its strategy and business model are compatible with the transition\ + \ to a sustainable economy, and with the limiting of global warming to 1.5\ + \ \xB0C in line with the Paris Agreement and with the objective of achieving\ + \ climate neutrality by 2050 and, where relevant, the undertaking\u2019s exposure\ + \ to coal, oil and gas-related activities. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1 + ref_id: E1-1 -16 + description: 'The information required by paragraph 14 shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.a + description: "by reference to GHG emission reduction targets (as required by\ + \ Disclosure Requirement E1-4), an explanation of how the undertaking\u2019\ + s targets are compatible with the limiting of global warming to 1.5\xB0C in\ + \ line with the Paris Agreement; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.b + description: "by reference to GHG emission reduction targets (as required by\ + \ Disclosure Requirement E1-4) and the climate change mitigation actions (as\ + \ required by Disclosure Requirement E1-3), an explanation of the decarbonisation\ + \ levers identified, and key actions planned, including changes in the undertaking\u2019\ + s product and service portfolio and the adoption of new technologies in its\ + \ own operations, or the upstream and/or downstream value chain; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.c + description: "by reference to the climate change mitigation actions (as required\ + \ by Disclosure Requirement E1-3), an explanation and quantification of the\ + \ undertaking\u2019s investments and funding supporting the implementation\ + \ of its transition plan, with a reference to the key performance indicators\ + \ of taxonomy-aligned CapEx, and where relevant the CapEx plans, that the\ + \ undertaking discloses in accordance with Commission Delegated Regulation\ + \ (EU) 2021/2178; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.d + description: "a qualitative assessment of the potential locked-in GHG emissions\ + \ from the undertaking\u2019s key assets and products. This shall include\ + \ an explanation of if and how these emissions may jeopardise the achievement\ + \ of the undertaking\u2019s GHG emission reduction targets and drive transition\ + \ risk, and if applicable, an explanation of the undertaking\u2019s plans\ + \ to manage its GHG-intensive and energy- intensive assets and products; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.e + description: 'for undertakings with economic activities that are covered by + delegated regulations on climate adaptation or mitigation under the Taxonomy + Regulation, an explanation of any objective or plans (CapEX, CapEx plans, + OpEX) that the undertaking has for aligning its economic activities (revenues, + CapEx, OpEx) with the criteria established in Commission Delegated Regulation + 2021/2139 ( 29 ); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.f + description: 'if applicable, a disclosure of significant CapEx amounts invested + during the reporting period related to coal, oil and gas-related economic + activities; ( 30 ) ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.g + description: 'a disclosure on whether or not the undertaking is excluded from + the EU Paris-aligned Benchmarks; ( 31 ) ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.h + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.h + description: "an explanation of how the transition plan is embedded in and aligned\ + \ with the undertaking\u2019s overall business strategy and financial planning; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.i + description: 'whether the transition plan is approved by the administrative, + management and supervisory bodies; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16.j + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--16 + ref_id: E1-1 -16.j + description: "an explanation of the undertaking\u2019s progress in implementing\ + \ the transition plan. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1 + ref_id: E1-17 + description: 'In case the undertaking does not have a transition plan in place, + it shall indicate whether and, if so, when it will adopt a transition plan. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node37 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node21 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: 'Material impacts, risks and opportunities and their interaction + with strategy and business model ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node37 + ref_id: E1.SBM-3-18 + description: 'The undertaking shall explain for each material climate-related + risk it has identified, whether the entity considers the risk to be a climate- + related physical risk or climate-related transition risk. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node37 + ref_id: E1.SBM-3-19 + description: 'The undertaking shall describe the resilience of its strategy + and business model in relation to climate change. This description shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19 + ref_id: E1.SBM-3-19.a + description: 'the scope of the resilience analysis; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19 + ref_id: E1.SBM-3-19.b + description: 'how and when the resilience analysis has been conducted, including + the use of climate scenario analysis as referenced in the Disclosure Requirement + related to ESRS 2 IRO-1 and the related application requirement paragraphs; + and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3-19 + ref_id: E1.SBM-3-19.c + description: 'the results of the resilience analysis including the results from + the use of scenario analysis. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node43 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'Impact, risk and opportunity management ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node44 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node43 + name: Disclosure requirement related to ESRS 2 IRO-1 + description: 'Description of the processes to identify and assess material climate-related + impacts, risks and opportunities ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node44 + ref_id: E1.IRO-1-20 + description: 'The undertaking shall describe the process to identify and assess + climate-related impacts, risks and opportunities. This description shall include + its process in relation to: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20 + ref_id: E1.IRO-1-20.a + description: "impacts on climate change, in particular, the undertaking\u2019\ + s GHG emissions (as required by Disclosure Requirement ESRS E1-6); " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20 + ref_id: E1.IRO-1-20.b + description: 'climate-related physical risks in own operations and along the + upstream and downstream value chain, in particular: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.b + ref_id: E1.IRO-1-20.b.i + description: 'the identification of climate-related hazards, considering at + least high emission climate scenarios; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.b + ref_id: E1.IRO-1-20.b.ii + description: 'the assessment of how its assets and business activities may be + exposed and are sensitive to these climate-related hazards, creating gross + physical risks for the undertaking. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20 + ref_id: E1.IRO-1-20.c + description: 'climate-related transition risks and opportunities in own operations + and along the upstream and downstream value chain, in particular: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.c + ref_id: E1.IRO-1-20.c.i + description: "the identification of climate-related transition events, considering\ + \ at least a climate scenario in line with limiting global warming to 1.5\xB0\ + C with no or limited overshoot; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-20.c + ref_id: E1.IRO-1-20.c.ii + description: 'the assessment of how its assets and business activities may be + exposed to these climate-related transition events, creating gross transition + risks or opportunities for the undertaking. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node44 + ref_id: E1.IRO-1-21 + description: 'When disclosing the information required under paragraphs 20 (b)and + 20 (c) the undertaking shall explain how it has used climate-related scenario + analysis, including a range of climate scenarios, to inform the identification + and assessment of physical risks and transition risks and opportunities over + the short-, medium- and long-term. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node43 + ref_id: E1-2 + name: 'Disclosure Requirement E1-2 ' + description: Policies related to climate change mitigation and adaptation + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2 + ref_id: E1-2.22 + description: 'The undertaking shall describe its policies adopted to manage + its material impacts, risks and opportunities related to climate change mitigation + and adaptation. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2 + ref_id: E1-2.23 + description: 'The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of its material climate change mitigation + and adaptation impacts, risks and opportunities. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2 + ref_id: E1-2.24 + description: 'The disclosure required by paragraph 22 shall contain the information + on the policies the undertaking has in place to manage its material impacts, + risks and opportunities related to climate change mitigation and adaptation + in accordance with ESRS 2 MDR-P Policies adopted to manage material sustainability + matters. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2 + ref_id: E1-2.25 + description: 'The undertaking shall indicate whether and how its policies address + the following areas: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + ref_id: E1-2.25.a + description: climate change mitigation; + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + ref_id: E1-2.25.b + description: climate change adaptation; + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + ref_id: E1-2.25.c + description: energy efficiency; + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + ref_id: E1-2.25.d + description: renewable energy deployment; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2.25 + ref_id: E1-2.25.e + description: 'other ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node43 + ref_id: E1-3 + name: Disclosure Requirement E1-3 + description: 'Actions and resources in relation to climate change policies ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3 + ref_id: E1-3.26 + description: 'The undertaking shall disclose its climate change mitigation and + adaptation actions and the resources allocated for their implementation. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3 + ref_id: E1-3.27 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of the key actions taken and planned to achieve climate-related + policy objectives and targets. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3 + ref_id: E1-3.28 + description: 'The description of the actions and resources related to climate + change mitigation and adaptation shall follow the principles stated in ESRS + 2 MDR-A Actions and resources in relation to material sustainability matters. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3 + ref_id: E1-3.29 + description: 'In addition to ESRS 2 MDR-A, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29 + ref_id: E1-3.29.a + description: 'when listing key actions taken in the reporting year and planned + for the future, present the climate change mitigation actions by decarbonisation + lever including the nature- based solutions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29 + ref_id: E1-3.29.b + description: 'when describing the outcome of the actions for climate change + mitigation, include the achieved and expected GHG emission reductions; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29 + ref_id: E1-3.29.c + description: 'relate significant monetary amounts of CapEx and OpEx required + to implement the actions taken or planned to: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c + ref_id: E1-3.29.c.i + description: 'the relevant line items or notes in the financial statements; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c + ref_id: E1-3.29.c.ii + description: 'the key performance indicators required under Commission Delegated + Regulation (EU) 2021/2178; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3.29.c + ref_id: E1-3.29.c.iii + description: 'if applicable, the CapEx plan required by Commission Delegated + Regulation (EU) 2021/2178. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node75 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'Metrics and targets ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node75 + ref_id: E1-4 + name: Disclosure Requirement E1-4 + description: 'Targets related to climate change mitigation and adaptation ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + ref_id: E1-4.30 + description: 'The undertaking shall disclose the climate-related targets it + has set. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + ref_id: E1-4.31 + description: 'The objective of this Disclosure Requirement is to enable an understanding + of the targets the undertaking has set to support its climate change mitigation + and adaptation policies and address its material climate-related impacts, + risks and opportunities. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + ref_id: E1-4.32 + description: 'The disclosure of the targets required in paragraph 30 shall contain + the information required in ESRS 2 MDR-T Tracking effectiveness of policies + and actions through targets. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + ref_id: E1-4.33 + description: 'For the disclosure required by paragraph 30, the undertaking shall + disclose whether and how it has set GHG emissions reduction targets and/or + any other targets to manage material climate-related impacts, risks and opportunities, + for example, renewable energy deployment, energy efficiency, climate change + adaptation, and physical or transition risk mitigation. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4 + ref_id: E1-4.34 + description: 'If the undertaking has set GHG emission reduction targets ( 32 + ), ESRS 2 MDR-T and the following requirements shall apply: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.a + description: 'GHG emission reduction targets shall be disclosed in absolute + value (either in tonnes of CO2eq or as a percentage of the emissions of a + base year) and, where relevant, in intensity value; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.b + description: GHG emission reduction targets shall be disclosed for Scope 1, + 2, and 3 GHG emissions, either separately or combined. The undertaking shall + specify, in case of combined GHG emission reduction targets, which GHG emission + Scopes (1, 2 and/or 3) are covered by the target, the share related to each + respective GHG emission Scope and which GHGs are covered. The undertaking + shall explain how the consistency of these targets with its GHG inventory + boundaries is ensured (as required by Disclosure Requirement E1-6). The GHG + emission reduction targets shall be gross targets, meaning that the undertaking + shall not include GHG removals, carbon credits or avoided emissions as a means + of achieving the GHG emission reduction targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.c + description: 'the undertaking shall disclose its current base year and baseline + value, and from 2030 onwards, update the base year for its GHG emission reduction + targets after every five-year period thereafter. The undertaking may disclose + the past progress made in meeting its targets before its current base year + provided that this information is consistent with the requirements of this + Standard; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.d + description: 'GHG emission reduction targets shall at least include target values + for the year 2030 and, if available, for the year 2050. From 2030, target + values shall be set after every 5-year period thereafter; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.e + description: "the undertaking shall state whether the GHG emission reduction\ + \ targets are science- based and compatible with limiting global warming to\ + \ 1.5\xB0C. The undertaking shall state which framework and methodology has\ + \ been used to determine these targets including whether they are derived\ + \ using a sectoral decarbonisation pathway and what the underlying climate\ + \ and policy scenarios are and whether the targets have been externally assured.\ + \ As part of the critical assumptions for setting GHG emission reduction targets,\ + \ the undertaking shall briefly explain how it has considered future developments\ + \ (e.g., changes in sales volumes, shifts in customer preferences and demand,\ + \ regulatory factors, and new technologies) and how these will potentially\ + \ impact both its GHG emissions and emissions reductions; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4.34 + ref_id: E1-4.34.f + description: 'the undertaking shall describe the expected decarbonisation levers + and their overall quantitative contributions to achieve the GHG emission reduction + targets (e.g., energy or material efficiency and consumption reduction, fuel + switching, use of renewable energy, phase out or substitution of product and + process). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node75 + ref_id: E1-5 + name: Disclosure Requirement E1-5 + description: 'Energy consumption and mix ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + ref_id: E1-5.35 + description: 'The undertaking shall provide information on its energy consumption + and mix. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + ref_id: E1-5.36 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the undertaking\u2019s total energy consumption in absolute\ + \ value, improvement in energy efficiency, exposure to coal, oil and gas-related\ + \ activities, and the share of renewable energy in its overall energy mix. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + ref_id: E1-5.37 + description: 'The disclosure required by paragraph 35 shall include the total + energy consumption in MWh related to own operations disaggregated by: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37 + ref_id: E1-5.37.a + description: 'total energy consumption from fossil sources ( 33 ); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37 + ref_id: E1-5.37.b + description: 'total energy consumption from nuclear sources; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37 + ref_id: E1-5.37.c + description: 'total energy consumption from renewable sources disaggregated + by: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c + ref_id: E1-5.37.c.i + description: 'fuel consumption for renewable sources including biomass (also + comprising industrial and municipal waste of biologic origin), biofuels, biogas, + hydrogen from renewable sources ( 34 ), etc.; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c + ref_id: E1-5.37.c.ii + description: 'consumption of purchased or acquired electricity, heat, steam, + and cooling from renewable sources; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.37.c + ref_id: E1-5.37.c.iii + description: 'consumption of self-generated non-fuel renewable energy. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + ref_id: E1-5.38 + description: 'The undertaking with operations in high climate impact sectors + ( 35 ) shall further disaggregate their total energy consumption from fossil + sources by: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + ref_id: E1-5.38.a + description: 'fuel consumption from coal and coal products; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + ref_id: E1-5.38.b + description: 'fuel consumption from crude oil and petroleum products; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + ref_id: E1-5.38.c + description: 'fuel consumption from natural gas; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + ref_id: E1-5.38.d + description: 'fuel consumption from other fossil sources; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.38 + ref_id: E1-5.38.e + description: 'consumption of purchased or acquired electricity, heat, steam, + or cooling from fossil sources; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5.39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5 + ref_id: E1-5.39 + description: 'In addition, where applicable, the undertaking shall disaggregate + and disclose separately its non-renewable energy production and renewable + energy production in MWh. ( 36 ) ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node105 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'Energy intensity based on net revenue ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node106 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node105 + description: 'The undertaking shall provide information on the energy intensity + (total energy consumption per net revenue) associated with activities in high + climate impact sectors. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node107 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node105 + description: 'The disclosure on energy intensity required by paragraph 40 shall + only be derived from the total energy consumption and net revenue from activities + in high climate impact sectors. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node108 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node105 + description: 'The undertaking shall specify the high climate impact sectors + that are used to determine the energy intensity required by paragraph 40. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node109 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node105 + description: 'The undertaking shall disclose the reconciliation to the relevant + line item or notes in the financial statements of the net revenue amount from + activities in high climate impact sectors (the denominator in the calculation + of the energy intensity required by paragraph 40). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node105 + ref_id: E1-6 + name: Disclosure Requirement E1-6 + description: 'Gross Scopes 1, 2, 3 and Total GHG emissions ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.44 + description: 'The undertaking shall disclose in metric tonnes of CO2eq its ( + 38 ): ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44 + ref_id: E1-6.44.a + description: 'gross Scope 1 GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44 + ref_id: E1-6.44.b + description: 'gross Scope 2 GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44 + ref_id: E1-6.44.c + description: 'gross Scope 3 GHG emissions; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.44 + ref_id: E1-6.44.d + description: 'total GHG emissions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.45 + description: 'The objective of the Disclosure Requirement in paragraph 44 in + respect of: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45 + ref_id: E1-6.45.a + description: 'gross Scope 1 GHG emissions as required by paragraph 44 (a) is + to provide an understanding of the direct impacts of the undertaking on climate + change and the proportion of its total GHG emissions that are regulated under + emission trading schemes. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45 + ref_id: E1-6.45.b + description: "gross Scope 2 GHG emissions as required by paragraph 44 (b) is\ + \ to provide an understanding of the indirect impacts on climate change caused\ + \ by the undertaking\u2019s consumed energy whether externally purchased or\ + \ acquired. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45 + ref_id: E1-6.45.c + description: "gross Scope 3 GHG emissions as required by paragraph 44 (c) is\ + \ to provide an understanding of the GHG emissions that occur in the undertaking\u2019\ + s upstream and downstream value chain beyond its Scope 1 and 2 GHG emissions.\ + \ For many undertakings, Scope 3 GHG emissions may be the main component of\ + \ their GHG inventory and are an important driver of the undertaking\u2019\ + s transition risks. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.45 + ref_id: E1-6.45.d + description: "total GHG emissions as required by paragraph 44 (d) is to provide\ + \ an overall understanding of the undertaking\u2019s GHG emissions and whether\ + \ they occur from its own operations or the usptream and donwstream value\ + \ chain. This disclosure is a prerequisite for measuring progress towards\ + \ reducing GHG emissions in accordance with the undertaking\u2019s climate-related\ + \ targets and EU policy goals. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.46 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.46 + description: "When disclosing the information on GHG emissions required under\ + \ paragraph 44, the undertaking shall refer to ESRS 1 paragraphs from 62 to\ + \ 67. In principle, the data on GHG emissions of its associates or joint ventures\ + \ that are part of the undertaking\u2019s upstream and downstream value chain\ + \ (ESRS 1 Paragraph 67) are not limited to the share of equity held. For its\ + \ associates, joint ventures, unconsolidated subsidiaries (investment entities)\ + \ and contractual arrangements that are joint arrangements not structured\ + \ through an entity (i.e., jointly controlled operations and assets), the\ + \ undertaking shall include the GHG emissions in accordance with the extent\ + \ of the undertaking\u2019s operational control over them. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.47 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.47 + description: 'In case of significant changes in the definition of what constitutes + the reporting undertaking and its upstream and downstream value chain, the + undertaking shall disclose these changes and explain their effect on the year-to-year + comparability of its reported GHG emissions (i.e., the effect on the comparability + of current versus previous reporting period GHG emissions). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.48 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.48 + description: 'The disclosure on gross Scope 1 GHG emissions required by paragraph + 44 (a) shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.48.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.48 + ref_id: E1-6.48.a + description: 'the gross Scope 1 GHG emissions in metric tonnes of CO2eq; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.48.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.48 + ref_id: E1-6.48.b + description: 'the percentage of Scope 1 GHG emissions from regulated emission + trading schemes. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.49 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.49 + description: 'The disclosure on gross Scope 2 GHG emissions required by paragraph + 44 (b) shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.49.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.49 + ref_id: E1-6.49.a + description: 'the gross location-based Scope 2 GHG emissions in metric tonnes + of CO2eq; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.49.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.49 + ref_id: E1-6.49.b + description: 'the gross market-based Scope 2 GHG emissions in metric tonnes + of CO2eq. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.50 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.50 + description: 'For Scope 1 and Scope 2 emissions disclosed as required by paragraphs + 44 (a) and (b) the undertaking shall disaggregate the information, separately + disclosing emissions from: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.50.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.50 + ref_id: E1-6.50.a + description: 'the consolidated accounting group (the parent and subsidiaries); + and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.50.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.50 + ref_id: E1-6.50.b + description: 'investees such as associates, joint ventures, or unconsolidated + subsidiaries that are not fully consolidated in the financial statements of + the consolidated accounting group, as well as contractual arrangements that + are joint arrangements not structured through an entity (i.e., jointly controlled + operations and assets), for which it has operational control. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.51 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.51 + description: 'The disclosure of gross Scope 3 GHG emissions required by paragraph + 44 (c) shall include GHG emissions in metric tonnes of CO2eq from each significant + Scope 3 category (i.e. each Scope 3 category that is a priority for the undertaking) + . ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.52 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6 + ref_id: E1-6.52 + description: 'The disclosure of total GHG emissions required by paragraph 44 + (d) shall be the sum of Scope 1, 2 and 3 GHG emissions required by paragraphs + 44 (a) to (c). The total GHG emissions shall be disclosed with a disaggregation + that makes a distinction of: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.52.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.52 + ref_id: E1-6.52.a + description: 'the total GHG emissions derived from the underlying Scope 2 GHG + emissions being measured using the location-based method; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.52.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6.52 + ref_id: E1-6.52.b + description: 'the total GHG emissions derived from the underlying Scope 2 GHG + emissions being measured using the market-based method. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node136 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node17 + name: 'GHG Intensity based on net revenue ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node137 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + description: 'The undertaking shall disclose its GHG emissions intensity (total + GHG emissions per net revenue). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + description: 'The disclosure on GHG intensity required by paragraph 53 shall + provide the total GHG emissions in metric tonnes of CO2eq (required by paragraph + 44 (d)) per net revenue. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node139 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + description: 'The undertaking shall disclose the reconciliation to the relevant + line item or notes in the financial statements of the net revenue amounts + (the denominator in the calculation of the GHG emissions intensity required + by paragraph 53). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + ref_id: E1-7 + name: Disclosure Requirement E1-7 + description: 'GHG removals and GHG mitigation projects financed through carbon + credits ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.56 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.56 + description: 'The undertaking shall disclose: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.56.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.56 + ref_id: E1-7.56.a + description: 'GHG removals and storage in metric tonnes of CO2eq resulting from + projects it may have developed in its own operations, or contributed to in + its upstream and downstream value chain; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.56.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.56 + ref_id: E1-7.56.b + description: 'the amount of GHG emission reductions or removals from climate + change mitigation projects outside its value chain it has financed or intends + to finance through any purchase of carbon credits. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.57 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.57 + description: 'The objective of this Disclosure Requirement is: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.57.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.57 + ref_id: E1-7.57.a + description: "to provide an understanding of the undertaking\u2019s actions\ + \ to permanently remove or actively support the removal of GHG from the atmosphere,\ + \ potentially for achieving net-zero targets (as stated in paragraph 60). " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.57.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.57 + ref_id: E1-7.57.b + description: 'to provide an understanding of the extent and quality of carbon + credits the undertaking has purchased or intends to purchase from the voluntary + market, potentially for supporting its GHG neutrality claims (as stated in + paragraph 61). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.58 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.58 + description: 'The disclosure on GHG removals and storage required by paragraph + 56 (a) shall include, if applicable: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.58.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.58 + ref_id: E1-7.58.a + description: "the total amount of GHG removals and storage in metric tonnes\ + \ of CO2eq disaggregated and separately disclosed for the amount related to\ + \ the undertaking\u2019s own operations and its upstream and donwstream value\ + \ chain, and broken down by removal activity; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.58.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.58 + ref_id: E1-7.58.b + description: 'the calculation assumptions, methodologies and frameworks applied + by the undertaking. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.59 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.59 + description: 'The disclosure on carbon credits required by paragraph 56 (b) + shall include, if applicable: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.59.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.59 + ref_id: E1-7.59.a + description: "the total amount of carbon credits outside the undertaking\u2019\ + s value chain in metric tonnes of CO2eq that are verified against recognised\ + \ quality standards and cancelled in the reporting period; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.59.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.59 + ref_id: E1-7.59.b + description: "the total amount of carbon credits outside the undertaking\u2019\ + s value chain in metric tonnes of CO2eq planned to be cancelled in the future\ + \ and whether they are based on existing contractual agreements or not. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.60 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.60 + description: 'In the case where the undertaking discloses a net-zero target + in addition to the gross GHG emission reduction targets in accordance with + Disclosure Requirement E1-4, paragraph 30, it shall explain the scope, methodologies + and frameworks applied and how the residual GHG emissions (after approximately + 90-95% of GHG emission reduction with the possibility for justified sectoral + variations in line with a recognised sectoral decarbonisation pathway) are + intended to be neutralised by, for example, GHG removals in its own operations + and upstream and donwstream value chain. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7 + ref_id: E1-7.61 + description: 'In the case where the undertaking may have made public claims + of GHG neutrality that involve the use of carbon credits, it shall explain: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61 + ref_id: E1-7.61.a + description: 'whether and how these claims are accompanied by GHG emission reduction + targets as required by Disclosure requirement ESRS E1- 4; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61 + ref_id: E1-7.61.b + description: 'whether and how these claims and the reliance on carbon credits + neither impede nor reduce the achievement of its GHG emission reduction targets + ( ), or, if applicable, its net zero target; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7.61 + ref_id: E1-7.61.c + description: 'the credibility and integrity of the carbon credits used, including + by reference to recognised quality standards. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + ref_id: E1-8 + name: Disclosure Requirement E1-8 + description: 'Internal carbon pricing ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.62 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8 + ref_id: E1-8.62 + description: The undertaking shall disclose whether it applies internal carbon + pricing schemes, and if so, how they support its decision making and incentivise + the implementation of climate-related policies and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8 + ref_id: E1-8.63 + description: 'The information required in paragraph 62 shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63 + ref_id: E1-8.63.a + description: 'the type of internal carbon pricing scheme, for example, the shadow + prices applied for CapEX or research and development (R&D) investment decision + making, internal carbon fees or internal carbon funds; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63 + ref_id: E1-8.63.b + description: 'the specific scope of application of the carbon pricing schemes + (activities, geographies, entities, etc.); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63 + ref_id: E1-8.63.c + description: 'the carbon prices applied according to the type of scheme and + critical assumptions made to determine the prices, including the source of + the applied carbon prices and why these are deemed relevant for their chosen + application. The undertaking may disclose the calculation methodology of the + carbon prices including the extent to which these have been set using scientific + guidance and how their future development is related to science- based carbon + pricing trajectories; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8.63 + ref_id: E1-8.63.d + description: "the current year approximate gross GHG emission volumes by Scopes\ + \ 1, 2 and, where applicable, Scope 3 in metric tonnes of CO2eq covered by\ + \ these schemes, as well as their share of the undertaking\u2019s overall\ + \ GHG emissions for each respective Scope. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node136 + ref_id: E1-9 + name: Disclosure Requirement E1-9 + description: 'Anticipated financial effects from material physical and transition + risks and potential climate-related opportunities ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.64 + description: 'The undertaking shall disclose its: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64 + ref_id: E1-9.64.a + description: 'anticipated financial effects from material physical risks; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64 + ref_id: E1-9.64.b + description: 'anticipated financial effects from material transition risks; + and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.64 + ref_id: E1-9.64.c + description: 'potential to benefit from material climate-related opportunities. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.65 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.65 + description: 'The information required by paragraph 64 is in addition to the + information on current financial effects required under ESRS 2 SBM-3 para + 48 (d). The objective of this Disclosure Requirement related to: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.65.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.65 + ref_id: E1-9.65.a + description: "anticipated financial effects due to material physical risks and\ + \ transition risks is to provide an understanding of how these risks have\ + \ (or could reasonably be expected to have) a material influence on the undertaking\u2019\ + s financial position, financial performance and cash flows, over the short-,\ + \ medium- and long- term. The results of scenario analysis used to conduct\ + \ resilience analysis as required under paragraphs AR 10 to AR 13 should inform\ + \ the assessment of anticipated financial effects from material physical and\ + \ transition risks. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.65.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.65 + ref_id: E1-9.65.b + description: 'potential to pursue material climate-related opportunities is + to enable an understanding of how the undertaking may financially benefit + from material climate- related opportunities. This disclosure is complementary + to the key performance indicators to be disclosed in accordance with Commission + Delegated Regulation (EU) 2021/2178. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.66 + description: 'The disclosure of anticipated financial effects from material + physical risks required by paragraph 64 (a) shall include ( 41 ): ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66 + ref_id: E1-9.66.a + description: 'the monetary amount and proportion (percentage) of assets at material + physical risk over the short-, medium- and long-term before considering climate + change adaptation actions; with the monetary amounts of these assets disaggregated + by acute and chronic physical risk ( 42 ); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66 + ref_id: E1-9.66.b + description: 'the proportion of assets at material physical risk addressed by + the climate change adaptation actions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66 + ref_id: E1-9.66.c + description: 'the location of significant assets at material physical risk ( + 43 ); and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.66 + ref_id: E1-9.66.d + description: 'the monetary amount and proportion (percentage) of net revenue + from its business activities at material physical risk over the short-, medium- + and long-term. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.67 + description: 'The disclosure of anticipated financial effects from material + transition risks required by paragraph 64 (b) shall include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + ref_id: E1-9.67.a + description: 'the monetary amount and proportion (percentage) of assets at material + transition risk over the short-, medium- and long-term before considering + climate mitigation actions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + ref_id: E1-9.67.b + description: 'the proportion of assets at material transition risk addressed + by the climate change mitigation actions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + ref_id: E1-9.67.c + description: "a breakdown of the carrying value of the undertaking\u2019s real\ + \ estate assets by energy-efficiency classes ( 44 ); " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + ref_id: E1-9.67.d + description: 'liabilities that may have to be recognised in financial statements + over the short-, medium- and long-term; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.67 + ref_id: E1-9.67.e + description: "the monetary amount and proportion (percentage) of net revenue\ + \ from its business activities at material transition risk over the short-,\ + \ medium- and long-term including, where relevant, the net revenue from the\ + \ undertaking\u2019s customers operating in coal, oil and gas- related activities. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.68 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.68 + description: 'The undertaking shall disclose reconciliations to the relevant + line items or notes in the financial statements of the following: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.68.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.68 + ref_id: E1-9.68.a + description: 'significant amounts of the assets and net revenue at material + physical risk (as required by paragraph 66); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.68.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.68 + ref_id: E1-9.68.b + description: 'significant amounts of the assets, liabilities, and net revenue + at material transition risk (as required by paragraph 67). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.69 + description: 'For the disclosure of the potential to pursue climate-related + opportunities required by paragraph 64 (c) the undertaking shall consider + ( 45 ): ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.69.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.69 + ref_id: E1-9.69.a + description: 'its expected cost savings from climate change mitigation and adaptation + actions; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.69.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.69 + ref_id: E1-9.69.b + description: 'the potential market size or expected changes to net revenue from + low-carbon products and services or adaptation solutions to which the undertaking + has or may have access. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9.70 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9 + ref_id: E1-9.70 + description: 'A quantification of the financial effects that arise from opportunities + is not required if such a disclosure does not meet the qualitative characteristics + of useful information included under ESRS 1 Appendix B Qualitative characteristics + of information. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-appendix-a + assessable: false + depth: 1 + ref_id: ESRS E1-Appendix A + name: 'Application Requirements ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node192 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-appendix-a + name: 'Strategy ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node192 + ref_id: E1-1 AR + name: Disclosure Requirement E1-1 + description: 'Transition plan for climate change mitigation ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + ref_id: E1-1 AR 1 + description: "A transition plan relates to the undertaking\u2019s efforts in\ + \ climate change mitigation. When disclosing its transition plan, the undertaking\ + \ is expected to provide a high-level explanation of how it will adjust its\ + \ strategy and business model to ensure compatibility with the transition\ + \ to a sustainable economy and with the limiting of global warming to 1.5\xB0\ + C in line with the Paris Agreement (or an updated inter national agreement\ + \ on climate change) and the objective of achieving climate neutrality by\ + \ 2050 with no or limited overshoot as established in Regulation (EU) 2021/1119\ + \ (European Climate Law), and where applicable, how it will adjust its exposure\ + \ to coal, and oil and gas-related activities. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + ref_id: E1-1 AR 2 + description: "Sectoral pathways have not yet been defined by the public policies\ + \ for all sectors. Hence, the disclosure under paragraph 16 (a) on the compatibility\ + \ of the transition plan with the objective of limiting global warming to\ + \ 1.5\xB0C should be understood as the disclosure of the undertaking\u2019\ + s GHG emissions reduction target. The disclosure under paragraph 16 (a) shall\ + \ be benchmarked in relation to a pathway to 1.5\xB0C. This benchmark should\ + \ be based on either a sectoral decarbonisation pathway if available for the\ + \ undertaking\u2019s sector or an economy- wide scenario bearing in mind its\ + \ limitations (i.e., it is a simple translation of emission reduction objectives\ + \ from the state to undertaking level). This AR should be read also in conjunction\ + \ with AR 26 and AR 27 and the sectoral decarbonisation pathways they refer\ + \ to. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + ref_id: E1-1 AR 3 + description: 'When disclosing the information required under paragraph 16(d) + the undertaking may consider: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3 + ref_id: E1-1 AR 3.a + description: the cumulative locked-in GHG emissions associated with key assets + from the reporting year until 2030 and 2050 in tCO2eq. This will be assessed + as the sum of the estimated Scopes 1 and 2 GHG emissions over the operating + lifetime of the active and firmly planned key assets. Key assets are those + owned or controlled by the undertaking, and they consist of existing or planned + assets (such as stationary or mobile installations, facilities, and equipment) + that are sources of either significant direct or energy-indirect GHG emissions. + Firmly planned key assets are those that the undertaking will most likely + deploy within the next 5 years. + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1--ar-3.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3 + ref_id: E1-1 -AR 3.b + description: "the cumulative locked-in GHG emissions associated with the direct\ + \ use-phase GHG emissions of sold products in tCO2eq, assessed as the sales\ + \ volume of products in the reporting year multiplied by the sum of estimated\ + \ direct use-phase GHG emissions over their expected lifetime. This requirement\ + \ only applies if the undertaking has identified the Scope 3 category \u2018\ + use of sold products\u2019 as significant under Disclosure Requirement E1-6\ + \ paragraph 51; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-3 + ref_id: E1-1 AR 3.c + description: 'an explanation of the plans to manage, i.e., to transform, decommission + or phase out its GHG-intensive and energy-intensive assets and products. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + ref_id: E1-1 AR 4 + description: 'When disclosing the information required under paragraph 16 (e), + the undertaking shall explain how the alignment of its economic activities + with the provisions of Commission Delegated Regulation (EU) 2021/2139 is expected + to evolve over time to support its transition to a sustainable economy. In + doing so, the undertaking shall take account of the key performance indicators + required to be disclosed under Article 8 of Regulation (EU) 2020/852 (in particular + taxonomy- aligned revenue and CapEx and, if applicable, CapEx plans). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-1-ar + ref_id: E1-1 AR 5 + description: "When disclosing the information required under paragraph 16 (g),\ + \ the undertaking shall state whether or not it is excluded from the EU Paris-aligned\ + \ Benchmarks in accordance with the exclusion criteria stated in Articles\ + \ 12(1), points (d) to (g) ( 46 ) and Article 12(2) of Commission Delegated\ + \ Regulation \t(EU) \t2020/1818 \t(Climate Benchmark Standards Regulation)\ + \ ( 47 ). " + - urn: urn:intuitem:risk:req_node:esrs_p2:node202 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node192 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: 'Material impacts, risks and opportunities and their interaction + with strategy and business model ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node202 + ref_id: E1.SBM-3.AR-6 + description: When disclosing the information on the scope of the resilience + analysis as required under paragraph 19 (a), the undertaking shall explain + which part of its own operations and upstream and downstream value chain as + well as which material physical risks and transition risks may have been excluded + from the analysis + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node202 + ref_id: E1.SBM-3.AR-7 + description: 'When disclosing the information on how the resilience analysis + has been conducted as required under paragraph 19 (b), the undertaking shall + explain: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7 + ref_id: E1.SBM-3.AR-7.a + description: 'the critical assumptions about how the transition to a lower-carbon + and resilient economy will affect its surrounding macroeconomic trends, energy + consumption and mix, and technology deployment assumptions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7 + ref_id: E1.SBM-3.AR-7.b + description: 'the time horizons applied and their alignment with the climate + and business scenarios considered for determining material physical and transition + risks (paragraphs AR 11to AR 12) and setting GHG emissions reduction targets + (reported under Disclosure Requirement E1-4); and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-7 + ref_id: E1.SBM-3.AR-7.c + description: 'how the estimated anticipated financial effects from material + physical and transition risks (as required by Disclosure Requirement E1-9) + as well as the mitigation actions and resources (disclosed under Disclosure + Requirement E1-3) were considered. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node202 + ref_id: E1.SBM-3.AR-8 + description: 'When disclosing the information on the results of the resilience + analysis as required under paragraph 19 (c), the undertaking shall explain: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-8.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-8 + ref_id: E1.SBM-3.AR-8.a + description: "the areas of uncertainties of the resilience analysis and to what\ + \ extent the assets and business activities at risk are considered within\ + \ the definition of the undertaking\u2019s strategy, investment decisions,\ + \ and current and planned mitigation actions; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-8.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.sbm-3.ar-8 + ref_id: E1.SBM-3.AR-8.b + description: 'the ability of the undertaking to adjust or adapt its strategy + and business model to climate change over the short-, medium- and long-term, + including securing ongoing access to finance at an affordable cost of capital, + the ability to redeploy, upgrade or decommission existing assets, shifting + its products and services portfolio, or reskilling its workforce. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node211 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-appendix-a + name: 'Impact, risk and opportunity management ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node212 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node211 + name: 'Disclosure Requirement related to ESRS 2 IRO-1 ' + description: Description of the processes to identify and assess material climate-related + impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.9 + description: 'When disclosing the information on the processes to identify and + assess climate impacts as required under paragraph 20 (a), the undertaking + shall explain how it has: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.9.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.9 + ref_id: E1.IRO-1-AR.9.a + description: 'screened its activities and plans in order to identify actual + and potential future GHG emission sources and, if applicable, drivers for + other climate-related impacts (e.g., emissions of black carbon or tropospheric + ozone or land-use change) in own operations and along the value chain; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.9.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.9 + ref_id: E1.IRO-1-AR.9.b + description: 'assessed its actual and potential impacts on climate change (i.e., + its total GHG emissions). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.10 + description: 'The undertaking may link the information disclosed under paragraphs + 20 (a) and AR 9 to the information disclosed under the following Disclosure + Requirements: Disclosure Requirement E1-1, paragraph 16 (d) on locked-in GHG + emissions; Disclosure Requirement E1-4 and Disclosure Requirement E1-6. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.11 + description: 'When disclosing the information on the processes to identify and + assess physical risks as required under paragraph 20 (b), the undertaking + shall explain whether and how: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11 + ref_id: E1.IRO-1-AR.11.a + description: 'it has identified climate-related hazards (see table below) over + the short-, medium- and long-term and screened whether its assets and business + activities may be exposed to these hazards; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11 + ref_id: E1.IRO-1-AR.11.b + description: 'it has defined short-, medium- and long-term time horizons and + how these definitions are linked to the expected lifetime of its assets, strategic + planning horizons and capital allocation plans; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11 + ref_id: E1.IRO-1-AR.11.c + description: "it has assessed the extent to which its assets and business activities\ + \ may be exposed and are sensitive to the identified climate-related hazards,\ + \ taking into consideration the likelihood, magnitude and duration of the\ + \ hazards as well as the geospatial coordinates (such as Nomenclature of Territorial\ + \ Units of Statistics- NUTS for the EU territory) specific to the undertaking\u2019\ + s locations and supply chains; and \t " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.11 + ref_id: E1.IRO-1-AR.11.d + description: "the identification of climate-related hazards and the assessment\ + \ of exposure and sensitivity are informed by high emissions climate scenarios,\ + \ which may, for example, be based on IPCC SSP5-8.5, relevant regional climate\ + \ projections based on these emission scenarios, or NGFS (Network for Greening\ + \ the Financial System) climate scenarios with high physical risk such as\ + \ \u2018Hot house world\u2019 or \u2018Too little, too late\u2019. For general\ + \ requirements regarding climate-related scenario analysis see paragraphs\ + \ 18, 19, AR 13 to AR 15. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.12 + description: 'When disclosing the information on the processes to identify transition + risks and opportunities as required under paragraph 20 (c), the undertaking + shall explain whether and how it has: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12 + ref_id: E1.IRO-1-AR.12.a + description: 'identified transition events (see the table with examples below) + over the short-, medium- and long-term and screened whether its assets and + business activities may be exposed to these events. In case of transition + risks and opportunities, what is considered long-term may cover more than + 10 years and may be aligned with climate-related public policy goals; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12 + ref_id: E1.IRO-1-AR.12.b + description: 'assessed the extent to which its assets and business activities + may be exposed and are sensitive to the identified transition events, taking + into consideration the likelihood, magnitude and duration of the transition + events; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12 + ref_id: E1.IRO-1-AR.12.c + description: "informed the identification of transition events and the assessment\ + \ of exposure by climate-related scenario analysis, considering at least a\ + \ scenario consistent with the Paris Agreement and limiting climate change\ + \ to 1.5\xB0C, for example, based on scenarios of the International Energy\ + \ Agency (Net zero Emissions by 2050, Sustainable Development Scenario, etc),\ + \ or NGFS (Network for Greening the Financial System) climate scenarios. For\ + \ the general requirements related to climate-related scenario analysis see\ + \ paragraphs 18, 19, AR 13 to AR 15; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.12 + ref_id: E1.IRO-1-AR.12.d + description: 'identified assets and business activities that are incompatible + with or need significant efforts to be compatible with a transition to a climate-neutral + economy (for example, due to significant locked-in GHG emissions or incompatibility + with the requirements for Taxonomy-alignment under Commission Delegated Regulation + (EU) 2021/2139). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.13 + description: 'When disclosing the information required under paragraphs 19, + 20, 21, AR 10 and AR 11, the undertaking shall explain how it has used climate-related + scenario analysis that is commensurate to its circumstances to inform the + identification and assessment of physical and transition risks and opportunities + over the short-, medium- and long- term, including: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13 + ref_id: E1.IRO-1-AR.13.a + description: 'which scenarios were used, their sources and alignment with state- + of-the-art science; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13 + ref_id: E1.IRO-1-AR.13.b + description: 'narratives, time horizons, and endpoints used with a discussion + of why it believes the range of scenarios used covers its plausible risks + and uncertainties; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13 + ref_id: E1.IRO-1-AR.13.c + description: 'the key forces and drivers taken into consideration in each scenario + and why these are relevant to the undertaking, for example, policy assumptions, + macroeconomic trends, energy usage and mix, and technology assumptions; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.13 + ref_id: E1.IRO-1-AR.13.d + description: "key inputs and constraints of the scenarios, including their level\ + \ of detail (e.g., whether the analysis of physical climate-related risks\ + \ is based on geospatial coordinates specific to the undertaking\u2019s locations\ + \ or national- or regional-level broad data). " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.14 + description: "When conducting scenario analysis, the undertaking may consider\ + \ the following guidance: TCFD Technical Supplement on \u2018The Use of Scenario\ + \ Analysis in Disclosure of Climate-Related Risks and Opportunities\u2019\ + \ (2017); TCFD \u2018Guidance on Scenario Analysis for Non- Financial Companies\u2019\ + \ (2020); ISO 14091:2021 \u2018Adaptation to climate change \u2014 Guidelines\ + \ on vulnerability, impacts and risk assessment\u2019; any other recognised\ + \ industry standards such as NGFS (Network for Greening the Financial System);\ + \ and EU, national, regional and local regulations. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1.iro-1-ar.15 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node212 + ref_id: E1.IRO-1-AR.15 + description: 'The undertaking shall briefly explain how the climate scenarios + used are compatible with the critical climate-related assumptions made in + the financial statements. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node211 + ref_id: E1-2 AR + name: Disclosure Requirement E1-2 + description: 'Policies related to climate change mitigation and adaptation ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar-16 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar + ref_id: E1-2 AR 16 + description: 'Policies related to either climate change mitigation or climate + adaptation may be disclosed separately as their objectives, people involved, + actions and resources needed to implement them are different. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar-17 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar + ref_id: E1-2 AR 17 + description: "Policies related to climate change mitigation address the management\ + \ of the undertaking\u2019s GHG emissions, GHG removals and transition risks\ + \ over different time horizons, in its own operations and/or in the upstream\ + \ and downstream value chain. The requirement under paragraph 22 may relate\ + \ to stand-alone climate change mitigation policies as well as relevant policies\ + \ on other matters that indirectly support climate change mitigation including\ + \ training policies, procurement or supply chain policies, investment policies,\ + \ or product development policies. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar-18 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-2-ar + ref_id: E1-2 AR 18 + description: "Policies related to climate change adaptation address the management\ + \ of the undertaking\u2019s physical climate risks and of its transition risks\ + \ related to climate change adaptation. The requirement under paragraphs 22\ + \ and 25 may relate to stand-alone climate change adaptation policies as well\ + \ as relevant policies on other matters that indirectly support climate change\ + \ adaptation including training policies, and emergency or health and safety\ + \ policies. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node211 + ref_id: E1-3 AR + name: Disclosure Requirements E1-3 + description: 'Actions and resources in relation to climate change policies ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar + ref_id: E1-3 AR 19 + description: 'When disclosing the information on actions as required under paragraphs + 29 (a) and 29 (b), the undertaking may: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19 + ref_id: E1-3 AR 19.a + description: 'disclose its key actions taken and/or plans to implement climate + change mitigation and adaptation policies in its single or separate actions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19 + ref_id: E1-3 AR 19.b + description: 'aggregate types of mitigation actions (decarbonisation levers) + such as energy efficiency, electrification, fuel switching, use of renewable + energy, products change, and supply-chain decarbonisation that fit the undertakings'' + specific actions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19 + ref_id: E1-3 AR 19.c + description: 'disclose the list of key mitigation actions alongside the measurable + targets (as required by Disclosure Requirement E1-4) with disaggregation by + decarbonisation levers; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-19 + ref_id: E1-3 AR 19.d + description: 'disclose the climate change adaptation actions by type of adaptation + solution such as nature-based adaptation, engineering, or technological solutions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-20 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar + ref_id: E1-3 AR 20 + description: "When disclosing the information on resources as required under\ + \ paragraph 29 (c), the undertaking shall only disclose the significant OpEx\ + \ and CapEx amounts required for the implementation of the actions as the\ + \ purpose of this information is to demonstrate the credibility of its actions\ + \ rather than to reconcile the disclosed amounts to the financial statements.\ + \ The disclosed CapEx and OpEx amounts shall be the additions made to both\ + \ tangible and intangible assets during the current financial year as well\ + \ as the planned additions for future periods of implementing the actions.\ + \ The disclosed amounts shall only be the incremental financial investments\ + \ directly contributing to the achievement of the undertaking\u2019s targets. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-21 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar + ref_id: E1-3 AR 21 + description: "In line with the requirements of ESRS 2 MDR-A, the undertaking\ + \ shall explain if and to what extent its ability to implement the actions\ + \ depends on the availability and allocation of resources. Ongoing access\ + \ to finance at an affordable cost of capital can be critical for the implementation\ + \ of the undertaking\u2019s actions, which include its adjustments to supply/demand\ + \ changes or its related acquisitions and significant research and development\ + \ (R&D) investments. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar-22 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-3-ar + ref_id: E1-3 AR 22 + description: 'The amounts of OpEx and CapEx required for the implementation + of the actions disclosed under paragraph 29 (c) shall be consistent with the + key performance indicators (CapEx and OpEx key performance indicators) and, + if applicable, the CapEx plan required by Commission Delegated Regulation + (EU) 2021/2178. The undertaking shall explain any potential differences between + the significant OpEx and CapEx amounts disclosed under this Standard and the + key performance indicators disclosed under Commission Delegated Regulation + (EU) 2021/2178 due to, for instance, the disclosure of non-eligible economic + activities as defined in that delegated regulation. The undertaking may structure + its actions by economic activity to compare its OpEx and CapEx, and if applicable + its OpEx and/or CapEx plans to its Taxonomy-aligned key performance indicators. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node247 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-appendix-a + name: 'Metrics and targets ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-4 AR + name: Disclosure Requirement E1-4 + description: 'Targets related to climate change mitigation and adaptation ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-23 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 23 + description: 'Under paragraph 34 (a), the undertaking may disclose GHG emission + reduction targets in intensity value. Intensity targets are formulated as + ratios of GHG emissions relative to a unit of physical activity or economic + output. Relevant units of activity or output are referred to in ESRS sector-specific + standards. In cases where the undertaking has only set a GHG intensity reduction + target, it shall nevertheless disclose the associated absolute values for + the target year and interim target year (s). This may result in a situation + where an undertaking is required to disclose an increase of absolute GHG emissions + for the target year and interim target year(s), for example because it anticipates + organic growth of its business. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-24 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 24 + description: 'When disclosing the information required under paragraph 34 (b), + the undertaking shall specify the share of the target related to each respective + GHG emission Scope (1, 2 or 3). The undertaking shall state the method used + to calculate Scope 2 GHG emissions included in the target (i.e., either the + location-based or market-based method). If the boundary of the GHG emission + reduction target diverges from that of the GHG emissions reported under Disclosure + Requirement E1-6, the undertaking shall disclose which gases are covered, + the respective percentage of Scope 1, 2, 3 and total GHG emissions covered + by the target. For the GHG emission reduction targets of its subsidiaries, + the undertaking shall analogously apply these requirements at the level of + the subsidiary. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 25 + description: 'When disclosing the information required under paragraph 34(c) + on base year and baseline value: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25 + ref_id: E1-4 AR 25.a + description: 'the undertaking shall briefly explain how it has ensured that + the baseline value against which the progress towards the target is measured + is representative in terms of the activities covered and the influences from + external factors (e.g., temperature anomalies in a certain year influencing + the amount of energy consumption and related GHG emissions). This can be done + by the normalisation of the baseline value, or, by using a baseline value + that is derived from a 3-year average if this increases the representativeness + and allows a more faithful representation; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25 + ref_id: E1-4 AR 25.b + description: 'the baseline value and base year shall not be changed unless significant + changes in either the target or reporting boundary occur. In such a case, + the undertaking shall explain how the new baseline value affects the new target, + its achievement and presentation of progress over time. To foster comparability, + when setting new targets, the undertaking shall select a recent base year + that does not precede the first reporting year of the new target period by + longer than 3 years. For example, for 2030 as the target year and a target + period between 2025 and 2030, the base year shall be selected from the period + between 2022 and 2025; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25 + ref_id: E1-4 AR 25.c + description: "the undertaking shall update its base year from 2030 and after\ + \ every 5-year period thereafter. This means that before 2030, the base years\ + \ chosen by undertakings\u2019 may be either the currently applied base year\ + \ for existing targets or the first year of application of the sustainability\ + \ reporting requirements as set out in Article 5(2) of Directive (EU) 2022/2464\ + \ (2024, 2025 or 2026) and, after 2030, every 5 years (2030, 2035, etc); and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-25 + ref_id: E1-4 AR 25.d + description: 'when presenting climate-related targets, the undertaking may disclose + the progress in meeting these targets made before its current base year. In + doing so, the undertaking shall, to the greatest extent possible, ensure that + the information on past progress is consistent with the requirements of this + Standard. In the case of methodological differences, for example, regarding + target boundaries, the undertaking shall provide a brief explanation for these + differences. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-26 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 26 + description: "When disclosing the information required under paragraphs 34 (d)\ + \ and 34 (e), the undertaking shall present the information over the target\ + \ period with reference to a sector- specific, if available, or a cross-sector\ + \ emission pathway compatible with limiting global warming to 1.5\xB0C. For\ + \ this purpose, the undertaking shall calculate a 1.5\xB0C aligned reference\ + \ target value for Scope 1 and 2 (and, if applicable, a separate one for Scope\ + \ 3) against which its own GHG emission reduction targets or interim targets\ + \ in the respective Scopes can be compared. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-27 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 27 + description: "The reference target value may be calculated by multiplying the\ + \ GHG emissions in the base year with either a sector-specific (sectoral decarbonisation\ + \ methodology) or cross-sector (contraction methodology) emission reduction\ + \ factor. These emission reduction factors can be derived from different sources.\ + \ The undertaking should ensure that the source used is based on an emission\ + \ reduction pathway compatible with limiting global warming to 1.5\xB0C. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-28 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 28 + description: 'The emission reduction factors are subject to further development. + Consequently, undertakings are encouraged to only use updated publicly available + information. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-29 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 29 + description: "The reference target value is dependent on the base year and baseline\ + \ emissions of the undertaking\u2019s GHG emission reduction target. As a\ + \ result, the reference target value for undertakings with a recent base year\ + \ or from higher baseline emissions may be less challenging to achieve than\ + \ it will be for undertakings that have already taken ambitious past actions\ + \ to reduce GHG emissions. Therefore, undertakings that have in the past achieved\ + \ GHG emissions reductions compatible with either a 1.5\xB0C-aligned cross-sector\ + \ or sector-specific pathway, may adjust their baseline emissions accordingly\ + \ to determine the reference target value. Accordingly, if the undertaking\ + \ is adjusting the baseline emissions to determine the reference target value,\ + \ it shall not consider GHG emission reductions that precede the year 2020\ + \ and it shall provide appropriate evidence of its past achieved GHG emission\ + \ reduction. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar + ref_id: E1-4 AR 30 + description: 'When disclosing the information required under paragraph 34 (f), + the undertaking shall explain: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30 + ref_id: E1-4 AR 30.a + description: 'by reference to its climate change mitigation actions, the decarbonisation + levers and their estimated quantitative contributions to the achievement of + its GHG emission reduction targets broken down by each Scope (1, 2 and 3); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30 + ref_id: E1-4 AR 30.b + description: 'whether it plans to adopt new technologies and the role of these + to achieve its GHG emission reduction targets; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30 + ref_id: E1-4 AR 30.c + description: "whether and how it has considered a diverse range of climate scenarios,\ + \ at least including a climate scenario compatible with limiting global warming\ + \ to 1.5\xB0C, to detect relevant environmental-, societal-, technology-,\ + \ market- and policy-related developments and determine its decarbonisation\ + \ levers. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-4-ar-30 + ref_id: E1-4 AR 31 + description: 'The undertaking may present its GHG emission reduction targets + together with its climate change mitigation actions (see paragraph AR 19) + as a table or graphical pathway showing developments over time. The following + figure and table provide examples combining targets and decarbonisation levers: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-5 AR + name: Disclosure Requirement E1-5 + description: 'Energy consumption and mix ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node266 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar + name: 'Calculation guidance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node266 + ref_id: E1-5 AR 32 + description: 'When preparing the information on energy consumption required + under paragraph 35, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.a + description: 'only report energy consumed from processes owned or controlled + by the undertaking applying the same perimeter applied for reporting GHG Scopes + 1 and 2 emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.b + description: 'exclude feedstocks and fuels that are not combusted for energy + purposes. The undertaking that consumes fuel as feedstocks can disclose information + on this consumption separately from the required disclosures; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.c + description: 'ensure all quantitative energy-related information is reported + in either Mega-Watt- hours (MWh) in Lower Heating Value or net calorific value. + If raw data of energy- related information is only available in energy units + other than MWh (such as Giga-Joules (GJ) or British Thermal Units (Btu)), + in volume units (such as cubic feet or gallons) or in mass units (such as + kilograms or pounds), they shall be converted to MWh using suitable conversion + factors (see for example Annex II of the Fifth Assessment IPCC report). Conversion + factors for fuels shall be made transparent and applied in a consistent manner; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.d + description: 'ensure all quantitative energy-related information is reported + as final energy consumption, referring to the amount of energy the undertaking + actually consumes using for example the table in Annex IV of Directive 2012/27 + of the European Parliament and of the Council ( 48 ) on energy efficiency; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.e + description: 'avoid double counting fuel consumption when disclosing self- generated + energy consumption. If the undertaking generates electricity from either a + non-renewable or renewable fuel source and then consumes the generated electricity, + the energy consumption shall be counted only once under fuel consumption; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.f + description: 'not offset energy consumption even if onsite generated energy + is sold to and used by a third party; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.g + description: "not count energy that is sourced from within the organisational\ + \ boundary under \u2018purchased or acquired\u2019 energy; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.h + description: "account for steam, heat or cooling received as \u2018waste energy\u2019\ + \ from a third party\u2019s industrial processes under \u2018purchased or\ + \ acquired\u2019 energy; " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.i + description: "account for renewable hydrogen ( 49 ) as a renewable fuel. Hydrogen\ + \ that is not completely derived from renewable sources shall be included\ + \ under \u2018fuel consumption from other non-renewable sources\u2019; and " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-32 + ref_id: E1-5 AR 32.j + description: 'adopt a conservative approach when splitting the electricity, + steam, heat or cooling between renewable and non-renewable sources based on + the approach applied to calculate market-based Scope 2 GHG emissions. The + undertaking shall only consider these energy consumptions as deriving from + renewable sources if the origin of the purchased energy is clearly defined + in the contractual arrangements with its suppliers (renewable power purchasing + agreement, standardised green electricity tariff, market instruments like + Guarantee of Origin from renewable sources in Europe ( 50 ) or similar instruments + like Renewable Energy Certificates in the US and Canada, etc.). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node266 + ref_id: E1-5 AR 33 + description: 'The information required under paragraph 38 is applicable if the + undertaking is operating in at least one high climate impact sector. The + information required under paragraph 38 (a) to (e). shall also include energy + from fossil sources consumed in operations that are not in high climate impact + sectors. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node266 + ref_id: E1-5 AR 34 + description: 'The information on Energy consumption and mix may be presented + using the following tabular format for high climate impact sectors and for + all other sector by omitting rows (1) to (5). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node266 + ref_id: E1-5 AR 35 + description: 'The total energy consumption with a distinction between fossil, + nuclear and renewable energy consumption may be presented graphically in the + sustainability statement showing developments over time (e.g., through a pie + or bar chart). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node281 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar + name: 'Energy intensity based on net revenue ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node282 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node281 + name: 'Calculation guidance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node282 + ref_id: E1-5 AR 36 + description: 'When preparing the information on energy intensity required under + paragraph 40, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + ref_id: E1-5 AR 36.a + description: 'calculate the energy intensity ratio using the following formula: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + ref_id: E1-5 AR 36.b + description: 'express the total energy consumption in MWh and the net revenue + in monetary units (e.g., Euros); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + ref_id: E1-5 AR 36.c + description: 'the numerator and denominator shall only consist of the proportion + of the total final energy consumption (in the numerator) and net revenue (in + the denominator) that are attributable to activities in high climate impact + sectors. In effect, there should be consistency in the scope of both the numerator + and denominator; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + ref_id: E1-5 AR 36.d + description: 'calculate the total energy consumption in line with the requirement + in paragraph 37; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-36 + ref_id: E1-5 AR 36.e + description: 'calculate the net revenue in line with the accounting standards + requirements applicable for the financial statements, i.e., IFRS 15 Revenue + from Contracts with Customers or local GAAP requirements. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node282 + ref_id: E1-5 AR 37 + description: 'The quantitative information may be presented in the following + table. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node290 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node281 + name: Connectivity of energy intensity based on net revenue with financial reporting + information + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node290 + ref_id: E1-5 AR 38 + description: 'The reconciliation of net revenue from activities in high climate + impact sectors to the relevant financial statements line item or disclosure + (as required by paragraph 43) may be presented either: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-38 + ref_id: E1-5 AR 38.a + description: 'by a cross-reference to the related line item or disclosure in + the financial statements; or ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-5-ar-38 + ref_id: E1-5 AR 38.b + description: 'If the net revenue cannot be directly cross-referenced to a line + item or disclosure in the financial statements, by a quantitative reconciliation + using the below tabular format. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-6 AR + name: Disclosure Requirements E1-6 + description: 'Gross Scopes 1, 2, 3 and Total GHG emissions ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node295 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar + name: 'Calculation guidance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 39 + description: 'When preparing the information for reporting GHG emissions as + required by paragraph 44, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39 + ref_id: E1-6 AR 39.a + description: 'consider the principles, requirements and guidance provided by + the GHG Protocol Corporate Standard (version 2004). The undertaking may consider + Commission Recommendation (EU) 2021/2279 ( 51 ) or the requirements stipulated + by EN ISO 14064-1:2018. If the undertaking already applies the GHG accounting + methodology of ISO 14064- 1: 2018, it shall nevertheless comply with the requirements + of this standard (e.g., regarding reporting boundaries and the disclosure + of market-based Scope 2 GHG emissions); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39 + ref_id: E1-6 AR 39.b + description: 'disclose the methodologies, significant assumptions and emissions + factors used to calculate or measure GHG emissions accompanied by the reasons + why they were chosen, and provide a reference or link to any calculation tools + used; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39 + ref_id: E1-6 AR 39.c + description: 'include emissions of CO2, CH4, N2O, HFCs, PFCs, SF6, and NF3. + Additional GHG may be considered when significant; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-39 + ref_id: E1-6 AR 39.d + description: 'use the most recent Global Warming Potential (GWP) values published + by the IPCC based on a 100-year time horizon to calculate CO2eq emissions + of non-CO2 gases. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 40 + description: 'When preparing the information for reporting GHG emissions from + its associates, joint ventures, unconsolidated subsidiaries (investment entities) + and contractual arrangements as required by paragraph 50, the undertaking + shall consolidate 100% of the GHG emissions of the entities it operationally + controls. In practice, this happens when the undertakings holds the license + - or permit - to operate the assets from these associates, joint ventures, + unconsolidated subsidiaries (investment entities) and contractual arrangements. + When the undertaking has a contractually defined part-time operational control, + it shall consolidate 100% the GHG emitted during the time of its operational + control. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 41 + description: 'In line with ESRS 1 chapter 3.7, the undertaking shall disaggregate + information on its GHG emissions as appropriate. For example, the undertaking + may disaggregate its Scope 1, 2, 3, or total GHG emissions by country, operating + segments, economic activity, subsidiary, GHG category (CO2, CH4, N2O, HFCs, + PFCs, SF6, NF3, and other GHG considered by the undertaking) or source type + (stationary combustion, mobile combustion, process emissions and fugitive + emissions). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 42 + description: "An undertaking might have a different reporting period from some\ + \ or all of the entities in its value chain. In such circumstances, the undertaking\ + \ is permitted to measure its GHG emissions in accordance with paragraph 44\ + \ using information for reporting periods that are different from its own\ + \ reporting period if that information is obtained from entities in its value\ + \ chain with reporting periods that are different from the undertaking\u2019\ + s reporting period, on the condition that: " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42 + ref_id: E1-6 AR 42.a + description: 'the undertaking uses the most recent data available from those + entities in its value chain to measure and disclose its greenhouse gas emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42 + ref_id: E1-6 AR 42.b + description: 'the length of the reporting periods is the same; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-42 + ref_id: E1-6 AR 42.c + description: "the undertaking discloses the effects of significant events and\ + \ changes in circumstances (relevant to its GHG emissions) that occur between\ + \ the reporting dates of the entities in its value chain and the date of the\ + \ undertaking\u2019s general purpose financial statements. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 43 + description: 'When preparing the information on gross Scope 1 GHG emissions + required under paragraph 48 (a), the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + ref_id: E1-6 AR 43.a + description: 'calculate or measure GHG emissions from stationary combustion, + mobile combustion, process emissions and fugitive emissions; and use suitable + activity data that include the non-renewable fuel consumption; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + ref_id: E1-6 AR 43.b + description: 'use suitable and consistent emission factors; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + ref_id: E1-6 AR 43.c + description: 'disclose biogenic emissions of CO2 from the combustion or bio- + degradation of biomass separately from the Scope 1 GHG emissions, but include + emissions of other types of GHG (in particular CH4 and N2O); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + ref_id: E1-6 AR 43.d + description: 'not include any removals, or any purchased, sold or transferred + carbon credits or GHG allowances in the calculation of Scope 1 GHG emissions; + and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-43 + ref_id: E1-6 AR 43.e + description: 'for activities reporting under the EU ETS, report on Scope 1 emissions + following the EU ETS methodology. The EU ETS methodology may also be applied + to activities in geographies and sectors that are not covered by the EU ETS. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 44 + description: 'When preparing the information on the percentage of Scope 1 GHG + emissions from regulated emission trading schemes required under paragraph + 48 (b), the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44 + ref_id: E1-6 AR 44.a + description: 'consider GHG emissions from the installations it operates that + are subject to regulated Emission Trading Schemes (ETS), including the EU-ETS, + national ETS and non-EU ETS, if applicable; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44 + ref_id: E1-6 AR 44.b + description: 'only include emissions of CO2, CH4, N2O, HFCs, PFCs, SF6, and + NF3; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44 + ref_id: E1-6 AR 44.c + description: 'ensure the same accounting period for gross Scope 1 GHG emissions + and GHG emissions regulated under the ETS; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-44 + ref_id: E1-6 AR 44.d + description: 'calculate the share by using the following formula: GHG Emissions + in (t CO 2 eq) from EU ETS installations + national ETS installations + nonEU + ETS installations / Scope 1 GHG emissions (t CO2eq) ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 45 + description: 'When preparing the information on gross Scope 2 GHG emissions + required under paragraph 49, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.a + description: 'consider the principles and requirements of the GHG Protocol Scope + 2 Guidance (version 2015, in particular the Scope 2 quality criteria in chapter + 7.1 relating to contractual instruments); it may also consider Commission + Recommendation (EU) 2021/2279 or the relevant requirements for the quantification + of indirect GHG emissions from imported energy in EN ISO 14064-1:2018; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.b + description: 'include purchased or acquired electricity, steam, heat, and cooling + consumed by the undertaking; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.c + description: 'avoid double counting of GHG emissions reported under Scope 1 + or 3; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.d + description: "apply the location-based and market-based methods to calculate\ + \ Scope 2 GHG emissions and provide information on the share and types of\ + \ contractual instruments. Location-based method quantifies Scope 2 GHG emissions\ + \ based on average energy generation emission factors for defined locations,\ + \ including local, subnational, or national boundaries (GHG Protocol, \u2018\ + Scope 2 Guidance\u2019, Glossary, 2015). Market-based method quantifies Scope\ + \ 2 GHG emissions based on GHG emissions emitted by the generators from which\ + \ the reporting entity contractually purchases electricity bundled with instruments,\ + \ or unbundled instruments on their own (GHG Protocol, \u2018Scope 2 Guidance\u2019\ + , Glossary, 2015); in this case, the undertaking may disclose the share of\ + \ market-based scope 2 GHG emissions linked to purchased electricity bundled\ + \ with instruments such as Guarantee of Origins or Renewable Energy Certificates.\ + \ The undertaking shall provide information about the share and types of contractual\ + \ instruments used for the sale and purchase of energy bundled with attributes\ + \ about the energy generation or for unbundled energy attribute claims. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.e + description: 'disclose biogenic emissions of CO2 carbon from the combustion + or biodegradation of biomass separately from the Scope 2 GHG emissions but + include emissions of other types of GHG (in particular CH4 and N2O). In case + the emission factors applied do not separate the percentage of biomass or + biogenic CO2, the undertaking shall disclose this. In case GHG emissions other + than CO2 (particularly CH4 and N2O) are not available for, or excluded from, + location-based grid average emissions factors or with the market- based method + information, the undertaking shall disclose this. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-45 + ref_id: E1-6 AR 45.f + description: 'not include any removals, or any purchased, sold or transferred + carbon credits or GHG allowances in the calculation of Scope 2 GHG emissions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 46 + description: 'When preparing the information on gross Scope 3 GHG emissions + required under paragraph 51, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.a + description: 'consider the principles and provisions of the GHG Protocol Corporate + Value Chain (Scope 3) Accounting and Reporting Standard (Version 2011); and + it may consider Commission Recommendation (EU) 2021/2279 or the relevant requirements + for the quantification of indirect GHG emissions from EN ISO 14064- 1:2018; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.b + description: "if it is a financial institution, consider the GHG Accounting\ + \ and Reporting Standard for the Financial Industry from the Partnership for\ + \ Carbon Accounting Financial (PCAF), specifically part A \u2018Financed Emissions\u2019\ + \ (version December 2022); " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.c + description: 'screen its total Scope 3 GHG emissions based on the 15 Scope 3 + categories identified by the GHG Protocol Corporate Standard and GHG Protocol + Corporate Value Chain (Scope 3) Accounting and Reporting Standard (Version + 2011) using appropriate estimates. Alternatively, it may screen its indirect + GHG emissions based on the categories provided by EN ISO 14064-1:2018 clause + 5.2.4 (excluding indirect GHG emissions from imported energy); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.d + description: 'identify and disclose its significant Scope 3 categories based + on the magnitude of their estimated GHG emissions and other criteria provided + by GHG Protocol Corporate Value Chain (Scope 3) Accounting and Reporting Standard + (Version 2011, p. 61 and 65- 68) or EN ISO 14064-1:2018 Annex H.3.2, such + as financial spend, influence, related transition risks and opportunities + or stakeholder views; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.e + description: 'calculate or estimate GHG emissions in significant Scope 3 categories + using suitable emissions factors; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.f + description: "update Scope 3 GHG emissions in each significant category every\ + \ year on the basis of current activity data; update the full Scope 3 GHG\ + \ inventory at least every 3 years or on the occurrence of a significant event\ + \ or a significant change in circumstances (a significant event or significant\ + \ change in circumstances can, for example, relate to changes in the undertaking\u2019\ + s activities or structure, changes in the activities or structure of its upstream\ + \ and downstream value chain(s), a change in calculation methodology or in\ + \ the discovery of errors);\u201D); " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.g + description: "disclose the extent to which the undertaking\u2019s Scope 3 GHG\ + \ emissions are measured using inputs from specific activities within the\ + \ entity\u2019s upstream and downstream value chain, and disclose the percentage\ + \ of emissions calculated using primary data obtained from suppliers or other\ + \ value chain partners. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.h + description: 'for each significant Scope 3 GHG category, disclose the reporting + boundaries considered, the calculation methods for estimating the GHG emissions + as well as if and which calculation tools were applied. The Scope 3 categories + should be consistent with the GHGP and include: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h + ref_id: E1-6 AR 46.h.i + description: 'indirect Scope 3 GHG emissions from the consolidated accounting + group (the parent and its subsidiaries), ' + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-ar-46.h.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h + ref_id: ESRS E1-AR 46.h.ii + description: 'indirect Scope 3 GHG emissions from associates, joint ventures, + and unconsolidated subsidiaries for which the undertaking has the ability + to control the operational activities and relationships (i.e., operational + control), ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.h + ref_id: E1-6 AR 46.h.iii + description: "Scope 1, 2 and 3 GHG emissions from associates, joint ventures,\ + \ unconsolidated subsidiaries (investment entities) and joint arrangements\ + \ for which the undertaking does not have operational control and when these\ + \ entities are part of the undertaking\u2019s upstream and dopwnstream value\ + \ chain. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.i + description: 'disclose a list of Scope 3 GHG emissions categories included in + and excluded from the inventory with a justification for excluded Scope 3 + categories; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.j + description: 'disclose biogenic emissions of CO 2 from the combustion or biodegradation + of biomass that occur in its upstream and downstream value chain separately + from the gross Scope 3 GHG emissions, and include emissions of other types + of GHG (such as CH 4 and N2O), and emissions of CO2 that occur in the life + cycle of biomass other than from combustion or biodegradation (such as GHG + emissions from processing or transporting biomass) in the calculation of Scope + 3 GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46.k + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-46 + ref_id: E1-6 AR 46.k + description: 'not include any removals, or any purchased, sold or transferred + carbon credits or GHG allowances in the calculation of Scope 3 GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 47 + description: 'When preparing the information on the total GHG emissions required + under paragraph 52, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-47.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-47 + ref_id: E1-6 AR 47.a + description: 'apply the following formulas to calculate the total GHG emissions: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-47.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-47 + ref_id: E1-6 AR 47.b + description: 'disclose total GHG emissions with a distinction between emissions + derived from the location-based and market-based methods applied while measuring + the underlying Scope 2 GHG emissions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 48 + description: 'The undertaking shall disclose its total GHG emissions disaggregated + by Scopes 1 and 2 and significant Scope 3 in accordance with the table below. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 49 + description: 'To highlight potential transition risks, the undertaking may disclose + its total GHG emissions disaggregated by major countries and, if applicable, + by operating segments (applying the same segments for the financial statements + as required by the accounting standards, i.e., IFRS 8 Operating Segments or + local GAAP). Scope 3 GHG emissions may be excluded from these breakdowns by + country if the related data is not readily available. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 50 + description: 'The Scope 3 GHG emissions may also be presented by according to + the indirect emission categories defined in EN ISO 14064-1:2018. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-51 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 51 + description: "If it is material for the undertaking's Scope 3 emissions, it\ + \ shall disclose the GHG emissions from purchased cloud computing and data\ + \ centre services as a subset of the overarching Scope 3 category \u2018upstream\ + \ purchased goods and services\u2019. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-52 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node295 + ref_id: E1-6 AR 52 + description: 'The total GHG emissions disaggregated by Scope 1, 2 and 3 GHG + emissions may be graphically presented in the sustainability statement (e.g., + as a bar or pie chart) showing the split of GHG emissions across the value + chain (Upstream, Own operations, Transport, Downstream). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node348 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar + name: 'GHG intensity based on net revenue ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node349 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node348 + name: Calculation guidance + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node349 + ref_id: E1-6 AR 53 + description: 'When disclosing the information on GHG intensity based on net + revenue required under paragraph 53, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + ref_id: E1-6 AR 53.a + description: 'calculate the GHG intensity ratio by the following formula: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + ref_id: E1-6 AR 53.b + description: 'express the total GHG emissions in metric tonnes of CO2eq and + the net revenue in monetary units (e.g., Euros) and present the results for + the market-based and location-based method; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + ref_id: E1-6 AR 53.c + description: 'include the total GHG emissions in the numerator and overall net + revenue in the denominator; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + ref_id: E1-6 AR 53.d + description: 'calculate the total GHG emissions as required by paragraphs 44 + (d) and 52; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-53 + ref_id: E1-6 AR 53.e + description: 'calculate the net revenue in line with the requirements in accounting + standards applied for financial statements, i.e., IFRS 15 or local GAAP. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-54 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node349 + ref_id: E1-6 AR 54 + description: 'The quantitative information may be presented in the following + tabular format. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-55 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node349 + ref_id: E1-6 AR 55 + description: 'The reconciliation of the net revenue used to calculate GHG intensity + to the relevant line item or notes in the financial statements (as required + by paragraph 55) may be done by either: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-55.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-55 + ref_id: E1-6 AR 55.a + description: 'a cross-reference to the related line item or disclosure in the + financial statements; or ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-55.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-6-ar-55 + ref_id: E1-6 AR 55.b + description: 'if the net revenue cannot be directly cross-referenced to a line + item or disclosure in the financial statements, by a quantitative reconciliation + using the below tabular format. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-7 AR + name: Disclosure Requirement E1-7 + description: 'GHG removals and GHG mitigation projects financed through carbon + credits ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node361 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar + name: 'GHG removals and storage in own operations and the upstream and downstream + value chain ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-56 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + ref_id: E1-7 AR 56 + description: "In addition to their GHG emission inventories, undertakings shall\ + \ provide transparency on how and to what extent they either enhance natural\ + \ sinks or apply technical solutions to remove GHGs from the atmosphere in\ + \ their own operations and upstream and downstream value chain. While there\ + \ are no generally accepted concepts and methodologies for accounting for\ + \ GHG removals, this Standard aims to increase transparency on the undertaking\u2019\ + s efforts to remove GHGs from the atmosphere (paragraphs 56 (a) and 58). The\ + \ GHG removals outside the value chain that the undertaking supports through\ + \ the purchase of carbon credits are to be disclosed separately as required\ + \ by paragraphs 56 (b) and 59. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + ref_id: E1-7 AR 57 + description: "When disclosing the information on GHG removals and storage from\ + \ the undertaking\u2019s own operations and its upstream and donwstream value\ + \ chain required under paragraphs 56 (a) and 58, for each removal and storage\ + \ activity, the undertaking shall describe: " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57 + ref_id: E1-7 AR 57.a + description: 'the GHGs concerned; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57 + ref_id: E1-7 AR 57.b + description: 'whether removal and storage are biogenic or from land-use change + (e.g., afforestation, reforestation, forest restoration, urban tree planting, + agroforestry, building soil carbon, etc.), technological (e. g., direct air + capture), or hybrid (e.g., bioenergy with CO2 capture and storage), and technological + details about the removal, the type of storage and, if applicable, the transport + of removed GHGs; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57 + ref_id: E1-7 AR 57.c + description: 'if applicable, a brief explanation of whether the activity qualifies + as a nature-based solution; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-57 + ref_id: E1-7 AR 57.d + description: 'how the risk of non-permanence is managed, including determining + and monitoring leakage and reversal events, as appropriate. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node368 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + name: 'Calculation guidance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + ref_id: E1-7 AR 58 + description: "When preparing the information on GHG removals and storage from\ + \ the undertaking\u2019s own operations and its upstream and donwstream value\ + \ chain required under paragraphs 56 (a) and 58, the undertaking shall: " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.a + description: 'consider, as far as applicable, the GHG Protocol Corporate Standard + (version 2004), Product Standard (version 2011), Agriculture Guidance (version + 2014), Land use, land-use change, and forestry Guidance for GHG project accounting + (version 2006); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.b + description: 'apply consensus methods on accounting for GHG removals as soon + as they are available, notably the EU regulatory framework for the certification + of CO2 removals; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.c + description: 'if applicable, explain the role of removals for its climate change + mitigation policy; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.d + description: 'include removals from operations that it owns, controls, or contributes + to and that have not been sold to another party through carbon credits; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.e + description: 'if applicable, mark those GHG removal activities in own operations + or the value chain that have been converted into carbon credits and sold on + to other parties on the voluntary market; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.f + description: 'account for the GHG emissions associated with a removal activity, + including transport and storage, under Disclosure Requirement E1-6 (Scopes + 1, 2 or 3). To increase transparency on the efficiency of a removal activity, + including transport and storage, the undertaking may disclose the GHG emissions + associated with this activity (e.g., GHG emissions from electricity consumption + of direct air capture technologies) alongside, but separately from, the amount + of removed GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.g + description: 'in case of a reversal, account for the respective GHG emissions + as an offset for the removals in the reporting period; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.h + description: 'use the most recent GWP values published by the IPCC based on + a 100-year time horizon to calculate CO2eq emissions of non-CO2 gases and + describe the assumptions made, methodologies and frameworks applied for calculation + of the amount of GHG removals; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-58 + ref_id: E1-7 AR 58.i + description: 'consider nature-based solutions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-59 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + ref_id: E1-7 AR 59 + description: 'The undertaking shall disaggregate and separately disclose the + GHG removals that occur in its own operations and those that occur in its + upstream and downstream value chain. GHG removal activities in the upstream + and downstream value chain shall include those that the undertaking is actively + supporting, for example, through a cooperation project with a supplier. The + undertaking is not expected to include any GHG removals that may occur in + its upstream and downstream value chain that it is not aware of. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-60 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node361 + ref_id: E1-7 AR 60 + description: 'The quantitative information on GHG removals may be presented + by using the following tabular format. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node381 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar + name: 'GHG mitigation projects financed through carbon credits ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-61 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node381 + ref_id: E1-7 AR 61 + description: "Financing GHG emission reduction projects outside the undertaking\u2019\ + s value chain through purchasing carbon credits that fulfil high-quality standards\ + \ can be a useful contribution towards mitigating climate change. This Standard\ + \ requires the undertaking to disclose whether it uses carbon credits separately\ + \ from the GHG emissions (paragraphs 56 (b) and 59) and GHG emission reduction\ + \ targets (Disclosure Requirement E1-4). It also requires the undertaking\ + \ to show the extent of use and which quality criteria it uses for those carbon\ + \ credits. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node381 + ref_id: E1-7 AR 62 + description: 'When disclosing the information on carbon credits required under + paragraphs 56 (b) and 59, the undertaking shall disclose the following disaggregation + as applicable: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + ref_id: E1-7 AR 62.a + description: 'the share (percentage of volume) of reduction projects and removal + projects; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + ref_id: E1-7 AR 62.b + description: 'for carbon credits from removal projects, an explanation whether + they are from biogenic or technological sinks; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + ref_id: E1-7 AR 62.c + description: 'the share (percentage of volume) for each recognised quality standard; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + ref_id: E1-7 AR 62.d + description: 'the share (percentage of volume) issued from projects in the EU; + and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-62 + ref_id: E1-7 AR 62.e + description: 'the share (percentage of volume) that qualifies as a corresponding + adjustment under Article. 6 of the Paris Agreement. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node389 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node381 + name: 'Calculation guidance ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node381 + ref_id: E1-7 AR 63 + description: 'When preparing the information on carbon credits required under + paragraphs 56 (b) and 59, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.a + description: 'Consider recognised quality standards;. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.b + description: 'if applicable, explain the role of carbon credits in its climate + change mitigation policy; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.c + description: 'not include carbon credits issued from GHG emission reduction + projects within its value chain as the respective GHG emission reductions + shall already be disclosed under Disclosure Requirement E1-6 (Scope 2 or Scope + 3) at the time they occur (i.e., double counting is avoided); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.d + description: 'not include carbon credits from GHG removal projects within its + value chain as the respective GHG removals may already be accounted for under + Disclosure Requirement E1-7 at the time they occur (i.e., double counting + is avoided); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.e + description: 'not disclose carbon credits as an offset for its GHG emissions + under Disclosure Requirement E1-6 on GHG emissions; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.f + description: 'not disclose carbon credits as a means to reach the GHG emission + reduction targets disclosed under Disclosure Requirement E1-4; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-63 + ref_id: E1-7 AR 63.g + description: 'calculate the amount of carbon credits to be cancelled in the + future, as the sum of carbon credits in metric tonnes of CO2eq over the duration + of existing contractual agreements. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-7-ar-64 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node381 + ref_id: E1-7 AR 64 + description: 'The information on carbon credits cancelled in the reporting year + and planned to be cancelled in the future may be presented using the following + tabular formats. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-8 AR + name: Disclosure Requirement E1-8 + description: 'Internal carbon pricing ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar + ref_id: E1-8 AR 65 + description: 'When disclosing the information required under paragraphs 62 and + 63, if applicable, the undertaking shall briefly explain whether and how the + carbon prices used in internal carbon pricing schemes are consistent with + those used in financial statements. This shall be done in respect of the internal + carbon prices used for, ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65 + ref_id: E1-8 AR 65.a + description: 'the assessment of the useful life and residual value of its assets + (intangibles, property, plant and equipment); ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65 + ref_id: E1-8 AR 65.b + description: 'the impairment of assets; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-65 + ref_id: E1-8 AR 65.c + description: 'the fair value measurement of assets acquired through business + acquisitions. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar-66 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-8-ar + ref_id: E1-8 AR 66 + description: 'The information may be presented by using the following table: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node247 + ref_id: E1-9 AR + name: Disclosure Requirement E1-9 + description: 'Anticipated financial effects from material physical and transition + risks and potential climate-related opportunities ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node406 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar + name: 'Anticipated financial effects from material physical and transition risks ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-67 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node406 + ref_id: E1-9 AR 67 + description: "Material climate-related physical risks and transition risks may\ + \ affect the undertaking\u2019s financial position (e.g., owned assets, financially-\ + \ controlled leased assets, and liabilities), performance (e.g., potential\ + \ future increase/decrease in net revenue and costs due to business interruptions,\ + \ increased supply prices resulting in potential margin erosions), and cash\ + \ flows. The low probability, high severity and long-term time horizons of\ + \ some climate- related physical risk exposures and the uncertainty arising\ + \ from the transition to a sustainable economy mean that there will be associated\ + \ material anticipated financial effects that are outside the scope of the\ + \ requirements of applicable accounting standards. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-68 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node406 + ref_id: E1-9 AR 68 + description: "Currently, there is no commonly accepted methodology to assess\ + \ or measure how material physical risks and transition risks may affect the\ + \ undertaking\u2019s future financial position, financial, performance and\ + \ cash flows. Therefore, the disclosure of the financial effects (as required\ + \ by paragraphs 64, 66 and 67) will depend on the undertaking\u2019s internal\ + \ methodology and the exercise of significant judgement in determining the\ + \ inputs, and assumptions needed to quantify their anticipated financial effects. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node409 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node406 + name: Calculation guidance - Anticipated financial effects from material physical + risks + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node409 + ref_id: E1-9 AR 69 + description: 'When disclosing the information required under paragraphs 64 (a) + and 66, the undertaking shall explain whether and how: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-69.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-69 + ref_id: E1-9 AR 69.a + description: 'it assessed the anticipated financial effects for assets and business + activities at material physical risk, including the scope of application, + time horizons, calculation methodology, critical assumptions and parameters + and limitations of the assessment; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-69.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-69 + ref_id: E1-9 AR 69.b + description: "the assessment of assets and business activities considered to\ + \ be at material physical risk relies on or is part of the process to determine\ + \ material physical risk as required under paragraphs 20 (b) and AR 11 and\ + \ to determine climate scenarios as required under paragraphs 19 and AR 13\ + \ to AR 14. In particular, it shall explain how it has defined medium- and\ + \ long-term time horizons and how these definitions are linked to the expected\ + \ lifetime of the undertaking\u2019s assets, strategic planning horizons and\ + \ capital allocation plans. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node409 + ref_id: E1-9 AR 70 + description: 'When preparing the information on assets at material physical + risk that is required to be disclosed under paragraph 66 (a), the undertaking + shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70 + ref_id: E1-9 AR 70.a + description: 'Calculate the assets at material physical risk in terms of monetary + amount and as a proportion (percentage) of total assets at the reporting date + (i.e., the proportion is an estimate of the carrying value of assets at material + physical risk divided by total carrying value as stated in the statement of + financial position or balance sheet). The estimate of assets at material physical + risk shall be derived starting from the assets recognised in the financial + statements. The estimate of monetary amounts and proportion of assets at physical + risk may be presented as either a single amount or range. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70 + ref_id: E1-9 AR 70.b + description: ' All types of assets including finance-lease / right-of-use assets + shall be considered when determining the assets at material physical risk.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70 + ref_id: E1-9 AR 70.c + description: 'To contextualise this information, the undertaking shall: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.c + ref_id: E1-9 AR 70.c.i + description: 'disclose the location of its significant assets at material physical + risk. Significant assets located ( 52 ) in the EU territory shall be aggregated + by NUTS codes 3 level digits (Nomenclature of Territorial Units for Statistics). + For significant assets located outside EU territory, the breakdown by NUTS + code will only be provided where applicable. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.c + ref_id: E1-9 AR 70.c.ii + description: 'disaggregate the monetary amounts of assets at risk by acute and + chronic physical risk ( 53 ). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-70 + ref_id: E1-9 AR 70.d + description: 'calculate the share of assets at material physical risk resulting + from paragraph 66 (a) that is addressed by the climate change adaptation actions + based on the information disclosed under Disclosure Requirement E1-3. This + aims at approximating net risks. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-71 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node409 + ref_id: E1-9 AR 71 + description: 'When preparing the information required under paragraph 64 (a) + and 66 (d), the undertaking may assess and disclose the share of net revenue + from business activities at physical risk. This disclosure ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-71.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-71 + ref_id: E1-9 AR 71.a + description: 'shall be based on the net revenue in line with the requirements + in accounting standards applied for financial statements, i.e., IFRS 15 or + local GAAP. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-71.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-71 + ref_id: E1-9 AR 71.b + description: "may include a breakdown of the undertaking\u2019s business activities\ + \ with the corresponding details of the associated percentage of total net\ + \ revenue, the risk factors (hazards, exposure and sensitivity) and, if possible,\ + \ the magnitude of the anticipated financial effects in terms of margin erosion\ + \ over the short-, medium- and long-term time horizons. The nature of business\ + \ activities may also be disaggregated by operating segments if the undertaking\ + \ has disclosed the contribution of margins by operational segments in its\ + \ segment reporting in the financial statements. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node423 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node406 + name: Calculation guidance - Anticipated financial effects from transition risks + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-72 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node423 + ref_id: E1-9 AR 72 + description: 'When disclosing the information required under paragraphs 64 (b) + and 67 (a), the undertaking shall explain whether and how: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-72.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-72 + ref_id: E1-9 AR 72.a + description: 'it has assessed the potential effects on future financial performance + and position for assets and business activities at material transition risk, + including the scope of application, calculation methodology, critical assumptions + and parameters, and limitations of the assessment; and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-72.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-72 + ref_id: E1-9 AR 72.b + description: "the assessment of assets and business activities considered to\ + \ be at material transition risk relies on or is part of the process to determine\ + \ material transition risks as described under paragraphs 20 (c) and AR 12\ + \ and to determine scenarios as required under paragraphs AR 12 to AR 15.\ + \ In particular, it shall explain how it has defined medium- and long-term\ + \ time horizons and how these definitions are linked to the expected lifetime\ + \ of the undertaking\u2019s assets, strategic planning horizons and capital\ + \ allocation plans. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node423 + ref_id: E1-9 AR 73 + description: 'When disclosing the information on assets at material transition + risk as required under paragraphs 67 (a) and (b): ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73 + ref_id: E1-9 AR 73.a + description: "the undertaking shall at the very least include an estimate of\ + \ the amount of potentially stranded assets (in monetary amounts and as a\ + \ proportion/percentage) from the reporting year until 2030 and from 2030\ + \ to 2050. Stranded assets are understood as the active or firmly planned\ + \ key assets of the undertaking with significant locked-in GHG emissions over\ + \ their operating lifetime. Firmly planned key assets are those that the undertaking\ + \ will most likely deploy within the next 5 years. The amount may be expressed\ + \ as a range of asset values based on different climate and policy scenarios,\ + \ including a scenario aligned with limiting climate change to 1.5\xB0C. " + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73 + ref_id: E1-9 AR 73.b + description: 'the undertaking shall disclose a breakdown of the carrying value + of its real estate assets, including rights-of-use assets, by energy efficiency + classes. The energy efficiency shall be represented in terms of either the + ranges of energy consumption in kWh/m 2 or the EPC ( 54 ) (Energy Performance + Certificate) ( 55 ) label class. If the undertaking cannot obtain this information + on a best-effort basis, it shall disclose the total carrying amount of the + real estate assets for which the energy consumption is based on internal estimates. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-73 + ref_id: E1-9 AR 73.c + description: 'the undertaking shall calculate the proportion (percentage) of + total assets (including finance lease/right-of-use assets) at material transition + risk addressed by the climate change mitigation actions based on the information + disclosed under Disclosure Requirement E1-3. The total assets amount is the + carrying amount on the balance sheet at the reporting date. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node423 + ref_id: E1-9 AR 74 + description: 'When disclosing the information on potential liabilities from + material transition risks required under paragraph 67(d): ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + ref_id: E1-9 AR 74.a + description: 'undertakings that operate installations regulated under an emission + trading scheme may include a range of potential future liabilities originating + from these schemes; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + ref_id: E1-9 AR 74.b + description: 'undertakings subject to the EU ETS, may disclose the potential + future liabilities that relate to their allocation plans for the period before + and until 2030. The potential liability may be estimated on the basis of: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b + ref_id: E1-9 AR 74.b.i + description: 'the number of allowances held by the undertaking at the beginning + of the reporting period; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b + ref_id: E1-9 AR 74.b.ii + description: 'the number of allowances to be purchased in the market yearly, + i.e., before and until 2030; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b + ref_id: E1-9 AR 74.b.iii + description: 'the gap between estimated future emissions under various transition + scenarios and free allocations of allowances that are known for the period + until 2030, and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.b + ref_id: E1-9 AR 74.b.iv + description: 'the estimated yearly cost per tonne of CO2 for which an allowance + needs to be purchased; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + ref_id: E1-9 AR 74.c + description: 'In assessing its potential future liabilities, the undertaking + may consider and disclose the number of Scope 1 GHG emission allowances within + regulated emission trading schemes and the cumulative number of emission allowances + stored (from previous allowances) at the beginning of the reporting period; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + ref_id: E1-9 AR 74.d + description: 'undertakings disclosing volumes of carbon credits planned to be + cancelled in the near future (Disclosure Requirement E1-7) may disclose the + potential future liabilities associated with those based on existing contractual + agreements; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74 + ref_id: E1-9 AR 74.e + description: 'the undertaking may also include its monetised gross Scope 1, + 2 and total GHG emissions (in monetary units) calculated as follows: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e + ref_id: E1-9 AR 74.e.i + description: 'monetised Scope 1 and 2 GHG emissions in the reporting year by + the following formula: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e + ref_id: E1-9 AR 74.e.ii + description: 'monetised total GHG emissions in the reporting year by the following + formula: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-74.e + ref_id: E1-9 AR 74.e.iii + description: 'by use of a lower, middle and upper cost rate ( 56 ) for GHG emissions + (e.g., market carbon price and different estimates for the societal costs + of carbon) and reasons for selecting them. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-75 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node423 + ref_id: E1-9 AR 75 + description: 'Other approaches and methodologies may be applied to assess how + transition risks may affect the future financial position of the undertaking. + In any case, the disclosure of anticipated financial effects shall include + a description of the methodologies and definitions used by the undertaking. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-76 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node423 + ref_id: E1-9 AR 76 + description: 'When preparing the information required under paragraph 67 (e), + the undertaking may assess and disclose the share of net revenue from business + activities at transition risks. This disclosure: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-76.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-76 + ref_id: E1-9 AR 76.a + description: 'shall be based on the net revenue in line with the requirements + in accounting standards applied for financial statements, i.e., IFRS 15 or + local GAAP. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e1-ar-76.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-76 + ref_id: ESRS E1-AR 76.b + description: "may include a breakdown of the undertaking\u2019s business activities\ + \ with the corresponding details of the associated percentage of current net\ + \ revenue, risk factors (events and exposure), and when possible, the anticipated\ + \ financial effects related to margin erosion over the short-, medium- and\ + \ long-term. The nature of business activities may also be disaggregated by\ + \ operating segments if the undertaking has disclosed the contribution of\ + \ margins by operational segments in its segment reporting in the financial\ + \ statements. " + - urn: urn:intuitem:risk:req_node:esrs_p2:node448 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node406 + name: Connectivity with financial reporting information + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-77 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node448 + ref_id: E1-9 AR 77 + description: 'The reconciliation of the significant amount of assets, liabilities, + and net revenue (vulnerable to either material physical risks or transition + risks) to the relevant line item or disclosure (e.g., in segment reporting) + in the financial statements (as required by paragraph 68) may be presented + by the undertaking as follows: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-77.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-77 + ref_id: E1-9 AR 77.a + description: 'as a cross-reference to the related line item or disclosure in + the financial statements if these amounts are identifiable in the financial + statements; or ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-77.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-77 + ref_id: E1-9 AR 77.b + description: 'If these cannot be directly cross-referenced, as a quantitative + reconciliation of each to the relevant line item or disclosure in the financial + statement using the below tabular format: ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-78 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node448 + ref_id: E1-9 AR 78 + description: 'The undertaking shall ensure the consistency of data and assumptions + to assess and report the anticipated financial effects from material physical + risks and transition risks in the sustainability statement with the corresponding + data and assumptions used for the financial statements (e.g., carbon prices + used for assessing impairment of assets, the useful life of assets, estimates + and provisions). The undertaking shall explain the reasons for any inconsistencies + (e.g., if the full financial implications of climate-related risks are still + under assessment or are not deemed material in the financial statements). ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-79 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node448 + ref_id: E1-9 AR 79 + description: 'For potential future effects on liabilities (as required by paragraph + 67 (d)), if applicable, the undertaking shall cross-reference the description + of the emission trading schemes in the financial statements. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node454 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar + name: 'Climate-related opportunities ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-80 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node454 + ref_id: E1-9 AR 80 + description: 'When disclosing the information under paragraph 69 (a), the undertaking + shall explain the nature of the cost savings (e.g., from reduced energy consumption), + the time horizons and the methodology used, including the scope of the assessment, + critical assumptions, and limitations, and whether and how scenario analysis + was applied. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e1-9-ar-81 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node454 + ref_id: E1-9 AR 81 + description: 'When disclosing the information required under paragraph 69 (b), + the undertaking shall explain how it has assessed the market size or any expected + changes to net revenue from low-carbon products and services or adaptation + solutions including the scope of the assessment, the time horizon, critical + assumptions, and limitations and to what extent this market is accessible + to the undertaking. The information on the market size may be put in perspective + to the current taxonomy-aligned revenue disclosed under the provisions of + Regulation (EU) 2020/852. The entity may also explain how it will pursue its + climate-related opportunities and, where possible, this should be linked to + the disclosures on policies, targets and actions under Disclosure Requirements + E1-2, E1-3 and E1- 4. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2 + assessable: false + depth: 1 + ref_id: ESRS E2 + name: POLLUTION + - urn: urn:intuitem:risk:req_node:esrs_p2:node458 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p2:node459 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: "1. The objective of this Standard is to specify Disclosure Requirements\ + \ which will enable users of the sustainability statement to understand: \n\ + (a) how the undertaking affects pollution of air, water and soil, in terms\ + \ of material positive and negative actual or potential impacts;\n(b) any\ + \ actions taken, and the result of such actions, to prevent or mitigate actual\ + \ or potential negative impacts, and to address risks and opportunities;\n\ + (c) the plans and capacity of the undertaking to adapt its strategy and business\ + \ model in line with the transition to a sustainable economy and with the\ + \ need to prevent, control and eliminate pollution. This is to create a toxic-free\ + \ environment with zero pollution also in support of the EU Action Plan \u2018\ + Towards a Zero Pollution for Air, Water and Soil\u2019;\n(d) the nature, type\ + \ and extent of the undertaking\u2019s material risks and opportunities related\ + \ to the undertaking\u2019s pollution-related impacts and dependencies, as\ + \ well as the prevention, control, elimination or reduction of pollution,\ + \ including where this results from the application of regulations, and how\ + \ the undertaking manages this; and\n(e) the financial effects on the undertaking\ + \ over the short-, medium-and long-term of material risks and opportunities\ + \ arising from the undertaking\u2019s pollution-related impacts and dependencies." + - urn: urn:intuitem:risk:req_node:esrs_p2:node460 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: '2. This Standard sets out Disclosure Requirements related to the + following sustainability matters: pollution of air, water, soil, substances + of concern, including substances of very high concern.' + - urn: urn:intuitem:risk:req_node:esrs_p2:node461 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: "3. \u2018Pollution of air\u2019 refers to the undertaking\u2019\ + s emissions into air (both indoor and outdoor), and prevention, control and\ + \ reduction of such emissions." + - urn: urn:intuitem:risk:req_node:esrs_p2:node462 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: "4. \u2018Pollution of water\u2019 refers to the undertaking\u2019\ + s emissions to water, and prevention, control and reduction of such emissions." + - urn: urn:intuitem:risk:req_node:esrs_p2:node463 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: "5. \u2018Pollution of soil\u2019 refers to the undertaking\u2019\ + s emissions into soil and the prevention, control and reduction of such emissions." + - urn: urn:intuitem:risk:req_node:esrs_p2:node464 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node458 + description: "6. With regard to \u2018substances of concern\u2019, this standard\ + \ covers the undertaking\u2019s production, use and/or distribution and commercialisation\ + \ of substances of concern, including substances of very high concern. Disclosure\ + \ Requirements on substances of concern aim at providing users with an understanding\ + \ of actual or potential impacts related to such substances, also taking account\ + \ of possible restrictions on their use and/or distribution and commercialisation." + - urn: urn:intuitem:risk:req_node:esrs_p2:node465 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p2:node466 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node465 + description: '7. The topic of pollution is closely connected to other environmental + sub-topics such as climate change, water and marine resources, biodiversity + and circular economy. Thus, to provide a comprehensive overview of what could + be material to pollution, relevant Disclosure Requirements are covered in + other environmental Standards as follows: + + (a) ESRS E1 Climate change which addresses the following seven greenhouse + gases connected to air pollution: carbon dioxide (CO2), methane (CH4), nitrous + oxide (N2O), hydrofluorocarbons (HFCs), perfluorocarbons (PFCs), sulphur hexafluoride + (SF6) and nitrogen trifluoride (NF3). + + (b) ESRS E3 Water and marine resources which addresses water consumption, + in particular in areas at water risk, water recycling and storage. This also + includes the responsible management of marine resources, including the nature + and quantity of marine resources-related commodities (such as gravels, deep-sea + minerals, seafood) used by the undertaking. This Standard covers the negative + impacts, in terms of pollution of water and marine resources, including microplastics, + generated by such activities. + + (c) ESRS E4 Biodiversity and ecosystems which addresses ecosystems and species. + Pollution as a direct impact driver of biodiversity loss is addressed by this + Standard. + + (d) ESRS E5 Resource use and circular economy which addresses, in particular, + the transition away from extraction of non-renewable resources and the implementation + of practices that prevent waste generation, including pollution generated + by waste.' + - urn: urn:intuitem:risk:req_node:esrs_p2:node467 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node465 + description: "8. The undertaking\u2019s pollution-related impacts may affect\ + \ people and communities. Material negative impacts on affected communities\ + \ from pollution-related impacts attributable to the undertaking are covered\ + \ in ESRS S3 Affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node468 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node465 + description: 9. This Standard should be read in conjunction with ESRS 1 General + requirements and ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p2:node469 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node470 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node469 + name: ESRS 2 General disclosures + description: 10. The requirements of this section should be read in conjunction + with and reported alongside the disclosures required by ESRS 2 chapter 4 Impact, + risk and opportunity management. + - urn: urn:intuitem:risk:req_node:esrs_p2:node471 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node470 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node472 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node471 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material pollution-related + impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node472 + ref_id: E2.IRO-1-11 + description: 'The undertaking shall describe the process to identify material + impacts, risks and opportunities and shall provide information on:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1-11.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1-11 + ref_id: E2.IRO-1-11.a + description: whether the undertaking has screened its site locations and business + activities in order to identify its actual and potential pollution- related + impacts, risks and opportunities in its own operations and upstream and downstream + value chain, and if so, the methodologies, assumptions and tools used in the + screening; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1-11.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1-11 + ref_id: E2.IRO-1-11.b + description: whether and how the undertaking has conducted consultations, in + particular with affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node471 + ref_id: E2-1 + name: Disclosure Requirement E2-1 + description: Policies related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1 + ref_id: E2-1-12 + description: The undertaking shall describe its policies adopted to manage its + material impacts, risks and opportunities related to pollution prevention + and control. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1 + ref_id: E2-1-13 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of material pollution-related impacts, + risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1 + ref_id: E2-1-14 + description: The disclosure required by paragraph 12 shall contain the information + on the policies the undertaking has in place to manage its material impacts, + risks and opportunities related to pollution in accordance with ESRS 2 MDR-P + Policies adopted to manage material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1 + ref_id: E2-1-15 + description: 'The undertaking shall indicate, with regard to its own operations + and its upstream and donwstream value chain, whether and how its policies + address the following areas where material:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15 + ref_id: E2-1-15.a + description: (a) mitigating negative impacts related to pollution of air, water + and soil including prevention and control; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15 + ref_id: E2-1-15.b + description: (b) substituting and minimising the use of substances of concern, + and phasing out substances of very high concern, in particular for non- essential + societal use and in consumer products; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-15 + ref_id: E2-1-15.c + description: (c) avoiding incidents and emergency situations, and if and when + they occur, controlling and limiting their impact on people and the environment. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node471 + ref_id: E2-2 + name: Disclosure Requirement E2-2 + description: Actions and resources related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2 + ref_id: E2-2-16 + description: The undertaking shall disclose its pollution-related actions and + the resources allocated to their implementation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2 + ref_id: E2-2-17 + description: The objective of this Disclosure Requirement is to enable an understanding + of the key actions taken and planned to achieve the pollution- related policy + objectives and targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2 + ref_id: E2-2-18 + description: The description of the pollution-related action plans and resources + shall contain the information prescribed in ESRS 2 MDR-A Actions and resources + in relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2 + ref_id: E2-2-19 + description: 'In addition to ESRS 2 MDR-A, the undertaking may specify to which + layer in the following mitigation hierarchy an action and resources can be + allocated:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19 + ref_id: E2-2-19.a + description: avoid pollution including any phase out of materials or compounds + that have a negative impact (prevention of pollution at source); + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19 + ref_id: E2-2-19.b + description: 'reduce pollution, including: any phase-out of materials or compounds; + meeting enforcement requirements such as Best Available Techniques (BAT) requirements; + or meeting the Do No Significant Harm criteria for pollution prevention and + control according to the EU Taxonomy Regulation and its Delegated Acts (minimisation + of pollution); and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-19 + ref_id: E2-2-19.c + description: restore, regenerate and transform ecosystems where pollution has + occurred (control of the impacts both from regular activities and incidents). + - urn: urn:intuitem:risk:req_node:esrs_p2:node492 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node470 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node492 + ref_id: E2-3 + name: Disclosure Requirement E2-3 + description: Targets related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-20 + description: The undertaking shall disclose the pollution-related targets it + has set. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-21 + description: The objective of this Disclosure Requirement is to enable an understanding + of the targets the undertaking has set to support its pollution- related policies + and to address its material pollution-related impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-22 + description: The description of targets shall contain the information requirements + defined in ESRS 2 MDR-T Tracking effectiveness of policies and actions through + targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-23 + description: 'The disclosure required by paragraph 20 shall indicate whether + and how its targets relate to the prevention and control of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23 + ref_id: E2-3-23.a + description: air pollutants and respective specific loads; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23 + ref_id: E2-3-23.b + description: emissions to water and respective specific loads; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23 + ref_id: E2-3-23.c + description: pollution to soil and respective specific loads; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-23 + ref_id: E2-3-23.d + description: substances of concern and substances of very high concern. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-24 + description: 'In addition to ESRS 2 MDR-T, the undertaking may specify whether + ecological thresholds (e.g., the biosphere integrity, stratospheric ozone- + depletion, atmospheric aerosol loading, soil depletion, ocean acidification) + and entity-specific allocations were taken into consideration when setting + targets. If so, the undertaking may specify:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24 + ref_id: E2-3-24.a + description: the ecological thresholds identified, and the methodology used + to identify such thresholds; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24 + ref_id: E2-3-24.b + description: whether or not the thresholds are entity-specific and if so, how + they were determined; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-24 + ref_id: E2-3-24.c + description: how responsibility for respecting identified ecological thresholds + is allocated in the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3 + ref_id: E2-3-25 + description: The undertaking shall specify as part of the contextual information, + whether the targets that it has set and presented are mandatory (required + by legislation) or voluntary. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node492 + ref_id: E2-4 + name: Disclosure Requirement E2-4 + description: Targets related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-26 + description: The undertaking shall disclose the pollutants that it emits through + its own operations, as well as the microplastics it generates or uses. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-27 + description: The objective of this Disclosure Requirement is to provide an understanding + of the emissions that the undertaking generates to air, water and soil in + its own operations, and of its generation and use of microplastics. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-28 + description: 'The undertaking shall disclose the amounts of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-28.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-28 + ref_id: E2-4-28.a + description: "each pollutant listed in Annex II of Regulation (EC) No 166/2006\ + \ of the European Parliament and of the Council ( 57 ) (European Pollutant\ + \ Release and Transfer Register \u2018E-PRTR Regulation\u2019) emitted to\ + \ air, water and soil, with the exception of emissions of GHGs which are disclosed\ + \ in accordance with ESRS E1 Climate Change ( 58 );" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-28.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-28 + ref_id: E2-4-28.b + description: microplastics generated or used by the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-29 + description: The amounts referred in paragraph 28 shall be consolidated amounts + including the emissions from those facilities over which the undertaking has + financial control and those over which it has operational control. The consolidation + shall include only the emissions from facilities for which the applicable + threshold value specified in Annex II of Regulation (EC) No 166/2006 is exceeded. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-30 + description: 'The undertaking shall put its disclosure into context and describe:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30 + ref_id: E2-4-30.a + description: the changes over time, + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30 + ref_id: E2-4-30.b + description: the measurement methodologies; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-30 + ref_id: E2-4-30.c + description: the process(es) to collect data for pollution-related accounting + and reporting, including the type of data needed and the information sources. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4 + ref_id: E2-4-31 + description: When an inferior methodology compared to direct measurement of + emissions is chosen to quantify emissions, the reasons for choosing this inferior + methodology shall be outlined by the undertaking. If the undertaking uses + estimates, it shall disclose the standard, sectoral study or sources which + form the basis of its estimates, as well as the possible degree of uncertainty + and the range of estimates reflecting the measurement uncertainty. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node492 + ref_id: E2-5 + name: Disclosure Requirement E2-5 + description: Substances of concern and substances of very high concern + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5 + ref_id: E2-5-32 + description: The undertaking shall disclose information on the production, use, + distribution, commercialisation and import/export of substances of concern + and substances of very high concern, on their own, in mixtures or in articles. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5 + ref_id: E2-5-33 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the impact of the undertaking on health and the environment through substances\ + \ of concern and through substances of very high concern on their own. It\ + \ is also to enable an understanding of the undertaking\u2019s material risks\ + \ and opportunities, including exposure to those substances and risks arising\ + \ from changes in regulations." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5 + ref_id: E2-5-34 + description: The disclosure required by paragraph 32 shall include the total + amounts of substances of concern that are generated or used during the production + or that are procured, and the total amounts of substances of concern that + leave its facilities as emissions, as products, or as part of products or + services split into main hazard classes of substances of concern. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5 + ref_id: E2-5-35 + description: The undertaking shall present separately the information for substances + of very high concern. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node492 + ref_id: E2-6 + name: Disclosure Requirement E2-6 + description: Anticipated financial effects from material pollution-related risks + and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-36 + description: The undertaking shall disclose the anticipated financial effects + of material pollution-related risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-37 + description: "The information required by paragraph 36 is in addition to the\ + \ information on current financial effects on the undertaking\u2019s, financial\ + \ position, financial performance and cash flows for the reporting period\ + \ required under ESRS 2 SBM-3 para 48 (d)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-38 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-38 + ref_id: E2-6-38.a + description: "anticipated financial effects due to material risks arising from\ + \ pollution-related impacts and dependencies and how those risks have (or\ + \ could reasonably be expected to have) a material influence on the undertaking\u2019\ + s financial position, financial performance, and cash flows, over the short,\ + \ medium and long term." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-38 + ref_id: E2-6-38.b + description: anticipated financial effects due to material opportunities related + to pollution prevention and control. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-39 + description: 'The disclosure shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39 + ref_id: E2-6-39.a + description: ' a quantification of the anticipated financial effects in monetary + terms before considering pollution-related actions, or where not possible + without undue cost or effort, qualitative information. For financial effects + arising from opportunities, a quantification is not required if it would result + in disclosure that does not meet the qualitative characteristics of information + (see ESRS 1 Appendix B Qualitative characteristics of information);' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39 + ref_id: E2-6-39.b + description: a description of the effects considered, the related impacts and + the time horizons in which they are likely to materialise; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-39 + ref_id: E2-6-39.c + description: the critical assumptions used to quantify the anticipated financial + effects, as well as the sources and level of uncertainty of those assumptions. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-40 + description: 'The information provided under paragraph 39(a) shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40 + ref_id: E2-6-40.a + description: the share of net revenue made with products and services that are + or that contain substances of concern, and the share of net revenue made with + products and services that are or that contain substances of very high concern; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40 + ref_id: E2-6-40.b + description: the operating and capital expenditures incurred in the reporting + period in conjunction with major incidents and deposits; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-40 + ref_id: E2-6-40.c + description: the provisions for environmental protection and remediation costs, + e.g., for rehabilitating contaminated sites, recultivating landfills, removal + of environmental contamination at existing production or storage sites and + similar measures. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6 + ref_id: E2-6-41 + description: "The undertaking shall disclose any relevant contextual information\ + \ including a description of material incidents and deposits whereby pollution\ + \ had negative impacts on the environment and/or is expected to have negative\ + \ effects on the undertaking\u2019s financial cash flows, financial position\ + \ and financial performance with short-, medium- and long-term time horizons." + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2-appendix-a + assessable: false + depth: 1 + ref_id: ESRS E2-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node540 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e2-appendix-a + name: ESRS 2 GENERAL DISCLOSURES + - urn: urn:intuitem:risk:req_node:esrs_p2:node541 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node540 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node542 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node541 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material pollution-related + impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-1 + description: 'When conducting a materiality assessment on environmental subtopics, + the undertaking shall assess the materiality of pollution in its own operations + and its upstream and downstream value chain, and may consider the four phases + below, also known as the LEAP approach:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1 + ref_id: E2.IRO-1.AR-1.a + description: 'Phase 1: locate where in its own operations and its upstream and + downstream value chain the interface with nature takes place;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1 + ref_id: E2.IRO-1.AR-1.b + description: 'Phase 2: evaluate the pollution-related dependencies and impacts;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1 + ref_id: E2.IRO-1.AR-1.c + description: 'Phase 3: assess the material risks and opportunities; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-1 + ref_id: E2.IRO-1.AR-1.d + description: 'Phase 4: prepare and report the results of the materiality assessment.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-2 + description: The materiality assessment for ESRS E2 corresponds to the first + three phases of this LEAP approach. The fourth phase addresses the outcome + of the process. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-3 + description: "The process to assess the materiality of impacts, dependencies,\ + \ risks and opportunities shall consider the provisions in ESRS 2 IRO-1 Description\ + \ of the processes to identify and assess material impacts, risks and opportunities,\ + \ and IRO-2 Disclosure Requirements in ESRS covered by the undertaking\u2019\ + s sustainability statement." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-4 + description: 'The sub-topics covered by the materiality assessment under ESRS + E2 include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-4 + ref_id: E2.IRO-1.AR-4.a + description: pollution of air, water and soil (excluding GHG emissions and waste), + microplastics, and substances of concern; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-4 + ref_id: E2.IRO-1.AR-4.b + description: dependencies on ecosystem services that help to mitigate pollution- + related impacts. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-5 + description: 'In Phase 1, to locate where in its own operations and its upstream + and downstream value chain the interface with nature takes place, the undertaking + may consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5 + ref_id: E2.IRO-1.AR-5.a + description: the site locations of direct assets and operations and related + upstream and downstream activities across the value chain; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5 + ref_id: E2.IRO-1.AR-5.b + description: the site locations where emissions of water, soil and air pollutants + occur; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-5 + ref_id: E2.IRO-1.AR-5.c + description: the sectors or business units related to those emissions or to + the production, use, distribution, commercialisation and import/export of + microplastics, substances of concern, and substances of very high concern, + on their own, in mixtures or in articles. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-6 + description: "Phase 2 relates to the evaluation of the undertaking\u2019s impacts\ + \ and dependencies for each material site or sector/business unit including\ + \ by assessing the severity and likelihood of impacts on the environment and\ + \ human health." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-7 + description: 'n Phase 3, to assess its material risks and opportunities based + on the results of Phases 1 and 2, the undertaking may :' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7 + ref_id: E2.IRO-1.AR-7.a + description: 'identify transition risks and opportunities in its own operations + and its upstream and downstream value chain by the categories of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a + ref_id: E2.IRO-1.AR-7.a.i + description: 'policy and legal: e.g., introduction of regulation, exposure to + sanctions and litigation (e.g., negligence towards ecosystems), enhanced reporting + obligations;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a + ref_id: E2.IRO-1.AR-7.a.ii + description: 'technology: e.g., substitution of products or services by products + or services with a lower impact, transition away from substances of concern;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a + ref_id: E2.IRO-1.AR-7.a.iii + description: 'market: e.g., shifting supply, demand and financing, volatility + or increased costs of some substances; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.a + ref_id: E2.IRO-1.AR-7.a.iv + description: "reputation: e.g., changing societal, customer or community perceptions\ + \ as a result of an organisation\u2019s role in pollution prevention and control;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7 + ref_id: E2.IRO-1.AR-7.b + description: identify physical risks, e.g., sudden interruption of access to + clean water, acid rain, or other pollution incidents that are likely to lead + to or that have led to pollution with subsequent effects on the environment + and society; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7 + ref_id: E2.IRO-1.AR-7.c + description: 'identify opportunities related to pollution prevention and control + categorised by:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + ref_id: E2.IRO-1.AR-7.c.i + description: 'resource efficiency: decrease quantities of substances used or + improve efficiency of production process to minimise impacts;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + ref_id: E2.IRO-1.AR-7.c.ii + description: 'markets: e.g., diversification of business activities;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + ref_id: E2.IRO-1.AR-7.c.iii + description: 'financing: e.g., access to green funds, bonds or loans;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + ref_id: E2.IRO-1.AR-7.c.iv + description: 'resilience: e.g., diversification of substances used and control + of emissions through innovation or technology; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-7.c + ref_id: E2.IRO-1.AR-7.c.v + description: 'reputation: positive stakeholder relations as a result of a proactive + stance on managing risks.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-8 + description: In order to assess materiality, the undertaking may consider Commission + Recommendation (EU) 2021/2279 on the use of the Environmental Footprint methods + to measure and communicate the life cycle environmental performance of products + and organisations. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node542 + ref_id: E2.IRO-1.AR-9 + description: 'When providing information on the outcome of its materiality assessment, + the undertaking shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-9.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-9 + ref_id: E2.IRO-1.AR-9.a + description: "a list of site locations where pollution is a material issue for\ + \ the undertaking\u2019s own operations and its upstream and downstream value\ + \ chain; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-9.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2.iro-1.ar-9 + ref_id: E2.IRO-1.AR-9.b + description: a list of business activities associated with pollution material + impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node541 + ref_id: E2-1 AR + name: Disclosure Requirement E2-1 + description: Policies related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar + ref_id: E2-1 AR 10 + description: The policies described under this Disclosure Requirement may be + integrated in broader environmental or sustainability policies covering different + subtopics. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar + ref_id: E2-1 AR 11 + description: The description of the policies shall include information on the + pollutant(s) or substance(s) covered. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar + ref_id: E2-1 AR 12 + description: "When disclosing information under paragraph 12, the undertaking\ + \ may include contextual information on the relations between its policies\ + \ implemented and how they may contribute to the EU Action Plan \u2018Towards\ + \ a Zero Pollution for Air, Water and Soil\u2019 with for instance elements\ + \ on: " + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-12.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-12 + ref_id: E2-1 AR 12.a + description: how it is or may be affected by the targets and measures of the + EU Action Plan and the revision of existing directives (e.g., the Industrial + Emissions Directive); + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-12.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-1-ar-12 + ref_id: E2-1 AR 12.b + description: how it intends to reduce its pollution footprint to contribute + to these targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node541 + ref_id: E2-2 AR + name: Disclosure Requirement E2-2 + description: Actions and resources related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar + ref_id: E2-2 AR 13 + description: Where actions extend to upstream or downstream value chain engagements, + the undertaking shall provide information on the types of actions reflecting + these engagements. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar + ref_id: E2-2 AR 14 + description: When considering resources, examples of operational expenditures + could be investments in research and development to innovate and develop safe + and sustainable alternatives to the use of substances of concern or to decrease + emissions in a production process. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-2-ar + ref_id: E2-2 AR 15 + description: Where relevant to achieve its pollution-related policy objectives + and targets, the undertaking may provide information on site-level action + plans. + - urn: urn:intuitem:risk:req_node:esrs_p2:node585 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node540 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node585 + ref_id: E2-3 AR + name: Disclosure Requirement E2-3 + description: Targets related to pollution + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar + ref_id: E2-3 AR 16 + description: If the undertaking refers to ecological thresholds when setting + targets, it may refer to the guidance provided by the Science-Based Targets + Initiative for Nature (SBTN) in its interim guidance (Initial Guidance for + Business, September 2020), or any other guidance with a scientifically acknowledged + methodology that allows setting of science- based targets by identifying ecological + thresholds and, if applicable, entity-specific allocations. Ecological thresholds + can be local, national and/or global. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar + ref_id: E2-3 AR 17 + description: The undertaking may specify whether the target addresses shortcomings + related to the Substantial Contribution criteria for Pollution Prevention + and Control as defined in delegated acts adopted pursuant to Article 14 (2) + of Regulation (EU) 2020/852. Where the Do No Significant Harm (DNSH) criteria + for Pollution Prevention and Control as defined in delegated acts adopted + pursuant to Article 10(3), Article 11(3), Article 12(2), Article 13(2), and + Article 15(2) of Regulation (EU) 2020/852 are not met, the undertaking may + specify whether the target addresses shortcomings related those DNSH critera. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar + ref_id: E2-3 AR 18 + description: Where relevant to support the policies it has adopted, the undertaking + may provide information on the targets set at site level. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-3-ar + ref_id: E2-3 AR 19 + description: "The targets may cover the undertaking\u2019s own operations and/or\ + \ the value chain." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node585 + ref_id: E2-4 AR + name: 'Disclosure Requirement E2-4 ' + description: Pollution of air, water and soil + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 20 + description: "The information to be provided on microplastics under paragraph\ + \ 28(b) shall include microplastics that have been generated or used during\ + \ production processes or that are procured, and that leave the undertaking\u2019\ + s facilities as emissions, as products, or as part of products or services.\ + \ Microplastics may be unintentionally produced when larger pieces of plastics\ + \ like car tires or synthetic textiles wear and tear or may be deliberately\ + \ manufactured and added to products for specific purposes (e.g., exfoliating\ + \ beads in facial or body scrubs)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 21 + description: The volume of pollutants shall be presented in appropriate mass + units, for example tonnes or kilogrammes. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 22 + description: The information required under this Disclosure Requirement shall + be provided at the level of the reporting undertaking. However, the undertaking + may disclose additional breakdown including information at site level or a + breakdown of its emissions by type of source, by sector or by geographical + area. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 23 + description: 'When providing contextual information on the emissions, the undertaking + may consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23 + ref_id: E2-4 AR 23.a + description: " the local air quality indices (AQI) for the area where the undertaking\u2019\ + s air pollution occurs;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23 + ref_id: E2-4 AR 23.b + description: the degree of urbanisation (DEGURBA) ( 59 ) for the area where + air pollution occurs; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-23 + ref_id: E2-4 AR 23.c + description: "the undertaking\u2019s percentage of the total emissions of pollutants\ + \ to water and soil occurring in areas at water risk, including areas of high-water\ + \ stress." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 24 + description: The information provided under this Disclosure Requirement may + refer to information the undertaking is already required to report under other + existing legislation (i.e., IED, E- PRTR, etc.). + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + ref_id: E2-4 AR 25 + description: "Where the undertaking\u2019s activities are subject to Directive\ + \ 2010/75/EU of the European Parliament and of the Council on industrial emissions\ + \ (IED) ( 60 ) and relevant Best Available Techniques Reference Documents\ + \ (BREFs), irrespective of whether the activity takes place within the European\ + \ Union or not, the undertaking may disclose the following additional information:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + ref_id: E2-4 AR 25.a + description: a list of installations operated by the undertaking that fall under + the IED and EU- BAT Conclusions; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + ref_id: E2-4 AR 25.b + description: a list of any non-compliance incidents or enforcement actions necessary + to ensure compliance in case of breaches of permit conditions; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + ref_id: E2-4 AR 25.c + description: " the actual performance, as specified in the EU-BAT conclusions\ + \ for industrial installations, and comparison of the undertaking\u2019s environmental\ + \ performance against \u2018emission levels associated with the best available\ + \ techniques\u2019 the (BAT-AEL) as described in EU-BAT conclusions;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + ref_id: E2-4 AR 25.d + description: "the actual performance of the undertaking against \u2018environmental\ + \ performance levels associated with the best available techniques\u2019 (BAT-AEPLs)\ + \ provided that they are applicable to the sector and installation; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-25 + ref_id: E2-4 AR 25.e + description: a list of any compliance schedules or derogations granted by competent + authorities according to Art. 15(4) Directive 2010/75/EU that are associated + with the implementation of BAT-AELs. + - urn: urn:intuitem:risk:req_node:esrs_p2:node606 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar + name: Methodologies + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node606 + ref_id: E2-4 AR 26 + description: 'When providing information on pollutants, the undertaking shall + consider approaches for quantification in the following order of priority:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + ref_id: E2-4 AR 26.a + description: direct measurement of emissions, effluents or other pollution through + the use of recognised continuous monitoring systems (e. g., AMS Automated + Measuring Systems); + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + ref_id: E2-4 AR 26.b + description: periodic measurements; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + ref_id: E2-4 AR 26.c + description: calculation based on site-specific data; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + ref_id: E2-4 AR 26.d + description: calculation based on published pollution factors; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-26 + ref_id: E2-4 AR 26.e + description: estimation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node606 + ref_id: E2-4 AR 27 + description: 'Regarding the disclosure of methodologies required by paragraph + 30, the undertaking shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-27.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-27 + ref_id: E2-4 AR 27.a + description: whether its monitoring is carried out in accordance with EU BREF + Standards or another relevant reference benchmark; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-27.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-4-ar-27 + ref_id: E2-4 AR 27.b + description: whether and how the calibration tests of the AMS were undertaken + and the verification of periodic measurement by independent labs were ensured. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node585 + ref_id: E2-5 AR + name: Disclosure Requirement E2-5 + description: Substances of concern and substances of very high concern + - urn: urn:intuitem:risk:req_node:esrs_p2:node617 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar + name: List of substances to be considered + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node617 + ref_id: E2-5 AR 28 + description: " In order for the information to be complete, substances in the\ + \ undertaking\u2019s own operations and those procured shall be included (e.g.,\ + \ embedded in ingredients, semi- finished products, or the final product)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node617 + ref_id: E2-5 AR 29 + description: The volume of pollutants shall be presented in mass units, for + example tonnes or kilogrammes or other mass units appropriate for the volumes + and type of pollutants being released. + - urn: urn:intuitem:risk:req_node:esrs_p2:node620 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar + name: Contextual information + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-5-ar-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node620 + ref_id: E2-5 AR 30 + description: "The information provided under this Disclosure Requirement may\ + \ refer to information the undertaking is already required to report under\ + \ other existing legislation (i.e., Directive 2010/75/EU, Regulation (EC)\ + \ No 166/2006 \u2018E-PRTR\u2019, etc.)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node585 + ref_id: E2-6 AR + name: Disclosure Requirement E2-6 + description: Anticipated financial effects from material pollution-related risks + and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar + ref_id: E2-6 AR 31 + description: 'The operating and capital expenditures related to incidents and + deposits may include for instance:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-31.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-31 + ref_id: E2-6 AR 31.a + description: cost for eliminating and remediating the respective pollution of + air, water and soil including environmental protection; + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-31.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-31 + ref_id: E2-6 AR 31.b + description: damage compensation costs including payment of fines and penalties + imposed by regulators or government authorities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar + ref_id: E2-6 AR 32 + description: Incidents may include for instance interruptions of production, + whether arising from the supply chain and/or from own operations, which resulted + in pollution. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar + ref_id: E2-6 AR 33 + description: The undertaking may include an assessment of its related products + and services at risk over the short-, medium- and long-term, explaining how + these are defined, how financial amounts are estimated, and which critical + assumptions are made. + - urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e2-6-ar + ref_id: E2-6 AR 34 + description: The quantification of the anticipated financial effects in monetary + terms under paragraph 38(a) may be a single amount or a range. + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3 + assessable: false + depth: 1 + ref_id: ESRS E3 + name: WATER AND MARINE RESOURCES + - urn: urn:intuitem:risk:req_node:esrs_p2:node630 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p2:node631 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node630 + description: "1. The objective of this Standard is to specify Disclosure Requirements\ + \ which will enable users of the sustainability statement to understand:\n\ + (a) how the undertaking affects water and marine resources, in terms of material\ + \ positive and negative actual or potential impacts;\n(b) any actions taken,\ + \ and the result of such actions to prevent or mitigate material actual or\ + \ potential negative impacts, to protect water and marine resources, also\ + \ with reference to reduction of water consumption, and to address risks and\ + \ opportunities;\n(c) whether, how and to what extent the undertaking contributes\ + \ to the European Green Deal\u2019s ambitions for fresh air, clean water,\ + \ healthy soil and biodiversity, as well as to the sustainability of the blue\ + \ economy and fisheries sectors, taking account of the following: Directive\ + \ 2000/60/EC of the European Parliament and of the Council ( 61 ) (EU Water\ + \ Framework Directive), Directive 2008/56/EC of the European Parliament and\ + \ of the Council ( 62 ) (EU Marine Strategy Framework Directive), Directive\ + \ 2014/89/EU of the European Parliament and of the Council ( 63 ) (EU Maritime\ + \ Spatial Planning Directive), the Sustainable Development Goals (in particular\ + \ SDG 6 Clean water and sanitation and 14 Life below water), and respect of\ + \ global environmental limits (e.g. biosphere integrity, ocean acidification,\ + \ freshwater use, and biogeochemical flows planetary boundaries);\n(d) the\ + \ plans and capacity of the undertaking to adapt its strategy and business\ + \ model in line with the promotion of sustainable water use based on long-term\ + \ protection of available water resources; protection of aquatic ecosystems\ + \ and restoration of freshwater and marine habitats;\n(e) the nature, type\ + \ and extent of the undertaking\u2019s material risks and opportunities arising\ + \ from the undertaking\u2019s impacts and dependencies on water and marine\ + \ resources, and how the undertaking manages them; and\n(f) the financial\ + \ effects on the undertaking over the short-, medium- and long term of material\ + \ risks and opportunities arising from the undertaking\u2019s impacts and\ + \ dependencies on water and marine resources." + - urn: urn:intuitem:risk:req_node:esrs_p2:node632 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node630 + description: "2. This Standard sets out Disclosure Requirements related to water\ + \ and marine resources. With regard to \u2018water\u2019, this standard covers\ + \ surface water and groundwater. It includes disclosure requirements on water\ + \ consumption in the undertaking\u2019s activities, products and services,\ + \ as well as related information on water withdrawals and water discharges." + - urn: urn:intuitem:risk:req_node:esrs_p2:node633 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node630 + description: "3. With regard to \u2018marine resources\u2019, this standard\ + \ covers the extraction and use of such resources, and associated economic\ + \ activities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node634 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p2:node635 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node634 + description: "4. The topic of water and marine resources is closely connected\ + \ to other environmental sub- topics such as climate change, pollution, biodiversity\ + \ and circular economy. Thus, to provide a comprehensive overview of what\ + \ could be material to water and marine resources, relevant Disclosure Requirements\ + \ are covered in other environmental ESRS as follows:\n(a) ESRS E1 Climate\ + \ change, which addresses, in particular, acute and chronic physical risks\ + \ which arise from water and ocean-related hazards caused or exacerbated by\ + \ climate change, including increasing water temperature, changing precipitation\ + \ patterns and types (rain, hail, snow/ice), precipitation or hydrological\ + \ variability, ocean acidification, saline intrusion, sea level rise, drought,\ + \ high water stress, heavy precipitation, flood and glacial lake outbursts;\n\ + (b) ESRS E2 Pollution, which addresses, in particular, the emissions to water,\ + \ which includes emissions to oceans, and the use and generation of microplastics;\ + \ \n(c) ESRS E4 Biodiversity and ecosystems, which addresses, in particular,\ + \ the conservation and sustainable use of and impact on freshwater aquatic\ + \ ecosystems as well as the oceans and seas; and\n(d) ESRS E5 Resource use\ + \ and circular economy which addresses in particular waste management including\ + \ plastic, and the transition towards the extraction of non-renewable resources\ + \ of wastewater; reduced use of plastic; and the recycling of wastewater." + - urn: urn:intuitem:risk:req_node:esrs_p2:node636 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node634 + description: "5. The undertaking\u2019s impacts on water and marine resources\ + \ affect people and communities. Material negative impacts on affected communities\ + \ from water and marine resources-related impacts attributable to the undertaking\ + \ are covered in ESRS S3 Affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node637 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node634 + description: 6. This Standard should be read in conjunction with ESRS 1 General + requirements and ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p2:node638 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3 + name: Disclosure requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node639 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node638 + name: ESRS 2 General disclosures + description: 7. The requirements of this section should be read in conjunction + with and reported alongside the disclosures required by ESRS 2 chapter 4 Impact, + risk and opportunity management. + - urn: urn:intuitem:risk:req_node:esrs_p2:node640 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node639 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node641 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node640 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material water + and marine resources-related impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1-8 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node641 + ref_id: E3.IRO-1-8 + description: 'The undertaking shall describe the process to identify material + impacts, risks and opportunities and shall provide information on: (a) whether + and how the undertaking it has screened its assets and activities in order + to identify its actual and potential water and marine resources-related impacts, + risks and opportunities in its own operations and its upstream and downstream + value chain, and if so the methodologies, assumptions and tools used in the + screening; (b) whether and how it has conducted consultations, in particular, + with affected communities ( 64 ).' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node640 + ref_id: E3-1 + name: Disclosure Requirement E3-1 + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-9 + description: The undertaking shall describe its policies adopted to manage its + material impacts, risks and opportunities related to water and marine resources + ( 65 ). + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-10 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of its material water and marine + resources-related impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-11 + description: The disclosure required by paragraph 9 shall contain the information + on the policies the undertaking has in place to manage its material impacts, + risks and opportunities related to water and marine resources in accordance + with ESRS 2 MDR-P Policies adopted to manage material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-12 + description: 'The undertaking shall indicate whether and how its policies address + the following matters where material:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12 + ref_id: E3-1-12.a + description: 'water management including:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a + ref_id: E3-1-12.a.i + description: the use and sourcing of water and marine resources in its own operations; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a + ref_id: E3-1-12.a.ii + description: water treatment as a step towards more sustainable sourcing of + water; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.a + ref_id: E3-1-12.a.iii + description: ' the prevention and abatement of water pollution resulting from + its activities.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12 + ref_id: E3-1-12.b + description: ' product and service design in view of addressing water-related + issues and the preservation of marine resources; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-12 + ref_id: E3-1-12.c + description: commitment to reduce material water consumption in areas at water + risk in its own operations and along the upstream and downstream value chain. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-13 + description: If at least one of the sites of the undertaking is located in an + area of high-water stress and it is not covered by a policy, the undertaking + shall state this to be the case and provide reasons for not having adopted + such a policy. The undertaking may disclose a timeframe in which it aims to + adopt such a policy. ( 66 ) + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1 + ref_id: E3-1-14 + description: The undertaking shall specify whether it has adopted policies or + practices related to sustainable oceans and seas ( 67 ). + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node640 + ref_id: E3-2 + name: Disclosure Requirement E3-2 + description: Actions and resources related to water and marine resources + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + ref_id: E3-2-15 + description: The undertaking shall disclose its water and marine resources- + related actions and the resources allocated to their implementation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + ref_id: E3-2-16 + description: The objective of this Disclosure Requirement is to enable an understanding + of the key actions taken and planned to achieve the water and marine resources-related + policy objectives and targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + ref_id: E3-2-17 + description: The description of the actions and resources shall follow the principles + defined in ESRS 2 MDR-A Actions and resources in relation to material sustainability + matters. In addition to ESRS 2 MDR-A, the undertaking may specify to which + layer in the mitigation hierarchy an action and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + ref_id: E3-2-18 + description: 'Resources can be allocated to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18 + ref_id: E3-2-18.a + description: avoid the use of water and marine resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18 + ref_id: E3-2-18.b + description: reduce the use of water and marine resources such as through efficiency + measures; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18 + ref_id: E3-2-18.c + description: reclaiming and reuse of water; or + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-18 + ref_id: E3-2-18.d + description: restoration and regeneration of aquatic ecosystem and water bodies. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2 + ref_id: E3-2-19 + description: The undertaking shall specify actions and resources in relation + to areas at water risk, including areas of high-water stress + - urn: urn:intuitem:risk:req_node:esrs_p2:node666 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node639 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node666 + ref_id: E3-3 + name: Disclosure Requirement E3-3 + description: Targets related to water and marine resources + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-20 + description: The undertaking shall disclose the water and marine resources-related + targets it has set. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-21 + description: The objective of this Disclosure Requirement is to enable an understanding + of the targets the undertaking has adopted to support its water and marine + resources-related policies and address its material water and marine resources-related + impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-22 + description: The description of the targets shall contain the information requirements + defined in ESRS 2 MDR-T Tracking effectiveness of policies and actions through + targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-23 + description: 'The disclosure required by paragraph 20 shall indicate whether + and how its targets relate to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23 + ref_id: E3-3-23.a + description: the management of material impacts, risks and opportunities related + to areas at water risk, including improvement of the water quality; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23 + ref_id: E3-3-23.b + description: the responsible management of marine resources impacts, risks and + opportunities including the nature and quantity of marine resources- related + commodities (such as gravels, deep-sea minerals, seafood) used by the undertaking; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-23 + ref_id: E3-3-23.c + description: the reduction of water consumption, including an explanation of + how those targets relate to areas at water risk, including areas of high water-stress. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-24 + description: 'In addition to ESRS 2 MDR-T, the undertaking may specify whether + ecological thresholds and entity-specific allocations were taken into consideration + when setting targets. If so, the undertaking may specify:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24 + ref_id: E3-3-24.a + description: the ecological thresholds identified, and the methodology used + to identify such thresholds; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24 + ref_id: E3-3-24.b + description: whether or not the thresholds are entity-specific and if so, how + they were determined; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-24 + ref_id: E3-3-24.c + description: how responsibility for respecting identified ecological thresholds + is allocated in the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3 + ref_id: E3-3-25 + description: The undertaking shall specify as part of the contextual information, + whether the targets it has set and presented are mandatory (required by legislation) + or voluntary. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node666 + ref_id: E3-4 + name: Disclosure Requirement E3-4 + description: Water consumption + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4 + ref_id: E3-4-26 + description: The undertaking shall disclose information on its water consumption + performance related to its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4 + ref_id: E3-4-27 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the undertaking\u2019s water consumption and any progress\ + \ by the undertaking in relation to its targets." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4 + ref_id: E3-4-28 + description: 'The disclosure required by paragraph 26 relates to own operations + and shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + ref_id: E3-4-28.a + description: total water consumption in m3; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + ref_id: E3-4-28.b + description: ' total water consumption in m3 in areas at water risk, including + areas of high-water stress;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + ref_id: E3-4-28.c + description: total water recycled and reused in m3; ( 68 ) + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + ref_id: E3-4-28.d + description: total water stored and changes in storage in m3; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-28 + ref_id: E3-4-28.e + description: " any contextual information necessary regarding points (a) to\ + \ (d), including the water basins\u2019 water quality and quantity, how the\ + \ data have been compiled, such as any standards, methodologies, and assumptions\ + \ used, including whether the information is calculated, estimated, modelled,\ + \ or sourced from direct measurements, and the approach taken for this, such\ + \ as the use of any sector-specific factors." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4 + ref_id: E3-4-29 + description: 'The undertaking shall provide information on its water intensity: + total water consumption in its own operations in m3 per million EUR net revenue + ( 69 ).' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node666 + ref_id: E3-5 + name: Disclosure Requirement E3-5 + description: Anticipated financial effects from material water and marine resources-related + risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5 + ref_id: E3-5-30 + description: The undertaking shall disclose the anticipated financial effects + of material water and marine resources-related risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5 + ref_id: E3-5-31 + description: "The information required by paragraph 30 is in addition to the\ + \ information on current financial effects on the entity\u2019s financial\ + \ position, financial performance and cash flows for the reporting period\ + \ required under ESRS 2 SBM-3 para 48 (d)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5 + ref_id: E3-5-32 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-32 + ref_id: E3-5-32.a + description: "anticipated financial effects due to material risks arising from\ + \ water and marine resources-related impacts and dependencies and how these\ + \ risks have (or could reasonably be expected to have) a material influence\ + \ on the undertaking\u2019s financial position, financial performance and\ + \ cash flows, over the short-, medium- and long-term; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-32 + ref_id: E3-5-32.b + description: anticipated financial effects due to material opportunities related + to water and marine resources. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5 + ref_id: E3-5-33 + description: 'The disclosure shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33 + ref_id: E3-5-33.a + description: a quantification of the anticipated financial effects in monetary + terms before considering water and marine resources-related actions or where + not possible without undue cost or effort, qualitative information. For financial + effects arising from opportunities, a quantification is not required if it + would result in disclosure that does not meet the qualitative characteristics + of information (see ESRS 1 Appendix B Qualitative characteristics of information); + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33 + ref_id: E3-5-33.b + description: a description of the effects considered, the impacts and dependencies + to which they relate, and the time horizons in which they are likely to materialise; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-33 + ref_id: E3-5-33.c + description: the critical assumptions used to quantify the anticipated financial + effects, as well as the sources and level of uncertainty of those assumptions. + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3-appendix-a + assessable: false + depth: 1 + ref_id: ESRS E3-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node701 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e3-appendix-a + name: ESRS 2 General disclosures + - urn: urn:intuitem:risk:req_node:esrs_p2:node702 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node701 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node703 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node702 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material water + and marine resources-related impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-1 + description: 'When conducting a materiality assessment on environmental subtopics, + the undertaking shall assess the materiality of water and marine resources + in its own operations and its upstream and downstream value chain, and may + consider the four phases below, also known as the LEAP approach:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1 + ref_id: E3.IRO-1.AR-1.a + description: 'Phase 1: locate where in its own operations and along the value + chain the interface with nature takes place;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1 + ref_id: E3.IRO-1.AR-1.b + description: 'Phase 2: evaluate the dependencies and impacts;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1 + ref_id: E3.IRO-1.AR-1.c + description: 'Phase 3: assess the material risks and opportunities; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-1 + ref_id: E3.IRO-1.AR-1.d + description: 'Phase 4: prepare and report the results of the materiality assessment.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-2 + description: The materiality assessment for ESRS E3 corresponds to the first + three phases of this LEAP approach, the fourth phase addresses the outcome + of the process. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-3 + description: "The processes to assess the materiality of impacts, risks and\ + \ opportunities shall consider the provisions in ESRS 2 IRO-1 Description\ + \ of the processes to identify and assess material impacts, risks and opportunities,\ + \ and IRO-2 Disclosure Requirements in ESRS covered by the undertaking\u2019\ + s sustainability statement." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-4 + description: 'The sub-topics related to water and marine resources covered by + the materiality assessment include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-4 + ref_id: E3.IRO-1.AR-4.a + description: water, which encompasses the consumption of surface water, groundwater, + as well as withdrawals and discharges of water; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-4 + ref_id: E3.IRO-1.AR-4.b + description: marine resources, which encompasses the extraction and use of such + resources and associated economic activities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-5 + description: 'In phase 1, to locate where there are areas at water risk, and + areas where there is an interface with marine resources that could lead to + material impacts and dependencies in its own operations and along its upstream + and downstream value chain, the undertaking may consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5 + ref_id: E3.IRO-1.AR-5.a + description: the locations of direct assets and operations and related upstream + and downstream activities across the value chain; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5 + ref_id: E3.IRO-1.AR-5.b + description: the sites located in areas at water risk, including areas of high- + water stress; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-5 + ref_id: E3.IRO-1.AR-5.c + description: the sectors or business units that are interfacing with water or + marine resources in these priority locations. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-6 + description: The undertaking shall consider river basins as the relevant level + for assessment of locations and combine that approach with an operational + risk assessment of its facilities and the facilities of suppliers with material + impacts and risks. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-7 + description: "The undertaking shall consider the criteria for defining the status\ + \ of water bodies according to the relevant Annexes of Directive 2000/60/EC\ + \ (Water Framework Directive) as well as the guidance documents provided for\ + \ implementation of the Water Framework Directive. The list of guidance documents\ + \ can be accessed under the European Commission\u2019s Environment home page." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-8 + description: 'In phase 2, to evaluate its impacts and dependencies for each + priority location identified under AR 5, the undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8 + ref_id: E3.IRO-1.AR-8.a + description: identify business processes and activities that lead to impacts + and dependencies on environmental assets and ecosystem services; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8 + ref_id: E3.IRO-1.AR-8.b + description: "identify water and marine resources-related impacts and dependencies\ + \ across the undertaking\u2019s value chain; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-8 + ref_id: E3.IRO-1.AR-8.c + description: assess the severity and likelihood of the positive and negative + impacts on water and marine resources. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-9 + description: For the identification of water and marine resources-related dependencies, + the undertaking may rely on international classifications such as the Common + International Classification of Ecosystem Services (CICES). + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-10 + description: When identifying its marine resources-related dependencies, the + undertaking shall consider if it depends upon key marine resources-related + commodities, including but not limited to gravels and seafood products. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-11 + description: Marine resources are defined according to their use by human societies + and must be considered in relation to the pressure they are subject to. Some + of the pressure indicators are presented in other ESRS, namely microplastics + and emissions to water in ESRS E2 and plastic waste in ESRS E5. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-12 + description: 'Examples of marine resources dependencies which may be considered + by the undertaking are:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-12.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-12 + ref_id: E3.IRO-1.AR-12.a + description: dependencies on commercially exploited fish and shellfish in its + own operations and its upstream and downstream value chain; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-12.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-12 + ref_id: E3.IRO-1.AR-12.b + description: fishing activity that involves mobile bottom trawling, which can + also have negative impacts on the seabed. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-13 + description: 'AR 13.In Phase 3, to assess its material risks and opportunities + based on the results of Phases 1 and 2, the undertaking may :' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13 + ref_id: E3.IRO-1.AR-13.a + description: 'identify transition risks and opportunities in its own operations + and its value chain by the categories of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + ref_id: E3.IRO-1.AR-13.a.i + description: 'policy and legal: e.g., introduction of regulation or policy (e.g., + changes such as increased water protection, increased quality of water regulations, + regulation of flows of water supply), ineffective governance of water bodies + or marine resources, in particular across boundaries (e.g., transboundary + governance and cooperation) resulting in water or oceans degradation, exposure + to sanctions and litigation (e.g., non-respect of permits or allocations; + negligence towards or killing of threatened marine species), enhanced reporting + obligations on marine ecosystems and related services;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + ref_id: E3.IRO-1.AR-13.a.ii + description: 'technology: e.g., substitution of products or services by products + or services with a lower impact on water and marine resources, transition + to more efficient and cleaner technologies (i.e., with lower impacts on oceans + and water), new monitoring technologies (e.g., satellite), water purification, + flood protection;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + ref_id: E3.IRO-1.AR-13.a.iii + description: 'market: e.g., shifting supply, demand and financing, volatility + or increased costs of water or marine resources;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + ref_id: E3.IRO-1.AR-13.a.iv + description: "reputation: e.g., changing societal, customer or community perceptions\ + \ as a result of an organisation\u2019s impact on water and marine resources;\ + \ and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.a + ref_id: E3.IRO-1.AR-13.a.v + description: contribution to systemic risks via its own operations and its upstream + and downstream value chain, including the risks that a marine ecosystem collapses + or the risks that a critical natural system no longer functions (e.g., tipping + points are reached, summing physical risks); + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.b. + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13 + ref_id: E3.IRO-1.AR-13.b. + description: identify physical risk including water quantity (water scarcity, + water stress), water quality, infrastructure decay or unavailability of some + marine resources-related commodities (e.g. the rarefaction of some species + of fish or other underwater marine living organisms sold as products by the + undertaking) leading for instance to the impossibility of running operations + in certain geographical areas; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13 + ref_id: E3.IRO-1.AR-13.c + description: 'identify opportunities categorised by:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + ref_id: E3.IRO-1.AR-13.c.i + description: 'resource efficiency: e.g., transition to more efficient services + and processes requiring less water and marine resources;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + ref_id: E3.IRO-1.AR-13.c.ii + description: 'markets: e.g., development of less resource-intense products and + services, diversification of business activities;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + ref_id: E3.IRO-1.AR-13.c.iii + description: 'financing: e.g., access to green funds, bonds or loans;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + ref_id: E3.IRO-1.AR-13.c.iv + description: 'resilience: e.g., diversification of marine or water resources + and business activities (e.g., starting a new business unit on ecosystem restoration), + investing in green infrastructures, nature-based solutions, adopting recycling + and circularity mechanisms that reduce the dependencies on water or marine + resources; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-13.c + ref_id: E3.IRO-1.AR-13.c.v + description: 'reputation: positive stakeholder engagement as a result of a proactive + stance on managing nature-related risks (e.g., leading to preferred partner + status).' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-14 + description: "The undertaking may rely on primary, secondary or modelled data\ + \ collection or other relevant approaches to assess material impacts, dependencies,\ + \ risks and opportunities, including Commission Recommendation 2021/2279 on\ + \ the use of the Environmental Footprint methods to measure and communicate\ + \ the life cycle environmental performance of products and organisations (Annex\ + \ I \u2013 Product Environmental Footprint; Annex III \u2013 Organisation\ + \ Environmental Footprint)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node703 + ref_id: E3.IRO-1.AR-15 + description: 'When providing information on the outcome of the materiality assessment, + the undertaking shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15 + ref_id: E3.IRO-1.AR-15.a + description: "a list of geographical areas where water is a material issue for\ + \ the undertaking\u2019s own operations and its upstream and downstream value\ + \ chain;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15 + ref_id: E3.IRO-1.AR-15.b + description: a list of marine resources-related commodities used by the undertaking + which are material to the good environmental status of marine waters as well + as for the protection of marine resources; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3.iro-1.ar-15 + ref_id: E3.IRO-1.AR-15.c + description: a list of sectors or segments associated with water and marine + resources material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node702 + ref_id: E3-1 AR + name: Disclosure Requirement E3-1 + description: Policies related to water and marine resources + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar + ref_id: E3-1 AR 16 + description: The policies described under this Disclosure Requirement may be + integrated in broader environmental or sustainability policies covering different + subtopics. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar + ref_id: E3-1 AR 17 + description: 'When disclosing information under paragraph 9, the undertaking + may disclose whether its policies :' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + ref_id: E3-1 AR 17.a + description: prevent further deterioration and protect and enhance the status + of water bodies and aquatic ecosystems; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + ref_id: E3-1 AR 17.b + description: promote sustainable water use based on a long-term protection of + available water resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + ref_id: E3-1 AR 17.c + description: aim at enhanced protection and improvement of the aquatic environment; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + ref_id: E3-1 AR 17.d + description: promote a good environmental status of marine water; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-17 + ref_id: E3-1 AR 17.e + description: promote reduction of water withdrawals and water discharges. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar + ref_id: E3-1 AR 18 + description: 'The undertaking may also disclose information about policies which:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18 + ref_id: E3-1 AR 18.a + description: contribute to good ecological and chemical quality of surface water + bodies and good chemical quality and quantity of groundwater bodies, in order + to protect human health, water supply, natural ecosystems and biodiversity, + the good environmental status of marine waters and the protection of the resource + base upon which marine related activities depend; + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18 + ref_id: E3-1 AR 18.b + description: minimise material impacts and risks and implement mitigation measures + that aim to maintain the value and functionality of priority services and + to increase resource efficiency on own operations; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-1-ar-18 + ref_id: E3-1 AR 18.c + description: avoid impacts on affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node702 + ref_id: E3-2 AR + name: Disclosure Requirement E3-2 + description: Actions and resources related to water and marine resources policies + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar + ref_id: E3-2 AR 19 + description: When disclosing information required under paragraph 15, the undertaking + shall consider the actions, or action plans, contributing to address the material + impacts, risks and opportunities identified. Useful guidance is provided by + the Alliance for Water Stewardship (AWS). + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar + ref_id: E3-2 AR 20 + description: "Considering that water and marine resources are shared resources\ + \ which may require collective actions, or action plans, involving other stakeholders,\ + \ the undertaking may provide information on those specific collective actions,\ + \ including information on other parties (competitors, suppliers, retailers,\ + \ customers, other business partners, local communities and authorities, government\ + \ agencies\u2026) and specific information on the project, its specific contribution,\ + \ its sponsors and other participants." + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-2-ar + ref_id: E3-2 AR 21 + description: When providing information on capital expenditures, the undertaking + may consider expenditures related, for example, to stormwater drain rehabilitation, + pipelines, or machinery used to manufacture new low water-use products. + - urn: urn:intuitem:risk:req_node:esrs_p2:node765 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node701 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node765 + ref_id: E3-3 AR + name: Disclosure Requirement E3-3 + description: Targets related to water and marine resources + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 22 + description: If the undertaking refers to ecological thresholds when setting + targets, it may refer to the guidance provided by the Science-Based Targets + Initiative for Nature (SBTN) in its interim guidance (Initial Guidance for + Business, September 2020). It may also refer to any other guidance with a + scientifically acknowledged methodology that enables the setting of science-based + targets by identifying ecological thresholds and, if applicable, organisation-specific + allocations. Ecological thresholds can be local, national and/or global. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 23 + description: 'The undertaking may provide targets relating to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-23.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-23 + ref_id: E3-3 AR 23.a + description: the reduction of water withdrawals; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-23.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-23 + ref_id: E3-3 AR 23.b + description: the reduction of water discharges. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 24 + description: If the undertaking provides targets on withdrawals, it may include + water withdrawal from polluted soils and aquifers, and water withdrawn and + treated for remediation purposes. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 25 + description: ' If the undertaking provides targets on discharges, it may include + water discharges to groundwater such as reinjection to aquifers, or water + returning to a groundwater source via a soakaway or a swale.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 26 + description: ' The targets may cover its own operations and/or its upstream + and downstream value chain.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-3-ar + ref_id: E3-3 AR 27 + description: The undertaking may specify whether the target addresses shortcomings + related to the Substantial Contribution criteria for Water and Marine Resources + as defined in the Commission delegated acts adopted pursuant to Article 12(2) + of Regulation (EU) 2020/852. Where the Do No Significant Harm (DNSH) criteria + for Water and Marine Resources as defined in delegated acts adopted pursuant + to Article 10 (3), Article 11(3), Article 13(2), Article 14(2), and Article + 15(2) of Regulation (EU) 2020/852 are not met, the undertaking may specify + whether the target addresses shortcomings related those DNSH criteria. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node765 + ref_id: E3-4 AR + name: Disclosure Requirement E3-4 + description: Water consumption + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + ref_id: E3-4 AR 28 + description: The undertaking may operate in various areas at water risk. When + disclosing information under paragraph 28 (b), the undertaking shall include + such information only for those areas that have been identified as material + in accordance with ESRS2 IRO-1 and ESRS2 SBM-3. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + ref_id: E3-4 AR 29 + description: 'When disclosing contextual information on water consumption performance + required by paragraph 28(e), the undertaking shall explain the calculation + methodologies and more specifically the share of the measure obtained from + direct measurement, from sampling and extrapolation, or from best estimates. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + ref_id: E3-4 AR 30 + description: The undertaking may provide information on other breakdowns (i.e., + per sector or segments). + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + ref_id: E3-4 AR 31 + description: When disclosing information required by paragraph 29 the undertaking + may provide additional intensity ratios based on other denominators. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-4-ar + ref_id: E3-4 AR 32 + description: The undertaking may also provide information on its water withdrawals + and water discharges. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node765 + ref_id: E3-5 AR + name: Disclosure Requirement E3-5 + description: Anticipated financial effects from material water and marine resources-related + risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-ar + ref_id: E3-5 AR 33 + description: The undertaking may include an assessment of its related products + and services at risk over the short-, medium- and long-term, explaining how + these are defined, how financial amounts are estimated, and which critical + assumptions are made. + - urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e3-5-ar + ref_id: E3-5 AR 34 + description: 'The quantification of the anticipated financial effects in monetary + terms under paragraph 33(a) may be a single amount or a range. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4 + assessable: false + depth: 1 + ref_id: ESRS E4 + name: BIODIVERSITY AND ECOSYSTEMS + - urn: urn:intuitem:risk:req_node:esrs_p2:node785 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p2:node786 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node785 + description: "1.The objective of this Standard is to specify Disclosure Requirements\ + \ which will enable users of the sustainability statement to understand:\n\ + (a) how the undertaking affects biodiversity and ecosystems, in terms of material\ + \ positive and negative, actual and potential impacts, including the extent\ + \ to which it contributes to the drivers of biodiversity and ecosystem loss\ + \ and degradation;\n(b) any actions taken, and the result of such actions,\ + \ to prevent or mitigate material negative actual or potential impacts and\ + \ to protect and restore biodiversity and ecosystems, and to address risks\ + \ and opportunities; and\n(c) the plans and capacity of the undertaking to\ + \ adapt its strategy and business model in line with:\ni. respecting planetary\ + \ boundaries related to biosphere integrity and land-system change;\nii. the\ + \ vision of the Kunming-Montreal Global Biodiversity Framework and its relevant\ + \ goals and targets;\niii. relevant aspects of the EU Biodiversity Strategy\ + \ for 2030 ( 70 );\niv. Directive 2009/147/EC of the European Parliament and\ + \ of the Council and Council Directive 92/43/EEC (EU Birds and Habitats Directives)\ + \ ( 71 ); and\nv. Directive 2008/56/EC of the European Parliament and of the\ + \ Council (Marine Strategy Framework Directive ( 72 ) ;\n(d) the nature, type\ + \ and extent of the undertaking\u2019s material risks, dependencies and opportunities\ + \ related to biodiversity and ecosystems, and how the undertaking manages\ + \ them; and\n(e) the financial effects on the undertaking over the short-,\ + \ medium- and long-term of material risks and opportunities arising from the\ + \ undertaking\u2019s impacts and dependencies on biodiversity and ecosystems." + - urn: urn:intuitem:risk:req_node:esrs_p2:node787 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node785 + description: "2. This Standard sets out Disclosure Requirements related to the\ + \ undertaking\u2019s relationship to terrestrial, freshwater and marine habitats,\ + \ ecosystems and populations of related fauna and flora species, including\ + \ diversity within species, between species and of ecosystems and their interrelation\ + \ with indigenous peoples and other affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node788 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node785 + description: "3. The terms \u2018biodiversity\u2019 and \u2018biological diversity\u2019\ + \ refer to the variability among living organisms from all sources including,\ + \ inter alia, terrestrial, freshwater, marine and other aquatic ecosystems\ + \ and the ecological complexes of which they are part." + - urn: urn:intuitem:risk:req_node:esrs_p2:node789 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p2:node790 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node789 + description: "4. \u2018Biodiversity and ecosystems\u2019 are closely connected\ + \ to other environmental matters. The main direct drivers of biodiversity\ + \ and ecosystems change are climate change, pollution, land-use change, freshwater-use\ + \ change and sea-use change, direct exploitation of organisms and invasive\ + \ alien species. These drivers are covered in this standard, except for climate\ + \ change (covered by ESRS E1) and pollution (covered by ESRS E2)." + - urn: urn:intuitem:risk:req_node:esrs_p2:node791 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node789 + description: '5. To obtain a comprehensive understanding of material impacts + and dependencies on biodiversity and ecosystems, the Disclosure Requirements + of other environmental ESRS should be read and interpreted in conjunction + with the specific disclosure requirements of this Standard. The relevant disclosure + requirements covered in other environmental ESRS are: + + (a) ESRS E1 Climate change, which addresses in particular GHG emissions and + energy resources (energy consumption); + + (b) ESRS E2 Pollution, which addresses pollution to air, water and soil; + + (c) ESRS E3 Water and marine resources which addresses in particular water + resources (water consumption) and marine resources; + + (d) ESRS E5 Resource use and circular economy addresses in particular the + transition away from extraction of non-renewable resources and the implementation + of practices that prevent waste generation, including pollution generated + by waste.' + - urn: urn:intuitem:risk:req_node:esrs_p2:node792 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node789 + description: "6. The undertaking\u2019s impacts on biodiversity and ecosystems\ + \ affect people and communities. When reporting on material negative impacts\ + \ on affected communities from biodiversity and ecosystem change under ESRS\ + \ E4, the undertaking shall consider the requirements of ESRS S3 Affected\ + \ communities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node793 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node789 + description: 7. This Standard should be read in conjunction with ESRS 1 General + requirements and ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p2:node794 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node795 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node794 + name: ESRS 2 General disclosures + description: 8. The requirements of this section shall be read in conjunction + with the disclosures required by ESRS 2 Chapter 2 Governance, Chapter 3 Strategy + and Chapter 4 Impact, risk and opportunity management. + - urn: urn:intuitem:risk:req_node:esrs_p2:node796 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node794 + description: 9. The resulting disclosures shall be presented alongside the disclosures + required by ESRS 2, except for ESRS 2 SBM-3, for which the undertaking has + an option to present the disclosures alongside the topical disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p2:node797 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node794 + description: 10. In addition to the requirements in ESRS 2, this Standard also + includes the topic specific Disclosure Requirement E4-1 Transition plan and + consideration of biodiversity and ecosystems in strategy and business model. + - urn: urn:intuitem:risk:req_node:esrs_p2:node798 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node797 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node798 + ref_id: E4-1 + name: Disclosure Requirement E4-1 + description: Transition plan and consideration of biodiversity and ecosystems + in strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + ref_id: E4-1-11 + description: The undertaking shall disclose how its biodiversity and ecosystem + impacts, dependencies, risks and opportunities originate from and trigger + adaptation of its strategy and business model. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + ref_id: E4-1-12 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the resilience of the undertaking\u2019s strategy and business model\ + \ in relation to biodiversity and ecosystems, and of the compatibility of\ + \ the undertaking\u2019s strategy and business model with regard to relevant\ + \ local, national and global public policy targets related to biodiversity\ + \ and ecosystems." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + ref_id: E4-1-13 + description: 'The undertaking shall describe the resilience of its strategy + and business model in relation to biodiversity and ecosystems. The description + shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.a + description: an assessment of the resilience of the current business model and + strategy to biodiversity and ecosystems-related physical, transition and systemic + risks; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.b + description: "the scope of the resilience analysis in relation to the undertaking\u2019\ + s own operations and its upstream and downstream value chain and in relation\ + \ to the risks considered in that analysis;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.c + description: the key assumptions made; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.d + description: ' the time horizons used;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.e + description: the results of the resilience analysis; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-13 + ref_id: E4-1-13.f + description: the involvement of stakeholders, including, where appropriate, + holders of indigenous and local knowledge. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + ref_id: E4-1-14 + description: If information specified in this disclosure requirement is disclosed + by the undertaking as part of the information required under ESRS 2 SBM- 3, + the undertaking may refer to the information it has disclosed under ESRS 2 + SBM-3. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1 + ref_id: E4-1-15 + description: The undertaking may disclose its transition plan to improve and, + ultimately, achieve alignment of its business model and strategy with the + vision of the Kunming-Montreal Global Biodiversity Framework and its relevant + goals and targets, the EU Biodiversity Strategy for 2030, and with respecting + planetary boundaries related to biosphere integrity and land-system change. + - urn: urn:intuitem:risk:req_node:esrs_p2:node811 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node798 + name: Disclosure Requirement SBM 3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node811 + ref_id: E4.SBM-3-16 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16 + ref_id: E4.SBM-3-16.a + description: 'a list of material sites in its own operations, including sites + under its operational control, based on the results of paragraph 17(a). The + undertaking shall disclose these locations by:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a + ref_id: E4.SBM-3-16.a.i + description: specifying the activities negatively affecting biodiversity sensitive + areas ( 73 ); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a + ref_id: E4.SBM-3-16.a.ii + description: providing a breakdown of sites according to the impacts and dependencies + identified, and to the ecological status of the areas (with reference to the + specific ecosystem baseline level) where they are located; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.a + ref_id: E4.SBM-3-16.a.iii + description: specifying the biodiversity-sensitive areas impacted, for users + to be able to determine the location and the responsible competent authority + with regards to the activities specified in paragraph 16 (a) i. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16 + ref_id: E4.SBM-3-16.b + description: whether it has identified material negative impacts with regards + to land degradation, desertification or soil sealing ( 74 ); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4.sbm-3-16 + ref_id: E4.SBM-3-16.c + description: whether it has operations that affect threatened species ( 75 ). + - urn: urn:intuitem:risk:req_node:esrs_p2:node819 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node797 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node820 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node819 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of processes to identify and assess material biodiversity + and ecosystem-related impacts, risks, dependencies and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node820 + ref_id: E4-IRO-1-17 + description: 'The undertaking shall describe its process to identify material + impacts, risks, dependencies and opportunities. The description of the process + shall include whether and how the undertaking:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + ref_id: E4-IRO-1-17.a + description: identified and assessed actual and potential impacts on biodiversity + and ecosystems at own site locations and in the upstream and downstream value + chain, including assessment criteria applied; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + ref_id: E4-IRO-1-17.b + description: identified and assessed dependencies on biodiversity and ecosystems + and their services at own site locations and in the upstream and downstream + value chain, including assessment criteria applied, and, if this assessment + includes ecosystem services that are disrupted or likely to be; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + ref_id: E4-IRO-1-17.c + description: ' identified and assessed transition and physical risks and opportunities + related to biodiversity and ecosystems, including assessment criteria applied + based on its impacts and dependencies;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + ref_id: E4-IRO-1-17.d + description: considered systemic risks; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17 + ref_id: E4-IRO-1-17.e + description: 'conducted consultations with affected communities on sustainability + assessments of shared biological resources and ecosystems and, in particular:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e + ref_id: E4-IRO-1-17.e.i + description: when a site, a raw material production or sourcing is likely to + negatively impact biodiversity and ecosystems, the identification of the specific + sites, raw materials production or sourcing with negative or potentially negative + impacts on affected communities; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e + ref_id: E4-IRO-1-17.e.ii + description: when affected communities are likely to be impacted, the undertaking, + shall disclose how these communities were involved in the materiality assessment; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-17.e + ref_id: E4-IRO-1-17.e.iii + description: with respect to impacts on ecosystem services of relevance to affected + communities in its own operations, the undertaking shall indicate how negative + impacts may be avoided. If these impacts are unavoidable, the undertaking + may indicate its plans to minimise them and implement mitigation measures + that aim to maintain the value and functionality of priority services. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node820 + ref_id: E4-IRO-1-18 + description: 'The undertaking may disclose whether and how it has used biodiversity + and ecosystems scenario analysis to inform the identification and assessment + of material risks and opportunities over short-, medium- and long-term time + horizons. If the undertaking has used such scenario analysis, it may disclose + the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18 + ref_id: E4-IRO-1-18.a + description: why the considered scenarios were selected; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18 + ref_id: E4-IRO-1-18.b + description: ' how the considered scenarios are updated according to evolving + conditions and emerging trends; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-18 + ref_id: E4-IRO-1-18.c + description: whether the scenarios are informed by expectations published by + authoritative intergovernmental bodies, such as the Convention for Biological + Diversity and, where relevant, by scientific consensus, such as that expressed + by the Intergovernmental Science-policy Platform on Biodiversity and Ecosystem + Services (IPBES). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node820 + ref_id: E4-IRO-1-19 + description: 'The undertaking shall specifically disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-19.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-19 + ref_id: E4-IRO-1-19.a + description: whether or not it has sites located in or near biodiversity-sensitive + areas and whether activities related to these sites negatively affect these + areas by leading to the deterioration of natural habitats and the habitats + of species and to the disturbance of the species for which a protected area + has been designated; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-19.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1-19 + ref_id: E4-IRO-1-19.b + description: 'whether it has been concluded that it is necessary to implement + biodiversity mitigation measures, such as those identified in: Directive 2009/147/EC + of the European Parliament and of the Council on the conservation of wild + birds; Council Directive 92/43/EEC on the conservation of natural habitats + and of wild fauna and flora; an Environmental Impact Assessment (EIA) as defined + in Article 1(2), point (g), of Directive 2011/92/EU of the European Parliament + and of the Council ( 76 ) on the assessment of the effects of certain public + and private projects on the environment; and for activities located in third + countries, in accordance with equivalent national provisions or international + standards, such as the International Finance Corporation (IFC) Performance + Standard 6: Biodiversity Conservation and Sustainable Management of Living + Natural Resources.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node819 + ref_id: E4-2 + name: Disclosure Requirement E4-2 + description: Policies related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + ref_id: E4-2-20 + description: The undertaking shall describe its adopted policies to manage its + material impacts, risks, dependencies and opportunities that are related to + biodiversity and ecosystems. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + ref_id: E4-2-21 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of its material biodiversity and + ecosystem- related impacts, dependencies, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + ref_id: E4-2-22 + description: The disclosure required by paragraph 20 shall contain the information + on the policies the undertaking has in place to manage its material impacts, + risks, dependencies and opportunities related to biodiversity and ecosystems + in accordance with ESRS 2 MDR-P Policies adopted to manage material sustainability + matters). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + ref_id: E4-2-23 + description: 'In addition to the provisions of ESRS 2 MDR-P the undertaking + shall describe whether and how its biodiversity and ecosystems-related policies:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.a + description: relate to the matters specified in ESRS E4 AR 4; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.b + description: relate to its material biodiversity and ecosystems-related impacts; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.c + description: relate to material dependencies and material physical and transition + risks and opportunities; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.d + description: support traceability of products, components and raw materials + with material actual or potential impacts on biodiversity and ecosystems along + the value chain; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.e + description: address production, sourcing or consumption from ecosystems that + are managed to maintain or enhance conditions for biodiversity, as demonstrated + by regular monitoring and reporting of biodiversity status and gains or losses; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-23 + ref_id: E4-2-23.f + description: address social consequences of biodiversity and ecosystems-related + impacts. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2 + ref_id: E4-2-24 + description: 'The undertaking shall specifically disclose whether it has adopted:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24 + ref_id: E4-2-24.a + description: biodiversity and ecosystem protection policy covering operational + sites owned, leased, or managed in or near a biodiversity sensitive area; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24 + ref_id: E4-2-24.b + description: sustainable land / agriculture practices or policies ( 77 ); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24 + ref_id: E4-2-24.c + description: sustainable oceans / seas practices or policies ( 78 ); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-24 + ref_id: E4-2-24.d + description: policies to address deforestation ( 79 ). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node819 + ref_id: E4-3 + name: 'Disclosure Requirement E4-3 ' + description: Actions and resources related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3 + ref_id: E4-3-25 + description: The undertaking shall disclose its biodiversity and ecosystems-related + actions and the resources allocated to their implementation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3 + ref_id: E4-3-26 + description: The objective of this Disclosure Requirement is to enable an understanding + of the key actions taken and planned that significantly contribute to the + achievement of biodiversity and ecosystems-related policy objectives and targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3 + ref_id: E4-3-27 + description: The description of key actions and resources shall follow the mandatory + content defined in ESRS 2 MDR-A Actions and resources in relation to material + sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3 + ref_id: E4-3-28 + description: 'In addition, the undertaking :' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28 + ref_id: E4-3-28.a + description: may disclose how it has applied the mitigation hierarchy with regard + to its actions (avoidance, minimisation, restoration/rehabilitation, and compensation + or offsets); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28 + ref_id: E4-3-28.b + description: 'shall disclose whether it used biodiversity offsets in its action + plans. If the actions contain biodiversity offsets, the undertaking shall + include the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b + ref_id: E4-3-28.b.i + description: the aim of the offset and key performance indicators used; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b + ref_id: E4-3-28.b.ii + description: the financing effects (direct and indirect costs) of biodiversity + offsets in monetary terms; and; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.b + ref_id: E4-3-28.b.iii + description: a description of offsets including area, type, the quality criteria + applied and the standards that the biodiversity offsets comply with; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-28 + ref_id: E4-3-28.c + description: shall describe whether and how it has incorporated local and indigenous + knowledge and nature- based solutions into biodiversity and ecosystems-related + actions. + - urn: urn:intuitem:risk:req_node:esrs_p2:node864 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node797 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node864 + ref_id: E4-4 + name: 'Disclosure Requirement E4-4 ' + description: Targets related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4 + ref_id: E4-4-29 + description: The undertaking shall disclose the biodiversity and ecosystem- + related targets it has set. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4 + ref_id: E4-4-30 + description: The objective of this Disclosure Requirement is to allow an understanding + of the targets the undertaking has adopted to support its biodiversity and + ecosystems policies and address its material related impacts, dependencies, + risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4 + ref_id: E4-4-31 + description: The description of the targets shall follow the mandatory content + defined in ESRS 2 MDR-T Tracking effectiveness of policies and actions through + targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4 + ref_id: E4-4-32 + description: 'The disclosure required by paragraph 29 shall include the following + information:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.a + description: 'whether ecological thresholds and allocations of impacts to the + undertaking were applied when setting targets. If so, the undertaking shall + specify:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a + ref_id: E4-4-32.a.i + description: the ecological thresholds identified and the methodology used to + identify such thresholds; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a + ref_id: E4-4-32.a.ii + description: whether or not the thresholds are entity-specific and if so, how + they were determined; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.a + ref_id: E4-4-32.a.iii + description: how responsibility for respecting identified ecological thresholds + is allocated in the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.b + description: whether the targets are informed by, and/or aligned with the Kunming-Montreal + Global Biodiversity Framework, relevant aspects of the EU Biodiversity Strategy + for 2030 and other biodiversity and ecosystem-related national policies and + legislation; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.c + description: how the targets relate to the biodiversity and ecosystem impacts, + dependencies, risks and opportunities identified by the undertaking in relation + to its own operations and its upstream and downstream value chain; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.d + description: the geographical scope of the targets, if relevant; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.e + description: whether or not the undertaking used biodiversity offsets in setting + its targets; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-32 + ref_id: E4-4-32.f + description: to which of the layers of the mitigation hierarchy the target can + be allocated (i.e., avoidance, minimisation, restoration and rehabilitation, + compensation or offsets). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node864 + ref_id: E4-5 + name: Disclosure Requirement E4-5 + description: Impact metrics related to biodiversity and ecosystems change + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-33 + description: The undertaking shall report metrics related to its material impacts + on biodiversity and ecosystems. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-34 + description: The objective of this Disclosure Requirement is to enable an understanding + of the performance of the undertaking against impacts identified as material + in the materiality assessment on biodiversity and ecosystems change. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-35 + description: If the undertaking identified sites located in or near biodiversity- + sensitive areas that it is negatively affecting (see paragraph 19(a)), the + undertaking shall disclose the number and area (in hectares) of sites owned, + leased or managed in or near these protected areas or key biodiversity areas. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-36 + description: If the undertaking has identified material impacts with regards + to land- use change, or impacts on the extent and condition of ecosystems, + it may also disclose their land-use based on a Life Cycle Assessment. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-37 + description: For datapoints specified in paragraphs 38 to 41, the undertaking + shall consider its own operations. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-38 + description: 'If the undertaking has concluded that it directly contributes + to the impact drivers of land-use change, freshwater-use change and/or sea-use + change, it shall report relevant metrics. The undertaking may disclose metrics + that measure:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + ref_id: E4-5-38.a + description: the conversion over time (e.g. 1 or 5 years) of land cover (e.g. + deforestation or mining); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + ref_id: E4-5-38.b + description: changes over time (e.g. 1 or 5 years) in the management of the + ecosystem (e.g., through the intensification of agricultural management, or + the application of better management practices or forestry harvesting); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + ref_id: E4-5-38.c + description: changes in the spatial configuration of the landscape (e.g. fragmentation + of habitats, changes in ecosystem connectivity); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + ref_id: E4-5-38.d + description: changes in ecosystem structural connectivity (e.g. habitat permeability + based on physical features and arrangements of habitat patches); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-38 + ref_id: E4-5-38.e + description: the functional connectivity (e.g. how well genes or individuals + move through land, freshwater and seascape). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-39 + description: If the undertaking concluded that it directly contributes to the + accidental or voluntary introduction of invasive alien species, the undertaking + may disclose the metrics it uses to manage pathways of introduction and spread + of invasive alien species and the risks posed by invasive alien species. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-40 + description: 'If the undertaking identified material impacts related to the + state of species, the undertaking may report metrics it considers relevant. + The undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40 + ref_id: E4-5-40.a + description: ' refer to relevant disclosure requirements in ESRS E1, ESRS E2, + ESRS E3, and ESRS E5;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40 + ref_id: E4-5-40.b + description: "consider population size, range within specific ecosystems as\ + \ well as extinction risk. These aspects provide insight on the health of\ + \ a single species\u2019 population and its relative resilience to human induced\ + \ and naturally occurring change;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40 + ref_id: E4-5-40.c + description: disclose metrics that measure changes in the number of individuals + of a species within a specific area; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40 + ref_id: E4-5-40.d + description: 'disclose metrics on species at extinction risk ( 80 ) that measure:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.d.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.d + ref_id: E4-5-40.d.i + description: the threat status of species and how activities/pressures may affect + the threat status; or + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.d.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-40.d + ref_id: E4-5-40.d.ii + description: "changes in the relevant habitat for a threatened species as a\ + \ proxy for the undertaking\u2019s impact on the local population\u2019s extinction\ + \ risk." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5 + ref_id: E4-5-41 + description: 'If the undertaking identified material impacts related to ecosystems, + it may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41 + ref_id: E4-5-41.a + description: with regard to ecosystems extent, metrics that measure area coverage + of a particular ecosystem without necessarily considering the quality of the + area being assessed, such as habitat cover. For example, forest cover is a + measure of the extent of a particular ecosystem type, without factoring in + the condition of the ecosystem (e.g., provides the area without describing + the species diversity within the forest). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41 + ref_id: E4-5-41.b + description: 'with regard to ecosystems condition:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b + ref_id: E4-5-41.b.i + description: metrics that measure the quality of ecosystems relative to a pre- + determined reference state; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b + ref_id: E4-5-41.b.ii + description: "metrics that measure multiple species within an ecosystem rather\ + \ than the number of individuals within a single species within an ecosystem\ + \ (for example: scientifically established species richness and abundance\ + \ indicators that measure the development of (native) species composition\ + \ within an ecosystem against the reference state at the beginning of the\ + \ first reporting period as well as the targeted state outlined in the Kunming-Montreal\ + \ Global Biodiversity Framework, or an aggregation of species\u2019 conservation\ + \ status if relevant); or" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-41.b + ref_id: E4-5-41.b.iiI + description: metrics that reflect structural components of condition such as + habitat connectivity (i.e., how linked habitats are to each other). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node864 + ref_id: E4-6 + name: Disclosure Requirement E4-6 + description: Anticipated financial effects from material biodiversity and ecosystem-related + risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6 + ref_id: E4-6-42 + description: The undertaking shall disclose its anticipated financial effects + of material biodiversity- and ecosystem-related risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6 + ref_id: E4-6-43 + description: "The information required by paragraph 42 is in addition to the\ + \ information on current financial effects on the entity\u2019s financial\ + \ position, financial performance and cash flows for the reporting period\ + \ required under ESRS 2 SBM-3 para 48 (d)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6 + ref_id: E4-6-44 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-44.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-44 + ref_id: E4-6-44.a + description: "anticipated financial effects due to material risks arising from\ + \ biodiversity- and ecosystem-related impacts and dependencies and how these\ + \ risks have (or could reasonably be expected to have) a material influence\ + \ on the undertaking\u2019s financial position, financial performance and\ + \ cash flows over the short-, medium- and long- term; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-44.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-44 + ref_id: E4-6-44.b + description: 'anticipated financial effects due to material opportunities related + to biodiversity and ecosystems. ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6 + ref_id: E4-6-45 + description: 'The disclosure shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45 + ref_id: E4-6-45.a + description: a quantification of the anticipated financial effects in monetary + terms before considering biodiversity and ecosystems-related actions or where + not possible without undue cost or effort, qualitative information. For financial + effects arising from material opportunities, a quantification is not required + if it would result in disclosure that does not meet the qualitative characteristics + of information (see ESRS 1 Appendix B Qualitative characteristics of information). + The quantification of the anticipated financial effects in monetary terms + may be a single amount or a range; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45 + ref_id: E4-6-45.b + description: a description of the effects considered, the impacts and dependencies + to which they relate and the time horizons in which they are likely to materialise; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-45 + ref_id: E4-6-45.c + description: the critical assumptions used to quantify the anticipated financial + effects as well as the sources and the level of uncertainty of those assumptions. + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4-appendix-a + assessable: false + depth: 1 + ref_id: ESRS E4-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node916 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e4-appendix-a + name: ESRS 2 GENERAL DISCLOSURES + - urn: urn:intuitem:risk:req_node:esrs_p2:node917 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node916 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node917 + ref_id: E4-1 AR + name: 'Disclosure Requirement E4-1 ' + description: Transition plan and consideration of biodiversity and ecosystems + in strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar + ref_id: E4-1 AR 1 + description: 'If disclosing a transition plan, the undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.a + description: explain how it will adjust its strategy and business model to improve + and, ultimately, achieve alignment with relevant local, national and global + public policy goals and targets related to biodiversity and ecosystems including + the vision of the Kunming- Montreal Global Biodiversity Framework and its + relevant goals and targets, the EU Biodiversity Strategy for 2030, and Directive + 2009/147/EC Council Directive 92/43/EEC (the EU Birds and Habitats Directives) + and, as appropriate, planetary boundaries related to biosphere integrity and + land-system change; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.b + description: ' include information about its own operations and also explain + how it is responding to material impacts in its upstream and downstream value + chain identified in its materiality assessment in accordance with ESRS 2 IRO-1 + Description of the processes to identify and assess material impacts, risks + and opportunities;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.c + description: explain how its strategy interacts with its transition plan; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.d + description: explain how it contributes to addressing biodiversity and ecosystem + impact drivers and its possible mitigation actions following the mitigation + hierarchy and the main path-dependencies and locked- in assets and resources + (e.g., plants, raw materials) that are associated with biodiversity and ecosystems + change; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.e + description: explain and quantify its investments and funding supporting the + implementation of its transition plan, with a reference to the key performance + indicators of taxonomy-aligned CapEx, and where relevant the CapEx plans, + that the undertaking discloses in accordance with Commission Delegated Regulation + (EU) 2021/2178; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.f + description: if it has economic activities that are covered by delegated regulations + on biodiversity under the Taxonomy Regulation, explain any objective or plans + (CapEX, CapEx plans) that it has for aligning its economic activities (revenues, + CapEx) with the criteria established in those delegated regulations; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.g + description: ' explain how biodiversity offsets are used as part of the transition + plan, and if so, where the offsets are planned to be used, the extent of use + in relation to the overall transition plan, and whether the mitigation hierarchy + was considered;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.h + description: explain how the process of implementing and updating the transition + plan is managed; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.i + description: explain how it measures progress, namely indicate the metrics and + methodologies it uses for that purpose; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.j + description: indicate whether the administrative, management and supervisory + bodies have approved the transition plan; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-1.k + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1--ar-1 + ref_id: E4-1 AR 1.k + description: indicate current challenges and limitations to draft a plan in + relation to areas of significant impact and how the company is addressing + those challenges. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar + ref_id: E4-1 AR 2 + description: 'If disclosing a transition plan, the undertaking may, for example, + refer to the following targets from the EU Biodiversity Strategy for 2030:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.a + description: The decline of pollinators is reversed. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.b + description: The risk and use of chemical pesticides is reduced by 50%, and + the use of more hazardous pesticides is reduced by 50%. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.c + description: At least 25% of agricultural land is under organic farming management, + and the uptake of agro-ecological practices is significantly increased. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.d + description: ' Three billion additional trees are planted in the EU, in full + respect of ecological principles.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.e + description: Significant progress in the remediation of contaminated soil sites. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.f + description: At least 25 000 km of free-flowing rivers are restored. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.g + description: ' The losses of nutrients from fertilisers are reduced by 50%, + resulting in the reduction of the use of fertilisers by at least 20%.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-2 + ref_id: E4-1 AR 2.h + description: The negative impacts on sensitive species and habitats, including + on the seabed through fishing and extraction activities, are substantially + reduced to achieve good environmental status. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar + ref_id: E4-1 AR 3 + description: 'If disclosing a transition plan, the undertaking may also refer + to the Sustainable Development Goals, in particular:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3 + ref_id: E4-1 AR 3.a + description: SDG 2 - End hunger, achieve food security and improved nutrition + and promote sustainable agriculture; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3 + ref_id: E4-1 AR 3.b + description: SDG 6 - Ensure availability and sustainable management of water + and sanitation for all; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3 + ref_id: E4-1 AR 3.c + description: SDG 14 - Conserve and sustainably use the oceans, seas and marine + resources for sustainable development; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-1-ar-3 + ref_id: E4-1 AR 3.d + description: SDG 15 - Protect, restore and promote sustainable use of terrestrial + ecosystems, sustainably manage forests, combat desertification, and halt and + reverse land degradation and halt biodiversity loss. + - urn: urn:intuitem:risk:req_node:esrs_p2:node945 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node916 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node946 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node945 + name: Disclosure requirements related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material biodiversity + and ecosystem-related impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-4 + description: "The materiality assessment under ESRS E4 includes the undertaking\u2019\ + s:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4 + ref_id: E4-IRO-1.AR-4.a + description: 'contribution to direct impact drivers on biodiversity loss ( 81 + ):' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.i + description: climate change; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.ii + description: land-use change (e.g., land artificialisation), freshwater-use + change and sea-use change; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.iii + description: direct exploitation; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.iv + description: invasive alien species; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.v + description: pollution; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a.vi + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.a + ref_id: E4-IRO-1.AR-4.a.vi + description: others. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4 + ref_id: E4-IRO-1.AR-4.b + description: impacts on the state of species (i.e., species population size, + species global extinction risk); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4 + ref_id: E4-IRO-1.AR-4.c + description: impacts on the extent and condition of ecosystems including through + land degradation, desertification and soil sealing); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-4 + ref_id: E4-IRO-1.AR-4.d + description: impacts and dependencies on ecosystem services. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-5 + description: When assessing the materiality of impacts, dependencies, risks + and opportunities the undertaking shall consider the provisions in ESRS 2 + IRO-1 and ESRS 1 Chapter 3 Double materiality as the basis for sustainability + disclosures and describe its considerations. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-6 + description: 'The undertaking shall assess the materiality of biodiversity and + ecosystems in its own operations and its upstream and downstream value chain, + and may conduct its materiality assessment in line with the first three phases + of the LEAP approach: Locate (paragraph AR 7), Evaluate (paragraph AR 8) and + Assess (paragraph AR 9).' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-7 + description: 'Phase 1 relates to the localisation of relevant sites regarding + its interface with biodiversity and ecosystems. To identify these relevant + sites the undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + ref_id: E4-IRO-1.AR-7.a + description: develop a list of locations of direct assets and operations and + related upstream and downstream value chain that are relevant to the undertakings + business activities. Furthermore, the undertaking may provide information + about sites for which future operations have been formally announced; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + ref_id: E4-IRO-1.AR-7.b + description: list the biomes and ecosystems it is interfacing with based on + the list of locations identified under paragraph AR 7(a); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + ref_id: E4-IRO-1.AR-7.c + description: identify the current integrity and importance of biodiversity and + ecosystem at each location taking into consideration the information provided + in paragraphs 16 and 17; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + ref_id: E4-IRO-1.AR-7.d + description: develop a list of locations where the undertaking is interfacing + with locations in or near biodiversity-sensitive areas taking into consideration + the information provided in paragraphs 16 and 17; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-7 + ref_id: E4-IRO-1.AR-7.e + description: identify which sectors, business units, value chains or asset classes + are interfacing with biodiversity and ecosystems in these material sites. + Instead of identifying these interfaces per site, the undertaking may choose + to identify them per raw material procured or sold by weight in tons, if such + practice offers greater transparency. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-8 + description: 'In Phase 2, to evaluate its actual or potential impacts and dependencies + on biodiversity and ecosystems for relevant sites, the undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8 + ref_id: E4-IRO-1.AR-8.a + description: identify business processes and activities that interface with + biodiversity and ecosystems; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8 + ref_id: E4-IRO-1.AR-8.b + description: identify actual and potential impacts and dependencies; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8 + ref_id: E4-IRO-1.AR-8.c + description: 'indicate the size, scale, frequency of occurrence and timeframe + of the impacts on biodiversity and ecosystems taking into consideration the + disclosures under paragraphs 16 and 17. Furthermore, the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.c + ref_id: E4-IRO-1.AR-8.c.i + description: "the percentage of its suppliers\u2019 facilities which are located\ + \ in risk prone areas (with threatened species on the IUCN Red List of Species,\ + \ the Birds and Habitats Directive or nationally list of threatened species,\ + \ or in officially recognised Protected Areas, the Natura 2000 network of\ + \ protected areas and Key Biodiversity Areas);" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.c + ref_id: E4-IRO-1.AR-8.c.ii + description: the percentage of its procurement spent from suppliers with facilities + which are located in risk prone areas (with threatened species on the IUCN + Red List of Species, the Birds and Habitats Directive or nationally list of + threatened species, or in officially recognised Protected Areas, the Natura + 2000 network of protected areas and Key Biodiversity Areas); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-8 + ref_id: E4-IRO-1.AR-8.d + description: indicate the size and scale of the dependencies on biodiversity + and ecosystems, including on raw materials, natural resources and ecosystem + services. The undertaking may rely on the international classifications such + as the Common International Classification of Ecosystem Services (CICES). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + ref_id: E4-IRO-1.AR-9 + description: 'In Phase 3, to assesses its material risks and opportunities based + on the results of Phases 1 and 2, the undertaking may consider the following + categories:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9 + ref_id: E4-IRO-1.AR-9.a + description: 'physical risks:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.a + ref_id: E4-IRO-1.AR-9.a.i + description: acute risks (e.g., natural disasters exacerbated by loss of coastal + protection from ecosystems, leading to costs of storm damage to coastal infrastructure, + disease or pests affecting the species or variety of crop the undertaking + relies on, especially in the case of no or low genetic diversity, species + loss and ecosystem degradation); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.a + ref_id: E4-IRO-1.AR-9.a.ii + description: chronic risks (e.g., loss of crop yield due to decline in pollination + services, increasing scarcity or variable production of key natural inputs, + ecosystem degradation due to operations leading to, for example, coastal erosion + and forest fragmentation, ocean acidification, land loss to desertification + and soil degradation and consequent loss of soil fertility, species loss). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9 + ref_id: E4-IRO-1.AR-9.b + description: 'transition risks, including:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b + ref_id: E4-IRO-1.AR-9.b.i + description: 'policy and legal: e.g. introduction of regulation or policy (e.g. + changes such as increased land protection); exposure to sanctions and litigation + (e.g. spills of polluting effluents that damage human and ecosystem health; + or violation of biodiversity-related rights, permits or allocations; or negligence + towards or killing of threatened species); enhanced reporting obligations + on biodiversity, ecosystems and related services;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b + ref_id: E4-IRO-1.AR-9.b.ii + description: 'technology: e.g. substitution of products or services by products + or services with a lower impact on biodiversity or dependence on ecosystem + services, lack of access to data or access to poor quality data that hamper + biodiversity-related assessments, transition to more efficient and cleaner + technologies (i.e. with lower impacts on biodiversity), new monitoring technologies + (e.g. satellite), requirements to use certain technologies (e.g. climate resistant + crops, mechanical pollinators, water purification, flood protection);' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b + ref_id: E4-IRO-1.AR-9.b.iii + description: 'market: e.g., shifting supply, demand and financing, volatility + or increased costs of raw materials (e.g., biodiversity-intense inputs for + which price has risen due to ecosystem degradation);' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.b + ref_id: E4-IRO-1.AR-9.b.iv + description: "reputation: e.g., changing societal, customer or community perceptions\ + \ as a result of an organisation\u2019s role in loss of biodiversity, violation\ + \ of nature-related rights through operations, negative media coverage due\ + \ to impacts on critical species and/or ecosystems, biodiversity-related social\ + \ conflicts over endangered species, protected areas, resources or pollution." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9 + ref_id: E4-IRO-1.AR-9.c + description: 'systemic risks, including:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c + ref_id: E4-IRO-1.AR-9.c.i + description: ecosystem collapse risks that a critical natural system no longer + functions, e.g., tipping points are reached and the collapse of ecosystems + resulting in wholesale geographic or sector losses (summing physical risks); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c + ref_id: E4-IRO-1.AR-9.c.ii + description: aggregated risk linked to fundamental impacts of biodiversity loss + to levels of transition and physical risk across one or more sectors in a + portfolio (corporate or financial); and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.c + ref_id: E4-IRO-1.AR-9.c.iii + description: contagion risks that financial difficulties of certain corporations + or financial institutions linked to failure to account for exposure to biodiversity-related + risks spill over to the economic system as a whole. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9 + ref_id: E4-IRO-1.AR-9.d + description: 'opportunities, including for example:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.d.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.d + ref_id: E4-IRO-1.AR-9.d.i + description: 'business performance categories: resource efficiency; products + and services; markets; capital flow and financing; reputational capital; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.d.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-9.d + ref_id: E4-IRO-1.AR-9.d.ii + description: 'sustainability performance categories: ecosystem protection, restoration + and regeneration; sustainability use of natural resources.' + - urn: urn:intuitem:risk:req_node:esrs_p2:node989 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node946 + name: 'Presentation of information:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-iro-1.ar-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node989 + ref_id: E4-IRO-1.AR-10 + description: 'The undertaking may consider the tables below to facilitate its + materiality assessment of material sites identified under paragraph AR 7:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node945 + ref_id: E4-2 AR + name: 'Disclosure Requirement E4-2 ' + description: Policies related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 11 + description: The policies described under this Disclosure Requirement may be + integrated in broader environmental or sustainability policies covering different + subtopics. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 12 + description: 'The undertaking may also provide information on how the policy + refers to the production, sourcing or consumption of raw materials, and in + particular how it:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12 + ref_id: E4-2 AR 12.a + description: limits procurement from suppliers that cannot demonstrate that + they are not contributing to significant damage to protected areas or key + biodiversity areas (e.g., through certification); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12 + ref_id: E4-2 AR 12.b + description: refers to recognised standards or third-party certifications overseen + by regulators; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-12 + ref_id: E4-2 AR 12.c + description: addresses raw materials originating from ecosystems that have been + managed to maintain or enhance conditions for biodiversity, as demonstrated + by regular monitoring and reporting of biodiversity status and gains or losses. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 13 + description: The undertaking may disclose connections and alignment with other + global goals and agreements such as the SDGs 2, 6, 14 and 15 or any other + well established global convention related to biodiversity and ecosystems. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 14 + description: When disclosing policies related to social consequences of biodiversity + and ecosystems related dependencies and impacts under 23 (f), the undertaking + may notably refer to the Nagoya Protocol and the Convention for Biological + Diversity (CBD). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 15 + description: 'When disclosing information about whether and how its policies + address the social consequences of biodiversity and ecosystems- related impacts + under paragraph 23(f), the undertaking may provide information in relation + to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-15.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-15 + ref_id: E4-2 AR 15.a + description: the fair and equitable sharing of the benefits arising from the + utilisation of genetic resources; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-15.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-15 + ref_id: E4-2 AR 15.b + description: the free, prior and informed consent for access to genetic resources. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 16 + description: 'The undertaking may also explain how its policy enables it to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16 + ref_id: E4-2 AR 16.a + description: avoid negative impacts on biodiversity and ecosystems in its own + operations and related upstream and downstream value chain; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16 + ref_id: E4-2 AR 16.b + description: reduce and minimise its negative impacts on biodiversity and ecosystems + in its operations and throughout the upstream and downstream value chain that + cannot be avoided; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16 + ref_id: E4-2 AR 16.c + description: restore and rehabilitate degraded ecosystems or restore cleared + ecosystems following exposure to impacts that cannot be completely avoided + and/or minimised; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-16 + ref_id: E4-2 AR 16.d + description: mitigate its contribution to material biodiversity loss drivers. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar + ref_id: E4-2 AR 17 + description: 'When disclosing its policies, if referring to third-party standards + of conduct, the undertaking may disclose whether the standard used:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + ref_id: E4-2 AR 17.a + description: is objective and achievable based on a scientific approach to identifying + issues, and realistic in assessing how these issues can be addressed on the + ground under a variety of practical circumstances; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + ref_id: E4-2 AR 17.b + description: is developed or maintained through a process of ongoing consultation + with stakeholders with balanced input from all relevant stakeholder groups, + including producers, traders, processors, financiers, local people and communities, + indigenous peoples, and civil society organisations representing consumer, + environmental and social interests, with no group holding undue authority + or veto power over the content; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + ref_id: E4-2 AR 17.c + description: encourages a step-wise approach and continuous improvement, both + in the standard and its application of better management practices, and requires + the establishment of meaningful targets and specific milestones to indicate + progress against principles and criteria over time; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + ref_id: E4-2 AR 17.d + description: is verifiable through independent certifying or verifying bodies, + which have defined and rigorous assessment procedures that avoid conflicts + of interest, and are compliant with ISO guidance on accreditation and verification + procedures or Article 5(2) of Regulation (EC) No 765/2008; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-2-ar-17 + ref_id: E4-2 AR 17.e + description: conforms to the ISEAL Code of Good Practice. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node945 + ref_id: E4-3 AR + name: Disclosure Requirement E4-3 + description: Actions and resources related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar + ref_id: E4-3 AR 18 + description: 'The undertaking may relate significant monetary amounts of CapEx + and OpEx required to implement the actions taken or planned to:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18 + ref_id: E4-3 AR 18.a + description: the relevant line items or notes in the financial statements; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18 + ref_id: E4-3 AR 18.b + description: the key performance indicators required under article 8 of Regulation + (EU) 2020/852 and under Commission Delegated Regulation (EU) 2021/2178; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-18 + ref_id: E4-3 AR 18.c + description: if applicable, the CapEx plan required by Commission Delegated + Regulation (EU) 2021/2178. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar + ref_id: E4-3AR 19 + description: "The undertaking may disclose whether it considers an \u2018avoidance\u2019\ + \ action plan, which prevents damaging actions before they take place. Avoidance\ + \ often involves a decision to deviate from the business-as- usual project\ + \ development path. An example of avoidance is altering the biodiversity and\ + \ ecosystem footprint of a project to avoid destruction of natural habitat\ + \ on the site and/or establishing set-asides where priority biodiversity values\ + \ are present and will be conserved. At a minimum, avoidance should be considered\ + \ where there are biodiversity and ecosystem-related values that are in one\ + \ of the following categories: particularly vulnerable and irreplaceable,\ + \ of particular concern to stakeholders, or where a cautious approach is warranted\ + \ due to uncertainty about impact assessment or about the efficacy of management\ + \ measures. The three main types of avoidance are defined below:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-19.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3ar-19 + ref_id: E4-3 AR 19.a + description: avoidance through site selection (Locate the entire project away + from biodiversity-sensitive areas); + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-19.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3ar-19 + ref_id: E4-3 AR 19.b + description: 'avoidance through project design (Configure infrastructure to + preserve biodiversity-sensitive areas); and ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-19.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3ar-19 + ref_id: E4-3 AR 19.c + description: avoidance through scheduling (Time project activities to account + for patterns of species behaviour (e.g., breeding, migration) or ecosystem + functions (e.g., river dynamics). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar + ref_id: E4-3 AR 20 + description: 'With regard to key actions, the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.a + description: a list of key stakeholders involved (e.g., competitors, suppliers, + retailers, other business partners, affected communities and authorities, + government agencies) and how they are involved, mentioning key stakeholders + negatively or positively impacted by actions and how they are impacted, including + impacts or benefits created for affected communities, smallholders, indigenous + peoples or other persons in vulnerable situations; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.b + description: where applicable, an explanation of the need for appropriate consultations + and the need to respect the decisions of affected communities; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.c + description: a brief assessment of whether the key actions may induce significant + negative sustainability impacts; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.d + description: an explanation of whether the key action is intended to be a one- + time initiative or systematic practice; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.e + description: "an explanation of whether the key action plan is carried out only\ + \ by the undertaking, using the undertaking\u2019s resources, or whether it\ + \ is part of a wider initiative to which the undertaking significantly contributes.\ + \ If the key action plan is part of a wider initiative, the undertaking may\ + \ provide more information on the project, its sponsors and other participants;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-20 + ref_id: E4-3 AR 20.f + description: a description of how it contributes to systemwide change, notably + to alter the drivers of biodiversity and ecosystem change, e.g., through technological, + economic, institutional, and social factors and changes in underlying values + and behaviours; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-3-ar + ref_id: E4-3 AR 21 + description: "In the context of this Disclosure Requirement, \u2018local and\ + \ indigenous knowledge\u2019 refer to the understandings, skills and philosophies\ + \ developed by societies with long histories of interaction with their natural\ + \ surroundings. For rural and indigenous peoples, local knowledge informs\ + \ decision-making about fundamental aspects of day-to-day life." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1030 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node916 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1030 + ref_id: E4-4 AR + name: Disclosure Requirement E4-4 + description: Targets related to biodiversity and ecosystems + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + ref_id: E4-4 AR 22 + description: The undertaking may specify whether the target addresses shortcomings + related to the Substantial Contribution criteria for Biodiversity as defined + in the delegated acts adopted pursuant to Article 15(2) of Regulation (EU) + 2020/852. Where the Do No Significant Harm (DNSH) criteria for Biodiversity + as defined in delegated acts adopted pursuant to Article 10(3), Article 11(3), + Article 12(2), Article 13(2), and Article 14(2) of Regulation (EU) 2020/852 + are not met, the undertaking may specify whether the target addresses shortcomings + related those DNSH critera. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + ref_id: E4-4 AR 23 + description: When disclosing information required under paragraph 29 for the + purpose of setting targets the undertaking shall consider the need for an + informed and willing consent of local and indigenous peoples, the need for + appropriate consultations and the need to respect the decisions of these communities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + ref_id: E4-4 AR 24 + description: 'The targets related to material impacts may be presented in a + table as illustrated below:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + ref_id: E4-4 AR 25 + description: 'The targets related to the potentially material sustainability + matters listed in paragraph AR 4 of this Standard, may be presented in a table + as illustrated below:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar + ref_id: E4-4 AR 26 + description: 'Measurable targets related to biodiversity and ecosystems may + be expressed as:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26 + ref_id: E4-4 AR 26.a + description: size and location of all habitat areas protected or restored, whether + directly or indirectly controlled by the undertaking, and whether the success + of the restoration measure was or is approved by independent external professionals; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26 + ref_id: E4-4 AR 26.b + description: recreated surfaces (environments in which management initiatives + are implemented so as to create a habitat on a site where it did not exist + initially); or + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-4-ar-26 + ref_id: E4-4 AR 26.c + description: number or percentage of projects / sites whose ecological integrity + was improved (e.g., installation of fish passes, wildlife corridors). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1030 + ref_id: E4-5 AR + name: Disclosure Requirement E4-5 + description: Impact metrics related to biodiversity and ecosystems change + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 27 + description: 'When preparing the information required under this Disclosure + Requirement, the undertaking shall consider and may describe:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.a + description: the methodologies and metrics used and an explanation for why these + methodologies and metrics are selected, as well as their assumptions, limitations + and uncertainties, and any changes in methodologies made over time and why + they occurred; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.b + description: 'the scope of the metrics and methodologies, for example:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.b + ref_id: E4-5 AR 27.b.i + description: undertaking, site, brand, commodity, corporate business unit, activity; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.b + ref_id: E4-5 AR 27.b.ii + description: aspects (as set out in paragraph AR 4) covered. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.c + description: 'the biodiversity components of the metrics: species specific, + ecosystem specific;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.d + description: the geographies covered by the methodology and an explanation of + why any relevant geographies were omitted; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.e + description: how the metrics integrate ecological thresholds (e.g., the biosphere + integrity and land-system change, planetary boundaries) and allocations; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.f + description: the frequency of monitoring, key metrics being monitored, and the + baseline condition/value and baseline year/period, as well as the reference + period; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.g + description: whether these metrics rely on primary data, secondary data, modelled + data or on expert judgement, or a mixture of these; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.h + description: an indication of which action is measured and monitored via the + metrics and how they relate to the achievement of targets; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.i + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.i + description: whether metrics are mandatory (required by legislation) or voluntary. + If they are mandatory, the undertaking may indicate the relevant legislation; + if voluntary, the undertaking may refer to any voluntary standard or procedure + used; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27.j + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-27 + ref_id: E4-5 AR 27.j + description: whether the metrics are informed by or correspond to expectations + or recommendations of relevant and authoritative national, EU-level or intergovernmental + guidelines, policies, legislation or agreements, such as the Convention for + Biological Diversity (CBD) or IPBES. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 28 + description: "The undertaking shall disclose metrics that are verifiable and\ + \ that are technically and scientifically robust considering the appropriate\ + \ time scales geographies, and may disclose how its selected metrics correspond\ + \ to those criteria. To ensure that the metric is relevant there should be\ + \ a clear relationship between the indicator and the purpose of the measurement.\ + \ Uncertainties should be reduced as far as possible. Data or mechanisms used\ + \ should be supported by well- established organisations and updated over\ + \ time. Robust modelled data and expert judgment can be used where data gaps\ + \ exist. The methodology shall be sufficiently detailed to allow for meaningful\ + \ comparison of impacts and mitigation activities over time. Information gathering\ + \ processes and definitions must be systematically applied. This enables a\ + \ meaningful review of the undertaking\u2019s performance over time and helps\ + \ internal and peer comparison." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 29 + description: If a metric corresponds to a target, the baseline for both shall + be aligned. The biodiversity baseline is an essential component of the larger + biodiversity and ecosystems management process. The baseline is necessary + to inform impact assessment and management planning, as well as monitoring + and adaptive management. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 30 + description: "Methodologies available to collect data and measure the undertakings\u2019\ + \ impacts on biodiversity and ecosystems may be separated into three categories\ + \ as follows:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30 + ref_id: E4-5 AR 30.a + description: 'primary data: collected in-situ using on the ground surveys;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30 + ref_id: E4-5 AR 30.b + description: 'secondary data: including geospatial data layers that are overlaid + with geographic location data of business activities.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.b + ref_id: E4-5 AR 30.b.i + description: At the species level, data layers on the ranges of different species + can be used to predict the species that may be present at different locations. + This includes operation sites and sourcing locations. Different range layers + will have different levels of accuracy depending on certain factors (e.g., + whether species ranges have been refined based on availability of habitat). + Information on the threat status of the species, and the activities that threaten + them, can provide an indication of the likely contribution that business activities + may be having on driving population trends and threat status. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.b + ref_id: E4-5 AR 30.b.ii + description: At the ecosystem level, data layers reflecting change in the extent + and condition of ecosystems can be applied, including levels of habitat fragmentation + and connectivity. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-30 + ref_id: E4-5 AR 30.c + description: 'modelled biodiversity state data: Model-based approaches are commonly + used for measuring ecosystem level indicators (e.g., extent, condition, or + function). Models quantify how the magnitude of different pressures affects + the state of biodiversity. These are referred to as pressure-state relationships + and are based on globally collected data. Modelling results are applied locally + to estimate how undertaking-level pressures will cause changes in ecosystem + condition.An impact driver generally has three main characteristics: magnitude + (e.g., amount of contaminant, noise intensity), spatial extent (e.g., area + of land contaminated) and temporal extent (duration of persistence of contaminant).' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 31 + description: "With regard to life cycle assessment for land-use, the undertaking\ + \ may refer to the \u2018Land-use related environmental indicators for Life\ + \ Cycle Assessment\u2019 by the Joint Research Center." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 32 + description: With regard to the introduction of invasive alien species, the + undertaking may disclose the pathways and number of invasive alien species + and the extent of surface covered by invasive alien species. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 33 + description: With regard to metrics on the extent and condition of ecosystems, + useful guidance can be found in the work of the United Nations System of Environmental + Economic Accounting Ecosystem Accounting (UN SEEA EA). + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 34 + description: 'The undertaking may disclose in units of area (e.g., m2 or ha) + on land- use using guidance provided by the Eco-Management and Audit Scheme + (EMAS) ( 82 ):' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34 + ref_id: E4-5 AR 34.a + description: total use of land; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34 + ref_id: E4-5 AR 34.b + description: total sealed area; + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34 + ref_id: E4-5 AR 34.c + description: total nature-oriented area on site; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-34 + ref_id: E4-5 AR 34.d + description: total nature-oriented area off site. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 35 + description: "The undertaking may disclose, for example, land cover change,\ + \ which is the physical representation of the drivers \u2018habitat modification\u2019\ + \ and \u2018industrial and domestic activities\u2019, i.e., the man-made or\ + \ natural change of the physical properties of the earth\u2019s surface at\ + \ a specific location." + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 36 + description: Land cover is a typical variable that can be assessed with earth + observation data. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 37 + description: 'When reporting on material impacts related to the ecosystems, + the undertaking may, in addition to the extent and condition of ecosystems, + also consider the functioning of ecosystems by using:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-37.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-37 + ref_id: E4-5 AR 37.a + description: 'a metric that measures a process or function that the ecosystem + completes, or that reflects the ability of the ecosystem to undertake that + specific process or function: e.g. net primary productivity, which is a measure + of plant productivity based on the rate at which energy is stored by plants + and made available to other species in the ecosystem. It is a core process + that occurs for ecosystems to function. It is related to many factors, such + as species diversity, but does not measure these factors directly; or' + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-37.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-37 + ref_id: E4-5 AR 37.b + description: A metric that measures changes to the population of scientifically + identified species under threat. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-5-ar + ref_id: E4-5 AR 38 + description: At the ecosystem level, data layers reflecting change in the extent + and condition of ecosystems may be applied, including levels of habitat fragmentation + and connectivity. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1030 + ref_id: E4-6 AR + name: Disclosure Requirement E4-6 + description: Anticipated financial effects from material biodiversity and ecosystem-related + risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-ar + ref_id: E4-6 AR 39 + description: The undertaking may include an assessment of its related products + and services at risk over the short-, medium- and long-term, explaining how + these are defined, how financial amounts are estimated, and which critical + assumptions are made. + - urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e4-6-ar + ref_id: E4-6 AR 40 + description: The quantification of the anticipated financial effects in monetary + terms under paragraph 45(a) may be a single amount or a range. + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5 + assessable: false + depth: 1 + ref_id: ESRS E5 + name: RESOUCE USE AND CIRCULAR ECONOMY + - urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p2:node1081 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + description: "1. The objective of this Standard is to specify Disclosure Requirements\ + \ which will enable users of the sustainability statement to understand:\n\ + (a) how the undertaking affects resource use, including resource efficiency,\ + \ avoiding the depletion of resources and the sustainable sourcing and use\ + \ of renewable resources (referred to in this Standard as \u2018resource use\ + \ and circular economy\u2019) in terms of material positive and negative actual\ + \ or potential impacts;\n(b) any actions taken, and the result of such actions,\ + \ to prevent or mitigate actual or potential negative impacts arising from\ + \ resource use, including its measures to help decoupling its economic growth\ + \ from the use of materials, and to address risks and opportunities;\n(c)\ + \ the plans and capacity of the undertaking to adapt its strategy and business\ + \ model in line with circular economy principles including but not limited\ + \ to minimising waste, maintaining the value of products, materials and other\ + \ resources at their highest value and enhancing their efficient use in production\ + \ and consumption;\n(d) the nature, type and extent of the undertaking\u2019\ + s material risks and opportunities related to the undertaking\u2019s impacts\ + \ and dependencies, arising from resource use and circular economy, and how\ + \ the undertaking manages them; and\n(e) the financial effects on the undertaking\ + \ over the short-, medium- and long-term of material risks and opportunities\ + \ arising from the undertaking\u2019s impacts and dependencies on resource\ + \ use and circular economy." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1082 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + description: "2. This Standard sets out Disclosure Requirements related to \u2018\ + resource use\u2019 and \u2018circular economy\u2019 and in particular on:\n\ + (a) resource inflows including the circularity of material resource inflows,\ + \ considering renewable and non-renewable resources; and\n(b) resource outflows\ + \ including information on products and materials; and\n(c) waste." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1083 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + description: 3. Circular economy means an economic system in which the value + of products, materials and other resources in the economy is maintained for + as long as possible, enhancing their efficient use in production and consumption, + thereby reducing the environmental impact of their use, minimising waste and + the release of hazardous substances at all stages of their life cycle, including + through the application of the waste hierarchy. The goal is to maximise and + maintain the value of the technical and biological resources, products and + materials by creating a system that allows for durability, optimal use or + re-use, refurbishment, remanufacturing, recycling and nutrient cycling. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1084 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + description: 4. This Standard builds on relevant EU legislative frameworks and + policies including the EU Circular Economy Action Plan, Directive 2008/98/EC + of the European Parliament and of the Council ( 83 ) (Waste Framework Directive) + and the EU industrial strategy. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1085 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1080 + description: "5. To evaluate the transition from business as usual, meaning\ + \ an economy in which finite resources are extracted to make products that\ + \ are used and then thrown away (\u2018take-make-waste\u2019), to a circular\ + \ economic system, this Standard relies on the identification of the physical\ + \ flows of resources, materials and products used and generated by the undertaking\ + \ through Disclosure Requirement E5-4 Resource inflows and Disclosure Requirement\ + \ E5-5 Resource outflows." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1086 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5 + name: Interactions with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p2:node1087 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1086 + description: 6. Resource use is a major driver of other environmental impacts + such as climate change, pollution, water and marine resources and biodiversity. + A circular economy is a system that tends towards sustainable use of resources + in extraction, processing, production, consumption and management of waste. + Such system brings multiple environmental benefits, in particular, the reduction + of material and energy consumption and emissions into the air (greenhouse + gas emissions or other pollution), the limitation of water withdrawals and + discharges and the regeneration of nature limiting the impact on biodiversity. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1088 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1086 + description: '7. To provide a comprehensive overview of which other environmental + matters could be material to resource use and circular economy, relevant disclosure + requirements are covered in other environmental ESRS as follows: (a) ESRS + E1 Climate change, which addresses, in particular, GHG emissions and energy + resources (energy consumption); (b) ESRS E2 Pollution, which addresses, in + particular, emissions to water, air and soil as well as substances of concern; + (c) ESRS E3 Water and marine resources, which addresses, in particular, water + resource (water consumption) and marine resources; and (d) ESRS E4 Biodiversity + and ecosystems, which ' + - urn: urn:intuitem:risk:req_node:esrs_p2:node1089 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1086 + description: "8. The undertaking\u2019s impacts related to resource use and\ + \ circular economy, in particular impacts related to waste, can affect people\ + \ and communities. Material negative impacts on affected communities from\ + \ resource use and circular economy attributable to the undertaking are covered\ + \ in ESRS S3 Affected communities. The efficient and circular use of resources\ + \ also benefits competitiveness and economic wellbeing" + - urn: urn:intuitem:risk:req_node:esrs_p2:node1090 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1086 + description: 9. This Standard should be read in conjunction with ESRS 1 General + requirements and ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1091 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node1092 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1091 + name: ESRS 2 General disclosures + description: 10.The requirements of this section should be read in conjunction + with and reported alongside the disclosures required by ESRS 2 chapter 4 Impact, + risk and opportunity management. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1093 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1092 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node1094 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1093 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material resource + use and circular economy-related impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1094 + ref_id: E5.IRO-1-11 + description: 'The undertaking shall describe the process to identify material + impacts, risks and opportunities related to resource use and circular economy, + in particular regarding resource inflows, resource outflows and waste, and + shall provide information on:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1-11.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1-11 + ref_id: E5.IRO-1-11.a + description: whether the undertaking has screened its assets and activities + in order to identify its actual and potential impacts, risks and opportunities + in its own operations and its upstream and downstream value chain, and if + so, the methodologies, assumptions and tools used in the screening; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1-11.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1-11 + ref_id: E5.IRO-1-11.b + description: whether and how the undertaking has conducted consultations, in + particular, with affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1093 + ref_id: E5-1 + name: 'Disclosure Requirement E5-1 ' + description: Policies related to resource use and circular economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + ref_id: E5-1-12 + description: The undertaking shall describe its policies adopted to manage its + material impacts, risks and opportunities related to resource use and circular + economy. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + ref_id: E5-1-13 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of its material impacts, risks and + opportunities related to resource use and circular economy. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + ref_id: E5-1-14 + description: The disclosure required by paragraph 12 shall contain the information + on the policies the undertaking has in place to manage its material impacts, + risks and opportunities related to resource use and circular economy in accordance + with ESRS 2 MDR-P Policies adopted to manage material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + ref_id: E5-1-15 + description: 'In the summary, the undertaking shall indicate whether and how + its policies address the following matters where material:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-15.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-15 + ref_id: E5-1-15.a + description: transitioning away from use of virgin resources, including relative + increases in use of secondary (recycled) resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-15.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-15 + ref_id: E5-1-15.b + description: sustainable sourcing and use of renewable resources. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1 + ref_id: E5-1-16 + description: Policies shall address material impacts, risks and opportunities + in its own operations and along its upstream and downstream value chain. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1093 + ref_id: E5-2 + name: Disclosure Requirement E5-2 + description: Actions and resources related to resource use and circular economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2 + ref_id: E5-2-17 + description: The undertaking shall disclose its resource use and circular economy + actions and the resources allocated to their implementation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2 + ref_id: E5-2-18 + description: The objective of this Disclosure Requirement is to enable an understanding + of the key actions taken and planned to achieve the resource use and circular + economy-related policy objectives and targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2 + ref_id: E5-2-19 + description: The description of the resource use and circular economy-related + actions and resources allocated shall follow the principles defined in ESRS + 2 MDR-A Actions and resources in relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2 + ref_id: E5-2-20 + description: 'In addition to ESRS 2 MDR-A, the undertaking may specify whether + and how an action and resources cover:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.a + description: higher levels of resource efficiency in use of technical and biological + materials and water, particularly in relation to critical raw materials and + rare earths as listed in the Raw Materials Information System; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.b + description: higher rates of use of secondary raw materials (recyclates); + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.c + description: 'application of circular design, leading to increased product durability + and optimisation of use, and higher rates of: Reuse, Repair, Refurbishing, + Remanufacture, Repurposing and Recycling.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.d + description: application of circular business practices such as (i) value retention + actions (maintenance, repair, refurbishing, remanufacturing, component harvesting, + upgrading and reverse logistics, closed loop systems, second-hand retailing), + (ii) value maximisation actions (product-service systems, collaborative and + sharing economy business models), (iii) end-of-life actions (recycling, upcycling, + extended producer responsibility), and (iv) systems efficiency actions (industrial + symbiosis); + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.e + description: "actions taken to prevent waste generation in the undertaking\u2019\ + s upstream and downstream value chain; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-20 + ref_id: E5-2-20.f + description: optimistation of waste management in line with the waste hierarchy. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1117 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1092 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1117 + ref_id: E5-3 + name: 'Disclosure Requirement E5-3 ' + description: Targets related to resource use and circular economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-21 + description: The undertaking shall disclose the resource use and circular economy- + related targets it has set. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-22 + description: The objective of this Disclosure Requirement is to enable an understanding + of the targets the undertaking has adopted to support its resource use and + circular economy policy and to address its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-23 + description: The description of the targets shall contain the information requirements + defined in ESRS 2 MDR-T Tracking effectiveness of policies and actions through + targets. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-24 + description: "The disclosure required by paragraph 21 shall indicate whether\ + \ and how the undertaking\u2019s targets relate to resource inflows and resource\ + \ outflows, including waste and products and materials, and, more specifically\ + \ to:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.a + description: the increase of circular product design (including for instance + design for durability, dismantling, reparability, recyclability etc); + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.b + description: the increase of circular material use rate; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.c + description: the minimisation of primary raw material; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.d + description: sustainable sourcing and use (in line with the cascading principle) + of renewable resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.e + description: the waste management, including preparation for proper treatment; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-24 + ref_id: E5-3-24.f + description: other matters related to resource use or circular economy. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-25 + description: The undertaking shall specify to which layer of the waste hierarchy + the target relates. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-26 + description: 'In addition to ESRS 2 MDR-T, the undertaking may specify whether + ecological thresholds and entity-specific allocations were taken into consideration + when setting targets. If so, the undertaking may specify:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26 + ref_id: E5-3-26.a + description: the ecological thresholds identified, and the methodology used + to identify such thresholds; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26 + ref_id: E5-3-26.b + description: whether or not the thresholds are entity-specific and if so, how + they were determined; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-26 + ref_id: E5-3-26.c + description: how responsibility for respecting identified ecological thresholds + is allocated in the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3 + ref_id: E5-3-27 + description: The undertaking shall specify as part of the contextual information, + whether the targets it has set and presented are mandatory (required by legislation) + or voluntary. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1117 + ref_id: E5-4 + name: Disclosure Requirement E5-4 + description: Resource inflows + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + ref_id: E5-4-28 + description: The undertaking shall disclose information on its resource inflows + related to its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + ref_id: E5-4-29 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the resource use in the undertaking\u2019s own operations and its upstream\ + \ value chain." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + ref_id: E5-4-30 + description: "The disclosure required by paragraph 28 shall include a description\ + \ of its resource inflows where material: products (including packaging) and\ + \ materials (specifying critical raw materials and rare earths), water and\ + \ property, plant and equipment used in the undertaking\u2019s own operations\ + \ and along its upstream value chain." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + ref_id: E5-4-31 + description: "When an undertaking assesses that resource inflows is a material\ + \ sustainability matter, it shall disclose the following information about\ + \ the materials used to manufacture the undertaking\u2019s products and services\ + \ during the reporting period, in tonnes or kilogrammes:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31 + ref_id: E5-4-31.a + description: the overall total weight of products and technical and biological + materials used during the reporting period; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31 + ref_id: E5-4-31.b + description: "the percentage of biological materials (and biofuels used for\ + \ non- energy purposes) used to manufacture the undertaking\u2019s products\ + \ and services (including packaging) that is sustainably sourced, with the\ + \ information on the certification scheme used and on the application of the\ + \ cascading principle; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-31 + ref_id: E5-4-31.c + description: "the weight in both absolute value and percentage, of secondary\ + \ reused or recycled components, secondary intermediary products and secondary\ + \ materials used to manufacture the undertaking\u2019s products and services\ + \ (including packaging)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4 + ref_id: E5-4-32 + description: The undertaking shall provide information on the methodologies + used to calculate the data. It shall specify whether the data is sourced from + direct measurement or estimations, and disclose the key assumptions used. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1117 + ref_id: E5-5 + name: Disclosure Requirement E5-5 + description: ' Resource outflows' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5 + ref_id: E5-5-33 + description: The undertaking shall disclose information on its resource outflows, + including waste, related to its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5 + ref_id: E5-5-34 + description: 'The objective of this Disclosure Requirement is to provide an + understanding of:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-34.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-34 + ref_id: E5-5-34.a + description: how the undertaking contributes to the circular economy by i) designing + products and materials in line with circular economy principles and ii) increasing + or maximising the extent to which products, materials and waste processing + are recirculated in practice after first use; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-34.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-34 + ref_id: E5-5-34.b + description: "the undertaking\u2019s waste reduction and waste management strategy,\ + \ the extent to which the undertaking knows how its pre-consumer waste is\ + \ managed in its own activities." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1149 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5 + name: Products and materials + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-35 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1149 + ref_id: E5-5-35 + description: "The undertaking shall provide a description of the key products\ + \ and materials that come out of the undertaking\u2019s production process\ + \ and that are designed along circular principles, including durability, reusability,\ + \ repairability, disassembly, remanufacturing, refurbishment, recycling, recirculation\ + \ by the biological cycle, or optimisation of the use of the product or material\ + \ through other circular business models." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1149 + ref_id: E5-5-36 + description: 'Undertakings for which outflows are material shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36.a + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36 + ref_id: E5-5-36.a + description: The expected durability of the products placed on the market by + the undertaking, in relation to the industry average for each product group; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36.b + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36 + ref_id: E5-5-36.b + description: 'The reparability of products, using an established rating system, + where possible; ' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36.c + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-36 + ref_id: E5-5-36.c + description: The rates of recyclable content in products and their packaging. + - urn: urn:intuitem:risk:req_node:esrs_p2:node1155 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5 + name: Waste + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1155 + ref_id: E5-5-37 + description: 'The undertaking shall disclose the following information on its + total amount of waste from its own operations, in tonnes or kilogrammes:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.a + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37 + ref_id: E5-5-37.a + description: the total amount of waste generated ; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37 + ref_id: E5-5-37.b + description: 'the total amount by weight diverted from disposal, with a breakdown + between hazardous waste and non-hazardous waste and a breakdown by the following + recovery operation types:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b.i + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b + ref_id: E5-5-37.b.i + description: preparation for reuse; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b.ii + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b + ref_id: E5-5-37.b.ii + description: recycling; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b.iii + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.b + ref_id: E5-5-37.b.iii + description: other recovery operations. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37 + ref_id: E5-5-37.c + description: 'the amount by weight directed to disposal by waste treatment type + and the total amount summing all three types, with a breakdown between hazardous + waste and non-hazardous waste. The waste treatment types to be disclosed are:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c.i + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c + ref_id: E5-5-37.c.i + description: incineration; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c.ii + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c + ref_id: E5-5-37.c.ii + description: landfill; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c.iii + assessable: true + depth: 9 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.c + ref_id: E5-5-37.c.iii + description: other disposal operations; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37.d + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-37 + ref_id: E5-5-37.d + description: the total amount and percentage of non-recycled waste ( 84 ). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-38 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1155 + ref_id: E5-5-38 + description: 'When disclosing the composition of the waste, the undertaking + shall specify:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-38.a + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-38 + ref_id: E5-5-38.a + description: the waste streams relevant to its sector or activities (e.g. tailings + for the undertaking in the mining sector, electronic waste for the undertaking + in the consumer electronics sector, or food waste for the undertaking in the + agriculture or in the hospitality sector); and; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-38.b + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-38 + ref_id: E5-5-38.b + description: the materials that are present in the waste (e.g. biomass, metals, + non-metallic minerals, plastics, textiles, critical raw materials and rare + earths). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-39 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1155 + ref_id: E5-5-39 + description: The undertaking shall also disclose the total amount of hazardous + waste and radioactive waste generated by the undertaking, where radioactive + waste is defined in Article 3(7) of Council Directive 2011/70/Euratom ( 85 + ). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-40 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1155 + ref_id: E5-5-40 + description: The undertaking shall provide contextual information on the methodologies + used to calculate the data and in particular the criteria and assumptions + used to determine and classify products designed along circular principles + under paragraph 35. It shall specify whether the data is sourced from direct + measurement or estimations; and disclose the key assumptions used. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1117 + ref_id: E5-6 + name: Disclosure Requirement E5-6 + description: Anticipated financial effects from material resource use and circular + economy-related risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6 + ref_id: E5-6-41 + description: The undertaking shall disclose the anticipated financial effects + of material risks and opportunities arising from resource use and circular + economy-related impacts. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6 + ref_id: E5-6-42 + description: "The information required by paragraph 41 is in addition the information\ + \ on current financial effects on the entity\u2019s financial position, financial\ + \ performance and cash flows for the reporting period required under ESRS\ + \ 2 SBM-3 para 48 (d). The objective of this Disclosure Requirement is to\ + \ provide an understanding of:" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-42.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-42 + ref_id: E5-6-42.a + description: "anticipated financial effects due to material risks arising from\ + \ material resource use and circular economy-related impacts and dependencies\ + \ and how these risks have or could reasonably be expected to have) a material\ + \ influence on the undertaking\u2019s financial position, financial performance\ + \ performance, and cash flows over the short-, medium- and long-term; and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-42.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-42 + ref_id: E5-6-42.b + description: anticipated financial effects due to material opportunities related + to resource use and circular economy. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6 + ref_id: E5-6-43 + description: 'The disclosure shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43 + ref_id: E5-6-43.a + description: a quantification of the anticipated financial effects in monetary + terms before considering resource use and circular economy- related actions, + or where not possible without undue cost or effort, qualitative information. + For financial effects arising from material opportunities, a quantification + is not required if it would result in disclosure that does not meet the qualitative + characteristics of information (see ESRS 1 Appendix B Qualitative characteristics + of information); + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43 + ref_id: E5-6-43.b + description: a description of the effects considered, the impacts and dependencies + to which they relate and the time horizons in which they are likely to materialise; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-43 + ref_id: E5-6-43.c + description: the critical assumptions used to quantify the anticipated financial + effects, as well as the sources and level of uncertainty of those assumptions. + - urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5-appendix-a + assessable: false + depth: 1 + ref_id: ESRS E5-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p2:node1182 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:esrs-e5-appendix-a + name: ESRS 2 GENERAL DISCLOSURES + - urn: urn:intuitem:risk:req_node:esrs_p2:node1183 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1182 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1183 + name: Disclosure requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material resource + use and circular economy-related impacts, risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-1 + description: 'When conducting a materiality assessment on environmental subtopics, + the undertaking shall assess the materiality of resource use and circular + economy in its own operations and its upstream and downstream value chain, + and may consider the four phases below, also known as the LEAP approach:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1 + ref_id: E5.IRO-1.AR-1.a + description: "Phase 1: locate where in the undertaking\u2019s own operations\ + \ and along its upstream and downstream value chain the interface with nature\ + \ takes place;" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1 + ref_id: E5.IRO-1.AR-1.b + description: 'Phase 2: evaluate the dependencies and impacts;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1 + ref_id: E5.IRO-1.AR-1.c + description: 'Phase 3: assess the material risks and opportunities;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-1 + ref_id: E5.IRO-1.AR-1.d + description: 'Phase 4: prepare and report the results of the materiality assessment.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-2 + description: With regard to ESRS E5, phases 1 and 2 rely mainly on the materiality + assessments conducted under ESRS E1 (including energy consumption), ESRS E2 + (pollution), ESRS E3 (marine resources, water consumption) and ESRS E4 (biodiversity, + ecosystems, raw materials). Indeed, circular economy eventually aims at reducing + the environmental impact of the use of products, materials and other resources, + minimizing waste and the release of hazardous substances and hence at reducing + impacts on nature. This application requirement focuses mainly on the third + phase of this LEAP approach, while the fourth phase addresses the outcome + of the process. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-3 + description: "The process to assess the materiality of impacts, dependencies,\ + \ risks and opportunities shall consider the provisions in ESRS 2 IRO-1 Description\ + \ of the processes to identify and assess material impacts, risks and opportunities\ + \ and IRO-2 Disclosure Requirements in ESRS covered by the undertaking\u2019\ + s sustainability statement." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-4 + description: 'The sub-topics related to resource use and circular economy covered + by the materiality assessment include:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4 + ref_id: E5.IRO-1.AR-4.a + description: resource inflows including the circularity of material resource + inflows, considering resource use optimisation, intensity of materials and + products and renewable and non-renewable resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4 + ref_id: E5.IRO-1.AR-4.b + description: resource outflows related to products and services; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-4 + ref_id: E5.IRO-1.AR-4.c + description: waste, including hazardous waste and non-hazardous waste management. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-5 + description: 'In Phase 3, to assess its material risks and opportunities based + on the results of Phases 1 and 2, the undertaking may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5 + ref_id: E5.IRO-1.AR-5.a + description: 'identify transition risks and opportunities in its own operations + and its upstream and downstream value chain, including the risk of staying + in a business-as-usual scenario:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a + ref_id: E5.IRO-1.AR-5.a.i + description: policy and legal, e.g., bans on the extraction and use of non- + renewable resources, regulations on waste treatment; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a + ref_id: E5.IRO-1.AR-5.a.ii + description: technology, e.g., introduction on the market of new technologies + to replace existing use of products and materials; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a + ref_id: E5.IRO-1.AR-5.a.iii + description: market, e.g., shifting supply, demand and financing; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.a + ref_id: E5.IRO-1.AR-5.a.iv + description: reputation, e.g. changing societal, customer or community perceptions. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5 + ref_id: E5.IRO-1.AR-5.b + description: identify physical risks including depletion of stock and use of + virgin and non-virgin renewable resources, and of non-renewable resources; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5 + ref_id: E5.IRO-1.AR-5.c + description: 'identify opportunities categorised by:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + ref_id: E5.IRO-1.AR-5.c.i + description: 'resource efficiency: e.g., transition to more efficient services + and processes requiring less resources, eco-design for longevity, repair, + reuse, recycle, by- products, take-back systems, decoupling activity from + extraction of materials, intensifying circular material use, creation of a + system that allows for dematerialization (e.g., digitisation, improving utilisation + rates, weight reduction); practices to ensure products and materials are collected, + sorted, and reused, repaired, refurbished, remanufactured;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + ref_id: E5.IRO-1.AR-5.c.ii + description: 'markets: e.g., demand for less resource-intense products and services, + and new consumption models such as product-as- a- service, pay-per-use, sharing, + leasing;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + ref_id: E5.IRO-1.AR-5.c.iii + description: 'financing: e.g., access to green funds, bonds or loans;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c.iv + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + ref_id: E5.IRO-1.AR-5.c.iv + description: 'resilience: e.g., diversification of resources and business activities + (e.g., start a new business unit to recycle new materials), investing in green + infrastructures, adopting recycling and circularity mechanisms that reduce + the dependencies, capability of the undertaking to safeguard future stocks + and flows of resources; and' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c.v + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-5.c + ref_id: E5.IRO-1.AR-5.c.v + description: reputation. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-6 + description: 'The undertaking may consider the following methodologies to assess + its impacts, risks and opportunities in its own operations and along its upstream + and downstream value chain:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-6.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-6 + ref_id: E5.IRO-1.AR-6.a + description: "Commission Recommendation 2021/2279 on the use of the Environmental\ + \ Footprint methods to measure and communicate the life cycle environmental\ + \ performance of products and organizations (Annex I \u2013 Product Environmental\ + \ Footprint; Annex III \u2013 Organisation Environmental Footprint); and" + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-6.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-6 + ref_id: E5.IRO-1.AR-6.b + description: Material Flow Analysis (MFA) from the European Environment Agency. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1184 + ref_id: E5.IRO-1.AR-7 + description: 'When providing information on the outcome of the materiality assessment, + the undertaking shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.a + description: a list of business units associated to resource use and circular + economy material impacts, risks and opportunities in the context of the products + and services of the undertaking and the waste it generates; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.b + description: a list and prioritisation of the material resources used by the + undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.c + description: the material impacts and risks of staying in business as usual; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.d + description: the material opportunities related to a circular economy; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.e + description: the material impacts and risks of a transition to a circular economy; + and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5.iro-1.ar-7 + ref_id: E5.IRO-1.AR-7.f + description: the stages of the value chain where resource use, risks and negative + impacts are concentrated. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1183 + ref_id: E5-1 AR + name: Disclosure Requirement E5-1 + description: Policies related to resource use and circular economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar + ref_id: E5-1 AR 8 + description: The policies described under this Disclosure Requirement may be + integrated in broader environmental or sustainability policies covering different + subtopics. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar + ref_id: E5-1 AR 9 + description: 'When providing information on its policies, the undertaking shall + consider whether and how its policies address:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-9.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-9 + ref_id: E5-1 AR 9.a + description: 'the waste hierarchy: (a) prevention; (b) preparing for re-use; + (c) recycling; (d) other recovery, e.g., energy recovery; and (e) disposal. + In this context, the waste treatment cannot be considered as a recovery;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-9.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-9 + ref_id: E5-1 AR 9.b + description: the prioritisation of the avoidance or minimisation waste (Re-use, + Repair, Refurbish, Remanufacture and Repurpose) over waste treatment (Recycling). + The concepts of eco-design ( 86 ), waste as a resource or post- consumer waste + (at the end of a consumer- product lifecycle), should also be taken into consideration. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-1-ar + ref_id: E5-1 AR 10 + description: " When defining its policies, the undertaking may consider the\ + \ Paper on \u2018Categorisation system for the circular economy\u2019, which\ + \ describes circular design and production models, circular use models, circular\ + \ value recovery models and circular support along the principles of the nine\ + \ circular economy \u2018R\u2019 strategies or principles: refuse, rethink,\ + \ reduce, re-use, repair, refurbish, remanufacture, repurpose and recycle." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1183 + ref_id: E5-2 AR + name: 'Disclosure Requirement E5-2 ' + description: Actions and resources in relation to resource use and circular + economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar + ref_id: E5-2 AR 11 + description: When providing information under paragraph 17 and considering that + resources are shared and that circular economy strategies may require collective + actions, the undertaking may specify the actions taken to engage with its + upstream and downstream value chain and/or its local network on the development + of collaborations or initiatives increasing the circularity of products and + materials. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar + ref_id: E5-2 AR 12 + description: 'In particular, the undertaking may specify the following:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12 + ref_id: E5-2 AR 12.a + description: how it contributes to circular economy, including for instance + smart waste collection systems; + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12 + ref_id: E5-2 AR 12.b + description: 'the other stakeholders involved in the collective actions: competitors, + suppliers, retailers, customers, other business partners, local communities + and authorities, government agencies;' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-12 + ref_id: E5-2 AR 12.c + description: ' a description of the organisation of the collaboration or initiative, + including the specific contribution of the undertaking and the roles of the + different stakeholders in the project.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-2-ar + ref_id: E5-2 AR 13 + description: "The actions may cover the undertaking\u2019s own operations and/or\ + \ its upstream and downstream value chain." + - urn: urn:intuitem:risk:req_node:esrs_p2:node1232 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1182 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1232 + ref_id: E5-3 AR + name: 'Disclosure Requirement E5-3 ' + description: Targets related to resource use and circular economy + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 14 + description: If the undertaking refers to ecological thresholds to set targets, + it may refer to the guidance provided by the Science-Based Targets Initiative + for Nature (SBTN) in its interim guidance (Initial Guidance for Business, + September 2020) or any other guidance with a scientifically acknowledged methodology + that allows to set science-based targets by identifying ecological thresholds + and, if applicable, organisation-specific allocations. Ecological thresholds + can be local, national and/or global. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 15 + description: When providing information on targets, the undertaking shall prioritise + targets in absolute value. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 16 + description: When providing information targets according to paragraph 24, the + undertaking shall consider the production phase, the use phase, and the end + of functional life of products and materials. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 17 + description: When providing information on targets related to virgin renewable + raw material under paragraph 24(c), the undertaking shall consider how those + targets may impact biodiversity loss, also in light of ESRS E4. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 18 + description: The undertaking may disclose other targets under paragraph 24(f) + including in relation to sustainable sourcing. If so, the undertaking shall + explain the definition of sustainable sourcing it has adopted and how it relates + to the objective set out in paragraph 22. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 19 + description: "The targets may cover the undertaking\u2019s own operations and/or\ + \ its upstream and downstream value chain." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-3-ar + ref_id: E5-3 AR 20 + description: The undertaking may specify whether the target addresses shortcomings + related to the Substantial Contribution criteria for Circular Economy as defined + in the delegated acts adopted pursuant to Article 13(2) of Regulation (EU) + 2020/852. Where the Do No Significant Harm (DNSH) criteria for Circular Economy + as defined in delegated acts adopted pursuant to Article 10(3), Article 11(3), + Article 12(2), Article 14(2), and Article 15(2) of Regulation (EU) 2020/852 + are not met, the undertaking may specify whether the target addresses shortcomings + related those DNSH criteria. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1232 + ref_id: E5-4 AR + name: Disclosure Requirement E5-4 + description: Resource inflows + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + ref_id: E5-4 AR 21 + description: 'Resource inflows may cover the following categories: IT equipment, + textiles, furniture, buildings, heavy machinery, mid-weight machinery, light + machinery, heavy transport, mid-weight transport, light transport and warehousing + equipment. With regard to materials, resource inflow indicators include raw + materials, associated process materials, and semi-manufactured goods or parts.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + ref_id: E5-4 AR 22 + description: When the undertaking is subject to paragraph 31, it may also provide + transparency on the materials that are sourced from by-products/waste stream + (e.g., offcuts of a material that has not previously been in a product). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + ref_id: E5-4 AR 23 + description: The denominator of the percentage indicator required under paragraphs + 31(b) and 31(c) is the overall total weight of materials used during the reporting + period. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + ref_id: E5-4 AR 24 + description: "The reported usage data are to reflect the material in its original\ + \ state, and not to be presented with further data manipulation, such as reporting\ + \ it as \u2018dry weight\u2019." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-4-ar + ref_id: E5-4 AR 25 + description: In cases where there is an overlap between categories of reused, + recycled, the undertaking shall specify how double counting was avoided and + the choices that were made. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1232 + ref_id: E5-5 AR + name: Disclosure Requirement E5-5 + description: Resource outflows + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 26 + description: "Products and materials information to be provided under paragraph\ + \ 35 refers to all materials and products that come out of the undertaking\u2019\ + s production process and that a company puts on the market (including packaging)." + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 27 + description: When compiling the rate, the undertaking shall use as denominator + the overall total weight of materials used during the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 28 + description: The undertaking may disclose its engagement in product end-of-life + waste management, for example through extended producer responsibility schemes + or take-back schemes. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 29 + description: Type of waste is to be understood as hazardous waste or non-hazardous + waste. Some specific waste, such as radioactive waste, may also be presented + as a separate type. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 30 + description: ' When considering the waste streams relevant to its sectors or + activities, the undertaking may consider the list of waste descriptions from + the European Waste Catalogue.' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 31 + description: Examples of other types of recovery operations under paragraph + 37(b)iii may be found in Annex II of Directive 2008/98/EC (Waste Framework + Directive). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 32 + description: Examples of other types of disposal operations under paragraph + 37(c)iii may be found in Annex I of Directive 2008/98/EC (Waste Framework + Directive). + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar + ref_id: E5-5 AR 33 + description: 'When providing contextual information under paragraph 40 the undertaking + may:' + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33 + ref_id: E5-5 AR 33.a + description: explain the reasons for high weights of waste directed to disposal + (e.g., local regulations that prohibit landfill of specific types of waste); + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33 + ref_id: E5-5 AR 33.b + description: describe sector practices, sector standards, or external regulations + that mandate a specific disposal operation; and + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-5-ar-33 + ref_id: E5-5 AR 33.c + description: specify whether the data has been modelled or sourced from direct + measurements, such as waste transfer notes from contracted waste collectors. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:node1232 + ref_id: E5-6 AR + name: Disclosure Requirement E5-6 + description: Anticipated financial effects from material resource use and circular + economy-related risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar + ref_id: E5-6 AR 34 + description: When providing information under paragraph 42(b), the undertaking + may illustrate and describe how it intends to strengthen value retention. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar + ref_id: E5-6 AR 35 + description: The undertaking may include an assessment of its related products + and services at risk over the short-, medium- and long-term, explaining how + these are defined, how financial amounts are estimated, and which critical + assumptions are made. + - urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p2:e5-6-ar + ref_id: E5-6 AR 36 + description: The quantification of the anticipated financial effects in monetary + terms under paragraph 43(a) may be a range. diff --git a/backend/library/libraries/esrs-p3.yaml b/backend/library/libraries/esrs-p3.yaml new file mode 100644 index 000000000..bbdbae7b4 --- /dev/null +++ b/backend/library/libraries/esrs-p3.yaml @@ -0,0 +1,9572 @@ +urn: urn:intuitem:risk:library:esrs_p3 +locale: en +ref_id: ESRS S1/ESRS S2/ESRS S3/ESRS S4/ESRS G1 +name: European sustainability reporting standards (ESRS S1/ESRS S2/ESRS S3/ESRS S4/ESRS + G1) +description: 'The Commission adopted today the European Sustainability Reporting Standards + (ESRS) for use by all companies subject to the Corporate Sustainability Reporting + Directive (CSRD). + + (ESRS S1 Own workforce/ESRS S2 Workers in the value chain/ESRS S3 Affected communities/ESRS + S4 Consumers and end-users/ESRS G1 Business conduct) + + Current consolidated version: 22/12/2023 + + https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222' +copyright: EUROPEAN COMMISSION +version: 1 +provider: EUROPEAN COMMISSION +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:esrs_p3 + ref_id: ESRS S1/ESRS S2/ESRS S3/ESRS S4/ESRS G1 + name: European sustainability reporting standards (ESRS S1/ESRS S2/ESRS S3/ESRS + S4/ESRS G1) + description: 'The Commission adopted today the European Sustainability Reporting + Standards (ESRS) for use by all companies subject to the Corporate Sustainability + Reporting Directive (CSRD). + + (ESRS S1 Own workforce/ESRS S2 Workers in the value chain/ESRS S3 Affected communities/ESRS + S4 Consumers and end-users/ESRS G1 Business conduct) + + Current consolidated version: 22/12/2023 + + https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02023R2772-20231222' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1 + assessable: false + depth: 1 + ref_id: ESRS S1 + name: OWN WORKFORCE + - urn: urn:intuitem:risk:req_node:esrs_p3:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "1.The objective of this Standard is to specify disclosure requirements\ + \ which will enable users of the sustainability statement to understand the\ + \ undertaking\u2019s material impacts on its own workforce, as well as related\ + \ material risks and opportunities, including:\n(a) how the undertaking affects\ + \ its own workforce, in terms of material positive and negative actual or\ + \ potential impacts;\n(b) any actions taken, and the result of such actions,\ + \ to prevent, mitigate or remediate actual or potential negative impacts,\ + \ and to address risks and opportunities;\n(c) the nature, type and extent\ + \ of the undertaking\u2019s material risks and opportunities related to its\ + \ impacts and dependencies on its own workforce, and how the undertaking manages\ + \ them; and\n(d) the financial effects on the undertaking over the short-,\ + \ medium-and long-term of material risks and opportunities arising from the\ + \ undertaking\u2019s impacts and dependencies on its own workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:node5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "2. In order to meet the objective, this Standard also requires\ + \ an explanation of the general approach the undertaking takes to identify\ + \ and manage any material actual and potential impacts on its own workforce\ + \ in relation to the following social, including human rights, factors or\ + \ matters:\n(a) working conditions, including:\ni. secure employment;\nii.\ + \ working time;\niii. adequate wages;\niv. social dialogue;\nv. freedom of\ + \ association, the existence of works councils and the information, consultation\ + \ and participation rights of workers;\nvi. collective bargaining, including\ + \ the rate of the undertaking\u2019s workforce covered by collective agreements;\n\ + vii. work-life balance; and\nviii. health and safety.\n(b) equal treatment\ + \ and opportunities for all, including:\ni. gender equality and equal pay\ + \ for work of equal value;\nii. training and skills development;\niii. employment\ + \ and inclusion of persons with disabilities;\niv. measures against violence\ + \ and harassment in the workplace;\nand\nv. diversity.\n(c) other work-related\ + \ rights, including those that relate to:\ni. child labour;\nii. forced labour;\n\ + iii. adequate housing; and\niv. privacy." + - urn: urn:intuitem:risk:req_node:esrs_p3:node6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "3. This Standard also requires an explanation of how such impacts,\ + \ as well as the undertaking\u2019s dependencies on its own workforce, can\ + \ create material risks or opportunities for the undertaking. For example,\ + \ on the matter of equal opportunities, discrimination in hiring and promotion\ + \ against women can reduce the undertaking\u2019s access to qualified labour\ + \ and harm its reputation. Conversely, policies to increase the representation\ + \ of women in the workforce and in upper levels of management can have positive\ + \ effects, such as increasing the pool of qualified labour and improving the\ + \ undertaking\u2019s reputation." + - urn: urn:intuitem:risk:req_node:esrs_p3:node7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "4. This Standard covers an undertaking\u2019s own workforce, which\ + \ is understood to include both people who are in an employment relationship\ + \ with the undertaking (\u2018employees\u2019) and non-employees who are either\ + \ people with contracts with the undertaking to supply labour (\u2018self-employed\ + \ people\u2019) or people provided by undertakings primarily engaged in \u2018\ + employment activities\u2019 (NACE Code N78). See Application Requirement 3\ + \ for examples of who falls under own workforce. The information required\ + \ to be disclosed with regard to non-employees shall not affect their status\ + \ pursuant to applicable labour law." + - urn: urn:intuitem:risk:req_node:esrs_p3:node8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "5. This Standard does not cover workers in the undertaking\u2019\ + s upstream or downstream value chain; these categories of workers are covered\ + \ in ESRS S2 Workers in the value chain." + - urn: urn:intuitem:risk:req_node:esrs_p3:node9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "6. The Standard requires undertakings to describe their own workforce,\ + \ including key characteristics of the employees and non-employees that are\ + \ part of it. This description provides users with an understanding of the\ + \ structure of the undertaking\u2019s own workforce and helps to contextualise\ + \ information provided through other disclosures." + - urn: urn:intuitem:risk:req_node:esrs_p3:node10 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node3 + description: "7. The objective of the Standard is also to enable users to understand\ + \ the extent to which the undertaking aligns or complies with international\ + \ and European human rights instruments and conventions, including the International\ + \ Bill of Human Rights, the UN Guiding Principles on Business and Human Rights\ + \ and the OECD Guidelines for Multinational Enterprises, the International\ + \ Labour Organization\u2019s Declaration on Fundamental Principles and Rights\ + \ at Work and ILO fundamental conventions, the UN Convention on Persons with\ + \ Disabilities, the European Convention of Human Rights, the revised European\ + \ Social Charter, the Charter of Fundamental Rights of the European Union,\ + \ the EU policy priorities as set out by the European Pillar of Social Rights,\ + \ and Union legislation, including the EU labour law acquis." + - urn: urn:intuitem:risk:req_node:esrs_p3:node11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p3:node12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node11 + description: 8. This Standard shall be read in conjunction with ESRS 1 General + principles and ESRS 2 General requirements. + - urn: urn:intuitem:risk:req_node:esrs_p3:node13 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node11 + description: 9. This Standard shall be read in conjunction with ESRS S2 Workers + in the value chain, ESRS S3 Affected communities and ESRS S4 Consumers and + end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:node14 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node11 + description: "10.The reporting under this Standard shall be consistent, coherent\ + \ and where relevant clearly linked with reporting on the undertaking\u2019\ + s value chain workers under ESRS S2, in order to ensure effective reporting." + - urn: urn:intuitem:risk:req_node:esrs_p3:node15 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1 + name: Disclosure requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node16 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node15 + name: ESRS 2 General disclosures + description: 11. The requirements of this section should be read in conjunction + with the disclosures required by ESRS 2 on Strategy (SBM). The resulting disclosures + shall be presented alongside the disclosures required by ESRS 2, except for + ESRS 2 SBM-3, for which the undertaking has an option to present the disclosures + alongside the topical disclosure. + - urn: urn:intuitem:risk:req_node:esrs_p3:node17 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node16 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node18 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node17 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-2-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node18 + ref_id: S1.SBM-2-12 + description: "When responding to ESRS 2 SBM-2, the undertaking shall disclose\ + \ how the interests, views, and rights of people in its own workforce, including\ + \ respect for their human rights, inform its strategy and business model.\ + \ The undertaking\u2019s own workforce is a key group of affected stakeholders." + - urn: urn:intuitem:risk:req_node:esrs_p3:node20 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node17 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node20 + ref_id: S1.SBM-3-13 + description: 'When responding to ESRS 2 SBM-3 paragraph 48, the undertaking + shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-13.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-13 + ref_id: S1.SBM-3-13.a + description: "whether and how actual and potential impacts on its own workforce\ + \ as identified in ESRS 2 IRO-1 Description of the processes to identify and\ + \ assess material impacts, risks and opportunities: (i) originate from or\ + \ are connected to the undertaking\u2019s strategy and business models, and\ + \ (ii) inform and contribute to adapting the undertaking\u2019s strategy and\ + \ business model; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-13.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-13 + ref_id: S1.SBM-3-13.b + description: the relationship between its material risks and opportunities arising + from impacts and dependencies on own workforce and its strategy and business + model. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node20 + ref_id: S1.SBM-3-14 + description: "When fulfilling the requirements of paragraph 48, the undertaking\ + \ shall disclose whether all people in its own workforce who could be materially\ + \ impacted by the undertaking are included in the scope of its disclosure\ + \ under ESRS 2. These material impacts shall include impacts that are connected\ + \ with the undertaking\u2019s own operations and its value chain, including\ + \ through its products or services, as well as through its business relationships.\ + \ In addition, the undertaking shall provide the following information:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.a + description: a brief description of the types of employees and non-employees + in its own workforce subject to material impacts by its operations, and specify + whether they are employees, self- employed people, or people provided by third + party undertakings primarily engaged in employment activities; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.b + description: in the case of material negative impacts, whether they are either + (i) widespread or systemic in contexts where the undertaking operates (for + example, child labour or forced labour or compulsory labour in specific countries + or regions outside the EU), or (ii) related to individual incidents (for example, + an industrial accident or an oil spill); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.c + description: in the case of material positive impacts, a brief description of + the activities that result in the positive impacts, the types of employees + and non-employees in its own workforce that are positively affected or could + be positively affected; the undertaking may also disclose whether the positive + impacts occur in specific countries or regions; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.d + description: any material risks and opportunities for the undertaking arising + from impacts and dependencies on its own workforce; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.e + description: "any material impacts on its own workforce that may arise from\ + \ transition plans for reducing negative impacts on the environment and achieving\ + \ greener and climate- neutral operations, including information on the impacts\ + \ on own workforce caused by the undertaking\u2019s plans and actions to reduce\ + \ carbon emissions in line with international agreements. Impacts, risks and\ + \ opportunities include restructuring and employment loss as well as opportunities\ + \ arising from job creation and reskilling or upskilling;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.f + description: 'operations at significant risk of incidents of forced labour or + compulsory labour ( 87 ) either in terms of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.f.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.f + ref_id: S1.SBM-3-14.f.i + description: type of operation (such as manufacturing plant); or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.f.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.f + ref_id: S1.SBM-3-14.f.ii + description: countries or geographic areas with operations considered at risk; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14 + ref_id: S1.SBM-3-14.g + description: 'operations at significant risk of incidents of child labour ( + 88 ) either in terms of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.g.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.g + ref_id: S1.SBM-3-14.g.i + description: type of operation (such as manufacturing plant); or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.g.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-14.g + ref_id: S1.SBM-3-14.g.ii + description: countries or geographic areas with operations considered at risk. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node20 + ref_id: S1.SBM-3-15 + description: In describing the main types of people in its own workforce who + are or could be negatively affected, based on the materiality assessment set + out in ESRS 2 IRO 1, the undertaking shall disclose whether and how it has + developed an understanding of how people with particular characteristics, + those working in particular contexts, or those undertaking particular activities + may be at greater risk of harm. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node20 + ref_id: S1.SBM-3-16 + description: The undertaking shall disclose which, if any, of its material risks + and opportunities arising from impacts and dependencies on people in its own + workforce relate to specific groups of people (for example, particular age + groups, or people working in a particular factory or country) rather than + to all of its own workforce (for example, a general pay cut, or training offered + to all people in its own workforce). + - urn: urn:intuitem:risk:req_node:esrs_p3:node38 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node16 + name: Impacts, risks and opportunities management + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node38 + ref_id: S1-1 + name: Disclosure Requirement S1-1 + description: Policies related to own workforce + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-17 + description: The undertaking shall describe its policies adopted to manage its + material impacts on its own workforce, as well as associated material risks + and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-18 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the extent to which the undertaking has policies that address the identification,\ + \ assessment, management and/or remediation of material impacts on the undertaking\u2019\ + s own workforce specifically, as well as policies that cover material impacts,\ + \ risks and opportunities related to its own workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-19 + description: "The disclosure required by paragraph 17 shall contain the information\ + \ on the undertaking\u2019s policies to manage its material impacts, risks\ + \ and opportunities related to its own workforce in accordance with ESRS 2\ + \ MDR-P Policies adopted to manage material sustainability matters. In addition,\ + \ the undertaking shall specify if such policies cover specific groups within\ + \ its own workforce or all of its own workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-20 + description: 'The undertaking shall describe its human rights policy commitments + ( 89 ) that are relevant to its own workforce, including those processes and + mechanisms to monitor compliance with the UN Guiding Principles on Business + and Human Rights, ILO Declaration on Fundamental Principles and Rights at + Work and the OECD Guidelines for Multinational Enterprises ( 90 ). In its + disclosure it shall focus on those matters that are material in relation to, + as well as its general approach to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20 + ref_id: S1-1-20.a + description: respect for the human rights, including labour rights, of people + in its own workforce; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20 + ref_id: S1-1-20.b + description: engagement with people in its own workforce; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-20 + ref_id: S1-1-20.c + description: measures to provide and/or enable remedy for human rights impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-21 + description: The undertaking shall disclose whether and how its policies with + regard to its own workforce are aligned with relevant internationally recognised + instruments, including the UN Guiding Principles on Business and Human Rights + ( 91 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-22 + description: The undertaking shall state whether its policies in relation to + its own workforce explicitly address trafficking in human beings ( 92 ), forced + labour or compulsory labour and child labour. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-23 + description: The undertaking shall state whether it has a workplace accident + prevention policy or management system ( 93 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1 + ref_id: S1-1-24 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24 + ref_id: S1-1-24.a + description: whether it has specific policies aimed at the elimination of discrimination, + including harassment, promoting equal opportunities and other ways to advance + diversity and inclusion; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24 + ref_id: S1-1-24.b + description: 'whether the following grounds for discrimination are specifically + covered in the policy: racial and ethnic origin, colour, sex, sexual orientation, + gender identity, disability, age, religion, political opinion, national extraction + or social origin, or other forms of discrimination covered by Union regulation + and national law;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24 + ref_id: S1-1-24.c + description: whether the undertaking has specific policy commitments related + to inclusion or positive action for people from groups at particular risk + of vulnerability in its own workforce and, if so, what these commitments are; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-24 + ref_id: S1-1-24.d + description: whether and how these policies are implemented through specific + procedures to ensure discrimination is prevented, mitigated and acted upon + once detected, as well as to advance diversity and inclusion in general. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node38 + ref_id: S1-2 + name: Disclosure Requirement S1-2 + description: "Processes for engaging with own workforce and workers\u2019 representatives\ + \ about impacts" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + ref_id: S1-2-25 + description: The undertaking shall disclose its general processes for engaging + with people in its own workforce and workers' representatives about actual + and potential impacts on its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + ref_id: S1-2-26 + description: The objective of this Disclosure Requirement is to enable an understanding + of how the undertaking engages, as part of its ongoing due diligence process, + with people in its own workforce and workers' representatives about material, + actual and potential, positive and/or negative impacts that do or are likely + to affect them, and whether and how perspectives of its own workforces are + taken into account in the decision-making processes of the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + ref_id: S1-2-27 + description: 'The undertaking shall disclose whether and how the perspectives + of its own workforce inform its decisions or activities aimed at managing + the actual and potential impacts on its own workforce. This shall include, + where relevant, an explanation of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + ref_id: S1-2-27.a + description: "whether engagement occurs directly with the undertaking\u2019\ + s own workforce or workers' representatives;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + ref_id: S1-2-27.b + description: the stage(s) at which engagement occurs, the type of engagement + and frequency of the engagement; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + ref_id: S1-2-27.c + description: "the function and the most senior role within the undertaking that\ + \ has operational responsibility for ensuring that this engagement happens\ + \ and that the results inform the undertaking\u2019s approach;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + ref_id: S1-2-27.d + description: where applicable, a Global Framework Agreement or other agreements + that the undertaking has with workers' representatives related to the respect + of human rights of its own workforce, including an explanation of how the + agreement enables the undertaking to gain insight into the perspectives of + its own workforce; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-27 + ref_id: S1-2-27.e + description: where applicable, how the undertaking assesses the effectiveness + of its engagement with its own workforce, including, where relevant, any agreements + or outcomes that result. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + ref_id: S1-2-28 + description: Where applicable, the undertaking shall disclose the steps it takes + to gain insight into the perspectives of people in its own workforce who may + be particularly vulnerable to impacts and/or marginalised (for example, women, + migrants, people with disabilities). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2 + ref_id: S1-2-29 + description: If the undertaking cannot disclose the above required information + because it has not adopted a general process to engage with its own workforce, + it shall disclose this to be the case. It may disclose a timeframe in which + it aims to have such a process in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node38 + ref_id: S1-3 + name: Disclosure Requirement S1-3 + description: Processes to remediate negative impacts and channels for own workforce + to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + ref_id: S1-3-30 + description: The undertaking shall describe the processes it has in place to + provide for or cooperate in the remediation of negative impacts on people + in its own workforce that the undertaking is connected with, as well as channels + available to its own workforce to raise concerns and have them addressed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + ref_id: S1-3-31 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the formal means by which the undertaking\u2019s own workforce can make\ + \ their concerns and needs known directly to the undertaking and/or through\ + \ which the undertaking supports the availability of such channels (for example,\ + \ grievance mechanisms) in the workplace, and how follow up is carried out\ + \ with the people concerned regarding the issues raised and the effectiveness\ + \ of these channels." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + ref_id: S1-3-32 + description: 'The undertaking shall describe the processes in place to cover + the matters defined within paragraph 2 of the Objective section by disclosing + the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + ref_id: S1-3-32.a + description: its general approach to and processes for providing or contributing + to remedy where it has caused or contributed to a material negative impact + on people in its own workforce, including whether and how the undertaking + assesses that the remedy provided is effective; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + ref_id: S1-3-32.b + description: any specific channels it has in place for its own workforce to + raise their concerns or needs directly with the undertaking and have them + addressed, including whether these are established by the undertaking itself + and/or through participation in third-party mechanisms; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + ref_id: S1-3-32.c + description: whether or not the undertaking has a grievance/complaints handling + mechanism related to employee matters ( 94 ); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + ref_id: S1-3-32.d + description: the processes through which the undertaking supports the availability + of such channels in the workplace of its own workforce; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-32 + ref_id: S1-3-32.e + description: how it tracks and monitors issues raised and addressed, and, how + it ensures the effectiveness of the channels, including through the involvement + of stakeholders who are intended users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + ref_id: S1-3-33 + description: "The undertaking shall disclose whether and how it assesses that\ + \ people in its own workforce are aware of, and trust, these structures or\ + \ processes as a way to raise their concerns or needs and have them addressed.\ + \ In addition, the undertaking shall disclose whether it has policies in place\ + \ regarding the protection of individuals that use them, including workers\u2019\ + \ representatives, against retaliation. If such information has been disclosed\ + \ in accordance with ESRS G1-1, the undertaking may refer to that information." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3 + ref_id: S1-3-34 + description: If the undertaking cannot disclose the above required information + because it has not adopted a channel for raising concerns and/or does not + support the availability of such a channel in the workplace for its own workforce, + it shall disclose this to be the case. It may disclose a timeframe in which + it aims to have such a channel in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node38 + ref_id: S1-4 + name: Disclosure Requirement S1-4 + description: Taking action on material impacts on ownworkforce, and approaches + to managing material risks and pursuing material opportunities related to + own workforce, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-35 + description: The undertaking shall disclose how it takes action to address material + negative and positive impacts, and to manage material risks and pursue material + opportunities related to its own workforce, and the effectiveness of those + actions. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-36 + description: 'The objective of this Disclosure Requirement is twofold. Firstly, + it is to enable an understanding of any actions and initiatives through which + the undertaking seeks to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36 + ref_id: S1-4-36.a + description: to prevent, mitigate and remediate negative material impacts on + its own workforce; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36 + ref_id: S1-4-36.b + description: to achieve positive material impacts for its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:node82 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-36 + description: Secondly, it is to enable an understanding of the ways in which + the undertaking is addressing the material risks and pursuing the material + opportunities related to its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-37 + description: The undertaking shall provide a summarised description of the action + plans and resources to manage its material impacts, risks, and opportunities + related to its own workforce in accordance with ESRS 2 MDR- A Actions and + resources in relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-38 + description: 'In relation to the material impacts related to its own workforce, + the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38 + ref_id: S1-4-38.a + description: actions taken, planned or underway to prevent or mitigate material + negative impacts on its own workforce; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38 + ref_id: S1-4-38.b + description: whether and how it has taken action to provide or enable remedy + in relation to an actual material impact; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38 + ref_id: S1-4-38.c + description: any additional actions or initiatives it has in place with the + primary purpose of delivering positive impacts for its own workforce; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-38 + ref_id: S1-4-38.d + description: how it tracks and assesses the effectiveness of these actions and + initiatives in delivering outcomes for its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-39 + description: In relation to paragraph 36, the undertaking shall describe the + processes through which it identifies what action is needed and appropriate + in response to a particular actual or potential negative impact on its own + workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-40 + description: 'In relation to material risks and opportunities, the undertaking + shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-40.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-40 + ref_id: S1-4-40.a + description: what action is planned or underway to mitigate material risks for + the undertaking arising from its impacts and dependencies on its own workforce + and how it tracks effectiveness in practice; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-40.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-40 + ref_id: S1-4-40.b + description: what action is planned or underway to pursue material opportunities + for the undertaking in relation to its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-41 + description: 'The undertaking shall disclose whether and how it ensures that + its own practices do not cause or contribute to material negative impacts + on own workforce, including, where relevant, its practices in relation to + procurement, sales and data use. This may include disclosing what approach + is taken when tensions arise between the prevention or ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-42 + description: When disclosing the information required under paragraph 40, the + undertaking shall consider ESRS 2 MDR-T Tracking effectiveness of policies + and actions through targets if it evaluates the effectiveness of an action + by setting a target. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4 + ref_id: S1-4-43 + description: The undertaking shall disclose what resources are allocated to + the management of its material impacts, with information that allows users + to gain an understanding of how the material impacts are managed. + - urn: urn:intuitem:risk:req_node:esrs_p3:node96 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node16 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-5 + name: Disclosure Requirement S1-5 + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5 + ref_id: S1-5-44 + description: 'The undertaking shall disclose the time-bound and outcome- oriented + targets it may have set related to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44 + ref_id: S1-5-44.a + description: reducing negative impacts on its own workforce; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44 + ref_id: S1-5-44.b + description: advancing positive impacts on its own workforce; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-44 + ref_id: S1-5-44.c + description: managing material risks and opportunities related to its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5 + ref_id: S1-5-45 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking is using outcome- oriented targets + to drive and measure its progress in addressing its material negative impacts + and/or advancing positive impacts on its own workforce, and/or in managing + material risks and opportunities related to its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-46 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5 + ref_id: S1-5-46 + description: "The summarised description of the targets set to manage its material\ + \ impacts, risks and opportunities related to the undertaking\u2019s own workforce\ + \ shall contain the information requirements defined in ESRS 2 MDR-T." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5 + ref_id: S1-5-47 + description: "The undertaking shall disclose the process for setting the targets,\ + \ including whether and how the undertaking engaged directly with its own\ + \ workforce or workers\u2019 representatives in:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47 + ref_id: S1-5-47.a + description: setting any such targets; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47 + ref_id: S1-5-47.b + description: "tracking the undertaking\u2019s performance against them; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-47 + ref_id: S1-5-47.c + description: "identifying any lessons or improvements as a result of the undertaking\u2019\ + s performance." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-6 + name: 'Disclosure Requirement S1-6 ' + description: "Characteristics of the undertaking\u2019s employees" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-48 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + ref_id: S1-6-48 + description: The undertaking shall describe key characteristics of employees + in its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-49 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + ref_id: S1-6-49 + description: "The objective of this Disclosure Requirement is to provide insight\ + \ into the undertaking\u2019s approach to employment, including the scope\ + \ and nature of impacts arising from its employment practices, to provide\ + \ contextual information that aids an understanding of the information reported\ + \ in other disclosures, and to serve as the basis for calculation for quantitative\ + \ metrics to be disclosed under other disclosure requirements in this Standard." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + ref_id: S1-6-50 + description: 'In addition to the information required by paragraph 40(a)iii + of ESRS 2 General Disclosures, the undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.a + description: the total number of employees by head count, and breakdowns by + gender and by country for countries in which the undertaking has 50 or more + employees representing at least 10% of its total number of employees; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.b + description: 'the total number by head count or full time equivalent (FTE) of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b + ref_id: S1-6-50.b.i + description: permanent employees, and breakdown by gender; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b + ref_id: S1-6-50.b.ii + description: temporary employees, and breakdown by gender; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.b + ref_id: S1-6-50.b.iii + description: non-guaranteed hours employees, and breakdown by gender. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.c + description: the total number of employees who have left the undertaking during + the reporting period and the rate of employee turnover in the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.d + description: 'a description of the methodologies and assumptions used to compile + the data, including whether the numbers are reported:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.d.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.d + ref_id: S1-6-50.d.i + description: in head count or full-time equivalent (FTE) (including an explanation + of how FTE is defined); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.d.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.d + ref_id: S1-6-50.d.ii + description: at the end of the reporting period, as an average across the reporting + period, or using another methodology. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.e + description: where applicable, a provision of contextual information necessary + to understand the data (for example, to understand fluctuations in number + of employees during the reporting period); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-50 + ref_id: S1-6-50.f + description: a cross-reference of the information reported under (a) above to + the most representative number in the financial statements. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.51 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + ref_id: S1-6.51 + description: For the information specified in point (b) of paragraph 50, the + undertaking may in addition disclose the breakdown by region. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.52 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6 + ref_id: S1-6.52 + description: 'The undertaking may disclose by head count or full time equivalent + (FTE) the following information:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.52.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.52 + ref_id: S1-6.52.a + description: full-time employees, and breakdowns by gender and by region; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.52.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6.52 + ref_id: S1-6.52.b + description: part-time employees, and breakdowns by gender and by region + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-7 + name: Disclosure Requirement S1-7 + description: "Characteristics of non-employees in the undertaking\u2019s own\ + \ workforce" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.53 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + ref_id: S1-7.53 + description: The undertaking shall describe key characteristics of non- employees + in its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.54 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + ref_id: S1-7.54 + description: "The objective of this Disclosure Requirement is to provide insight\ + \ into the undertaking\u2019s approach to employment, including the scope\ + \ and nature of impacts arising from its employment practices, to provide\ + \ contextual information that aids the understanding of the information reported\ + \ in other disclosures, and to serve as the basis for calculation for quantitative\ + \ metrics to be disclosed under other disclosure requirements in this Standard.\ + \ It also allows an understanding of how much the undertaking relies on non-employees\ + \ as part of its workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + ref_id: S1-7.55 + description: 'The disclosure required by paragraph 53 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55 + ref_id: S1-7.55.a + description: "a disclosure of the total number of non-employees in the undertaking\u2019\ + s own workforce, i.e., either people with contracts with the undertaking to\ + \ supply labour (\u2018self-employed people\u2019) or people provided by undertakings\ + \ primarily engaged in \u2018employment activities\u2019 (NACE Code N78)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55 + ref_id: S1-7.55.b + description: 'an explanation of the methodologies and assumptions used to compile + the data, including whether the number of non-employees is reported:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.b + ref_id: S1-7.55.b.i + description: in headcount or full-time equivalent (FTE) (including a definition + of how FTE is defined); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.b + ref_id: S1-7.55.b.ii + description: at the end of the reporting period, as an average across the reporting + period, or using another methodology. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7.55 + ref_id: S1-7.55.c + description: "where applicable, a provision of contextual information necessary\ + \ to understand the data (for example, significant fluctuations in the number\ + \ of non-employees in the undertaking\u2019s own workforce during the reporting\ + \ period and between the current and the previous reporting period)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-56 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + ref_id: S1-7-56 + description: For the information specified in point (a) of paragraph 55, the + undertaking may disclose the most common types of non-employees (for example, + self-employed people, people provided by undertakings primarily engaged in + employment activities, and other types relevant to the undertaking), their + relationship with the undertaking, and the type of work that they perform. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-57 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7 + ref_id: S1-7-57 + description: Where data is not available, the undertaking shall estimate the + number and state that it has done so. When the undertaking performs estimates, + it shall describe the basis of preparation of this estimation. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-8 + name: Disclosure Requirement S1-8 + description: Collective bargaining coverage and social dialogue + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-58 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-58 + description: The undertaking shall disclose information on the extent to which + the working conditions and terms of employment of its employees are determined + or influenced by collective bargaining agreements and on the extent to which + its employees are represented in social dialogue in the European Economic + Area (EEA) + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-59 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-59 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the coverage of collective bargaining agreements and social dialogue\ + \ for the undertaking\u2019s own employees." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-60 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60 + ref_id: S1-8-60.a + description: the percentage of its total employees covered by collective bargaining + agreements; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60 + ref_id: S1-8-60.b + description: in the EEA, whether it has one or more collective bargaining agreements + and, if so, the overall percentage of its employees covered by such agreement(s) + for each country in which it has significant employment, defined as at least + 50 employees by head count representing at least 10% of its total number of + employees; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-60 + ref_id: S1-8-60.c + description: outside the EEA, the percentage of its own employees covered by + collective bargaining agreements by region. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-61 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-61 + description: For employees not covered by collective bargaining agreements, + the undertaking may disclose whether it determines their working conditions + and terms of employment based on collective bargaining agreements that cover + its other employees or based on collective bargaining agreements from other + undertakings. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-62 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-62 + description: The undertaking may disclose the extent to which the working conditions + and terms of employment of non-employees in its own workforce are determined + or influenced by collective bargaining agreements, including an estimate of + the coverage rate. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-63 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8 + ref_id: S1-8-63 + description: 'The undertaking shall disclose the following information in relation + to social dialogue:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-63.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-63 + ref_id: S1-8-63.a + description: "the global percentage of employees covered by workers\u2019 representatives,\ + \ reported at the country level for each EEA country in which the undertaking\ + \ has significant employment; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-63.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-63 + ref_id: S1-8-63.b + description: the existence of any agreement with its employees for representation + by a European Works Council (EWC), a Societas Europaea (SE) Works Council, + or a Societas Cooperativa Europaea (SCE) Works Council. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-9 + name: Disclosure Requirement S1-9 + description: Diversity metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-64 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9 + ref_id: S1-9-64 + description: The undertaking shall disclose the gender distribution at top management + and the age distribution amongst its employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-65 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9 + ref_id: S1-9-65 + description: The objective of this Disclosure Requirement is to enable an understanding + of gender diversity at top management level and the age distribution of its + employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-66 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9 + ref_id: S1-9-66 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-66.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-66 + ref_id: S1-9-66.a + description: the gender distribution in number and percentage at top management + level; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-66.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-66 + ref_id: S1-9-66.b + description: 'the distribution of employees by age group: under 30 years old; + 30- 50 years old; over 50 years old.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-10 + name: Disclosure Requirement S1-10 + description: Adequate wages + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-67 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + ref_id: S1-10-67 + description: The undertaking shall disclose whether or not its employees are + paid an adequate wage, and if they are not all paid an adequate wage, the + countries and percentage of employees concerned. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-68 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + ref_id: S1-10-68 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of whether or not all the undertaking\u2019s employees are paid an adequate\ + \ wage, in line with applicable benchmarks." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + ref_id: S1-10-69 + description: The undertaking shall disclose whether all its employees are paid + an adequate wage, in line with applicable benchmarks. If so, stating this + will be sufficient to fulfil this disclosure requirement and no further information + is needed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-70 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + ref_id: S1-10-70 + description: If not all its employees are paid an adequate wage in line with + applicable benchmarks, the undertaking shall disclose the countries where + employees earn below the applicable adequate wage benchmark and the percentage + of employees that earn below the applicable adequate wage benchmark for each + of these countries. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-71 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10 + ref_id: S1-10-71 + description: The undertaking may also disclose the information specified in + this disclosure requirement with regard to non-employees in its workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-11 + name: Disclosure Requirement S1-11 + description: Social protection + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-72 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + ref_id: S1-11-72 + description: The undertaking shall disclose whether its employees are covered + by social protection against loss of income due to major life events, and, + if not, the countries where this is not the case. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-73 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + ref_id: S1-11-73 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of whether the undertaking\u2019s employees are covered by social protection\ + \ against loss of income due to major life events, and, if not, the countries\ + \ where this is not the case." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + ref_id: S1-11-74 + description: 'The undertaking shall disclose whether all its employees are covered + by social protection, through public programs or through benefits offered + by the undertaking, against loss of income due to any of the following major + life events:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + ref_id: S1-11-74.a + description: sickness; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + ref_id: S1-11-74.b + description: unemployment starting from when the own worker is working for the + undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + ref_id: S1-11-74.c + description: employment injury and acquired disability; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + ref_id: S1-11-74.d + description: parental leave; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + ref_id: S1-11-74.e + description: retirement + - urn: urn:intuitem:risk:req_node:esrs_p3:node171 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-74 + description: If so, stating this is sufficient to fulfil this disclosure requirement + and no further information is needed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-75 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + ref_id: S1-11-75 + description: If not all of its employees are covered by social protection in + accordance with paragraph 72, the undertaking shall in addition disclose the + countries where employees do not have social protection with regard to one + or more of the types of events listed in paragraph 72 and for each of those + countries the types of employees who do not have social protection with regard + to each applicable major life event. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-76 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11 + ref_id: S1-11-76 + description: The undertaking may also disclose the information specified in + this disclosure requirement with regard to non-employees in its workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-12 + name: Disclosure Requirement S1-12 + description: Persons with disabilities + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-77 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-12 + ref_id: S1-12-77 + description: The undertaking shall disclose the percentage of its own employees + with disabilities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-78 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-12 + ref_id: S1-12-78 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the extent to which persons with disabilities are included among the\ + \ undertaking\u2019s employees." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-79 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-12 + ref_id: S1-12-79 + description: The undertaking shall disclose the percentage of persons with disabilities + amongst its employees, subject to legal restrictions on the collection of + data. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-80 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-12 + ref_id: S1-12-80 + description: The undertaking may disclose the percentage of employees with disabilities + with a breakdown by gender. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-13 + name: Disclosure Requirement S1-13 + description: Training and skills development metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-81 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + ref_id: S1-13-81 + description: The undertaking shall disclose the extent to which training and + skills development is provided to its employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-82 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + ref_id: S1-13-82 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the training and skills development -related activities that have been\ + \ offered to employees, within the context of continuous professional growth,\ + \ to upgrade employees\u2019 skills and facilitate continued employability." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-83 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + ref_id: S1-13-83 + description: 'The disclosure required by paragraph 81 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-83.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-83 + ref_id: S1-13-83.a + description: the percentage of employees that participated in regular performance + and career development reviews; such information shall be broken down by gender; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-83.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-83 + ref_id: S1-13-83.b + description: the average number of training hours per employee and by gender. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-84 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + ref_id: S1-13-84 + description: The undertaking may disclose breakdowns by employee category for + the percentage of employees that participated in regular performance and career + development and for the average number of training hours per employee. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-85 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13 + ref_id: S1-13-85 + description: The undertaking may also disclose the information specified in + this disclosure requirement with regard to non-employees in its workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-14 + name: 'Disclosure Requirement S1-14 ' + description: Health and safety metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-86 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + ref_id: S1-14-86 + description: "The undertaking shall disclose information on the extent to which\ + \ its own workforce is covered by its health and safety management system\ + \ and the number of incidents associated with work-related injuries, ill health\ + \ and fatalities of its own workforce. In addition, it shall disclose the\ + \ number of fatalities as a result of work-related injuries and work-related\ + \ ill health of other workers working on the undertaking\u2019s sites." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-87 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + ref_id: S1-14-87 + description: The objective of this Disclosure Requirement is to allow an understanding + of the coverage, quality and performance of the health and safety management + system established to prevent work-related injuries. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + ref_id: S1-14-88 + description: "The disclosure required by paragraph 86 shall include the following\ + \ information, where applicable broken down between employees and non-employees\ + \ in the undertaking\u2019s own workforce:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + ref_id: S1-14-88.a + description: "the percentage of people in its own workforce who are covered\ + \ by the undertaking\u2019s health and safety management system based on legal\ + \ requirements and/or recognised standards or guidelines;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + ref_id: S1-14-88.b + description: the number of fatalities ( 95 ) as a result of work-related injuries + and work-related ill health; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + ref_id: S1-14-88.c + description: the number and rate of recordable work-related accidents; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + ref_id: S1-14-88.d + description: "with regard to the undertaking\u2019s employees, the number of\ + \ cases of recordable work-related ill health, subject to legal restrictions\ + \ on the collection of data; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + ref_id: S1-14-88.e + description: "with regard to the undertaking\u2019s employees, the number of\ + \ days lost to work-related injuries and fatalities from work-related accidents,\ + \ work-related ill health and fatalities from ill health ( 96 )." + - urn: urn:intuitem:risk:req_node:esrs_p3:node196 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-88 + description: "The information for (b) shall also be reported for other workers\ + \ working on the undertaking\u2019s sites, such as value chain workers if\ + \ they are working on the undertaking\u2019s sites." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-89 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + ref_id: S1-14-89 + description: The undertaking may also disclose the information specified in + points (d) and (e) of paragraph 88 with regard to non-employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-90 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14 + ref_id: S1-14-90 + description: 'In addition, the undertaking may include the following additional + information on the health and safety coverage: the percentage of its own workers + covered by a health and safety management system which is based on legal requirements + and/or recognised standards or guidelines and which has been internally audited + and/or audited or certified by an external party.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-15 + name: 'Disclosure Requirement S1-15 ' + description: Work-life balance metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-91 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15 + ref_id: S1-15-91 + description: The undertaking shall disclose the extent to which employees are + entitled to and make use of family-related leave. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-92 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15 + ref_id: S1-15-92 + description: The objective of this Disclosure Requirement is to provide an understanding + of the entitlement and actual practices amongst the employees to take family-related + leave in a gender equitable manner, as it is one of the dimensions of work-life + balance. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-93 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15 + ref_id: S1-15-93 + description: 'The disclosure required by paragraph 91 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-93.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-93 + ref_id: S1-15-93.a + description: the percentage of employees entitled to take family-related leave; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-93.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-93 + ref_id: S1-15-93.b + description: the percentage of entitled employees that took family-related leave, + and a breakdown by gender. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-94 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15 + ref_id: S1-15-94 + description: "If all of the undertaking\u2019s employees are entitled to family-related\ + \ leave through social policy and/or collective bargaining agreements, it\ + \ is sufficient to disclose this in order to meet the requirement of paragraph\ + \ 93a." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-16 + name: 'Disclosure Requirement S1-16 ' + description: Remuneration metrics (pay gap and total remuneration) + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-95 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + ref_id: S1-16-95 + description: The undertaking shall disclose the percentage gap in pay between + its female and male employees and the ratio between the remuneration of its + highest paid individual and the median remuneration for its employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-96 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + ref_id: S1-16-96 + description: "The objective of this Disclosure Requirement is twofold: to allow\ + \ an understanding of the extent of any gap in the pay between women and men\ + \ amongst the undertaking\u2019s employees; and to provide insight into the\ + \ level of remuneration inequality inside the undertaking and whether wide\ + \ pay disparities exist." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + ref_id: S1-16-97 + description: 'The disclosure required by paragraph 95 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97 + ref_id: S1-16-97.a + description: the gender pay gap, defined as the difference of average pay levels + between female and male employees, expressed as percentage of the average + pay level of male employees ( 97 ); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97 + ref_id: S1-16-97.b + description: the annual total remuneration ratio of the highest paid individual + to the median annual total remuneration for all employees (excluding the highest-paid + individual) ( 98 ); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-97 + ref_id: S1-16-97.c + description: where applicable, any contextual information necessary to understand + the data and how the data has been compiled and other changes to the underlying + data that are to be considered. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-98 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + ref_id: S1-16-98 + description: The undertaking may disclose a breakdown of the gender pay gap + as defined in paragraph 97(a) by employee category and/or by country/ segment. + The undertaking may also disclose the gender pay gap between employees by + categories of employees broken down by ordinary basic salary and complementary + or variable components. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-99 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16 + ref_id: S1-16-99 + description: In relation to paragraph 97 (b), the undertaking may report this + figure adjusted for purchasing power differences between countries, in which + case it shall report the methodology used for the calculation. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node96 + ref_id: S1-17 + name: Disclosure Requirement S1-17 + description: Incidents, complaints and severe human rights impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-100 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + ref_id: S1-17-100 + description: The undertaking shall disclose the number of work-related incidents + and/or complaints and severe human rights impacts within its own workforce, + and any related fines, sanctions or compensation for the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-101 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + ref_id: S1-17-101 + description: The objective of this Disclosure Requirement is to allow an understanding + of the extent to which work-related incidents and severe cases of human rights + impacts are affecting its own workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-102 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + ref_id: S1-17-102 + description: The disclosure required by paragraph 100 shall include, subject + to the relevant privacy regulations, work-related incidents of discrimination + on the grounds of gender, racial or ethnic origin, nationality, religion or + belief, disability, age, sexual orientation, or other relevant forms of discrimination + involving internal and/or external stakeholders across operations in the reporting + period. This includes incidents of harassment as a specific form of discrimination. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + ref_id: S1-17-103 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103 + ref_id: S1-17-103.a + description: the total number of incidents of discrimination, including harassment, + reported in the reporting period ( 99 ); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103 + ref_id: S1-17-103.b + description: "the number of complaints filed through channels for people in\ + \ the undertaking\u2019s own workforce to raise concerns (including grievance\ + \ mechanisms) and, where applicable, to the National Contact Points for OECD\ + \ Multinational Enterprises related to the matters defined in paragraph 2\ + \ of this Standard, excluding those already reported in (a) above;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103 + ref_id: S1-17-103.c + description: the total amount of fines, penalties, and compensation for damages + as a result of the incidents and complaints disclosed above, and a reconciliation + of such monetary amounts disclosed with the most relevant amount presented + in the financial statements; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-103 + ref_id: S1-17-103.d + description: where applicable, contextual information necessary to understand + the data and how such data has been compiled. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-104 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17 + ref_id: S1-17-104 + description: 'The undertaking shall disclose the following information regarding + identified cases of severe human rights incidents (e.g., forced labour, human + trafficking or child labour):' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-104.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-104 + ref_id: S1-17-104.a + description: "the number of severe human rights incidents connected to the undertaking\u2019\ + s workforce in the reporting period, including an indication of how many of\ + \ these are cases of non-respect of the UN Guiding Principles on Business\ + \ and Human Rights, ILO Declaration on Fundamental Principles and Rights at\ + \ Work or OECD Guidelines for Multinational Enterprises. If no such incidents\ + \ have occurred, the undertaking shall state this ( 100 ); and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-104.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-104 + ref_id: S1-17-104.b + description: the total amount of fines, penalties and compensation for damages + for the incidents described in (a) above, and a reconciliation of the monetary + amounts disclosed in the most relevant amount in the financial statements. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a + assessable: false + depth: 1 + ref_id: ESRS S1-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node228 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node229 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node228 + description: AR 1. In addition to the issues listed in paragraph 2, the undertaking + may also consider disclosing information about other issues relevant to a + material impact for a shorter period of time, for instance initiatives regarding + the health and safety of its own workforce during a pandemic. + - urn: urn:intuitem:risk:req_node:esrs_p3:node230 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node228 + description: AR 2. The overview of social matters provided in paragraph 2 is + not meant to imply that all of these issues should be reported on in each + Disclosure Requirement in this Standard. Rather, they provide a list of matters + derived from the sustainability reporting requirements set out in Directive + 2013/34/EU that the undertaking shall consider for the ESRS 2 materiality + assessment related to its own workforce and, as appropriate, report as material + impacts, risks and opportunities within the scope of this Standard. + - urn: urn:intuitem:risk:req_node:esrs_p3:node231 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node228 + description: "AR 3. Examples of people that fall within the scope of \u2018\ + Own workforce\u2019 are:\n(a) Examples of contractors (self-employed persons)\ + \ in the undertaking\u2019s own workforce include:\ni. Contractors hired by\ + \ the undertaking to perform work that would otherwise be carried out by an\ + \ employee\nii. Contractors hired by the undertaking to perform work in a\ + \ public area (e.g., on a road, on the street).\niii. Contractors hired by\ + \ the undertaking to deliver the work/ service directly at the workplace of\ + \ a client of the undertaking.\n(b) Examples of people employed by a third\ + \ party engaged in \u2018employment activities\u2019 include people who perform\ + \ the same work that employees carry out, such as:\ni. people who fill in\ + \ for employees who are temporarily absent (due to illness, holiday, parental\ + \ leave, etc.);\nii. people performing work additional to regular employees;\n\ + iii. people who are dispatched temporarily from another EU member state to\ + \ work for the undertaking (\u2018posted workers\u2019)." + - urn: urn:intuitem:risk:req_node:esrs_p3:node232 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a + name: ESRS 2 General Disclosures + - urn: urn:intuitem:risk:req_node:esrs_p3:node233 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node232 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node234 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node233 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-2.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node234 + ref_id: S1.SBM-2.AR-4 + description: ESRS 2 SBM-2 requires the undertaking to provide an understanding + of whether and how it considers the role that its strategy and business model + may play in creating, exacerbating or mitigating significant material impacts + on its own workforce, and whether and how the business model and strategy + are adapted to address such material impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-2.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node234 + ref_id: S1.SBM-2.AR-5 + description: "While the undertaking\u2019s own workforce may not be engaging\ + \ with the undertaking at the level of its strategy or business model, their\ + \ views can inform the undertaking\u2019s assessment of its strategy and business\ + \ model. The undertaking shall consider the views of workers\u2019 representatives\ + \ when applicable to fulfil this disclosure." + - urn: urn:intuitem:risk:req_node:esrs_p3:node237 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node233 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node237 + ref_id: S1.SBM-3.AR-6 + description: "Impacts on the undertaking\u2019s own workforce can originate\ + \ in its strategy or business model in a number of different ways. For example,\ + \ impacts may relate to the undertaking\u2019s value proposition (such as\ + \ providing lowest cost products or services, or high-speed delivery, in ways\ + \ that put pressure on labour rights in its own operations), or its cost structure\ + \ and the revenue model (such as shifting inventory risk to suppliers, with\ + \ knock-on effects on the labour rights of people who work for them)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node237 + ref_id: S1.SBM-3.AR-7 + description: "Impacts on the undertaking\u2019s own workforce that originate\ + \ in the strategy or business model can also bring material risks to the undertaking.\ + \ For example, risks arise if some people in the workforce are at risk of\ + \ forced labour, and the undertaking is importing products into countries\ + \ where the law allows for the confiscation of imported goods that are suspected\ + \ of being made with forced labour. An example of opportunities for the undertaking\ + \ may result from providing opportunities for the workforce such as job creation\ + \ and upskilling in the context of a \u2018just transition\u2019. Another\ + \ example, in the context of a pandemic or other severe health crisis, relates\ + \ to the undertaking potentially relying on contingent labour with little\ + \ to no access to sick care and health benefits that may face severe operational\ + \ and business continuity risks as workers have no choice but to keep working\ + \ while sick, further exacerbating the spread of the disease and causing major\ + \ supply chain breakdowns. Reputational and business opportunity risks linked\ + \ to the exploitation of low-skilled, low-paid workers in sourcing geographies\ + \ with minimal protections for them are also increasing with media backlash\ + \ and consumer preferences moving to more ethically sourced or sustainable\ + \ goods." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node237 + ref_id: S1.SBM-3.AR-8 + description: "Examples of particular characteristics of people in the undertaking\u2019\ + s own workforce that may be considered by the undertaking when responding\ + \ to paragraph 15 relate to young people that may be more susceptible to impacts\ + \ on their physical and mental development, or women in a context where women\ + \ are routinely discriminated against in the terms and conditions of work,\ + \ or migrants in a context where the market for the supply of labour is poorly\ + \ regulated and workers are routinely charged recruitment fees. For some people\ + \ in the workforce, the inherent nature of the activity that they are required\ + \ to undertake may put them at risk (for example, people required to handle\ + \ chemicals or operate certain equipment or low paid employees who are on\ + \ \u2018zero hours\u2019 contracts)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1.sbm-3.ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node237 + ref_id: S1.SBM-3.AR-9 + description: "With regard to paragraph 16, material risks could also arise because\ + \ of the undertaking\u2019s dependency on its own workforce where low-likelihood\ + \ but high-impact events may trigger financial effects; for example, where\ + \ a global pandemic leads to severe health impacts on the undertaking\u2019\ + s workforce resulting in major disruptions to production and distribution.\ + \ Other examples of risk related to the undertaking\u2019s dependency on its\ + \ workforce include a shortage in skilled workers or political decisions or\ + \ legislation affecting its own operations and own workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:node242 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node232 + name: Impacts, risks and opportunities management + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node242 + ref_id: S1-1 AR + name: Disclosure Requirement S1-1 + description: Policies related to own workforce + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 10 + description: "The undertaking shall consider whether explanations of significant\ + \ changes to the policies adopted during the reporting year (for example,\ + \ new expectations for foreign subsidiaries, new or additional approaches\ + \ to due diligence and remedy) provide contextual information for users and\ + \ may disclose such explanations. This includes policies and commitments of\ + \ the undertaking to prevent or mitigate the risks and negative impacts on\ + \ people in its own workforce of reducing carbon emissions and transitioning\ + \ to greener and climate-neutral operations as well as to provide opportunities\ + \ for the workforce such as job creation and upskilling, including explicit\ + \ commitments to a \u2018just transition\u2019." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 11 + description: "The policy may take the form of a stand-alone policy regarding\ + \ the undertaking\u2019s own workforce or be included in a broader document\ + \ such as a code of ethics or a general sustainability policy that has already\ + \ been disclosed by the undertaking as part of another ESRS. In those cases,\ + \ the undertaking shall provide an accurate cross-reference to identify the\ + \ aspects of the policy that satisfy the requirements of this Disclosure Requirement." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 12 + description: "When disclosing the alignment of its policies with the UN Guiding\ + \ Principles on Business and Human Rights, the undertaking shall consider\ + \ that the Guiding Principles refer to the International Bill of Human Rights,\ + \ which consist of the Universal Declaration of Human Rights and the two Covenants\ + \ that implement it, as well as the International Labour Organisation\u2019\ + s Declaration on Fundamental Rights and Principles at Work and the core conventions\ + \ that underpin it, and may report on alignment with these instruments." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 13 + description: When explaining how external-facing policies are embedded, the + undertaking may, for example, consider internal policies of responsible sourcing, + and alignment with other policies relevant to its own workforce, for example, + regarding forced labour. With regard to supplier codes of conduct that the + undertaking may have, it shall indicate whether they include provisions addressing + the safety of workers, precarious work (i.e., use of workers on short-term + or limited hours contracts, workers employed via third parties, sub- contracting + to third parties or use of informal workers), human trafficking, the use of + forced labour or child labour, and whether such provisions are fully in line + with applicable ILO standards. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 14 + description: "The undertaking may provide an illustration of the types of communication\ + \ of its policies to those individuals, group of individuals or entities for\ + \ whom they are relevant, either because they are expected to implement them\ + \ (for example, the undertaking\u2019s employees, contractors and suppliers),\ + \ or because they have a direct interest in their implementation (for example,\ + \ people in its own workforce, investors). It may disclose communication tools\ + \ and channels (for example, flyers, newsletters, dedicated websites, social\ + \ media, face to face interactions, workers\u2019 representatives), aimed\ + \ at ensuring that the policy is accessible and that different audiences understand\ + \ its implications. The undertaking may also explain how it identifies and\ + \ removes potential barriers for dissemination, such as through translation\ + \ into relevant languages or the use of graphic depictions." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 15 + description: Discrimination in employment and occupation occurs when someone + is treated differently or less favourably because of characteristics that + are not related to merit or the inherent requirements of the job. These characteristics + are commonly defined in national laws. Besides the grounds mentioned in the + Disclosure Requirement, the undertaking shall consider other grounds for discrimination + prohibited under national legislation. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 16 + description: ' Discrimination can arise in a variety of work-related activities. + These include access to employment, particular occupations, training and vocational + guidance and social security. Moreover, it can occur with respect to the terms + and conditions of employment, such as: recruitment, remuneration, hours of + work and rest, paid holidays, maternity protection, security of tenure, job + assignments, performance assessment and advancement, training opportunities, + promotion prospects, occupational safety and health, termination of employment. + The undertaking may address these areas specifically when disclosing its policies + and underlying procedures to fulfil the disclosure requirement.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar + ref_id: S1-1 AR 17 + description: 'The undertaking may disclose whether it:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.a + description: has policies and procedures which make qualifications, skills and + experience the basis for the recruitment, placement, training and advancement + at all levels, while accounting for the fact that some individuals may have + more difficulty than others to acquire such qualifications, skills and experience; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.b + description: assigns responsibility at top management level for equal treatment + and opportunities in employment, issue clear company-wide policies and procedures + to guide equal employment practices, and link advancement to desired performance + in this area; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.c + description: provides staff training on non-discrimination policies and practices, + with a particular focus on middle and upper management to raise awareness + and address resolution strategies for preventing and addressing systemic and + incidental discrimination; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.d + description: makes adjustments to the physical environment to ensure health + and safety for workers, customers and other visitors with disabilities; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.e + description: evaluates whether job requirements have been defined in a way that + could systematically disadvantage certain groups; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.f + description: keeps up-to-date records on recruitment, training and promotion + that provide a transparent view of opportunities for employees and their progression + within the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.g + description: puts in place grievance procedures to address complaints, handle + appeals and provide recourse for employees (especially in the context of negotiations + and collective agreements) when discrimination is identified, and is alert + to formal structures and informal cultural issues that can prevent employees + from raising concerns and grievances; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-1-ar-17 + ref_id: S1-1 AR 17.h + description: has programs to promote access to skills development. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node242 + ref_id: S1-2 AR + name: Disclosure Requirement S1-2 + description: Processes for engaging with own workforce and workers' representatives + about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 18 + description: When describing what function or role has operational responsibility + for such engagement and/or ultimate accountability, the undertaking may disclose + whether this is a dedicated role or function or part of a broader role or + function, and whether any capacity building activities have been offered to + support the staff to undertake engagement. If it cannot identify such a position + or function, it may state that this is the case. This disclosure could also + be fulfilled by making reference to information disclosed according to ESRS + 2 GOV-1 The role of the administrative, management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 19 + description: 'When preparing the disclosures described in paragraph 27 b) and + c), the following illustrations may be considered:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19 + ref_id: S1-2 AR 19.a + description: examples of stages at which engagement occurs are i) determining + the approach to mitigation and ii) evaluating the effectiveness of mitigation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19 + ref_id: S1-2 AR 19.b + description: for type of engagement, these could be participation, consultation + and/or information; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19 + ref_id: S1-2 AR 19.c + description: for the frequency of the engagement, information may be provided + on whether engagement occurs on a regular basis, at certain points in a project + or business process, (for example, when a new harvest season begins or a new + production line is opened), as well as whether it occurs in response to legal + requirements and/or in response to stakeholder requests and whether the result + of the engagement is being integrated into the undertaking's decision- making + processes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-19 + ref_id: S1-2 AR 19.d + description: for the role with operational responsibility, whether the undertaking + requires relevant staff to have certain skills, or whether it provides training + or capacity building to relevant staff to undertake engagement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 20 + description: Global Framework Agreements (GFA) serve to establish an ongoing + relationship between a multinational enterprise and a Global Union Federation + to ensure that the undertaking adheres to the same standards in every country + in which it operates. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 21 + description: To illustrate how the perspectives of its own workforce have informed + specific decisions or activities, the undertaking may provide examples from + the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 22 + description: Where the undertaking has agreements with national, European or + international trade unions or works councils related to the rights of people + in its own workforce, this can be disclosed to illustrate how the agreement + enables the undertaking to gain insight into the perspectives of such people. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 23 + description: Where possible, the undertaking may disclose examples from the + reporting period to illustrate how the perspectives of its own workforce and + workers' representatives have informed specific decisions or activities of + the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 24 + description: 'The undertaking shall consider the following aspects when fulfilling + this Disclosure Requirement:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + ref_id: S1-2 AR 24.a + description: The type of engagement (for example, information, consultation + or participation) and its frequency (for example, ongoing, quarterly, annually); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + ref_id: S1-2 AR 24.b + description: how feedback is recorded and integrated into decision-making, and + how people in the workforce are informed about the way in which their feedback + has influenced decisions; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + ref_id: S1-2 AR 24.c + description: whether engagement activities take place at the organisational + level or at a lower level, such as at the site or project level, and in the + latter case, how information from engagement activities is centralised; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + ref_id: S1-2 AR 24.d + description: the resources (for example, financial or human resources) allocated + to engagement; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-24 + ref_id: S1-2 AR 24.e + description: "how it engages with people in its workforce and workers\u2019\ + \ representatives on the impacts on its own workforce that may arise from\ + \ reducing carbon emissions and transitioning to greener and climate-neutral\ + \ operations, in particular restructuring, employment loss or creation, training\ + \ and up/reskilling, gender and social equity, and health and safety." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 25 + description: 'The undertaking may also disclose the following information in + relation to paragraph 24 on diversity:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + ref_id: S1-2 AR 25.a + description: how it engages with at-risk or persons in vulnerable situations + (for example whether it takes specific approaches and gives special attention + to potential barriers); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + ref_id: S1-2 AR 25.b + description: how it takes into account potential barriers to engagement with + people in its workforce (for example, language and cultural differences, gender + and power imbalances, divisions within a community or group); + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + ref_id: S1-2 AR 25.c + description: how it provides people in its workforce with information that is + understandable and accessible through appropriate communication channels; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + ref_id: S1-2 AR 25.d + description: any conflicting interests that have arisen among its workforce + and how the undertaking has resolved these conflicting interests; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-25 + ref_id: S1-2 AR 25.e + description: how it seeks to respect the human rights of all stakeholders engaged, + for example, their rights to privacy, freedom of expression, and peaceful + assembly and protest. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-2-ar + ref_id: S1-2 AR 26 + description: The undertaking may also report information about the effectiveness + of processes for engaging with its own workforce from previous reporting periods. + This applies in cases where the undertaking has assessed the effectiveness + of these processes or derived lessons during the current reporting period. + Processes used to track effectiveness can include internal or external auditing + or verification, impact assessments, measurement systems, stakeholder feedback, + grievance mechanisms, external performance ratings, and benchmarking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node242 + ref_id: S1-3 AR + name: 'Disclosure Requirement S1-3 ' + description: Processes to remediate negative impacts and channels for its own + workforce to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 27 + description: ' In fulfilling the requirements set out by the disclosure criteria + of Disclosure Requirement ESRS S1-3, the undertaking may be guided by the + content of the UN Guiding Principles on Business and Human Rights and the + OECD Due Diligence Guidance for Responsible Business Conduct focused on remediation + and grievance mechanisms.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 28 + description: "Channels for raising concerns or needs include grievance mechanisms,\ + \ hotlines, trade unions (where people in the workforce are unionised), works\ + \ councils, dialogue processes or other means through which the undertaking\u2019\ + s own workforce or workers\u2019 representatives can raise concerns about\ + \ impacts or explain needs that they would like the undertaking to address.\ + \ This could include both channels provided by the undertaking directly and\ + \ channels provided by the entities where their own workforce is working,\ + \ in addition to any other mechanisms an undertaking may use to gain insight\ + \ into the management of impacts on its own workforce, such as compliance\ + \ audits. Where the undertaking is relying solely on information about the\ + \ existence of such channels provided by its business relationships to answer\ + \ this requirement, it may state that." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 29 + description: "Third party mechanisms could include those operated by the government,\ + \ NGOs, industry associations and other collaborative initiatives. The undertaking\ + \ may disclose whether these are accessible to all of its own workforce (or\ + \ workers\u2019 representatives or, in their absence, individuals or organisations\ + \ acting on their behalf or who are otherwise in a position to be aware of\ + \ negative impacts)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 30 + description: The undertaking shall consider whether and how people in its own + workforce that may be affected and their workers' representatives are able + to access channels at the level of the undertaking they are employed by, or + contracted to work for, in relation to each material impact. Relevant channels + may include hotlines, trade unions (where people in the workforce are unionised) + or works councils, or other grievance mechanisms operated by the relevant + undertaking or by a third party. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 31 + description: "In explaining whether and how the undertaking knows that people\ + \ in its own workforce are aware of and trust any of these channels, the undertaking\ + \ may provide relevant and reliable data about the effectiveness of these\ + \ channels from the perspective of the people concerned. Examples of sources\ + \ of information are surveys of people in the undertaking\u2019s workforce\ + \ that have used such channels and their levels of satisfaction with the process\ + \ and outcomes." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar + ref_id: S1-3 AR 32 + description: "In describing the effectiveness of channels for its own workforce\ + \ and workers\u2019 representatives to raise concerns, the undertaking may\ + \ be guided by the following questions, based on the \u2018effectiveness criteria\ + \ for non-judicial grievance mechanisms\u2019, as laid out in the UN Guiding\ + \ Principles on Business and Human Rights, in particular principle 31. The\ + \ considerations below may be applied to individual channels or to a collective\ + \ system of channels:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.a + description: do the channels have legitimacy by providing appropriate accountability + for their fair conduct and building stakeholder trust? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.b + description: are the channels known and accessible to stakeholders? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.c + description: do the channels have clear and known procedures, with indicative + timeframes? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.d + description: do the channels ensure reasonable access for stakeholders to sources + of information, advice and expertise? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.e + description: do the channels offer transparency by providing sufficient information + both to complainants and, where applicable, to meet any public interest? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.f + description: do outcomes achieved through the channels accord with internationally + recognised human rights? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.g + description: does the undertaking identify insights from the channels that support + continuous learning in both improving the channels and preventing future impacts? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-3-ar-32 + ref_id: S1-3 AR 32.h + description: does the undertaking focus on dialogue with complainants as the + means to reach agreed solutions, rather than seeking to unilaterally determine + the outcome? + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node242 + ref_id: S1-4 AR + name: Disclosure Requirement S1-4 + description: Taking action on material impacts on own workforce, and approaches + to managing material risks and pursuing material opportunities related to + own workforce, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 33 + description: 'It may take time to understand negative impacts and how the undertaking + may be involved with them through its own workforce, as well as to identify + appropriate responses and put them into practice). Therefore, the undertaking + may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33 + ref_id: S1-4 AR 33.a + description: its general and specific approaches to addressing material negative + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33 + ref_id: S1-4 AR 33.b + description: ' its initiatives aimed at contributing to additional material + positive impacts;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33 + ref_id: S1-4 AR 33.c + description: how far it has progressed in its efforts during the reporting period; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-33 + ref_id: S1-4 AR 33.d + description: its aims for continued improvement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 34 + description: Appropriate action can vary according to whether the undertaking + causes or contributes to a material impact, or whether it is involved because + the impact is directly linked to its operations, products or services by a + business relationship. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 35 + description: "Given that material negative impacts affecting its own workforce\ + \ that have occurred during the reporting period may also be connected with\ + \ other entities or operations outside its direct control, the undertaking\ + \ may disclose whether and how it seeks to use its leverage in its business\ + \ relationships to manage those impacts. This may include using commercial\ + \ leverage (for example, enforcing contractual requirements with business\ + \ relationships or implementing incentives), other forms of leverage within\ + \ the relationship (such as providing training or capacity-building on workers\u2019\ + \ rights to entities with which the undertaking has a business relationship)\ + \ or collaborative leverage with peers or other actors (such as initiatives\ + \ aimed at responsible recruitment or ensuring workers receive an adequate\ + \ wage)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 36 + description: When the undertaking discloses its participation in an industry + or multi-stakeholder initiative as part of its actions to address material + negative impacts, the undertaking may disclose how the initiative, and its + own involvement, is aiming to address the material impact concerned. It may + report under ESRS S1-5 the relevant targets set by the initiative and progress + towards them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 37 + description: When disclosing whether and how the undertaking considers actual + and potential impacts on its own workforce in decisions to terminate business + relationships and whether and how it seeks to address any negative impacts + that may result from termination, the undertaking may include examples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 38 + description: Processes used to track the effectiveness of actions can include + internal or external auditing or verification, court proceedings and/or related + court decisions, impact assessments, measurement systems, stakeholder feedback, + grievance mechanisms, external performance ratings, and benchmarking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 39 + description: Reporting on effectiveness is aimed at enabling the understanding + of the links between actions taken by an undertaking and the effective management + of impacts. Additional information that the undertaking may provide includes + data showing a decrease in the number of incidents identified. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 40 + description: "With regard to initiatives or processes whose primary aim is to\ + \ deliver positive impacts for people in the undertaking\u2019s own workforce\ + \ that are based on their needs, and with regard to progress in the implementation\ + \ of such initiatives or processes, the undertaking may disclose:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-40.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-40 + ref_id: S1-4 AR 40.a + description: "information about whether and how people in its own workforce\ + \ and workers\u2019 representatives play a role in decisions regarding the\ + \ design and implementation of these programmes or processes; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-40.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-40 + ref_id: S1-4 AR 40.b + description: "information about the intended or achieved positive outcomes for\ + \ the undertaking\u2019s own workforce of these programmes or processes." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 41 + description: "The undertaking may explain whether any such initiatives are designed\ + \ also to support the achievement of one or more Sustainable Development Goals.\ + \ For example, an undertaking committing to SDG 8 to \u2018promote sustained,\ + \ inclusive and sustainable economic growth, full and productive employment\ + \ and decent work for all\u2019 may be actively working towards eliminating\ + \ forced labour or compulsory labour or supporting higher levels of productivity\ + \ on activities in developing countries through technological upgrades and\ + \ training of local labour, which can benefit both the specific people in\ + \ its own workforce targeted by the actions, and also their local communities." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 42 + description: "When disclosing the intended or achieved positive outcomes of\ + \ its actions for the undertaking\u2019s own workforce, a distinction is to\ + \ be made between evidence of certain activities having occurred (for example,\ + \ that x number of people have received financial literacy training) from\ + \ evidence of actual outcomes for the people concerned (for example, that\ + \ x people report that they are able to better manage their pay and their\ + \ household budgets)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 43 + description: If the undertaking has taken measures to mitigate negative impacts + on its own workforce that arise from the transition to a greener, climate- + neutral economy, such as training and reskilling, employment guarantees, and + in the case of downscaling or mass dismissal, measures such as job counselling, + coaching, intra-company placements and early retirement plans, the undertaking + shall disclose those measures. This includes measures to comply with prevailing + regulation. The undertaking may highlight present and/or expected external + developments that influence whether dependencies turn into risks. This includes + consideration of impacts that may arise from the transition to greener and + climate-neutral operations. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 44 + description: 'When disclosing the material risks and opportunities related to + its impacts or dependencies on its own workforce, the undertaking may consider + the following:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44 + ref_id: S1-4 AR 44.a + description: "risks related to the undertaking\u2019s impacts on its own workforce\ + \ may include the reputational or legal exposure where people in the undertaking\u2019\ + s workforce are found to be subject to forced labour or child labour;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44 + ref_id: S1-4 AR 44.b + description: "risks related to the undertaking\u2019s dependencies on its own\ + \ workforce may include disruption of business operations where significant\ + \ employee turnover or lack of skills/training development threaten the undertaking\u2019\ + s business; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-44 + ref_id: S1-4 AR 44.c + description: "opportunities related to the undertaking\u2019s impacts on its\ + \ own workforce may include market differentiation and greater customer appeal\ + \ from guaranteeing decent pay and conditions for non-employees." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 45 + description: When explaining whether dependencies turn into risks, the undertaking + shall consider external developments. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 46 + description: When disclosing policies, actions and resources and targets related + to the management of material risks and opportunities, in cases where risks + and opportunities arise from a material impact, the undertaking may cross-reference + its disclosures on policies, actions and resources and targets in relation + to that impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 47 + description: The undertaking shall consider whether and how its process(es) + to manage material risks related to own workforce are integrated into its + existing risk management process(es). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar-48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-4-ar + ref_id: S1-4 AR 48 + description: When disclosing the resources allocated to the management of material + impacts, the undertaking may explain which internal functions are involved + in managing the impacts and what types of action they take to address negative + and advance positive impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:node325 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node232 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-5 AR + name: Disclosure Requirement S1-5 + description: Targets related to managing material impacts, advancing positive + impacts, as well as to risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar + ref_id: S1-5 AR 49 + description: 'When disclosing information about targets in accordance with paragraph + 44, the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49 + ref_id: S1-5 AR 49.a + description: the intended outcomes to be achieved in the lives of a certain + number of people in its own workforce; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49 + ref_id: S1-5 AR 49.b + description: the stability of the targets over time in terms of definitions + and methodologies to enable comparability over time; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-49 + ref_id: S1-5 AR 49.c + description: the standards or commitments which the targets are based on (for + instance codes of conduct, sourcing policies, global frameworks, or industry + codes). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar + ref_id: S1-5 AR 50 + description: ' Targets related to risks and opportunities may be the same as + or distinct from targets related to impacts. For example, a target to reach + adequate wages for non-employees could both reduce impacts on those people + and reduce associated risks in terms of the quality and reliability of their + output.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-51 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar + ref_id: S1-5 AR 51 + description: The undertaking may also distinguish between short-, medium- and + long-term targets covering the same policy commitment. For example, the undertaking + may have a long-term target to achieve an 80% reduction in health and safety + incidents affecting its delivery drivers by 2030 and a near-term target to + reduce the overtime hours of delivery drivers by x% while maintaining their + income by 2024. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar-52 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-5-ar + ref_id: S1-5 AR 52 + description: When modifying or replacing a target in the reporting period, the + undertaking may explain the change by cross-referencing it to significant + changes in the business model or to broader changes in the accepted standard + or legislation from which the target is derived to provide contextual information + as per ESRS 2 BP-2 Disclosures in relation to specific circumstances. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-6 AR + name: Disclosure Requirement S1-6 + description: "Characteristics of the Undertaking\u2019s Employees" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-53 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 53 + description: "This Disclosure Requirement covers all employees who perform work\ + \ for any of the undertaking\u2019s entities included in its sustainability\ + \ reporting." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-54 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 54 + description: "Providing a breakdown of employees by country gives insight into\ + \ the distribution of activity across countries. The number of employees in\ + \ each country is also a key trigger for many information, consultation and\ + \ participation rights for workers and workers' representatives, both in the\ + \ Union labour law acquis (for example, Directive 2009/38/EC of the European\ + \ Parliament and of the Council ( 101 ) \u2018European Works Councils Directive\u2019\ + \ and Directive 2002/14/EC of the European Parliament and of the Council (\ + \ 102 ) \u2018Information and Consultation Directive\u2019) and in national\ + \ law (for example, rights to establish a works council or to have board level\ + \ employee representation). Providing a breakdown of employees by gender and\ + \ type of employment relationship gives insight into gender representation\ + \ across the undertaking. Additionally, providing a breakdown of employees\ + \ by region gives insight into regional variations. A region can refer to\ + \ a country or other geographic locations, such as a region within a country\ + \ or a world region." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-55 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 55 + description: 'The undertaking shall disclose the requested disclosures in the + following tabular formats:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-56 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 56 + description: The definitions of permanent, temporary, non-guaranteed hours, + full- time, and part-time employees differ between countries. If the undertaking + has employees in more than one country, it shall use the definitions as per + the national laws of the countries where the employees are based to calculate + country-level data. The country-level data shall then be added up to calculate + total numbers, disregarding differences in national legal definitions. Non-guaranteed + hours employees are employed by the undertaking without a guarantee of a minimum + or fixed number of working hours. The employee may need to make themselves + available for work as required, but the undertaking is not contractually obliged + to offer the employee a minimum or fixed number of working hours per day, + week, or month. Casual employees, employees with zero-hour contracts, and + on-call employees are examples that fall under this category. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-57 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 57 + description: Disclosing the number of employees at the end of the reporting + period provides information for that point in time, without capturing fluctuations + during the reporting period. Disclosing these numbers in averages across the + reporting period takes into account fluctuations during the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-58 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 58 + description: Quantitative data, such as the number of temporary or part-time + employees, is unlikely to be sufficient on its own. For example, a high proportion + of temporary or part-time employees could indicate a lack of employment security + for employees, but it could equally signal workplace flexibility when offered + as a voluntary choice. For this reason, the undertaking is required to disclose + contextual information to help information users interpret the data. The undertaking + can explain the reasons for temporary employment. An example of such a reason + is the recruitment of employees to undertake work on a temporary or seasonal + project or event. Another example is the standard practice of offering a temporary + contract (for example, six months) to new employees before an offer of permanent + employment is made. The undertaking may also explain the reasons for non- + guaranteed hours employment. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-59 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 59 + description: For the own employee turnover calculation, the undertaking shall + calculate the aggregate of the number of employees who leave voluntarily or + due to dismissal, retirement, or death in service. The undertaking shall use + this number for the numerator of the employee turnover rate and may determine + the denominator used to calculate this rate and describe its methodology. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar-60 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-6-ar + ref_id: S1-6 AR 60 + description: Where data is not available for detailed information, the undertaking + shall use an estimation of the employee number or ratios, in accordance with + ESRS 1, and clearly identify where the use of estimates has taken place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-7 AR + name: Disclosure Requirement S1-7 + description: "Characteristics of non-employees in the undertaking\u2019s own\ + \ workforce" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar-61 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + ref_id: S1-7 AR 61 + description: "This Disclosure Requirement provides insight into the undertaking\u2019\ + s approach to employment, as well as the scope and nature of impacts arising\ + \ from its employment practices. It also provides contextual information that\ + \ aids an understanding of the information reported in other disclosures.\ + \ This disclosure covers both individual contractors supplying labour to the\ + \ undertaking (\u2018self-employed people\u2019) and workers provided by undertakings\ + \ primarily engaged in \u2018employment activities\u2019 (NACE Code N78).\ + \ If all the people performing work for the undertaking are employees and\ + \ the undertaking does not have any people in its workforce who are not employees,\ + \ this Disclosure Requirement is not material for the undertaking; notwithstanding,\ + \ the undertaking may state this fact when disclosing the information required\ + \ by Disclosure Requirement S1-6 as contextual information as this information\ + \ can be relevant for the users of the Sustainability Statement." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar-62 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + ref_id: S1-7 AR 62 + description: "Examples of contractors (self-employed people) in the undertaking\u2019\ + s own workforce include: contractors hired by the undertaking to perform work\ + \ that would otherwise be carried out by an employee; contractors hired by\ + \ the undertaking to perform work in a public area (for example, on a road,\ + \ on the street); and contractors hired by the undertaking to deliver the\ + \ work/service directly at the workplace of a client of the organization.\ + \ Examples of people employed by a third party engaged in \u2018employment\ + \ activities\u2019 whose work is under the direction of the undertaking include:\ + \ people who perform the same work that employees carry out, such as people\ + \ who fill in for employees who are temporarily absent (due to illness, holiday,\ + \ parental leave, etc.); people performing regular work at the same site as\ + \ employees; and workers who are dispatched temporarily from another EU member\ + \ state to work for the undertaking (\u2018posted workers\u2019). Examples\ + \ of value chain workers (and thus of workers not in the undertaking\u2019\ + s own workforce and reported under the scope of ESRS S2) include: workers\ + \ for a supplier contracted by the undertaking who work on the supplier\u2019\ + s premises using the supplier\u2019s work methods; workers for a \u2018downstream\u2019\ + \ entity which purchases goods or services from the undertaking; and workers\ + \ of an equipment supplier to the undertaking who, at one or more of the undertaking\u2019\ + s workplaces, perform regular maintenance on the supplier\u2019s equipment\ + \ (for example, photocopier) as stipulated in the contract between the equipment\ + \ supplier and the undertaking." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar-63 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + ref_id: S1-7 AR 63 + description: If the undertaking cannot report exact figures, it shall use estimates + according to the provisions in ESRS 1 to disclose the number of people in + its own workforce who are not employees to the nearest ten or, where the number + of people in its own workforce who are not employees is greater than 1 000, + to the nearest 100, and explain this. In addition, it shall clearly identify + the information that derives from actual data and estimates. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar-64 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + ref_id: S1-7 AR 64 + description: "Disclosing the number of people in the undertaking\u2019s own\ + \ workforce who are not employees at the end of the reporting period provides\ + \ information for that point in time without capturing fluctuations during\ + \ the reporting period. Disclosing this number as an average across the reporting\ + \ period considers fluctuations during the reporting period and can provide\ + \ more insightful and relevant information for users." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar-65 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-7-ar + ref_id: S1-7 AR 65 + description: "The information disclosed by the undertaking allows users to understand\ + \ how the number of non-employees in the undertaking\u2019s own workforce\ + \ varies during the reporting period or compared to the previous reporting\ + \ period (i.e., whether the numbers have increased or decreased). The undertaking\ + \ may also disclose the reasons for the fluctuations. For example, an increase\ + \ in the number of non-employees during the reporting period could be due\ + \ to a seasonal event. Conversely, a decrease in the number of non- employees\ + \ compared to the previous reporting period could be due to the completion\ + \ of a temporary project. If the undertaking discloses fluctuations, it shall\ + \ also explain the criteria used to determine which fluctuations it discloses.\ + \ If there are no significant fluctuations in the number of non-employees\ + \ during the reporting period or between the current and previous reporting\ + \ period, the undertaking may disclose this information." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-8 AR + name: Disclosure Requirement S1-8 + description: Collective bargaining coverage and social dialogue + - urn: urn:intuitem:risk:req_node:esrs_p3:node350 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar + name: Collective bargaining coverage + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar-66 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node350 + ref_id: S1-8 AR 66 + description: 'The percentage of employees covered by collective bargaining agreements + is calculated using the following formula:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar-67 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node350 + ref_id: S1-8 AR 67 + description: "The employees in the undertaking\u2019s own workforce covered\ + \ by collective bargaining agreements are those individuals to whom the undertaking\ + \ is obliged to apply the agreement. This means that if none of the employees\ + \ are covered by a collective bargaining agreement, the percentage reported\ + \ is zero. An employee in the undertaking\u2019s own workforce covered by\ + \ more than one collective bargaining agreement only needs to be counted once." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar-68 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node350 + ref_id: S1-8 AR 68 + description: This requirement is not aimed at obtaining the percentage of employees + represented by a works council or belonging to trade unions, which can be + different. The percentage of employees covered by collective bargaining agreements + can be higher than the percentage of unionised employees when the collective + bargaining agreements apply to both union and non-union members. Alternatively, + the percentage of employees covered by collective bargaining agreements can + be lower than the percentage of unionised employees. This may be the case + when there are no collective bargaining agreements available or when the collective + bargaining agreements do not cover all unionised employees. + - urn: urn:intuitem:risk:req_node:esrs_p3:node354 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar + name: Social Dialogue + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar-69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node354 + ref_id: S1-8 AR 69 + description: "For calculating the information required by paragraph 63(a), the\ + \ undertaking shall identify in which European Economic Area (EEA) countries\ + \ it has significant employment (i.e., at least 50 employees representing\ + \ at least 10% of its total employees). For these countries it shall report\ + \ the percentage of employees in that country which are employed in establishments\ + \ in which employees are represented by workers\u2019 representatives. Establishment\ + \ is defined as any place of operations where the undertaking carries out\ + \ a non-transitory economic activity with human means and goods. Examples\ + \ include: a factory, a branch of a retail chain, or an undertaking\u2019\ + s headquarters. For countries in which there is only one establishment the\ + \ percentage reported shall be either 100% or 0%." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-8-ar-70 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node354 + ref_id: S1-8 AR 70 + description: The information required by this Disclosure Requirement shall be + reported as follows + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-9 AR + name: Disclosure Requirement S1-9 + description: Diversity metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-ar-71 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-9-ar + ref_id: S1-9 AR 71 + description: "In preparing the disclosure on gender at top management, the undertaking\ + \ shall use the definition of top management as one and two levels below the\ + \ administrative and supervisory bodies unless this concept has already been\ + \ defined with the undertaking\u2019s operations and differs from the previous\ + \ description. If this is the case, the undertaking can use its own definition\ + \ for top management and disclose that fact and its own definition." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-10 AR + name: Disclosure Requirement S1-10 + description: Adequate Wages + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-72 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar + ref_id: S1-10 AR 72 + description: The lowest wage shall be calculated for the lowest pay category, + excluding interns and apprentices. This is to be based on the basic wage plus + any fixed additional payments that are guaranteed to all employees. The lowest + wage shall be considered separately for each country in which the undertaking + has operations, except outside the EEA when the relevant adequate or minimum + wage is defined at a sub national level. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar + ref_id: S1-10 AR 73 + description: 'The adequate wage benchmark used for comparison with the lowest + wage shall not be lower than:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73 + ref_id: S1-10 AR 73.a + description: 'in the EEA: the minimum wage set in accordance with Directive + (EU) 2022/2041 of the European Parliament and of the Council ( 111 ) on adequate + minimum wages in the European Union. In the period until Directive (EU) 2022/2041 + enters into application, where there is no applicable minimum wage determined + by legislation or collective bargaining in an EEA country, the undertaking + shall use an adequate wage benchmark that is either not lower than the minimum + wage in a neighboring country with a similar socio-economic status or not + lower than a commonly-referenced international norm such as 60% of the country''s + median wage and 50% of the gross average wage.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73 + ref_id: S1-10 AR 73.b + description: 'outside of the EEA:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b + ref_id: S1-10 AR 73.b.i + description: the wage level established in any existing international, national + or sub-national legislation, official norms or collective agreements, based + on an assessment of a wage level needed for a decent standard of living; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b.ii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b + ref_id: S1-10 AR 73.b.ii + description: if none of the instruments identified in (i) exist, any national + or sub-national minimum wage established by legislation or collective bargaining; + or + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b.iii + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-73.b + ref_id: S1-10 AR 73.b.iii + description: "if none of the instruments identified in (i) or (ii) exist, any\ + \ benchmark that meets the criteria set out by the Sustainable Trade Initiative\ + \ (IDH) (\u2018Roadmap on Living Wages - A Platform to Secure Living Wages\ + \ in Supply Chains\u2019), including applicable benchmarks aligned with the\ + \ Anker methodology, or provided by the Wage Indicator Foundation or Fair\ + \ Wage Network, provided the primacy of collective bargaining for the establishment\ + \ of terms and conditions of employment is ensured." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar-74 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-10-ar + ref_id: S1-10 AR 74 + description: Directive (EU) 2022/2041 on adequate minimum wages in the European + Union references both indicative reference values commonly used at international + level such as 60 % of the gross median wage and 50 % of the gross average + wage, and/or indicative reference values used at national level. Data for + the indicative values of 60% of the national median gross wage or 50% of the + national average gross wage can be obtained from the European Labour Force + Survey. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-11 AR + name: Disclosure Requirement S1-11 + description: Social protection + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-ar-75 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-11-ar + ref_id: S1-11 AR 75 + description: Social protection refers to all the measures that provide access + to health care and income support in cases of challenging life events such + as the loss of a job, being sick and in need of medical care, giving birth + and raising a child, or retiring and in need of a pension. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-12 AR + name: Disclosure Requirement S1-12 + description: Persons with disabilities + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-ar-76 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-12-ar + ref_id: S1-12 AR 76 + description: When disclosing the information required in paragraph 77 regarding + persons with disabilities, the undertaking shall provide any contextual information + necessary to understand the data and how the data has been compiled (methodology). + For example, information about the impact of different legal definitions of + persons with disabilities in the different countries in which the undertaking + has operations. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-13 AR + name: Disclosure Requirement S1-13 + description: Training and Skills Development metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-77 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar + ref_id: S1-13 AR 77 + description: "A regular performance review is defined as a review based on criteria\ + \ known to the employee and his or her superior undertaken with the knowledge\ + \ of the employee at least once per year. The review can include an evaluation\ + \ by the worker\u2019s direct superior, peers, or a wider range of employees.\ + \ The review can also involve the human resources department. In order to\ + \ disclose the information required by paragraph 83 (a), the undertaking shall\ + \ use the employee headcount figures provided in Disclosure Requirement ESRS\ + \ S1-6 in the denominator to calculate the:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-77.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-77 + ref_id: S1-13 AR 77.a + description: number/proportion of performance reviews per employee; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-77.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-77 + ref_id: S1-13 AR 77.b + description: number of reviews in proportion to the agreed number of reviews + by the management. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-78 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar + ref_id: S1-13 AR 78 + description: 'To disclose the average required per paragraph 83 (b), the undertaking + shall perform the following calculation: total number of training hours offered + to and completed by employees per gender category divided by the total number + of employees per gender category. For the total training average and the average + by gender, the head count figures for total employment and employment by gender + reported in Disclosure Requirement ESRS S1-6 shall be used.' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar-79 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-13-ar + ref_id: S1-13 AR 79 + description: "Employee categories are a breakdown of employees by level (such\ + \ as senior management, middle management) or function (such as technical,\ + \ administrative, production). This information is derived from the undertaking\u2019\ + s own human resources system. In categorising the workforce, the undertaking\ + \ shall define reasonable and meaningful employee categories which enable\ + \ users of the information to understand different performance measures between\ + \ the categories. The undertaking may present a category for executive and\ + \ non- executive employees." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-14 AR + name: Disclosure Requirement S1-14 + description: Health and safety metrics + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-80 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + ref_id: S1-14 AR 80 + description: "In relation to paragraph 88 (a), the percentage of its own workforce\ + \ who are covered by the undertaking\u2019s health and safety management system\ + \ shall be disclosed on a head count basis rather than a full-time equivalent\ + \ basis" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-81 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + ref_id: S1-14 AR 81 + description: "With regard to paragraph 90, when the undertaking\u2019s health\ + \ and safety management system, or certain parts thereof, has been subject\ + \ to an internal audit or external certification, the undertaking may state\ + \ this fact, or absence thereof, and the underlying standards for such audits/\ + \ certifications, as applicable." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-82 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + ref_id: S1-14 AR 82 + description: Fatalities may be reported separately for those resulting from + work- related injuries and those resulting from work-related ill health. + - urn: urn:intuitem:risk:req_node:esrs_p3:node382 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + name: "Guidance on \u2018work-related\u2019" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 83 + description: 'Work-related injuries and work-related ill health arise from exposure + to hazards at work. Notwithstanding, other types of incidents can occur that + are not connected with the work itself. For example, the following incidents + are generally not considered to be work-related, unless otherwise specified + in applicable national legislation:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83 + ref_id: S1-14 AR 83.a + description: a person in the workforce suffers a heart attack while at work + that it is not connected with work; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83 + ref_id: S1-14 AR 83.b + description: a person in the workforce driving to or from work is injured in + a car accident (when driving is not part of the work and where the transport + has not been organised by the undertaking); and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-83 + ref_id: S1-14 AR 83.c + description: a person in the workforce with epilepsy has a seizure at work that + is not connected with work. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-84 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 84 + description: "With regard to travelling for work purposes, injuries and ill\ + \ health that occur while a person is travelling are work-related if, at the\ + \ time of the injury or ill health, the person was engaged in work activities\ + \ \u2018in the interest of the employer\u2019. Examples of such activities\ + \ include travelling to and from customer contacts; conducting job tasks;\ + \ and entertaining or being entertained to transact, discuss, or promote business\ + \ (at the direction of the employer). If the undertaking is responsible for\ + \ the transport commuting, incidents occurred while commuting are considered\ + \ to be work-related. Nonetheless, incidents which arise during travel, outside\ + \ of the undertaking\u2019s responsibility (i. e., regular commuting to and\ + \ from work), may be reported separately provided that the undertaking has\ + \ such data available across the undertaking." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-85 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 85 + description: With regard to working from home, injuries and ill health that + occur when working from home are work-related, if the injury or ill health + occurs while the person is performing work from home; and the injury or ill + health is directly related to the performance of work rather than the general + home environment or setting. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-86 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 86 + description: With regard to mental illness, it is considered to be work-related, + if it has been notified voluntarily by the person concerned and it is supported + by an opinion from a licensed healthcare professional with appropriate training + and experience; and if such opinion states that the illness is work-related. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-87 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 87 + description: Health issues resulting, for example, from smoking, drug and alcohol + abuse, physical inactivity, unhealthy diets, and psychosocial factors unrelated + to work are not considered work-related. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-88 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node382 + ref_id: S1-14 AR 88 + description: Occupational diseases are not considered work-related injuries + but are covered under work-related ill health. + - urn: urn:intuitem:risk:req_node:esrs_p3:node392 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + name: Guidance on computing the rate of work-related injuries + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-89 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node392 + ref_id: S1-14 AR 89 + description: In computing the rate of work-related injuries, the undertaking + shall divide the respective number of cases by the number of total hours worked + by people in its own workforce and multiplied by 1 000 000. Thereby, these + rates represent the number of respective cases per one million hours worked. + A rate based on 1 000 000 hours worked indicates the number of work-related + injuries per 500 full time people in the workforce over a 1-year timeframe. + For comparability purposes a rate based on 1 000 000 hours worked shall be + used also for undertakings with less than 500 people in the workforce. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-90 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node392 + ref_id: S1-14 AR 90 + description: If the undertaking cannot directly calculate the number of hours + worked, it may estimate this on the basis of normal or standard hours of work, + taking into account entitlements to periods of paid leave of absence from + work (for example, paid vacations, paid sick leave, public holidays) and explain + this in its disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-91 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node392 + ref_id: S1-14 AR 91 + description: An undertaking shall include fatalities as a result of work-related + injury in the calculation of the number and rate of recordable work- related + injuries. + - urn: urn:intuitem:risk:req_node:esrs_p3:node396 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + name: Guidance on recordable work-related ill health + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-92 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node396 + ref_id: S1-14 AR 92 + description: Work-related ill health can include acute, recurring, and chronic + health problems caused or aggravated by work conditions or practices. These + include musculoskeletal disorders, skin and respiratory diseases, malignant + cancers, diseases caused by physical agents (for example, noise-induced hearing + loss, vibration-caused diseases), and mental illnesses (for example, anxiety, + post-traumatic stress disorder). For the purpose of the required disclosures, + the undertaking shall, at a minimum, include in its disclosure those cases + outlined in the ILO List of Occupational Diseases. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-93 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node396 + ref_id: S1-14 AR 93 + description: In the context of this Standard, work-related musculoskeletal disorders + are covered under work-related ill health (and not injuries). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-94 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node396 + ref_id: S1-14 AR 94 + description: "The cases to be disclosed in paragraph 88(d) relate to cases of\ + \ work- related ill health notified to the undertaking or identified by the\ + \ undertaking through medical surveillance, during the reporting period. The\ + \ undertaking might be notified of cases of work-related ill health through\ + \ reports by affected people, compensation agencies, or healthcare professionals.\ + \ The disclosure may include cases of work- related ill health that were detected\ + \ during the reporting period among people who were formerly in the undertaking\u2019\ + s workforce." + - urn: urn:intuitem:risk:req_node:esrs_p3:node400 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar + name: Guidance on the number of days lost + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-14-ar-95 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node400 + ref_id: S1-14 AR 95 + description: The undertaking shall count the number of days lost such that the + first full day and last day of absence shall be included. Calendar days should + be considered for the calculation, thus days on which the affected individual + is not scheduled for work (for example, weekends, public holidays) will count + as lost days. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-15 AR + name: 'Disclosure Requirement S1-15 ' + description: Work-life balance + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar + ref_id: S1-15 AR 96 + description: "Family-related leave include maternity leave, paternity leave,\ + \ parental leave, and carers\u2019 leave that is available under national\ + \ law or collective agreements. For the purpose of this Standard, these concepts\ + \ are defined as:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96 + ref_id: S1-15 AR 96.a + description: 'maternity leave (also called pregnancy leave): employment- protected + leave of absence for employed women directly around the time of childbirth + (or, in some countries, adoption);' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96 + ref_id: S1-15 AR 96.b + description: 'paternity leave: leave from work for fathers or, where and in + so far as recognised by national law, for equivalent second parents, on the + occasion of the birth or adoption of a child for the purposes of providing + care;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96 + ref_id: S1-15 AR 96.c + description: 'parental leave: leave from work for parents on the grounds of + the birth or adoption of a child to take care of that child, as defined by + each Member State;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-96 + ref_id: S1-15 AR 96.d + description: "carers\u2019 leave from work: leave for workers to provide personal\ + \ care or support to a relative, or a person who lives in the same household,\ + \ in need of significant care or support for a serious medical reason, as\ + \ defined by each Member State." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar-97 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-15-ar + ref_id: S1-15 AR 97 + description: With regard to paragraph 93 (a), employees entitled to family-related + leave are those who are covered by regulations, organisational policies, agreements, + contracts or collective bargaining agreements that contain family-related + leave entitlements and have reported their entitlement to the undertaking + or the undertaking is aware of the entitlement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-16 AR + name: Disclosure Requirement S1-16 + description: Remuneration metrics (pay gap and total remuneration) + - urn: urn:intuitem:risk:req_node:esrs_p3:node410 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar + name: Pay gap + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-98 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node410 + ref_id: S1-16 AR 98 + description: "When compiling the information required under paragraph 97 (a)\ + \ for the gap in pay between its female and male employees (also known as\ + \ the \u2018gender pay gap\u2019) the undertaking shall use the following\ + \ methodology:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-98.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-98 + ref_id: S1-16 AR 98.a + description: "include all employees\u2019 gross hourly pay level; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-98.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-98 + ref_id: S1-16 AR 98.b + description: 'apply the following formula to calculate the gender pay gap:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-99 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node410 + ref_id: S1-16 AR 99 + description: When disclosing the information required under paragraph 97 (a), + the undertaking shall provide any contextual information necessary to understand + the data and how the data has been compiled (methodology). Information regarding + how objective factors such as type of work and country of employment influence + the gender pay gap may be reported. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-100 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node410 + ref_id: S1-16 AR 100 + description: "The measure of the undertaking\u2019s gender pay gap shall be\ + \ reported for the current reporting period and, if reported in previous sustainability\ + \ reports, for the previous two reporting periods." + - urn: urn:intuitem:risk:req_node:esrs_p3:node416 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar + name: Total remuneration Ratio + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node416 + ref_id: S1-16 AR 101 + description: 'When compiling the information required by paragraph 97 (b), the + undertaking shall:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101 + ref_id: S1-16 AR 101.a + description: ' include all employees;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101 + ref_id: S1-16 AR 101.b + description: "consider, depending on the undertaking\u2019s remuneration policies,\ + \ all of the following:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + ref_id: S1-16 AR 101.b.i + description: base salary, which is the sum of guaranteed, short-term, and non-variable + cash compensation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + ref_id: S1-16 AR 101.b.ii + description: benefits in cash, which is the sum of the base salary and cash + allowances, bonuses, commissions, cash profit-sharing, and other forms of + variable cash payments; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + ref_id: S1-16 AR 101.b.iii + description: benefits in kind, such as cars, private health insurance, life + insurance, wellness programs; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + ref_id: S1-16 AR 101.b.iv + description: direct remuneration, which is the sum of benefits in cash, benefits + in kind and total fair value of all annual long-term incentives (for example, + stock option awards, restricted stock shares or units, performance stock shares + or units, phantom stock shares, stock appreciation rights, and long-term cash + awards). + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.v + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-101.b + ref_id: S1-16 AR 101.v + description: 'apply the following formula for the annual total remuneration + ratio:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-16-ar-102 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node416 + ref_id: S1-16 AR 102 + description: To illustrate the contextual information, the undertaking may provide + an explanation to understand the data and how the data has been compiled (methodology). + Quantitative data, such as the annual total remuneration ratio, may not be + sufficient on its own to understand pay disparity and its drivers. For example, + pay ratios can be influenced by the size of the undertaking (for example, + revenue, number of employees), its sector, its employment strategy (for example, + reliance on outsourced workers or part-time employees, a high degree of automation), + or currency volatility. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node325 + ref_id: S1-17 AR + name: Disclosure Requirement S1-17 + description: Incidents, complaints and severe human rights impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar + ref_id: S1-17 AR 103 + description: 'In addition to the information required by paragraphs 103 and + 104, the undertaking may disclose the status of incidents and/or complaints + and actions taken with reference to the following:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103 + ref_id: S1-17 AR 103.a + description: incidents reviewed by the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103 + ref_id: S1-17 AR 103.b + description: remediation plans being implemented; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103 + ref_id: S1-17 AR 103.c + description: remediation plans that have been implemented, with results reviewed + through routine internal management review processes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-103 + ref_id: S1-17 AR 103.d + description: incidents no longer subject to action. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar + ref_id: S1-17 AR 104 + description: 'If the undertaking compiles the information described in AR 103, + it shall consider the following: ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104 + ref_id: S1-17 AR 104.a + description: an incident is no longer subject to action if it is resolved, the + case is completed, or no further action is required by the undertaking. For + example, an incident for which no further action is required can include cases + that are withdrawn or where the underlying circumstances that led to the incident + no longer exist; + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104 + ref_id: S1-17 AR 104.b + description: remedial action is directed toward the alleged harasser and the + alleged victim. Remedial action toward the victim may include offering to + pay his/her expenses for counselling sessions, offering the victim some paid + time off, offering to reinstate sick/ vacation days if the victim has incurred + any expenses due to the harassment (such as having used sick or vacation days); + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-104 + ref_id: S1-17 AR 104.c + description: remedial action toward the harasser may include giving the harasser + a verbal and/or written warning, mandating anti- harassment counselling or + sending the harasser to an appropriate seminar, harassment awareness and prevention + training. A suspension without pay may also be an option. If the harasser + has been disciplined earlier but his/her harassment does not cease, then more + serious discipline may be required. + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-105 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar + ref_id: S1-17 AR 105 + description: "Severe human rights incidents include instances of lawsuits, formal\ + \ complaints through the undertaking or third-party complaint mechanisms,\ + \ serious allegations in public reports or the media, where these are connected\ + \ to the undertaking\u2019s own workforce, and the fact of the incidents is\ + \ not disputed by the undertaking, as well as any other severe impacts of\ + \ which the undertaking is aware." + - urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar-106 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s1-17-ar + ref_id: S1-17 AR 106 + description: In addition to the information required by paragraph 104 above, + the undertaking may disclose the number of severe human rights incidents where + the undertaking played a role securing remedy for those affected during the + reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.1 + assessable: false + depth: 1 + ref_id: ESRS S1-Appendix A.1 + description: Application Requirements for ESRS 2 related disclosures + - urn: urn:intuitem:risk:req_node:esrs_p3:node439 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.1 + description: 'This appendix is an integral part of ESRS S1 Own workforce. It + supports the application of the disclosure requirements from ESRS 2 set out + in this standard and has the same authority as the other parts of this Standard. + It provides a non- exhaustive list of the factors to be considered by the + undertaking when complying with ESRS 2 SBM-2 and ESRS 2 SBM-3. This appendix + does not provide definitions of the terms mentioned below. All defined terms + can be found in Annex II: Acronyms and Glossary of Terms.' + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.2 + assessable: false + depth: 1 + ref_id: ESRS S1-Appendix A.2 + description: Application Requirements for ESRS S1-1 Policies related to own + workforce + - urn: urn:intuitem:risk:req_node:esrs_p3:node441 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.2 + description: This appendix is an integral part of the ESRS S1 Own workforce + and has the same authority as the other parts of this Standard. It supports + the application of the requirements for Disclosure Requirement ESRS S1-1 for + social and human rights matters with examples of disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.3 + assessable: false + depth: 1 + ref_id: ESRS S1-Appendix A.3 + description: Application Requirements for ESRS S1-4 Taking action on material + impacts on own workforce, and approaches to managing material risks and pursuing + material opportunities related to own workforce, and effectiveness of those + actions + - urn: urn:intuitem:risk:req_node:esrs_p3:node443 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.3 + description: 'This appendix is an integral part of the ESRS S1 Own workforce + and has the same authority as the other parts of this Standard. It supports + the application of the requirements for Disclosure Requirement ESRS S1-4 for + social and human rights matters with examples of disclosures:' + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.4 + assessable: false + depth: 1 + ref_id: ESRS S1-Appendix A.4 + description: "Application Requirements for ESRS S1\u20135 Targets related to\ + \ managing material negative impacts, advancing positive impacts, and managing\ + \ material risks and opportunities" + - urn: urn:intuitem:risk:req_node:esrs_p3:node445 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s1-appendix-a.4 + description: 'This appendix is an integral part of the ESRS S1 Own workforce + and has the same authority as the other parts of this Standard. It supports + the application of the requirements for Disclosure Requirement ESRS S1-5 for + social and human rights matters with examples of disclosures:' + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2 + assessable: false + depth: 1 + ref_id: ESRS S2 + name: WORKERS IN THE VALUE CHAIN + - urn: urn:intuitem:risk:req_node:esrs_p3:node447 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node448 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node447 + description: "1. The objective of this Standard is to specify disclosure requirements\ + \ which will enable users of the sustainability statement to understand material\ + \ impacts on value chain workers connected with the undertaking\u2019s own\ + \ operations and value chain, including through its products or services,\ + \ as well as through its business relationships, and its related material\ + \ risks and opportunities, including:\n(a) how the undertaking affects workers\ + \ in its value chain, in terms of material positive and negative actual or\ + \ potential impacts;\n(b) any actions taken, and the result of such actions,\ + \ to prevent, mitigate or remediate actual or potential negative impacts,\ + \ and to address risks and opportunities;\n(c) the nature, type and extent\ + \ of the undertaking\u2019s material risks and opportunities, including those\ + \ related to its impacts and dependencies on workers in the value chain, and\ + \ how the undertaking manages them; and\n(d) the financial effects on the\ + \ undertaking over the short-, medium- and long term of material risks and\ + \ opportunities, including those arising from the undertaking\u2019s impacts\ + \ and dependencies on workers in the value chain." + - urn: urn:intuitem:risk:req_node:esrs_p3:node449 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node447 + description: '2. In order to meet the objective, this Standard requires an explanation + of the general approach the undertaking takes to identify and manage any material + actual and potential impacts on value chain workers in relation to: + + (a) working conditions (for example, secure employment, working time, adequate + wage, social dialogue, freedom of association, including the existence of + work councils, collective bargaining, work-life balance and health and safety); + + (b) equal treatment and opportunities for all (for example, gender equality + and equal pay for work of equal value, training and skills development, the + employment and inclusion of persons with disabilities, measures against violence + and harassment in the workplace, and diversity); + + (c) other work-related rights (for example, child labour, forced labour, adequate + housing, water and sanitation and privacy).' + - urn: urn:intuitem:risk:req_node:esrs_p3:node450 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node447 + description: "3. This Standard also requires an explanation of how such impacts,\ + \ as well as the undertaking\u2019s dependencies on value chain workers, can\ + \ create material risks or opportunities for the undertaking. For example,\ + \ negative impacts on value chain workers may disrupt the undertaking\u2019\ + s operations (through customers refusing to buy its products or state agencies\ + \ impounding its goods) and harm its reputation. Conversely, respect for workers\u2019\ + \ rights and active support programmes (for example through financial literacy\ + \ initiatives) can bring business opportunities, such as more reliable supply\ + \ or widening of the future consumer base." + - urn: urn:intuitem:risk:req_node:esrs_p3:node451 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node447 + description: "4. This Standard covers all workers in the undertaking\u2019s\ + \ upstream and downstream value chain who are or can be materially impacted\ + \ by the undertaking, including impacts that are connected with the undertaking\u2019\ + s own operations and value chain, including through its products or services,\ + \ as well as through its business relationships. This includes all workers\ + \ who are not included in the scope of \u2018own workforce\u2019 (\u2018own\ + \ workforce\u2019 includes employees, individual contractors, i.e., self-\ + \ employed workers, and workers provided by third party undertakings primarily\ + \ engaged in \u2018employment activities\u2019). Own workforce is covered\ + \ in ESRS S1 Own workforce. See AR 3 for examples of what is included in the\ + \ scope of this Standard." + - urn: urn:intuitem:risk:req_node:esrs_p3:node452 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p3:node453 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node452 + description: 5. This Standard applies when material impacts on and/or material + risks and opportunities related to value chain workers have been identified + through the materiality assessment process laid out in ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:node454 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node452 + description: 6. This Standard shall be read in conjunction with ESRS 1 General + requirements, and ESRS 2, as well as the ESRS S1, ESRS S3 Affected communities + and ESRS S4 Consumers and end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:node455 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node452 + description: "7. The reporting under this Standard shall be consistent, coherent\ + \ and where relevant clearly linked with reporting on the undertaking\u2019\ + s own workforce under ESRS S1, in order to ensure effective reporting." + - urn: urn:intuitem:risk:req_node:esrs_p3:node456 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node457 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node456 + name: ESRS 2 General disclosures + description: 8. The requirements of this section should be read in conjunction + with the disclosures required by ESRS 2 on Strategy (SBM). The resulting disclosures + shall be presented alongside the disclosures required by ESRS 2, except for + SBM-3 Material impacts, risks and opportunities and their interaction with + strategy and business model, for which the undertaking has an option to present + the disclosures alongside the topical disclosure. + - urn: urn:intuitem:risk:req_node:esrs_p3:node458 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node457 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node459 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node458 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-2-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node459 + ref_id: S2.SBM-2-9 + description: When responding to ESRS 2 SBM-2 paragraph 43, the undertaking shall + disclose how the interests, views, and rights of its value chain workers could + be materially impacted by the undertaking, including respect for their human + rights, inform its strategy and business model. Value chain workers are a + key group of affected stakeholders. + - urn: urn:intuitem:risk:req_node:esrs_p3:node461 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node458 + name: 'Disclosure Requirement related to ESRS 2 SBM-3 ' + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node461 + ref_id: S2.SBM-3-10 + description: 'When responding to ESRS 2 SBM-3 paragraph 48, the undertaking + shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-10.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-10 + ref_id: S2.SBM-3-10.a + description: "whether and how actual and potential impacts on value chain workers,\ + \ as identified in ESRS 2 IRO-1 Description of the processes to identify and\ + \ assess material impacts, risks and opportunities: (i) originate from or\ + \ are connected to the undertaking\u2019s strategy and business models, and\ + \ (ii) inform and contribute to adapting the undertaking\u2019s strategy and\ + \ business model; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-10.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-10 + ref_id: S2.SBM-3-10.b + description: the relationship between on the one hand its material risks and + opportunities arising from impacts and dependencies on value chain workers, + and on the other hand its strategy and business model. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node461 + ref_id: S2.SBM-3-11 + description: "When fulfilling the requirements of paragraph ESRS 2 SBM-3 paragraph\ + \ 48, the undertaking shall disclose whether all value chain workers who are\ + \ likely to be materially impacted by the undertaking, including impacts that\ + \ are connected with the undertaking\u2019s own operations and value chain,\ + \ including through its products or services , as well as through its business\ + \ relationships, are included in the scope of its disclosure under ESRS 2.\ + \ In addition, the undertaking shall provide the following information:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + ref_id: S2.SBM-3-11.a + description: "a brief description of the types of value chain workers who could\ + \ be materially impacted by the undertaking, including impacts that connected\ + \ with the undertaking\u2019s own operations and value chain, including through\ + \ its products or services, as well as through its business relationships,\ + \ and specify whether they are:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + ref_id: S2.SBM-3-11.a.i + description: workers working on the undertaking site but who are not part of + own workforce, i.e., who are not self-employed workers or workers provided + by third party undertakings primarily engaged in employment activities (covered + through ESRS S1); + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + ref_id: S2.SBM-3-11.a.ii + description: "workers working for entities in the undertaking\u2019s upstream\ + \ value chain (e.g., those involved in the extraction of metals or minerals\ + \ or harvesting of commodities, in refining, manufacturing or other forms\ + \ of processing);" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + ref_id: S2.SBM-3-11.a.iii + description: "workers working for entities in the undertaking\u2019s downstream\ + \ value chain (e.g., those involved in the activities of logistics or distribution\ + \ providers, franchisees, retailers);" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + ref_id: S2.SBM-3-11.a.iv + description: workers working in the operations of a joint venture or special + purpose vehicle involving the reporting undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a.v + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.a + ref_id: S2.SBM-3-11.a.v + description: workers who (within the prior categories or additionally) are particularly + vulnerable to negative impacts whether due to their inherent characteristics + or to the particular context, such as trade unionists, migrant workers, home + workers, women or young workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + ref_id: S2.SBM-3-11.b + description: "any geographies, at country level or other levels, or commodities\ + \ for which there is a significant risk of child labour, or of forced labour\ + \ or compulsory labour, among workers in the undertaking\u2019s value chain\ + \ ( 112 );" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + ref_id: S2.SBM-3-11.c + description: in the case of material negative impacts, whether they are either + (i) widespread or systemic in contexts where the undertaking operates or has + sourcing or other business relationships (e.g., child labour or forced labour + in particular commodity supply chains in specific countries or regions), or + (ii) related to individual incidents (e.g., an industrial accident or an oil + spill) or to specific business relationships. This includes consideration + of impacts on value chain workers that may arise from the transition to greener + and climate-neutral operations. Potential impacts include impacts associated + with innovation and restructuring, closure of mines, increased mining of minerals + needed for the transition to a sustainable economy, and solar panel production; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + ref_id: S2.SBM-3-11.d + description: "in the case of material positive impacts, a brief description\ + \ of the activities that result in the positive impacts (e.g., updated purchasing\ + \ practices, capacity-building to supply chain workers), including providing\ + \ opportunities for the workforce such as job creation and upskilling in the\ + \ context of a \u2018just transition\u2019, and the types of value chain workers\ + \ that are positively affected or could be positively affected; the undertaking\ + \ may also disclose whether the positive impacts occur in specific countries\ + \ or regions; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-11 + ref_id: S2.SBM-3-11.e + description: any material risks and opportunities for the undertaking arising + from impacts and dependencies on value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node461 + ref_id: S2.SBM-3-12 + description: In describing the main types of value chain workers who are or + could be negatively affected, based on the materiality assessment set out + in ESRS 2 IRO-1, the undertaking shall disclose whether and how it has developed + an understanding of how workers with particular characteristics, those working + in particular contexts, or those undertaking particular activities may be + at greater risk of harm. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node461 + ref_id: S2.SBM-3-13 + description: The undertaking shall disclose which, if any, of its material risks + and opportunities arising from impacts and dependencies on its value chain + workers relate to specific groups of value chain workers (for example, particular + age groups, workers in a particular factory or country) rather than to all + of the value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:node478 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node457 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node478 + ref_id: S2-1 + name: Disclosure Requirement S2-1 + description: Policies related to value chain workers + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-14 + description: The undertaking shall describe its policies adopted to manage its + material impacts on value chain workers, as well as associated material risks + and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-15 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of material impacts on value chain + workers specifically, as well as policies that cover material risks or opportunities + related to value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-16 + description: "The disclosure required by paragraph 14 shall contain the information\ + \ on the undertaking\u2019s policies to manage its material impacts, risks\ + \ and opportunities related to value chain workers in accordance with ESRS\ + \ 2 MDR-P Policies adopted to manage material sustainability matters. In addition,\ + \ the undertaking shall specify whether such policies cover specific groups\ + \ of value chain workers or all value chain workers." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-17 + description: 'The undertaking shall describe its human rights policy commitments + ( 113 ) that are relevant to value chain workers, including those processes + and mechanisms to monitor compliance with the UN Guiding Principles on Business + and Human Rights, ILO Declaration on Fundamental Principles and Rights at + Work or OECD Guidelines for Multinational Enterprises ( 114 ). In its disclosure, + it shall focus on those matters that are material in relation to, as well + as the general approach to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17 + ref_id: S2-1-17.a + description: respect for the human rights, including labour rights, of workers; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17 + ref_id: S2-1-17.b + description: engagement with value chain workers; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-17 + ref_id: S2-1-17.c + description: measures to provide and/or enable remedy for human rights impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-18 + description: The undertaking shall state whether its policies in relation to + value chain workers explicitly address trafficking in human beings ( 115 ), + forced labour or compulsory labour and child labour. It shall also state whether + the undertaking has a supplier code of conduct ( 116 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1 + ref_id: S2-1-19 + description: The undertaking shall disclose whether and how its policies with + regard to value chain workers are aligned with internationally recognised + instruments relevant to value chain workers, including the United Nations + (UN) Guiding Principles on Business and Human Rights ( 117 ). The undertaking + shall also disclose the extent to which cases of non-respect of the UN Guiding + Principles on Business and Human Rights, ILO Declaration on Fundamental Principles + and Rights at Work or OECD Guidelines for Multinational Enterprises that involve + value chain workers have been reported in its upstream and downstream value + chain and, if applicable, an indication of the nature of such cases ( 118 + ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node478 + ref_id: S2-2 + name: Disclosure Requirement S2-2 + description: Processes for engaging with value chain workers about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + ref_id: S2-2-20 + description: The undertaking shall disclose its general processes for engaging + with value chain workers and their representatives about actual and potential + impacts on them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + ref_id: S2-2-21 + description: The objective of this Disclosure Requirement is to enable an understanding + of whether and how the undertaking engages, as part of its ongoing due diligence + process, with value chain workers and their legitimate representatives, or + with credible proxies, about material actual and potential positive and/or + negative impacts that do or are likely to affect them, and whether and how + perspectives of value chain workers are taken into account in the decision-making + processes of the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + ref_id: S2-2-22 + description: 'The undertaking shall disclose whether and how the perspectives + of value chain workers inform its decisions or activities aimed at managing + the actual and potential impacts on value chain workers. This shall include, + where relevant, an explanation of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + ref_id: S2-2-22.a + description: whether engagement occurs with value chain workers or their legitimate + representatives directly, or with credible proxies that have insight into + their situation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + ref_id: S2-2-22.b + description: the stage(s) at which engagement occurs, the type of engagement, + and the frequency of the engagement; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + ref_id: S2-2-22.c + description: "the function and the most senior role within the undertaking that\ + \ has operational responsibility for ensuring that this engagement happens,\ + \ and that the results inform the undertaking\u2019s approach;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + ref_id: S2-2-22.d + description: "where applicable, Global Framework Agreements or for agreements\ + \ that the undertaking has with global union federations related to respect\ + \ of human rights of workers in the value chain, including their right to\ + \ bargain collectively, and including an explanation of how the agreement\ + \ enables the undertaking to gain insight into those workers\u2019 perspectives;\ + \ and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-22 + ref_id: S2-2-22.e + description: where applicable, how the undertaking assesses the effectiveness + of its engagement with workers in the value chain, including, where relevant, + any agreements or outcomes that result. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + ref_id: S2-2-23 + description: Where applicable, the undertaking shall disclose the steps it takes + to gain insight into the perspectives of workers that may be particularly + vulnerable to impacts and/or marginalised (for example, women workers, migrant + workers, workers with disabilities). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2 + ref_id: S2-2-24 + description: If the undertaking cannot disclose the above required information + because it has not adopted a general process to engage with workers in the + value chain, it shall disclose this to be the case. It may disclose a timeframe + in which it aims to have such a process in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node478 + ref_id: S2-3 + name: Disclosure Requirement S2-3 + description: Processes to remediate negative impacts and channels for value + chain workers to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + ref_id: S2-3-25 + description: The undertaking shall describe the processes it has in place to + provide for or cooperate in the remediation of negative impacts on value chain + workers that the undertaking is connected with, as well as channels available + to value chain workers to raise concerns and have them addressed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + ref_id: S2-3-26 + description: The objective of this Disclosure Requirement is to enable an understanding + of the formal means by which value chain workers can make their concerns and + needs known directly to the undertaking and/or through which the undertaking + supports the availability of such channels (for example, grievance mechanisms + ) in the workplace of value chain workers, how follow up is carried out with + these workers regarding the issues raised, and the effectiveness of these + channels. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + ref_id: S2-3-27 + description: 'The undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27 + ref_id: S2-3-27.a + description: its general approach to and processes for providing or contributing + to remedy where it has caused or contributed to a material negative impact + on value chain workers, including whether and how the undertaking assesses + that the remedy provided is effective; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27 + ref_id: S2-3-27.b + description: any specific channels it has in place for value chain workers to + raise their concerns or needs directly with the undertaking and have them + addressed, including whether these are established by the undertaking itself + and/or whether they are third-party mechanisms; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27 + ref_id: S2-3-27.c + description: the processes through which it supports or requires the availability + of such channels in the workplace of value chain workers; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-27 + ref_id: S2-3-27.d + description: how it tracks and monitors issues raised and addressed, and how + it ensures the effectiveness of the channels, including through involvement + of stakeholders who are the intended users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + ref_id: S2-3-28 + description: The undertaking shall disclose whether and how it assesses that + value chain workers are aware of and trust these structures or processes as + a way to raise their concerns or needs and have them addressed. In addition, + the undertaking shall disclose whether it has policies in place regarding + the protection of individuals that use them against retaliation. If such information + has been disclosed in accordance with ESRS G1-1, the undertaking may refer + to that information. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3 + ref_id: S2-3-29 + description: If the undertaking cannot disclose the above required information + because it has not adopted a channel for raising concerns and/or does not + support the availability of such a channel in the workplace of value chain + workers, it shall disclose this to be the case. It may disclose a timeframe + in which it aims to have such a channel or processes in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node478 + ref_id: S2-4 + name: 'Disclosure Requirement S2-4 ' + description: Taking action on material impacts on value chain workers, and approaches + to managing material risks and pursuing material opportunities related to + value chain workers, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-30 + description: The undertaking shall disclose how it takes action to address material + impacts on value chain workers, and to manage material risks and pursue material + opportunities related to value chain workers and the effectiveness of those + actions. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-31 + description: 'The objective of this Disclosure Requirement is twofold. Firstly, + it is to enable an understanding of any actions or initiatives through which + the undertaking seeks to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31 + ref_id: S2-4-31.a + description: prevent, mitigate and remediate the negative material impacts on + value chain workers; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31 + ref_id: S2-4-31.b + description: achieve positive material impacts for value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:node515 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31 + description: Secondly, it is to enable an understanding of the ways in which + the undertaking is addressing the material risks and pursuing the material + opportunities related to workers in the value chain. + - urn: urn:intuitem:risk:req_node:esrs_p3:node516 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-31 + description: The undertaking shall provide a summarised description of the action + plans and resources to manage its material impacts, risks, and opportunities + related to value chain workers as per ESRS 2 MDR-A Actions and resources in + relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-32 + description: 'In relation to material impacts, the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32 + ref_id: S2-4-32.a + description: actions taken, planned or underway to prevent or mitigate material + negative impacts on value chain workers; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32 + ref_id: S2-4-32.b + description: whether and how it has taken action to provide or enable remedy + in relation to an actual material impact; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32 + ref_id: S2-4-32.c + description: any additional actions or initiatives it has in place with the + primary purpose of delivering positive impacts for value chain workers; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-32 + ref_id: S2-4-32.d + description: how it tracks and assesses the effectiveness of such actions and + initiatives in delivering intended outcomes for value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-33 + description: 'In relation to paragraph 30, the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33 + ref_id: S2-4-33.a + description: the processes through which it identifies what action is needed + and appropriate in response to a particular actual or potential negative impact + on value chain workers; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33 + ref_id: S2-4-33.b + description: its approach to taking action in relation to specific material + negative impacts on value chain workers, including any action in relation + to its own purchasing or other internal practices, as well as capacity- building + or other forms of engagement with entities in the value chain, or forms of + collaborative action with industry peers or other relevant parties; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-33 + ref_id: S2-4-33.c + description: how it ensures that processes to provide or enable remedy in the + event of material negative impacts are available and effective in their implementation + and outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-34 + description: 'In relation to material risks and opportunities, the undertaking + shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-34.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-34 + ref_id: S2-4-34.a + description: what action is planned or underway to mitigate material risks for + the undertaking arising from its impacts and dependencies on value chain workers + and how it tracks effectiveness in practice; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-34.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-34 + ref_id: S2-4-34.b + description: what action is planned or underway to pursue material opportunities + for the undertaking in relation to value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-35 + description: The undertaking shall disclose whether and how it takes action + to avoid causing or contributing to material negative impacts on value chain + workers through its own practices, including, where relevant, in relation + to procurement, sales and data use. This may include disclosing what approach + is taken when tensions arise between the prevention or mitigation of material + negative impacts and other business pressures. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-36 + description: The undertaking shall also disclose whether severe human rights + issues and incidents connected to its upstream and downstream value chain + have been reported and, if applicable, disclose these ( 119 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-37 + description: When disclosing the information required under paragraph 32 (c), + the undertaking shall consider ESRS 2 (see ESRS 2 MDR-T Tracking effectiveness + of policies and actions through targets) if it evaluates the effectiveness + of an action by setting a target. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4 + ref_id: S2-4-38 + description: The undertaking shall disclose what resources are allocated to + the management of its material impacts, with information that enables users + to gain an understanding of how the material impacts are managed. + - urn: urn:intuitem:risk:req_node:esrs_p3:node533 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node457 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node533 + ref_id: S2-5 + name: Disclosure Requirement S2-5 + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5 + ref_id: S2-5 39 + description: 'The undertaking shall disclose the time-bound and outcome-oriented + targets it may have set related to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39 + ref_id: S2-5 39.a + description: reducing negative impacts on value chain workers; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39 + ref_id: S2-5 39.b + description: advancing positive impacts on value chain workers; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-39 + ref_id: S2-5 39.c + description: managing material risks and opportunities related to value chain + workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5 + ref_id: S2-5 40 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking is using time-bound and outcome-oriented + targets to drive and measure its progress in addressing material negative + impacts, and/or advancing positive impacts on value chain workers, and/or + in managing material risks and opportunities related to value chain workers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5 + ref_id: S2-5 41 + description: The summarised description of the targets to manage its material + impacts, risks and opportunities related to value chain workers shall contain + the information requirements defined in ESRS 2 MDR-T. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5 + ref_id: S2-5 42 + description: 'The undertaking shall disclose the process for setting the targets, + including whether and how the undertaking engaged directly with workers in + the value chain, their legitimate representatives, or with credible proxies + that have insight into their situation in:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42 + ref_id: S2-5 42.a + description: setting any such targets; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42 + ref_id: S2-5 42.b + description: "tracking the undertaking\u2019s performance against them; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-42 + ref_id: S2-5 42.c + description: "identifying any lessons or improvements as a result of the undertaking\u2019\ + s performance." + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2-appendix-a + assessable: false + depth: 1 + ref_id: ESRS S2-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node546 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2-appendix-a + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node547 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node546 + description: AR 1. In addition to the issues listed in paragraph 2, the undertaking + may also consider disclosing information about other issues relevant to a + material impact for a shorter period of time, for instance initiatives regarding + the health and safety of value chain workers during a pandemic. + - urn: urn:intuitem:risk:req_node:esrs_p3:node548 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node546 + description: AR 2. The overview of social and human rights matters provided + in paragraph 2 is not meant to imply that all of these issues should be disclosed + in each Disclosure Requirement in this Standard. Rather, it provides a list + of matters that the undertaking shall consider in its materiality assessment + (ref. to ESRS 1 chapter 3 Double materiality as the basis for sustainability + disclosures and ESRS 2 IRO-1) related to value chain workers and, as appropriate, + disclose as material impacts, risks and opportunities within the scope of + this Standard. + - urn: urn:intuitem:risk:req_node:esrs_p3:node549 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node546 + description: "AR 3. Examples of workers that fall within the scope of this Standard\ + \ are:\n(a) workers of outsourced services working in the workplace of the\ + \ undertaking (e.g., third party catering or security workers);\n(b) workers\ + \ of a supplier contracted by the undertaking who work on the supplier\u2019\ + s premises using the supplier\u2019s work methods;\n(c) workers for a \u2018\ + downstream\u2019 entity which purchases goods or services from the undertaking;\n\ + (d) workers of an equipment supplier to the undertaking who, at a workplace\ + \ controlled by the undertaking, perform regular maintenance on the supplier\u2019\ + s equipment (e.g., photocopier) as stipulated in the contract between the\ + \ equipment supplier and the undertaking; and\n(e) workers deeper in the supply\ + \ chain who are extracting commodities that are then processed into components\ + \ that go in the undertaking\u2019s products." + - urn: urn:intuitem:risk:req_node:esrs_p3:node550 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s2-appendix-a + name: ESRS 2 General disclosures + - urn: urn:intuitem:risk:req_node:esrs_p3:node551 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node550 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node552 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node551 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-2.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node552 + ref_id: S2.SBM-2.AR-4 + description: Disclosure Requirement ESRS 2 SBM-2 requires the undertaking to + provide an understanding of whether and how it considers the role that its + strategy and business model may play in creating, exacerbating or mitigating + significant material impacts on value chain workers, and whether and how the + business model and strategy are adapted to address such material impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-2.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node552 + ref_id: S2.SBM-2.AR-5 + description: "While value chain workers may not be engaging with the undertaking\ + \ at the level of its strategy or business model, their views can inform the\ + \ undertaking\u2019s assessment of its strategy and business model. The undertaking\ + \ may disclose the views of the value chain workers and value chain workers\u2019\ + \ representatives." + - urn: urn:intuitem:risk:req_node:esrs_p3:node555 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node551 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node555 + ref_id: S2.SBM-3.AR-6 + description: "Impacts on value chain workers can originate in the undertaking\u2019\ + s strategy or business model in a number of different ways. For example, impacts\ + \ may relate to the undertaking\u2019s value proposition (such as providing\ + \ lowest cost products or services, or high-speed delivery, in ways that put\ + \ pressure on labour rights in the upstream and downstream value chains),\ + \ its value chain (such as relying on commodities of unclear provenance, without\ + \ visibility on impacts on workers), or its cost structure and the revenue\ + \ model (e.g. shifting inventory risk to suppliers, with knock-on effects\ + \ on the labour rights of their workers)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node555 + ref_id: S2.SBM-3.AR-7 + description: Impacts on value chain workers that originate in the strategy or + the business model can also bring material risks to the undertaking. For example, + in the context of a pandemic or other severe health crisis, undertakings that + rely on contingent labour with little to no access to sick care and health + benefits may face severe operational and business continuity risks as workers + have no choice but to keep working while sick, further exacerbating the spread + of the disease and causing major supply chain breakdowns. Another example + is where selling goods premised on cheapest prices for customers create operational + risks as suppliers under extreme price pressure may sub-contract production, + leading to lower quality, and a longer, less transparent, and less controllable + supply chain. Reputational and business opportunity risks linked to the exploitation + of low-skilled, low-paid workers in sourcing geographies with minimal protections + for them are also increasing with media backlash and consumer preferences + moving to more ethically sourced or sustainable goods. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node555 + ref_id: S2.SBM-3.AR-8 + description: "Examples of particular characteristics of value chain workers\ + \ that may be considered by the undertaking when responding to paragraph 12\ + \ relate to young workers that may be more susceptible to impacts on their\ + \ physical and mental development, or women workers in a context where women\ + \ are routinely discriminated against in the terms and conditions of work,\ + \ or migrant workers in a context where the market for the supply of labour\ + \ is poorly regulated and workers are routinely charged recruitment fees.\ + \ For some workers, the inherent nature of the activity that they are required\ + \ to undertake may put them at risk (e.g., workers required to handle chemicals\ + \ or operate certain equipment or low paid workers who are on \u2018zero hours\u2019\ + \ contracts)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2.sbm-3.ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node555 + ref_id: S2.SBM-3.AR-9 + description: "With regard to paragraph 13, material risks could also arise because\ + \ of the undertaking\u2019s dependency on value chain workers where low likelihood\ + \ but high impact events may trigger financial effects; for example, where\ + \ a global pandemic leads to severe health impacts on workers at all stages\ + \ of the value chain resulting in major disruptions to production and distribution.\ + \ Other examples of risk related to the undertaking\u2019s dependency on value\ + \ chain workers include a shortage in skilled workers or political decisions\ + \ or legislation affecting value chain workers working for logistics providers.\ + \ For example, if some workers in the undertaking\u2019s value chain are at\ + \ risk of forced labour, and the undertaking is importing products into countries\ + \ where the law allows for the confiscation of imported goods that are suspected\ + \ of being made with forced labour." + - urn: urn:intuitem:risk:req_node:esrs_p3:node560 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node550 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node560 + ref_id: S2-1 AR + name: Disclosure Requirement S2-1 + description: Policies related to value chain workers + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 10 + description: "If the policies are limited to the undertaking\u2019s own workforce\ + \ and do not cover workers in upstream and downstream entities and relationships,\ + \ they shall be disclosed under ESRS S1 and not in relation to this requirement." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 11 + description: If the disclosures under ESRS S1 include information relevant for + workers in the value chain, a reference to this can be made here; disclosures + on the remaining elements shall then be fulfilled under this Disclosure Requirement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 12 + description: The undertaking may disclose explanations of significant changes + to the policies adopted during the reporting year (e.g., new expectations + for suppliers, new or additional approaches to due diligence and remedy). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 13 + description: The policy may take the form of a stand-alone policy regarding + value chain workers or be included in a broader document such as a code of + ethics or a general sustainability policy that has already been disclosed + by the undertaking as part of another ESRS. In those cases, the undertaking + shall provide an accurate cross-reference to identify the aspects of the policy + that satisfy the requirements of this Disclosure Requirement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 14 + description: "When disclosing the alignment of its policies with the UN Guiding\ + \ Principles on Business and Human Rights, the undertaking shall consider\ + \ that the Guiding Principles refer to the International Bill of Rights, which\ + \ consist of the Universal Declaration of Human Rights and the two Covenants\ + \ that implement it, as well as the International Labour Organisation\u2019\ + s Declaration on Fundamental Rights and Principles at Work and the core conventions\ + \ that underpin it, and may disclose its alignment with these instruments." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 15 + description: When disclosing how external-facing policies are embedded, the + undertaking may, for example, consider internal policies of responsible sourcing, + and alignment with other policies relevant to value chain workers, for example, + regarding forced labour. With regard to supplier codes of conduct that the + undertaking may have, the summary shall indicate whether they include provisions + addressing the safety of workers, precarious work (for example, the use of + workers on short-term or limited hours contracts, workers employed via third + parties, sub-contracting to third parties or use of informal workers), human + trafficking, the use of forced labour or child labour, and whether such provisions + are fully in line with applicable ILO standards. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-1-ar + ref_id: S2-1 AR 16 + description: "The undertaking may provide an illustration of the types of communication\ + \ of its policies to those individuals, group of individuals or entities for\ + \ whom they are relevant, either because they are expected to implement them\ + \ (for example, the undertaking\u2019s employees, contractors and suppliers),\ + \ or because they have a direct interest in their implementation (for example,\ + \ own workers, investors). It may disclose communication tools and channels\ + \ (for example, flyers, newsletters, dedicated websites, social media, face\ + \ to face interactions, workers\u2019 representatives), aimed at ensuring\ + \ that the policy is accessible and that different audiences understand its\ + \ implications. The undertaking may also explain how it identifies and removes\ + \ potential barriers for dissemination, such as through translation into relevant\ + \ languages or the use of graphic depictions." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node560 + ref_id: S2-2 AR + name: Disclosure Requirement S2-2 + description: Processes for engaging with value chain workers about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar + ref_id: S2-2 AR 17 + description: When describing which function or role has operational responsibility + for such engagement and/or ultimate accountability, the undertaking may disclose + whether this is a dedicated role or function or part of a broader role or + function, and whether any capacity building activities have been offered to + support the staff to undertake engagement. If it cannot identify such a position + or function, it may state that this is the case. This disclosure could also + be fulfilled by making reference to information disclosed according to ESRS + 2 GOV-1 The role of the administrative, management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar + ref_id: S2-2 AR 18 + description: 'When preparing the disclosures described in paragraph 22 b) and + c), the following illustrations may be considered:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18 + ref_id: S2-2 AR 18.a + description: examples of stages at which engagement occurs are i) determining + the approach to mitigation and ii) evaluation the effectiveness of mitigation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18 + ref_id: S2-2 AR 18.b + description: for type of engagement, these could be participation, consultation + and/or information; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18 + ref_id: S2-2 AR 18.c + description: for the frequency of the engagement, information may be provided + on whether engagement occurs on a regular basis, at certain points in a project + or business process, for example, when a new harvest season begins or a new + production line is opened, as well as whether it occurs in response to legal + requirements and/or in response to stakeholder requests and whether the result + of the engagement is being integrated into the undertaking's decision- making + processes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-18 + ref_id: S2-2 AR 18.d + description: for the role with operational responsibility, whether the undertaking + requires relevant staff to have certain skills, or whether it provides training + or capacity building to relevant staff to undertake engagement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar + ref_id: S2-2 AR 19 + description: Global Framework Agreements (GFA) serve to establish an ongoing + relationship between a multinational enterprise and a Global Union Federation + to ensure that the undertaking adheres to the same standards in every country + in which it operates. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-2-ar + ref_id: S2-2 AR 20 + description: To illustrate how the perspectives of value chain workers have + informed specific decisions or activities of the undertaking, the undertaking + may provide examples from the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node560 + ref_id: S2-3 AR + name: Disclosure Requirement S2-3 + description: Processes to remediate negative impacts and channels for value + chain workers to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 21 + description: In fulfilling the requirements set out by Disclosure Requirement + ESRS S2-3, the undertaking may be guided by the content of the UN Guiding + Principles on Business and Human Rights and the OECD Guidelines for Multinational + Enterprises focused on remediation and grievance mechanisms. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 22 + description: Channels for raising concerns or needs include grievance mechanisms, + hotlines, trade unions (where workers are unionised), dialogue processes or + other means through which value chain workers or their legitimate representatives + can raise concerns about impacts or explain needs that they would like the + undertaking to address. This could include both channels provided by the undertaking + directly and channels provided by the entities where the value chain workers + are working, in addition to any other mechanisms the undertaking may use to + gain insight into the management of impacts on workers, such as compliance + audits. Where the undertaking is relying solely on information about the existence + of such channels provided by its business relationships to answer this requirement, + it may state that. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 23 + description: To provide greater insight into the information covered in Disclosure + Requirement ESRS S2-3, the undertaking may explain whether and how value chain + workers that may be affected are able to access channels at the level of the + undertaking they are employed by, or contracted to work for, in relation to + each material impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 24 + description: Third party mechanisms could include those operated by the government, + NGOs, industry associations and other collaborative initiatives. The undertaking + may disclose whether these are accessible to all workers who may be potentially + or actually materially impacted by the undertaking, or individuals or organisations + acting on their behalf or who are otherwise in a position to be aware of negative + impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 25 + description: In relation to the protection of individuals that use the mechanisms + against the retaliation, the undertaking may describe whether it treats grievances + confidentially and with respect to the rights of privacy and data protection; + and whether the mechanisms allow for workers to use them anonymously (for + example, through representation by a third party). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 26 + description: In disclosing whether and how the undertaking knows that value + chain workers are aware of and trust any of these channels, the undertaking + may provide relevant and reliable data about the effectiveness of these channels + from the perspective of value chain workers themselves. Examples of sources + of information are surveys of workers that have used such channels and their + levels of satisfaction with the process and outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar + ref_id: S2-3 AR 27 + description: "In describing the effectiveness of channels for value chain workers\ + \ to raise concerns, the undertaking may be guided by the following questions,\ + \ based on the \u2018effectiveness criteria for non-judicial grievance mechanisms\u2019\ + , as laid out in the UN Guiding Principles on Business and Human Rights, in\ + \ particular Principle 31. The below considerations may be applied to individual\ + \ channels or to a collective system of channels:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.a + description: do the channels hold legitimacy by providing appropriate accountability + for their fair conduct and building stakeholder trust? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.b + description: are the channels known and accessible to stakeholders? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.c + description: ' do the channels have clear and known procedures, with indicative + timeframes?' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.d + description: do the channels ensure reasonable access for stakeholders to sources + of information, advice and expertise? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.e + description: do the channels offer transparency by providing sufficient information + both to complainants and, where applicable, to meet any public interest? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.f + description: do outcomes achieved through the channels accord with internationally + recognised human rights? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.g + description: does the undertaking identify insights from the channels that support + continuous learning in both improving the channels and preventing future impacts? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-3-ar-27 + ref_id: S2-3 AR 27.h + description: does the undertaking focus on dialogue with complainants as the + means to reach agreed solutions, rather than seeking to unilaterally determine + the outcome? + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node560 + ref_id: S2-4 AR + name: Disclosure Requirement S2-4 + description: Taking action on material impacts on value chain workers, and approaches + to managing material risks and pursuing material opportunities related to + value chain workers, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 28 + description: 'It may take time to understand negative impacts and how the undertaking + may be involved with them through its value chain, as well as to identify + appropriate responses and put them into practice. Therefore, the undertaking + shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28 + ref_id: S2-4 AR 28.a + description: its general and specific approaches to addressing material negative + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28 + ref_id: S2-4 AR 28.b + description: its initiatives aimed at contributing to additional material positive + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28 + ref_id: S2-4 AR 28.c + description: how far it has progressed in its efforts during the reporting period; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-28 + ref_id: S2-4 AR 28.d + description: its aims for continued improvement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 29 + description: Appropriate action can vary according to whether the undertaking + causes or contributes to a material impact or whether the material impact + is directly linked to its own operations, products or services through a business + relationship. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 30 + description: "Given that material negative impacts affecting value chain workers\ + \ that have occurred during the reporting period may also be linked to entities\ + \ or operations outside its direct control, the undertaking may disclose whether\ + \ and how it seeks to use its leverage in its business relationships to manage\ + \ those impacts. This may include using commercial leverage (for example,\ + \ enforcing contractual requirements with business relationships or implementing\ + \ incentives), other forms of leverage within the relationship (such as providing\ + \ training or capacity-building on workers\u2019 rights to entities with which\ + \ the undertaking has a business relationships) or collaborative leverage\ + \ with peers or other actors (such as initiatives aimed at responsible recruitment\ + \ or ensuring workers receive an adequate wage)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 31 + description: When the undertaking discloses its participation in an industry + or multi-stakeholder initiative as part of its actions to address material + negative impacts, the undertaking may disclose how the initiative, and its + own involvement, is aiming to address the material impact concerned. It may + disclose under ESRS S2-5 the relevant targets set by the initiative and progress + towards them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 32 + description: When disclosing whether and how the undertaking considers actual + and potential impacts on value chain workers in decisions to terminate business + relationships and whether and how it seeks to address any negative impacts + that may result from termination, the undertaking may include examples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 33 + description: In disclosing how it tracks the effectiveness of its actions to + manage material impacts during the reporting period, the undertaking may disclose + any lessons learned from the previous and current reporting periods. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 34 + description: Processes used to track the effectiveness of actions can include + internal or external auditing or verification, court proceedings and/or related + court decisions, impact assessments, measurement systems, stakeholder feedback, + grievance mechanisms, external performance ratings, and benchmarking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 35 + description: "Reporting on effectiveness is aimed at enabling the understanding\ + \ of the links between actions taken by the undertaking and the effective\ + \ management of impacts. For example, to show the effectiveness of its actions\ + \ to support its suppliers with improving their working conditions, the undertaking\ + \ may disclose survey feedback from the suppliers\u2019 workers showing that\ + \ working conditions have improved since the time the undertaking began working\ + \ with those suppliers. Additional information that the undertaking may provide\ + \ includes data showing a decrease in the number of incidents identified through\ + \ for instance, independent audits." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 36 + description: "With regard to initiatives or processes the undertaking has in\ + \ place that are based on affected workers\u2019 needs and with regard to\ + \ progress in the implementation of such initiatives or processes, the undertaking\ + \ may disclose:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-36.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-36 + ref_id: S2-4 AR 36.a + description: information about whether and how value chain workers and legitimate + representatives or their credible proxies play a role in decisions regarding + the design and implementation of these programmes or processes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-36.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-36 + ref_id: S2-4 AR 36.b + description: information about the intended or achieved positive outcomes for + value chain workers of these initiatives or processes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 37 + description: "The undertaking may disclose whether any initiatives or processes\ + \ whose primary aim is to deliver positive impacts for value chain workers\ + \ are designed also to support the achievement of one or more of the UN Sustainable\ + \ Development Goals (SDGs). For example, through a commitment to advance UN\ + \ SDG 8 to \u2018promote sustained, inclusive and sustainable economic growth,\ + \ full and productive employment and decent work for all\u2019 the undertaking\ + \ may be providing capacity-building to smallholders in its supply chain,\ + \ resulting in increases in their income; or it may be supporting training\ + \ to increase the proportion of women able to take delivery jobs in its downstream\ + \ value chain." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 38 + description: When disclosing the intended or achieved positive outcomes of its + actions for value chain workers a distinction is to be made between evidence + of certain activities having occurred (e.g., that x number of workers have + received financial literacy training) from evidence of actual outcomes for + workers (e.g., that x workers report that they are able to better manage their + household budgets so as to meet their savings goals). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 39 + description: "When disclosing whether initiatives or processes also play a role\ + \ in mitigating material negative impacts, the undertaking may e.g., consider\ + \ programmes that aim to advance women workers\u2019 financial literacy that\ + \ have resulted in more women being promoted as well as in reports of reduced\ + \ sexual harassment in the workplace." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 40 + description: "When disclosing the material risks and opportunities related to\ + \ the undertaking\u2019s impacts or dependencies on value chain workers, the\ + \ undertaking may consider the following:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40 + ref_id: S2-4 AR 40.a + description: "risks related to the undertaking\u2019s impacts on value chain\ + \ workers may include the reputational or legal exposure where value chain\ + \ workers are found to be subject to forced labour or child labour;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40 + ref_id: S2-4 AR 40.b + description: "risks related to the undertaking\u2019s dependencies on value\ + \ chain workers may include disruption of business operations where a pandemic\ + \ closes significant parts of its supply chain or distribution network;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40 + ref_id: S2-4 AR 40.c + description: "opportunities related to the undertaking\u2019s impacts on value\ + \ chain workers may include market differentiation and greater customer appeal\ + \ from guaranteeing decent pay and conditions for non- employee workers; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-40 + ref_id: S2-4 AR 40.d + description: "opportunities related to the undertaking\u2019s dependencies on\ + \ value chain workers might include the achievement of a future sustainable\ + \ supply of a commodity by ensuring smallholder farmers earn enough to persuade\ + \ future generations to keep farming that crop." + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 41 + description: When disclosing whether dependencies turn into risks, the undertaking + shall consider external developments. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 42 + description: When disclosing policies, actions and resources and targets related + to the management of material risks and opportunities, in cases where risks + and opportunities arise from a material impact, the undertaking may cross-reference + its disclosures on policies, action and resources and targets in relation + to that impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 43 + description: The undertaking shall consider whether and how its process(es) + to manage material risks related to value chain workers are integrated into + its existing risk management process(es). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar-44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-4-ar + ref_id: S2-4 AR 44 + description: When disclosing the resources allocated to the management of material + impacts, the undertaking may disclose which internal functions are involved + in managing the impacts and what types of action they take to address negative + and advance positive impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:node622 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node550 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node622 + ref_id: S2-5 AR + name: Disclosure Requirement S2-5 + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar + ref_id: S2-5 AR 45 + description: 'When disclosing information about targets in accordance with paragraph + 39, the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45 + ref_id: S2-5 AR 45.a + description: the intended outcomes to be achieved in the lives of value chain + workers, being as specific as possible; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45 + ref_id: S2-5 AR 45.b + description: the stability of the targets over time in terms of definitions + and methodologies to enable comparability over time; + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-45 + ref_id: S2-5 AR 45.c + description: the standards or commitments on which the targets are based (for + instance codes of conduct, sourcing policies, global frameworks or industry + codes). + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar + ref_id: S2-5 AR 46 + description: Targets related to material risks and opportunities may be the + same as or distinct from targets related to material impacts. For example, + a target to reach living wages for supply chain workers could both reduce + impacts on those workers and reduce associated risks in terms of the quality + and reliability of supply. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar + ref_id: S2-5 AR 47 + description: The undertaking may also distinguish between short-, medium- and + long-term targets covering the same policy commitment. For example, the undertaking + may have a long-term target to achieve an 80% reduction in health and safety + incidents affecting the workers of a given supplier by 2030 and a near-term + target to reduce their overtime hours of delivery drivers by x% while maintaining + their income by 2024. + - urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar-48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s2-5-ar + ref_id: S2-5 AR 48 + description: When modifying or replacing a target in the reporting period, the + undertaking may explain the change by cross-referencing it to significant + changes in the business model or to broader changes in the accepted standard + or legislation from which the target is derived to provide contextual information, + as per ESRS 2 BP-2 Disclosures in relation to specific circumstances. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3 + assessable: false + depth: 1 + ref_id: ESRS S3 + name: AFFECTED COMMUNITIES + - urn: urn:intuitem:risk:req_node:esrs_p3:node632 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node633 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node632 + description: "1. The objective of this Standard is to specify disclosure requirements\ + \ which will enable users of the sustainability statement to understand material\ + \ impacts on affected communities connected with the undertaking\u2019s own\ + \ operations and value chain, including through its products or services,\ + \ as well as through its business relationships, and its related material\ + \ risks and opportunities, including:\n(a) how the undertaking affects communities,\ + \ in areas where impacts are most likely to be present and severe, in terms\ + \ of material positive and negative actual or potential impacts;\n(b) any\ + \ actions taken, and the result of such actions, to prevent, mitigate or remediate\ + \ actual or potential negative impacts, and to address risks and opportunities;\n\ + (c) the nature, type and extent of the undertaking\u2019s material risks and\ + \ opportunities related to its impacts and dependencies on affected communities,\ + \ and how the undertaking manages them; and\n(d) the financial effects on\ + \ the undertaking over the short-, medium- and long-term of material risks\ + \ and opportunities arising from the undertaking\u2019s impacts and dependencies\ + \ on affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p3:node634 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node632 + description: "2. In order to meet the objective, this Standard requires an explanation\ + \ of the general approach the undertaking takes to identify and manage any\ + \ material actual and potential impacts on affected communities in relation\ + \ to:\n(a) communities\u2019 economic, social and cultural rights (for example,\ + \ adequate housing, adequate food, water and sanitation, land-related and\ + \ security-related impacts);\n(b) communities\u2019 civil and political rights\ + \ (for example, freedom of expression, freedom of assembly, impacts on human\ + \ rights defenders); and\n(c) particular rights of indigenous peoples (for\ + \ example, free, prior and informed consent, self-determination, cultural\ + \ rights)." + - urn: urn:intuitem:risk:req_node:esrs_p3:node635 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node632 + description: "3. This Standard also requires an explanation of how such impacts,\ + \ as well as the undertaking\u2019s dependencies on affected communities,\ + \ can create material risks or opportunities for the undertaking. For example,\ + \ negative relationships with affected communities may disrupt the undertaking\u2019\ + s own operations or harm its reputation, while constructive relationships\ + \ can bring business benefits, such as stable and conflict-free operations\ + \ and a greater ease of recruiting locally." + - urn: urn:intuitem:risk:req_node:esrs_p3:node636 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p3:node637 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node636 + description: 4. This standard applies when material impacts on and/or material + risks and opportunities related to affected communities have been identified + through the materiality assessment process laid out in ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:node638 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node636 + description: 5. This Standard shall be read in conjunction with ESRS 1 General + requirements, and ESRS 2, as well as the ESRS S1 Own workforce, ESRS S2 Workers + in the value chain and ESRS S4 Consumers and end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:node639 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node640 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node639 + name: ESRS 2 General disclosures + description: 6. The requirements of this section should be read in conjunction + with the disclosures required by ESRS 2 on Strategy (SBM). The resulting disclosures + shall be presented alongside the disclosures required by ESRS 2, except for + SBM-3 Material impacts, risks and opportunities and their interaction with + strategy and business model, for which the undertaking has an option to present + the disclosures alongside the topical disclosure. + - urn: urn:intuitem:risk:req_node:esrs_p3:node641 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node640 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node642 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node641 + name: 'Disclosure Requirement related to ESRS 2 SBM-2 ' + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-2-7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node642 + ref_id: S3.SBM-2-7 + description: When responding to ESRS 2 SBM-2, paragraph 43, the undertaking + shall disclose how the views, interests, and rights of affected communities, + including respect for their human rights (and their rights as indigenous peoples, + where applicable), inform its strategy and business model. Affected communities + are a key group of affected stakeholders. + - urn: urn:intuitem:risk:req_node:esrs_p3:node644 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node641 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node644 + ref_id: S3.SBM-3-8 + description: 'When responding to ESRS 2 SBM-3 paragraph 48, the undertaking + shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-8.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-8 + ref_id: S3.SBM-3-8.a + description: "whether and how actual and potential impacts on affected communities\ + \ as identified in ESRS 2 IRO-1 Description of the processes to identify and\ + \ assess material impacts, risks and opportunities: (i) originate from or\ + \ are connected to the undertaking\u2019s strategy and business models, and\ + \ (ii) inform and contribute to adapting the undertaking\u2019s strategy and\ + \ business model; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-8.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-8 + ref_id: S3.SBM-3-8.b + description: the relationship between its material risks and opportunities arising + from impacts and dependencies on affected communities and its strategy and + business model. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node644 + ref_id: S3.SBM-3-9 + description: "When fulfilling the requirements of paragraph 48, the undertaking\ + \ shall disclose whether all affected communities who are likely to be materially\ + \ impacted by the undertaking, including impacts that are connected with the\ + \ undertaking\u2019s own operations and value chain, including through its\ + \ products or services, as well as through its business relationships, are\ + \ included in the scope of its disclosure under ESRS 2. In addition, the undertaking\ + \ shall provide the following information:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9 + ref_id: S3.SBM-3-9.a + description: 'a brief description of the types of communities subject to material + impacts by its own operations or through its upstream and downstream value + chain, and specify whether they are:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a + ref_id: S3.SBM-3-9.a.i + description: "communities living or working around the undertaking\u2019s operating\ + \ sites, factories, facilities or other physical operations, or more remote\ + \ communities affected by activities at those sites (for example by downstream\ + \ water pollution);" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a + ref_id: S3.SBM-3-9.a.ii + description: "communities along the undertaking\u2019s value chain (for example,\ + \ those affected by the operations of suppliers facilities or by the activities\ + \ of logistics or distribution providers);" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a + ref_id: S3.SBM-3-9.a.iii + description: communities at one or both endpoints of the value chain (for example, + at the point of extraction of metals or minerals or harvesting of commodities, + or communities around waste or recycling sites); + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.a + ref_id: S3.SBM-3-9.a.iv + description: communities of indigenous peoples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9 + ref_id: S3.SBM-3-9.b + description: "in the case of material negative impacts, whether they are either\ + \ (i) widespread or systemic in contexts where the undertaking operates or\ + \ has sourcing or other business relationships (for example, marginalised\ + \ populations suffering impacts on their health and quality of life in a highly\ + \ industrialised area), or (ii) related to individual incidents in the undertaking\u2019\ + s own operations (e.g., a toxic waste spill affecting a community\u2019s access\ + \ to clean drinking water) or in a specific business relationship (e.g., a\ + \ peaceful protest by communities against business operations that was met\ + \ with a violent response from the undertaking\u2019s security services).\ + \ This includes consideration of impacts on affected communities that may\ + \ arise from the transition to greener and climate- neutral operations. Potential\ + \ impacts include impacts associated with innovation and restructuring, closure\ + \ of mines, increased mining of minerals needed for the transition to a sustainable\ + \ economy and solar panel production;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9 + ref_id: S3.SBM-3-9.c + description: in the case of material positive impacts, a brief description of + the activities that result in the positive impacts (for example, capacity- + building to support more and new forms of local livelihoods) and the types + of communities that are positively affected or could be positively affected; + the undertaking may also disclose whether the positive impacts occur in specific + countries or regions; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-9 + ref_id: S3.SBM-3-9.d + description: any material risks and opportunities for the business arising from + impacts and dependencies on affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node644 + ref_id: S3.SBM-3-10 + description: In describing the main types of communities who are or could be + negatively affected, based on the materiality assessment set out in Disclosure + Requirement ESRS 2 IRO-1, the undertaking shall disclose whether and how it + has developed an understanding of how affected communities with particular + characteristics or those living in particular contexts, or those undertaking + particular activities may be at greater risk of harm. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node644 + ref_id: S3.SBM-3-11 + description: The undertaking shall disclose which, if any, of its material risks + and opportunities arising from impacts and dependencies on affected communities + relate to specific groups of affected communities rather than to all affected + communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:node659 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node640 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node659 + ref_id: S3-1 + name: Disclosure Requirement S3-1 + description: Policies related to affected communities + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-12 + description: The undertaking shall describe its policies adopted to manage its + material impacts on affected communities, as well as associated material risks + and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-13 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of material impacts on affected + communities specifically, as well as policies that cover material risks or + opportunities related to affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-14 + description: "The disclosure required by paragraph 12 shall contain the information\ + \ on the undertaking\u2019s policies to manage its material impacts, risks\ + \ and opportunities related to affected communities in accordance with ESRS\ + \ 2 MDR-P Policies adopted to manage material sustainability matters. In addition,\ + \ the undertaking shall specify if such policies cover specific affected communities\ + \ or all affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-15 + description: The undertaking shall disclose any particular policy provisions + for preventing and addressing impacts on indigenous peoples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-16 + description: 'The undertaking shall describe its human rights policy commitments + ( 120 ) that are relevant to affected communities, including those processes + and mechanisms to monitor compliance with the UN Guiding Principles on Business + and Human Rights, ILO Declaration on Fundamental Principles and Rights at + Work or OECD Guidelines for Multinational Enterprises. In its disclosure it + shall focus on those matters that are material in relation to ( 121 ), as + well as its general approach to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16 + ref_id: S3-1-16.a + description: respect for the human rights of communities, and indigenous peoples + specifically; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16 + ref_id: S3-1-16.b + description: engagement with affected communities; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-16 + ref_id: S3-1-16.c + description: measures to provide and/or enable remedy for human rights impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-17 + description: The undertaking shall disclose whether and how its policies with + regard to affected communities are aligned with internationally recognised + standards relevant to communities and indigenous peoples specifically, including + the United Nations (UN) Guiding Principles on Business and Human Rights. The + undertaking shall also disclose the extent to which cases of non-respect of + the UN Guiding Principles on Business and Human Rights, ILO Declaration on + Fundamental Principles and Rights at Work or OECD Guidelines for Multinational + Enterprises that involve affected communities have been reported in its own + operations or in its upstream and downstream value chain and, if applicable, + an indication of the nature of such cases ( 122 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1 + ref_id: S3-1-18 + description: The policy may take the form of a stand-alone policy regarding + communities or be included in a broader document such as a code of ethics + or a general sustainability policy that has already been disclosed by the + undertaking as part of another ESRS. In those cases, the undertaking shall + provide an accurate cross-reference to identify the aspects of the policy + that satisfy the requirements of this Disclosure Requirement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node659 + ref_id: S3-2 + name: Disclosure Requirement S3-2 + description: Processes for engaging with affected communities about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-19 + description: The undertaking shall disclose its general processes for engaging + with affected communities and their representatives about actual and potential + impacts on them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-20 + description: The objective of this Disclosure Requirement is to enable an understanding + of whether and how the undertaking engages, as part of its ongoing due diligence + process, with affected communities, their legitimate representatives, or with + credible proxies, about material actual and potential positive and/or negative + impacts that do or are likely to affect them, and whether and how perspectives + of affected communities are taken into account in the decision-making processes + of the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-21 + description: 'The undertaking shall disclose whether and how the perspectives + of affected communities inform its decisions or activities aimed at managing + actual and potential impacts on communities. This shall include, where relevant, + an explanation of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21 + ref_id: S3-1-21.a + description: whether engagement occurs with affected communities or their legitimate + representatives directly, or with credible proxies that have insight into + their situation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21 + ref_id: S3-1-21.b + description: the stage(s) at which engagement occurs, the type of engagement, + and the frequency of the engagement; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21 + ref_id: S3-1-21.c + description: "the function and the most senior role within the undertaking that\ + \ has operational responsibility for ensuring this engagement happens, and\ + \ that the results inform the undertaking\u2019s approach;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-21 + ref_id: S3-1-21.d + description: where applicable, how the undertaking assesses the effectiveness + of its engagement with affected communities, including, where relevant, any + agreements or outcomes that result. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-22 + description: Where applicable, the undertaking shall disclose the steps it takes + to gain insight into the perspectives of affected communities that may be + particularly vulnerable to impacts and/or marginalised, and into the perspective + of specific groups within the affected communities, such as women and girls. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-23 + description: 'Where affected communities are indigenous peoples, the undertaking + shall also disclose how it takes into account and ensures respect of their + particular rights in its stakeholder engagement approach, including their + right to free, prior and informed consent with regard to: (i) their cultural, + intellectual, religious and spiritual property; (ii) activities affecting + their lands and territories; and (iii) legislative or administrative measures + that affect them. In particular, where engagement occurs with indigenous peoples, + the undertaking shall also disclose whether and how indigenous peoples have + been consulted on the mode and parameters of the engagement (for example, + in designing the agenda, nature, and timeliness of the engagement).' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2 + ref_id: S3-1-24 + description: If the undertaking cannot disclose the above required information + because it has not adopted a general process to engage with affected communities, + it shall disclose this to be the case. It may disclose a timeframe in which + it aims to have such a process in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node659 + ref_id: S3-3 + name: Disclosure Requirement S3-3 + description: Processes to remediate negative impacts and channels for affected + communities to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + ref_id: S3-3-25 + description: The undertaking shall describe the processes it has in place to + provide for or cooperate in the remediation of negative impacts on affected + communities that the undertaking is connected with, as well as channels available + to affected communities to raise concerns and have them addressed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + ref_id: S3-3-26 + description: The objective of this Disclosure Requirement is to enable an understanding + of the formal means by which affected communities can make their concerns + and needs known directly to the undertaking, and/or through which the undertaking + supports the availability of such channels (for example, grievance mechanisms) + by its business relationships, how follow up is performed with these communities + regarding the issues raised, and the effectiveness of these channels. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + ref_id: S3-3-27 + description: 'The undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27 + ref_id: S3-3-27.a + description: its general approach to and processes for providing or contributing + to remedy where it has identified that it has caused or contributed to a material + negative impact on affected communities, including whether and how the undertaking + assesses that the remedy provided is effective; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27 + ref_id: S3-3-27.b + description: any specific channels it has in place for affected communities + to raise their concerns or needs directly with the undertaking and have them + addressed, including whether these are established by the undertaking itself + and/or through participation in third-party mechanisms; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27 + ref_id: S3-3-27.c + description: its processes through which the undertaking supports the availability + of such channels by its business relationships; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-27 + ref_id: S3-3-27.d + description: how it tracks and monitors issues raised and addressed, and how + it ensures the effectiveness of the channels, including through involvement + of stakeholders who are the intended users of those channels. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + ref_id: S3-3-28 + description: The undertaking shall disclose whether and how it assesses that + affected communities are aware of and trust these structures or processes + as a way to raise their concerns or needs and have them addressed. In addition, + the undertaking shall disclose whether it has policies in place regarding + the protection of individuals that use them against retaliation. If such information + has been disclosed in accordance with ESRS G1-1, the undertaking may refer + to that information. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3 + ref_id: S3-3-29 + description: If the undertaking cannot disclose the above required information + because it has not adopted a channel for raising concerns and/or does not + support the availability of such a channel by its business relationships, + it shall disclose this to be the case. It may disclose a timeframe in which + it aims to have such a channel or processes in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node659 + ref_id: S3-4 + name: Disclosure Requirement S3-4 + description: Taking action on material impacts on affected communities, and + approaches to managing material risks and pursuing material opportunities + related to affected communities, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-30 + description: The undertaking shall disclose how it takes action to address material + impacts on affected communities, and to manage material risks and pursue material + opportunities related to affected communities and the effectiveness of those + actions. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-31 + description: 'The objective of this Disclosure Requirement is twofold. Firstly, + it is to provide an understanding of any actions and initiatives through which + the undertaking seeks to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31 + ref_id: S3-4-31.a + description: prevent, mitigate and remediate the negative material impacts on + affected communities; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31 + ref_id: S3-4-31.b + description: achieve positive material impacts for affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:node697 + assessable: false + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31 + description: Secondly, it is to enable an understanding of the ways in which + the undertaking is addressing the material risks and pursuing the material + opportunities related to affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:node698 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-31 + description: The undertaking shall provide a summarised description of the action + plans and resources to manage its material impacts, risks, and opportunities + related to affected communities as per ESRS 2 MDR-A Actions and resources + in relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-32 + description: 'In relation to material impacts, the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32 + ref_id: S3-4-32.a + description: actions taken, planned or underway to prevent or mitigate material + negative impacts on affected communities; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32 + ref_id: S3-4-32.b + description: whether and how it has taken action to provide or enable remedy + in relation to an actual material impact; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32 + ref_id: S3-4-32.c + description: any additional actions or initiatives it has in place with the + primary purpose of delivering positive impacts for affected communities; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-32 + ref_id: S3-4-32.d + description: how it tracks and assesses the effectiveness of these actions and + intiatives in delivering intended outcomes for affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-33 + description: 'In relation to paragraph 30, the undertaking shall describe: ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33 + ref_id: S3-4-33.a + description: the processes through which it identifies what action is needed + and appropriate in response to a particular actual or potential negative impact + on affected communities; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33 + ref_id: S3-4-33.b + description: its approach to taking action in relation to specific material + negative impacts on communities, including any action in relation to its own + practices regarding land acquisition, planning and construction, operation + or closure practices, as well as whether wider industry or collaborative action + with other relevant parties will be required; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-33 + ref_id: S3-4-33.c + description: how it ensures that processes to provide or enable remedy in the + event of material negative impacts are available and effective in their implementation + and outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-34 + description: 'In relation to material risks and opportunities, the undertaking + shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-34.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-34 + ref_id: S3-4-34.a + description: what action is planned or underway to mitigate material risks for + the undertaking arising from its impacts and dependencies on affected communities + and how it tracks effectiveness in practice; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-34.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-34 + ref_id: S3-4-34.b + description: what action is planned or underway to pursue material opportunities + for the undertaking in relation to affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-35 + description: The undertaking shall disclose whether and how it takes action + to avoid causing or contributing to material negative impacts on affected + communities through its own practices, including, where relevant, in relation + to planning, land acquisition and exploitation, finance, extraction or production + of raw materials, use of natural resources, and management of environmental + impacts. This may include disclosing what approach is taken when tensions + arise between the prevention or mitigation of material negative impacts and + other business pressures. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-36 + description: The undertaking shall also disclose whether severe human rights + issues and incidents connected to affected communities have been reported + and, if applicable, disclose these ( 123 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-37 + description: When disclosing the information required under paragraph 32 (d), + the undertaking shall consider ESRS 2 MDR-T Tracking effectiveness of policies + and actions through targets if it evaluates the effectiveness of an action + by setting a target. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4 + ref_id: S3-4-38 + description: The undertaking shall disclose what resources are allocated to + the management of its material impacts, with information that enables users + to gain an understanding of how the material impacts are managed. + - urn: urn:intuitem:risk:req_node:esrs_p3:node715 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node640 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node715 + ref_id: S3-5 + name: Disclosure Requirement S3-5 + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5 + ref_id: S3-5-39 + description: 'The undertaking shall disclose the time-bound and outcome- oriented + targets it may have set related to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39 + ref_id: S3-5-39.a + description: reducing negative impacts on affected communities; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39 + ref_id: S3-5-39.b + description: advancing positive impacts on affected communities; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-39 + ref_id: S3-5-39.c + description: managing material risks and opportunities related to affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5 + ref_id: S3-5-40 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking is using time-bound and outcome-oriented + targets to drive and measure its progress in addressing material negative + impacts, and/or advancing positive impacts on affected communities, and/or + in managing material risks and opportunities related to affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5 + ref_id: S3-5-41 + description: The summarised description of the targets to manage its material + impacts, risks and opportunities related to affected communities shall contain + the information requirements defined in ESRS 2 MDR-T. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5 + ref_id: S3-5-42 + description: 'The undertaking shall disclose the process for setting the targets, + including whether and how the undertaking engaged directly with affected communities, + their legitimate representatives, or with credible proxies that have insight + into their situation in:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42 + ref_id: S3-5-42.a + description: setting any such targets; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42 + ref_id: S3-5-42.b + description: "tracking the undertaking\u2019s performance against them; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-42 + ref_id: S3-5-42.c + description: "identifying, any, lessons or improvements as a result of the undertaking\u2019\ + s performance." + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3-appendix-a + assessable: false + depth: 1 + ref_id: ESRS S3-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node728 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3-appendix-a + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node729 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node728 + description: AR 1. The overview of social and human rights matters provided + in paragraph 2 is not meant to imply that all of these issues should be disclosed + in each Disclosure Requirement in this Standard. Rather, it provides a list + of matters that the undertaking shall consider in its materiality assessment + (ref. to ESRS 1 chapter 3 Double materiality as the basis for sustainability + disclosures and ESRS 2 IRO-1) related to affected communities and, as appropriate, + disclose as material impacts, risks and opportunities within the scope of + this Standard. + - urn: urn:intuitem:risk:req_node:esrs_p3:node730 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node728 + description: "AR 2. In addition to the issues listed in paragraph 2, the undertaking\ + \ may also consider disclosing information about other issues relevant to\ + \ a material impact for a shorter period of time, for instance initiatives\ + \ regarding the impacts on communities related to the undertaking\u2019s operations\ + \ due to extreme and sudden weather conditions." + - urn: urn:intuitem:risk:req_node:esrs_p3:node731 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s3-appendix-a + name: ESRS 2 General Disclosures + - urn: urn:intuitem:risk:req_node:esrs_p3:node732 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node731 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node733 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node732 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-2.ar-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node733 + ref_id: S3.SBM-2.AR-3 + description: Disclosure Requirement ESRS 2 SBM-2 requires the undertaking to + provide an understanding of if and how it considers the role that its strategy + and business model may play in creating, exacerbating or mitigating significant + material impacts on affected communities, and whether and how the business + model and strategy are adapted to address such material impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-2.ar-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node733 + ref_id: S3.SBM-2.AR-4 + description: "While affected communities may not be engaging with the undertaking\ + \ at the level of its strategy or business model, their views can inform the\ + \ undertaking\u2019s assessment of its strategy and business model. The undertaking\ + \ may disclose the views of affected communities and affected communities'\ + \ representatives." + - urn: urn:intuitem:risk:req_node:esrs_p3:node736 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node732 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3.ar-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node736 + ref_id: S3.SBM-3.AR-5 + description: "Impacts on affected communities can originate in the undertaking\u2019\ + s strategy or business model in a number of different ways. For example, impacts\ + \ may relate to the undertaking\u2019s value proposition (such as, construction\ + \ or commencement of projects with timelines that do not allow sufficient\ + \ time for consultation with groups affected by the projects), its value chain\ + \ (for example, land-use in countries in which ownership is often contested\ + \ or records are unreliable or in which land-users such as indigenous peoples\ + \ are unrecognised), or its cost structure and the revenue model (such as,\ + \ aggressive strategies to minimise taxation, particularly with respect to\ + \ operations in developing countries)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3.ar-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node736 + ref_id: S3.SBM-3.AR-6 + description: "Impacts on affected communities that originate in the strategy\ + \ or business model can also bring material risks to the undertaking. For\ + \ example, where the undertaking\u2019s strategy involves moving into higher\ + \ risk geographies in pursuit of certain commodities, and if affected communities\ + \ resist its presence or object to its local practices, this may create extensive\ + \ and costly delays, and affect the undertaking\u2019s ability to secure future\ + \ land concessions or permits. Similarly, if the undertaking\u2019s business\ + \ model relies on intensive water extraction at its plants, to the extent\ + \ that it affects access to water for communities\u2019 consumption, hygiene\ + \ and livelihoods, this may result in reputationally-damaging boycotts, complaints\ + \ and lawsuits." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3.ar-7 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node736 + ref_id: S3.SBM-3.AR-7 + description: "Examples of particular characteristics of affected communities\ + \ that may be considered by the undertaking when responding to paragraph 10\ + \ may be an affected community that is physically or economically isolated\ + \ and is particularly susceptible to introduced diseases or has limited access\ + \ to social services and therefore relies on infrastructure set up by the\ + \ undertaking. It may be because where land worked by women is purchased by\ + \ the undertaking and payments go to male heads of households, women become\ + \ further disenfranchised in the community. It may also be because the community\ + \ is indigenous, and its members seek to exercise cultural or economic rights\ + \ to the land owned or used by the undertaking \u2013 or by one of the entities\ + \ with which it has a business relationship \u2013 in a context where their\ + \ rights are not protected by the state. In addition, the undertaking shall\ + \ consider whether different characteristics overlap. For example, characteristics\ + \ such as ethnicity, socioeconomic status, migrant status and gender may create\ + \ overlapping risks of harm for certain affected communities, or for distinct\ + \ parts of those affected communities, since affected communities are often\ + \ heterogeneous in nature." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3.sbm-3.ar-8 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node736 + ref_id: S3.SBM-3.AR-8 + description: "With regard to paragraph 11, material risks could also arise because\ + \ of the undertaking\u2019s dependency on affected communities where low likelihood\ + \ but high impact events may trigger financial effects; for example, where\ + \ a natural disaster leads to a catastrophic industrial accident involving\ + \ the undertaking\u2019s operations, resulting in severe harm to affected\ + \ communities." + - urn: urn:intuitem:risk:req_node:esrs_p3:node741 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node731 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node741 + ref_id: S3-1 AR + name: Disclosure Requirement S3-1 + description: Policies related to affected communities + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar + ref_id: S3-1 AR 9 + description: The description shall include the key information necessary to + ensure a faithful representation of the policies in relation to affected communities + and, therefore, the undertaking shall consider explanations of significant + changes to the policies adopted during the reporting year (for example, new + or additional approaches to engagement, due diligence and remedy). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar + ref_id: S3-1 AR 10 + description: "When disclosing the alignment of its policies with the UN Guiding\ + \ Principles on Business and Human Rights, the undertaking shall consider\ + \ that the Guiding Principles refer to the International Bill of Rights, which\ + \ consists of the Universal Declaration of Human Rights and the two Covenants\ + \ that implement it, as well as the UN Declaration on the Rights of Indigenous\ + \ Peoples, the International Labour Organisation\u2019s Convention concerning\ + \ Indigenous and Tribal Peoples (ILO No. 169) and the core conventions that\ + \ underpin it, and may disclose its alignment with these instruments." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar + ref_id: S3-1 AR 11 + description: "The undertaking may provide an illustration of the types of communication\ + \ of its policies to those individuals, group of individuals or entities for\ + \ whom they are relevant, either because they are expected to implement them\ + \ (for example, the undertaking\u2019s employees, contractors and suppliers),\ + \ or because they have a direct interest in their implementation (for example,\ + \ own workers, investors). It may disclose communication tools and channels\ + \ (for example, flyers, newsletters, dedicated websites, social media, face\ + \ to face interactions, workers\u2019 representatives), aimed at ensuring\ + \ that the policy is accessible and that different audiences understand its\ + \ implications. The undertaking may also explain how it identifies and removes\ + \ potential barriers for dissemination, such as through translation into relevant\ + \ languages or the use of graphic depictions." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-1-ar + ref_id: S3-1 AR 12 + description: When disclosing severe human rights issues and incidents connected + to affected communities, the undertaking shall consider any legal disputes + related to land rights and to the free, prior and informed consent of indigenous + peoples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node741 + ref_id: S3-2 AR + name: Disclosure Requirement S3-2 + description: Processes for engaging with affected communities about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar + ref_id: S3-2 AR 13 + description: Explanations of how the undertaking takes into account and ensures + respect of the right of indigenous peoples to free, prior and informed consent + may include information about processes to consult with indigenous peoples + to obtain such consent. The undertaking shall consider how the consultation + includes a good faith negotiation with affected indigenous peoples to obtain + their free, prior and informed consent where the undertaking affects the lands, + territories or resources that indigenous peoples customarily own, occupy or + otherwise use; or relocates them from land or territories subject to traditional + ownership or under customary use or occupation; or affects or exploits their + cultural, intellectual, religious and spiritual property. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar + ref_id: S3-2 AR 14 + description: When describing which function or role has operational responsibility + for such engagement and/or ultimate accountability, the undertaking may disclose + whether this is a dedicated role or function or part of a broader role or + function, and whether any capacity building activities have been offered to + support the staff to undertake engagement. If it cannot identify such a position + or function, it may state that this is the case. This disclosure could also + be fulfilled by making reference to information disclosed according to ESRS + 2 GOV-1 The role of the administrative, management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar + ref_id: S3-2 AR 15 + description: 'When preparing the disclosures described in paragraph 21 b) and + c), the following illustrations may be considered: ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15 + ref_id: S3-2 AR 15.a + description: examples of stages at which engagement occurs are i) determining + the approach to mitigation and ii) evaluating the effectiveness of mitigation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15 + ref_id: S3-2 AR 15.b + description: for type of engagement, these could be participation, consultation + and/or information; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15 + ref_id: S3-2 AR 15.c + description: for the frequency of the engagement, information may be provided + on whether engagement occurs on a regular basis, at certain points in a project + or business process; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-15 + ref_id: S3-2 AR 15.d + description: "for the role with operational responsibility, whether the undertaking\ + \ requires relevant staff to have certain skills, or whether it provides training\ + \ or capacity building to relevant staff to undertake engagement. In the case\ + \ of material impacts, risks and opportunities related to indigenous peoples,\ + \ this includes training on indigenous people\u2019s rights, including on\ + \ free, prior and informed consent." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-2-ar + ref_id: S3-2 AR 16 + description: To illustrate how the perspectives of communities have informed + specific decisions or activities of the undertaking, the undertaking may provide + examples from the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node741 + ref_id: S3-3 AR + name: Disclosure Requirement S3-3 + description: Processes to remediate negative impacts and channels for affected + communities to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 17 + description: In fulfilling the requirements set out by Disclosure Requirement + ESRS S3-3, the undertaking may be guided by the content of the UN Guiding + Principles on Business and Human Rights and the OECD Guidelines for Multinational + Enterprises focused on remediation and grievance mechanisms. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 18 + description: Channels for raising concerns or needs, include grievance mechanisms, + hotlines, dialogue processes or other means through which affected communities + or their legitimate representatives can raise concerns about impacts or explain + needs that they would like the undertaking to address. This could include + channels provided by the undertaking directly, in addition to any other mechanisms + the undertaking may use to gain insight into the management of impacts on + communities, such as compliance audits. Where the undertaking is relying solely + on information about the existence of such channels provided by its business + relationships to answer this requirement, it may state that. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 19 + description: To provide greater insight into the information covered in ESRS + S3-3, the undertaking may explain whether and how communities that may be + affected are able to access channels at the level of the undertaking they + are affected by, in relation to each material impact. Relevant insights include + information on whether affected communities can access channels in a language + they understand, and whether they have been consulted in the design of such + channels. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 20 + description: Third party mechanisms could include those operated by the government, + NGOs, industry associations and other collaborative initiatives. The undertaking + may disclose whether these are accessible to all affected communities who + may be potentially or actually materially impacted by the undertaking, or + individuals or organisations acting on their behalf or who are otherwise in + a position to be aware of negative impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 21 + description: In relation to the protection of individuals that use the mechanisms + against retaliation, the undertaking may describe whether it treats grievances + confidentially and with respect to the rights of privacy and data protection; + and whether to the mechanisms can be used anonymously (for example, through + representation by a third party). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 22 + description: When disclosing processes related to providing and enabling remedy + for indigenous peoples, relevant information includes whether and how the + undertaking has considered their customs, traditions, rules and legal systems. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 23 + description: In disclosing whether and how the undertaking knows that affected + communities are aware of and trust any of these channels, the undertaking + may provide relevant and reliable data about the effectiveness of these channels + from the perspective of affected communities themselves. Examples of sources + of information are surveys of community members that have used such channels + and their levels of satisfaction with the process and outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar + ref_id: S3-3 AR 24 + description: "In describing the effectiveness of channels for affected communities\ + \ to raise concerns, the undertaking may be guided by the following questions,\ + \ based on the \u2018effectiveness criteria for non- judicial grievance mechanisms\u2019\ + , as laid out in the UN Guiding Principles on Business and Human Rights, in\ + \ particular Principle 31. The below considerations may be applied on an individual\ + \ channel basis or for the collective system of channels:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.a + description: do the channels hold legitimacy by providing appropriate accountability + for their fair conduct and building stakeholder trust? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.b + description: are the channels known and accessible to stakeholders? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.c + description: do the channels have clear and known procedures, set timeframes + and clarity on the processes? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.d + description: do the channels ensure reasonable access to sources of information, + advice and expertise? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.e + description: do the channels offer transparency by providing sufficient information + both to complainants and, where applicable, to meet any public interest at + stake? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.f + description: do the outcomes achieved through the channels accord with internationally + recognised human rights? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.g + description: does the undertaking identify insights from the channels that support + continuous learning in both improving the channels and preventing future impacts? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-3-ar-24 + ref_id: S3-3 AR 24.h + description: does the undertaking focus on dialogue with complainants as the + means to reach agreed solutions, rather than seeking to unilaterally determine + the outcome? + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node741 + ref_id: S3-4 AR + name: Disclosure Requirement S3-4 + description: Taking action on material impacts on affected communities, and + approaches to managing material risks and pursuing material opportunities + related to affected communities, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 25 + description: 'It may take time to understand negative impacts and how the undertaking + may be involved with them through its value chain, as well as to identify + appropriate responses and put them into practice. Therefore, the undertaking + shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25 + ref_id: S3-4 AR 25.a + description: its general and specific approaches to addressing material negative + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25 + ref_id: S3-4 AR 25.b + description: its social investment or other development programmes aimed at + contributing to additional material positive impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25 + ref_id: S3-4 AR 25.c + description: how far it has progressed in its efforts during the reporting period; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-25 + ref_id: S3-4 AR 25.d + description: its aims for continued improvement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 26 + description: Appropriate action can vary according to whether the undertaking + causes or contributes to a material impact, or whether the material impact + is directly linked to its own operations, products or services through a business + relationship. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 27 + description: Given that material negative impacts affecting communities that + have occurred during the reporting period may also be linked to entities or + operations outside its direct control, the undertaking may disclose whether + and how it seeks to use its leverage in its business relationships to manage + those impacts. This may include using commercial leverage (for example, enforcing + contractual requirements with business relationships or implementing incentives), + other forms of leverage within the relationship (such as providing training + or capacity-building on the rights of indigenous peoples to entities with + which the undertaking has a business relationships) or collaborative leverage + with peers or other actors (such as initiatives aimed at minimising security-related + impacts on communities or participating in company-community partnerships). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 28 + description: 'Impacts on communities may stem from environmental matters which + are disclosed by the undertaking under the ESRS E1 to E5. Examples include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + ref_id: S3-4 AR 28.a + description: "ESRS E1 Climate Change: The implementation of climate change mitigation\ + \ plans may require the undertaking to invest in renewable energy projects\ + \ that may affect the lands, territories and natural resources of indigenous\ + \ peoples. If the undertaking does not consult with the affected indigenous\ + \ peoples , it could negatively impact the affected communities\u2019 right\ + \ to free, prior and informed consent;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + ref_id: S3-4 AR 28.b + description: 'ESRS E2 Pollution: The undertaking may negatively impact affected + communities by failing to protect them from pollution from a particular production + facility that causes them health- related issues;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + ref_id: S3-4 AR 28.c + description: 'ESRS E3 Water and marine sources: The undertaking may negatively + impact the access to clean drinking water of communities when withdrawing + water in water stressed areas;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + ref_id: S3-4 AR 28.d + description: 'ESRS E4 Biodiversity and ecosystems: The undertaking may negatively + affect the livelihood of local farmers through operations that contaminate + soil. Additional examples include the sealing of land through building new + infrastructure, which can eradicate plant species that are critical for, for + example, local biodiversity or to filter water for communities; or the introduction + of invasive species (whether plants or animals) that can impact ecosystems + and cause subsequent harm;' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + ref_id: S3-4 AR 28.e + description: 'ESRS E5 Resource use and circular economy: The undertaking may + negatively impact the lives of communities by affecting their health through + the mismanagement of hazardous waste.' + - urn: urn:intuitem:risk:req_node:esrs_p3:node787 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-28 + description: Where the connection between environmental impacts and local communities + is addressed in the disclosures within the Disclosure Requirements ESRS E1-E5, + the undertaking may cross-reference to those and clearly identify such disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 29 + description: When the undertaking discloses its participation in an industry + or multi-stakeholder initiative as part of its actions to address material + negative impacts, the undertaking may disclose how the initiative, and its + own involvement, is aiming to address the material impact concerned. It may + disclose under ESRS S3-5 the relevant targets set by the initiative and progress + towards them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 30 + description: When disclosing whether and how the undertaking considers actual + and potential impacts on affected communities in decisions to terminate business + relationships and whether and how it seeks to address any negative impacts + that may result from termination, the undertaking may include examples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 31 + description: In disclosing how it tracks the effectiveness of actions to manage + material impacts during the reporting period, the undertaking may disclose + any lessons learned from the previous and current reporting periods. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 32 + description: Processes used to track the effectiveness of actions can include + internal or external auditing or verification, court proceedings and/or related + court decisions, impact assessments, measurement systems, stakeholder feedback, + grievance mechanisms, external performance ratings, and benchmarking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 33 + description: Reporting on effectiveness is aimed at enabling the understanding + of the links between actions taken by an undertaking and the effective management + of impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 34 + description: "With regard to initiatives or processes whose primary aim is to\ + \ deliver positive impacts for affected communities that are based on affected\ + \ communities\u2019 needs, and with regard to progress in the implementation\ + \ of such initiatives or processes, the undertaking may disclose:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34 + ref_id: S3-4 AR 34.a + description: information about whether and how affected communities and legitimate + representatives or their credible proxies play a role in decisions regarding + the design and implementation of these investments or programmes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34 + ref_id: S3-4 AR 34.b + description: information about the intended or achieved positive outcomes for + affected communities of these investments or programmes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-34 + ref_id: S3-4 AR 34.c + description: an explanation of the approximate scope of affected communities + covered by the described social investment or development programmes, and, + where applicable, the rationale for why selected communities were chosen for + a given social investment or development programme's implementation. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 35 + description: "The undertaking may disclose whether any initiatives or processes\ + \ whose primary aim is to deliver positive impacts for affected communities\ + \ are designed also to support the achievement of one or more of the UN Sustainable\ + \ Development Goals (SDGs). For example, through a commitment to advance UN\ + \ SDG 5 to \u2018achieve gender equality and empower all women and girls\u2019\ + \ the undertaking may be taking thoughtful measures to include women in the\ + \ consultation process with an affected community to meet standards of effective\ + \ stakeholder engagement, which can help empower the women in the process\ + \ itself, but potentially also in their daily lives." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 36 + description: When disclosing the intended or achieved positive outcomes of its + actions for affected communities a distinction is to be made between evidence + of certain activities having occurred (for example, that x number of women + community members have been provided with training on how to become local + suppliers to the undertaking) from evidence of actual outcomes for affected + communities (for example, that x women community members have set up small + businesses and have had their contracts with the undertaking renewed year-on-year). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 37 + description: "When disclosing whether initiatives or processes also play a role\ + \ in mitigating material negative impacts, the undertaking may for example\ + \ consider programmes that aim to improve local infrastructure surrounding\ + \ an undertaking\u2019s operations, such as improvements in roads leading\ + \ to a reduction in the number of severe traffic accidents involving community\ + \ members." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 38 + description: "When disclosing the material risks and opportunities related to\ + \ the undertaking\u2019s impacts or dependencies on affected communities,\ + \ the undertaking may consider the following:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38 + ref_id: S3-4 AR 38.a + description: "risks related to the undertaking\u2019s impacts on affected communities\ + \ may include the reputational or legal exposure, as well as operational risks,\ + \ where affected communities protest against resettlements or the loss of\ + \ access to lands, leading to costly delays, boycotts, or lawsuits;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38 + ref_id: S3-4 AR 38.b + description: "risks related to the undertaking\u2019s dependencies on affected\ + \ communities may include disruption of business operations where indigenous\ + \ peoples decide to withdraw their consent to a project on their lands, forcing\ + \ the undertaking to significantly modify or abandon the project;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38 + ref_id: S3-4 AR 38.c + description: "opportunities related to the undertaking\u2019s impacts on affected\ + \ communities may include more easily financing projects and being a partner\ + \ of choice for communities, governments and other businesses; and " + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-38 + ref_id: S3-4 AR 38.d + description: "opportunities related to the undertaking\u2019s dependencies on\ + \ affected communities may include the development of positive relationships\ + \ between the undertaking and indigenous peoples that enable existing projects\ + \ to expand with strong support." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 39 + description: "In disclosing the information in AR 38, the undertaking may consider\ + \ explanations of risks and opportunities stemming from environmental impacts\ + \ or dependencies (please refer to AR 28 for further details), including related\ + \ human rights (or social) impacts. Examples include reputational risks stemming\ + \ from the impact on the health of communities of unmanaged polluting discharges;\ + \ or the financial effects of protests that may disrupt or interrupt an undertaking\u2019\ + s activities, for example, in response to operations in water stressed areas\ + \ that may impact the lives of affected communities." + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 40 + description: When disclosing whether dependencies turn into risks, the undertaking + shall consider external developments. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 41 + description: When disclosing policies, action and resources and targets related + to the management of material risks and opportunities, in cases where risks + and opportunities arise from a material impact, the undertaking may cross-reference + its disclosures on policies, actions and resources and targets in relation + to that impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 42 + description: The undertaking shall consider whether and how its processes to + manage material risks related to affected communities are integrated into + its existing risk management processes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar-43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-4-ar + ref_id: S3-4 AR 43 + description: When disclosing the resources allocated to the management of material + impacts, the undertaking may disclose which internal functions are involved + in managing the impacts and what types of action they take to address negative + and advance positive impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:node810 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node731 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node810 + ref_id: S3-5 AR + name: 'Disclosure Requirement S3-5 ' + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar + ref_id: S3-5 AR 44 + description: 'When disclosing information about targets in accordance with paragraph + 39, the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44 + ref_id: S3-5 AR 44.a + description: the intended outcomes to be achieved in the lives of affected communities, + being as specific as possible; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44 + ref_id: S3-5 AR 44.b + description: the stability of the targets over time in terms of definitions + and methodologies to enable comparability over time; + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-44 + ref_id: S3-5 AR 44.c + description: the standards or commitments which the targets are based on (for + instance codes of conduct, sourcing policies, global frameworks or industry + codes). + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar + ref_id: S3-5 AR 45 + description: Targets related to material risks and opportunities may be the + same as or distinct from targets related to material impacts. For example, + a target to fully restore livelihoods of affected communities following resettlement + could both reduce impacts on those communities and reduce associated risks + such as community protests. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar + ref_id: S3-5 AR 46 + description: The undertaking may also distinguish between short-, medium- and + long-term targets covering the same policy commitment. For example, the undertaking + may have as a main objective to employ community members at a local mining + site, with the long-term goal of staffing 100% locally by 2025, and with the + short-term objective of adding x percent of local employees every year up + and until 2025. + - urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar-47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s3-5-ar + ref_id: S3-5 AR 47 + description: When modifying or replacing a target in the reporting period, the + undertaking may explain the change by linking it to significant changes in + the business model or to broader changes in the accepted standard or legislation + from which the target is derived to provide contextual information as per + ESRS 2 BP-2 Disclosures in relation to specific circumstances. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4 + assessable: false + depth: 1 + ref_id: ESRS S4 + name: CONSUMERS AND END-USERS + - urn: urn:intuitem:risk:req_node:esrs_p3:node820 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node821 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node820 + description: "1. The objective of this Standard is to specify disclosure requirements\ + \ which will enable users of the sustainability statement to understand material\ + \ impacts on consumers and end-users connected with the undertaking\u2019\ + s own operations and value chain, including through its products or services,\ + \ as well as through its business relationships, and its related material\ + \ risks and opportunities, including:\n(a) how the undertaking affects the\ + \ consumers and/or end-users of its products and/or services (referred to\ + \ in this Standard as \u2018consumers and end-users\u2019), in terms of material\ + \ positive and negative actual or potential impacts;\n(b) any actions taken,\ + \ and the result of such actions, to prevent, mitigate or remediate actual\ + \ or potential negative impacts, and to address risks and opportunities;\n\ + (c) the nature, type and extent of the undertaking\u2019s material risks and\ + \ opportunities related to its impacts and dependencies on consumers and end-users,\ + \ and how the undertaking manages such risks and opportunities; and\n(d) the\ + \ financial effects on the undertaking over the short-, medium-and long-term\ + \ of material risks and opportunities arising from the undertaking\u2019s\ + \ impacts and dependencies on consumers and/or end- users." + - urn: urn:intuitem:risk:req_node:esrs_p3:node822 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node820 + description: '2. In order to meet the objective, this Standard requires an explanation + of the general approach the undertaking takes to identify and manage any material + actual and potential impacts on the consumers and/or end- + + users related to its products and/or services in relation to: + + (a) information-related impacts on consumers and/or end-users (for example, + privacy, freedom of expression and access to (quality) information; + + (b) personal safety of consumers and/or end-users (for example, health and + safety, security of a person and protection of children); + + (c) social inclusion of consumers and/or end-users (for example, non- discrimination, + access to products and services and responsible marketing practices).' + - urn: urn:intuitem:risk:req_node:esrs_p3:node823 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node820 + description: "3. This Standard also requires an explanation of how such impacts,\ + \ as well as the undertaking\u2019s dependencies on consumers and/or end-\ + \ users, can create material risks or opportunities for the undertaking. For\ + \ example, negative impacts on the reputation of the undertaking\u2019s products\ + \ and/or services can be detrimental to its business performance, while trust\ + \ in products and/or services can bring business benefits, such as increased\ + \ sales or widening of the future consumer base." + - urn: urn:intuitem:risk:req_node:esrs_p3:node824 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node820 + description: "4. The unlawful use or misuse of the undertaking\u2019s products\ + \ and services by consumers and end-users fall outside the scope of this standard." + - urn: urn:intuitem:risk:req_node:esrs_p3:node825 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p3:node826 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node825 + description: 5. This standard applies when material impacts on and/or material + risks and opportunities related to consumers and/or end-users have been identified + through the materiality assessment process laid out in ESRS 2 General disclosures. + - urn: urn:intuitem:risk:req_node:esrs_p3:node827 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node825 + description: 6. This Standard shall be read in conjunction with ESRS 1 General + requirements, and ESRS 2, as well as ESRS S1 Own workforce, ESRS S2 Workers + in the value chain and ESRS S3 Affected communities. + - urn: urn:intuitem:risk:req_node:esrs_p3:node828 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node829 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node828 + name: ESRS 2 General Disclosures + description: 7. The requirements of this section should be read in conjunction + with the disclosures required by ESRS 2 on Strategy (SBM). The resulting disclosures + shall be presented alongside the disclosures required by ESRS 2, except for + SBM-3 Material impacts, risks and opportunities and their interaction with + strategy and business model, for which the undertaking has an option to present + the disclosures alongside the topical disclosure. + - urn: urn:intuitem:risk:req_node:esrs_p3:node830 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node829 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node831 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node830 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-2-8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node831 + ref_id: S4.SBM-2-8 + description: When responding to ESRS 2 SBM-2, paragraph 43, the undertaking + shall disclose how the interests, views and rights of its consumers and/or + end-users, including respect for their human rights, inform its strategy and + business model. Consumers and/or end-users are a key group of affected stakeholders. + - urn: urn:intuitem:risk:req_node:esrs_p3:node833 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node830 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node833 + ref_id: S4.SBM-3-9 + description: 'When responding to ESRS 2 SBM-3 paragraph 48, the undertaking + shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-9.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-9 + ref_id: S4.SBM-3-9.a + description: "whether and how actual and potential impacts on consumers and/or\ + \ end-users as identified in Disclosure Requirements ESRS 2 IRO-1 Description\ + \ of the processes to identify and assess material impacts, risks and opportunities:\ + \ (i) originate from or are connected to the undertaking\u2019s strategy and\ + \ business model, and (ii) inform and contribute to adapting the undertaking\u2019\ + s strategy and business model, and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-9.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-9 + ref_id: S4.SBM-3-9.b + description: the relationship between its material risks and opportunities arising + from impacts and dependencies on consumers and/or end-users and its strategy + and business model. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node833 + ref_id: S4.SBM-3-10 + description: "When fulfilling the requirements of paragraph 48, the undertaking\ + \ shall disclose whether all consumers and/or end-users who are likely to\ + \ be materially impacted by the undertaking, including impacts connected with\ + \ the undertaking\u2019s own operations and value chain, including through\ + \ its products or services, as well as through its business relationships,\ + \ are included in the scope of its disclosure under ESRS 2. In addition, the\ + \ undertaking shall disclose the following information:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10 + ref_id: S4.SBM-3-10.a + description: 'a brief description of the types of consumers and/or end-users + subject to material impacts by its own operations or through its value chain, + and specify whether they are:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a + ref_id: S4.SBM-3-10.a.i + description: consumers and/or end-users of products that are inherently harmful + to people and/or increase risks for chronic disease; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a + ref_id: S4.SBM-3-10.a.ii + description: consumers and/or end-users of services that potentially negatively + impact their rights to privacy, to have their personal data protected, to + freedom of expression and to non- discrimination; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a.iii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a + ref_id: S4.SBM-3-10.a.iii + description: consumers and/or end-users who are dependent on accurate and accessible + product- or service- related information, such as manuals and product labels, + to avoid potentially damaging use of a product or service; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a.iv + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.a + ref_id: S4.SBM-3-10.a.iv + description: consumers and/or end-users who are particularly vulnerable to health + or privacy impacts or impacts from marketing and sales strategies, such as + children or financially vulnerable individuals; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10 + ref_id: S4.SBM-3-10.b + description: in the case of material negative impacts, whether they are either + (i) widespread or systemic in contexts where the undertaking sells or provides + its products or services (for example, state surveillance that affects the + privacy of service users), or (ii) related to individual incidents (for example, + a defect linked to a particular product) or to specific business relationships + (for example, a business partner uses marketing that inappropriately targets + young consumers); + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10 + ref_id: S4.SBM-3-10.c + description: in the case of material positive impacts, a brief description of + the activities that result in the positive impacts (for example, product design + that improves its accessibility for persons with disabilities) and the types + of consumers and/or end-users that are positively affected or could be positively + affected; the undertaking may also disclose whether the positive impacts occur + in specific countries or regions; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-10 + ref_id: S4.SBM-3-10.d + description: any material risks and opportunities for the business arising from + impacts and dependencies on consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node833 + ref_id: S4.SBM-3-11 + description: In describing the main types of consumers and/or end-users who + are or could be negatively affected, based on the materiality assessment set + out in ESRS 2 IRO-1, the undertaking shall disclose whether and how it has + developed an understanding of how consumers and/or end- users with particular + characteristics, or those using particular products or services, may be at + greater risk of harm. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node833 + ref_id: S4.SBM-3-12 + description: The undertaking shall disclose which, if any, of its material risks + and opportunities arising from impacts and dependencies on consumers and/or + end-users, relate to specific groups of consumers and/or end- users (for example, + particular age groups) rather than to all consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:node848 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node829 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node848 + ref_id: S4-1 + name: Disclosure Requirement S4-1 + description: Policies related to consumers and end-users + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + ref_id: S4-1-13 + description: The undertaking shall describe its policies adopted to manage its + material impacts of its products and/or services on consumers and end-users, + as well as associated material risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + ref_id: S4-1-14 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking has policies that address the identification, + assessment, management and/or remediation of material impacts on consumers + and/or end-users specifically, as well as policies that cover material risks + or opportunities related to consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + ref_id: S4-1-15 + description: "The disclosure required by paragraph 13 shall contain the information\ + \ on the undertaking\u2019s policies to manage its material impacts, risks\ + \ and opportunities related to consumers and/or end-users in accordance with\ + \ ESRS 2 MDR-P Policies adopted to manage material sustainability matters.\ + \ In addition, the undertaking shall specify if such policies cover specific\ + \ groups or all consumers and/or end-users." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + ref_id: S4-1-16 + description: 'The undertaking shall describe its human rights policy commitments + ( 124 ) that are relevant to consumers and/or end-users, including those processes + and mechanisms to monitor compliance with the UN Guiding Principles on Business + and Human Rights, ILO Declaration on Fundamental Principles and Rights at + Work or OECD Guidelines for Multinational Enterprises. In its disclosure it + shall focus on those matters that are material, as well as the general approach + in relation to ( 125 ):' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16 + ref_id: S4-1-16.a + description: respect for the human rights of consumers and/or end-users; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16 + ref_id: S4-1-16.b + description: engagement with consumers and/or end-users; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-16 + ref_id: S4-1-16.c + description: measures to provide and/or enable remedy for human rights impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1 + ref_id: S4-1-17 + description: The undertaking shall disclose whether and how its policies with + regard to consumers and/or end-users are aligned with internationally recognised + instruments relevant to consumers and/or end-users, including United Nations + (UN) Guiding Principles on Business and Human Rights. The undertaking shall + also disclose the extent to which cases of non-respect of the UN Guiding Principles + on Business and Human Rights, ILO Declaration on Fundamental Principles and + Rights at Work or OECD Guidelines for Multinational Enterprises that involve + consumers and/or end-users have been reported in its downstream value chain + and, if applicable, an indication of the nature of such cases ( 126 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node848 + ref_id: S4-2 + name: 'Disclosure Requirement S4-2 ' + description: Processes for engaging with consumers and end-users about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + ref_id: S4-2-18 + description: The undertaking shall disclose its general processes for engaging + with consumers and end-users and their representatives about actual and potential + impacts on them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + ref_id: S4-2-19 + description: The objective of this Disclosure Requirement is to enable an understanding + of whether and how the undertaking engages, as part of its ongoing due diligence + process, with consumers and/or end-users, their legitimate representatives, + or with credible proxies, about material actual and potential positive and/or + negative impacts that do or are likely to affect them, and whether and how + perspectives of consumers and/or end-users are taken into account in the decision- + making processes of the undertaking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + ref_id: S4-2-20 + description: 'The undertaking shall disclose whether and how the perspectives + of consumers and/or end-users inform its decisions or activities aimed at + managing actual and potential impacts on consumers and/or end-users. This + shall include, where relevant, an explanation of:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20 + ref_id: S4-2-20.a + description: whether engagement occurs with affected consumers and/or end- users + or their legitimate representatives directly, or with credible proxies that + have insight into their situation; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20 + ref_id: S4-2-20.b + description: the stage(s) at which engagement occurs, the type of engagement, + and the frequency of the engagement; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20 + ref_id: S4-2-20.c + description: "the function and the most senior role within the undertaking that\ + \ has operational responsibility for ensuring this engagement happens and\ + \ that the results inform the undertaking\u2019s approach; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-20 + ref_id: S4-2-20.d + description: where applicable, how the undertaking assesses the effectiveness + of its engagement with consumers and/or end-users, and, where relevant, any + agreements or outcomes that result from such engagement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + ref_id: S4-2-21 + description: Where applicable, the undertaking shall disclose the steps it takes + to gain insight into the perspectives of consumers and/or end-users that may + be particularly vulnerable to impacts and/or marginalised (for example, people + with disabilities, children, etc.). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2 + ref_id: S4-2-22 + description: If the undertaking cannot disclose the above required information + because it has not adopted a general process to engage with consumers and/or + end-users, it shall disclose this to be the case. It may disclose a timeframe + in which it aims to have such a process in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node848 + ref_id: S4-3 + name: Disclosure Requirement S4-3 + description: Processes to remediate negative impacts and channels for consumers + and end-users to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + ref_id: S4-3-23 + description: The undertaking shall describe the processes it has in place to + provide for or cooperate in the remediation of negative impacts on consumers + and end-users that the undertaking is connected with, as well as channels + available to consumers and end-users to raise concerns and have them addressed. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + ref_id: S4-3-24 + description: The objective of this Disclosure Requirement is to enable an understanding + of the formal means by which consumers and/or end-users can make their concerns + and needs known directly to the undertaking, and/or through which the undertaking + supports the availability of such channels (for example, grievance mechanisms) + by its business relationships, how follow up is performed with these consumers + and/or end-users regarding the issues raised, and the effectiveness of these + channels. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + ref_id: S4-3-25 + description: 'The undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25 + ref_id: S4-3-25.a + description: its general approach to and processes for providing or contributing + to remedy where it has identified that it has caused or contributed to a material + negative impact on consumers and/or end-users, including whether and how the + undertaking assesses that the remedy provided is effective; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25 + ref_id: S4-3-25.b + description: any specific channels it has in place for consumers and/or end- + users to raise their concerns or needs directly with the undertaking and have + them addressed, including whether these are established by the undertaking + itself and/or through participation in third-party mechanisms; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25 + ref_id: S4-3-25.c + description: the processes through which the undertaking supports or requires + the availability of such channels by its business relationships; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-25 + ref_id: S4-3-25.d + description: how it tracks and monitors issues raised and addressed, and how + it ensures the effectiveness of the channels, including through involvement + of stakeholders who are the intended users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + ref_id: S4-3-26 + description: The undertaking shall disclose whether and how it assesses that + consumers and/or end-users are aware of and trust these structures or processes + as a way to raise their concerns or needs and have them addressed. In addition, + the undertaking shall disclose whether it has policies in place to protect + individuals from retaliation when they use such structures or processes. If + such information has been disclosed in accordance with ESRS G1-1, the undertaking + may refer to that information. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3 + ref_id: S4-3-27 + description: If the undertaking cannot disclose the above required information + because it has not adopted a channel for raising concerns and/or does not + support the availability of mechanisms by its business relationships, it shall + disclose this to be the case. It may disclose a timeframe in which it aims + to have such a channel or processes in place. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node848 + ref_id: S4-4 + name: Disclosure Requirement S4-4 + description: Taking action on material impacts on consumers and end- users, + and approaches to managing material risks and pursuing material opportunities + related to consumers and end-users, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-28 + description: The undertaking shall disclose how it takes action to address material + impacts on consumers and end-users, and to manage material risks and pursue + material opportunities related to consumers and end-users, and effectiveness + of those actions. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-29 + description: 'The objective of this Disclosure Requirement is twofold. Firstly, + it is to provide an understanding of any actions and initiatives through which + the undertaking seeks to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29 + ref_id: S4-4-29.a + description: prevent, mitigate and remediate the negative material impacts on + consumers and/or end-users, and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29 + ref_id: S4-4-29.b + description: achieve positive material impacts for consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:node883 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-29 + description: Secondly, it is to enable an understanding of the ways in which + the undertaking is addressing the material risks and pursuing the material + opportunities related to consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-30 + description: The undertaking shall provide a summarised description of the action + plans and resources to manage its material impacts, risks, and opportunities + related to consumers and end-users as per ESRS 2 MDR-A Actions and resources + in relation to material sustainability matters. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-31 + description: 'In relation to material impacts, the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31 + ref_id: S4-4-31.a + description: actions taken, planned or underway to prevent, mitigate or remediate + material negative impacts on consumers and/or end- users; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31 + ref_id: S4-4-31.b + description: whether and how it has taken action to provide or enable remedy + in relation to an actual material impact; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31 + ref_id: S4-4-31.c + description: any additional actions or initiatives it has in place with the + primary purpose of positively contributing to improved social outcomes for + consumers and/or end-users; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-31 + ref_id: S4-4-31.d + description: how it tracks and assesses the effectiveness of these actions and + initiatives in delivering intended outcomes for consumers and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-32 + description: 'In relation to paragraph 28, the undertaking shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32 + ref_id: S4-4-32.a + description: the processes through which it identifies what action is needed + and appropriate in response to a particular actual or potential negative impact + on consumers and/or end-users; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32 + ref_id: S4-4-32.b + description: its approaches to taking action in relation to specific material + negative impacts on consumers and/or end-users, including any action in relation + to its own practices regarding product design, marketing or sales, as well + as whether wider industry or collaborative action with other relevant parties + will be required; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-32 + ref_id: S4-4-32.c + description: how it ensures that processes to provide or enable remedy in the + event of material negative impacts are available and effective in their implementation + and outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-33 + description: 'In relation to material risks and opportunities, the undertaking + shall describe:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-33.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-33 + ref_id: S4-4-33.a + description: what action is planned or underway to mitigate material risks for + the undertaking arising from its impacts and dependencies on consumers and/or + end-users and how it tracks effectiveness in practice; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-33.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-33 + ref_id: S4-4-33.b + description: what action is planned or underway to pursue material opportunities + for the undertaking in relation to consumers and/or end- users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-34 + description: The undertaking shall disclose whether and how it takes action + to avoid causing or contributing to material negative impacts on consumers + and/or end-users through its own practices, including, where relevant, in + relation to marketing, sales and data use. This may include disclosing what + approach is taken when tensions arise between the prevention or mitigation + of material negative impacts and other business pressures. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-35 + description: When preparing this disclosure, the undertaking shall consider + whether severe human rights issues and incidents connected to its consumers + and/or end-users have been reported and, if applicable, disclose these ( 127 + ). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-36 + description: 'Where the undertaking evaluates the effectiveness of an action + by setting a target, in disclosing the information required under paragraph + 31(d), the undertaking shall consider ESRS 2 MDR-T Tracking effectiveness + of policies and actions through targets. ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4 + ref_id: S4-4-37 + description: The undertaking shall disclose what resources are allocated to + the management of its material impacts with information that enables users + to gain an understanding of how the material impacts are managed. + - urn: urn:intuitem:risk:req_node:esrs_p3:node901 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node829 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node901 + ref_id: S4-5 + name: Disclosure Requirement S4-5 + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5 + ref_id: S4-5-38 + description: 'The undertaking shall disclose the time-bound and outcome- oriented + targets it may have set related to:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38 + ref_id: S4-5-38.a + description: reducing negative impacts on consumers and/or end-users; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38 + ref_id: S4-5-38.b + description: advancing positive impacts on consumers and/or end-users; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-38 + ref_id: S4-5-38.c + description: managing material risks and opportunities related to consumers + and/or end-users. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5 + ref_id: S4-5-39 + description: The objective of this Disclosure Requirement is to enable an understanding + of the extent to which the undertaking is using time-bound and outcome-oriented + targets to drive and measure progress in addressing material negative impacts, + and/or advancing positive impacts on consumers and/or end-users, and/or in + managing material risks and opportunities related to consumers and/or end- + users . + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5 + ref_id: S4-5-40 + description: The summarised description of the targets to manage its material + impacts, risks and opportunities related to consumers and/or end- users shall + contain the information requirements defined in ESRS 2 MDR-T. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5 + ref_id: S4-5-41 + description: 'The undertaking shall disclose the process for setting the targets, + including whether and how the undertaking engaged directly with consumers + and/or end-users, their legitimate representatives, or with credible proxies + that have insight into their situation in:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41 + ref_id: S4-5-41.a + description: setting any such targets; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41 + ref_id: S4-5-41.b + description: "tracking the undertaking\u2019s performance against them; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-41 + ref_id: S4-5-41.c + description: "identifying, if any, lessons or improvements as a result of the\ + \ undertaking\u2019s performance." + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4-appendix-a + assessable: false + depth: 1 + ref_id: ESRS S4-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node914 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4-appendix-a + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node915 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node914 + description: AR 1. The undertaking may highlight special issues relevant to + a material impact for a shorter period of time, for instance initiatives regarding + the health and safety of consumers and/or end-users in relation to contamination + of a product or severe breach of privacy due to a massive data leak. + - urn: urn:intuitem:risk:req_node:esrs_p3:node916 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node914 + description: AR 2. The overview of social and human rights matters provided + in paragraph 2 is not meant to imply that all of these issues should be disclosed + in each Disclosure Requirement in this Standard. Rather, it provides a list + of matters that the undertaking shall consider in its materiality assessment + (ref. to ESRS 1 chapter 3 Double materiality as the basis for sustainability + disclosures and ESRS 2 IRO-1) related to consumers and/or end-users and, subsequently, + disclose as material impacts, risks and opportunities within the scope of + this Standard. + - urn: urn:intuitem:risk:req_node:esrs_p3:node917 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-s4-appendix-a + name: ESRS 2 General disclosures + - urn: urn:intuitem:risk:req_node:esrs_p3:node918 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node917 + name: Strategy + - urn: urn:intuitem:risk:req_node:esrs_p3:node919 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node918 + name: Disclosure Requirement related to ESRS 2 SBM-2 + description: Interests and views of stakeholders + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-2.ar-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node919 + ref_id: S4.SBM-2.AR-3 + description: ESRS 2 SBM-2 requires the undertaking to provide an understanding + of if and how it considers whether its strategy and business model play a + role in creating, exacerbating or (conversely) mitigating significant material + impacts on consumers and/or end-users, and whether and how the business model + and strategy are adapted to address such material impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-2.ar-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node919 + ref_id: S4.SBM-2.AR-4 + description: "While consumers and/or end-users may not be engaging with the\ + \ undertaking at the level of its strategy or business model, their views\ + \ can inform the undertaking\u2019s assessment of its strategy and business\ + \ model. The undertaking may disclose the views of the (actual or potential)\ + \ materially affected consumers and/or end-users\u2019 legitimate representatives\ + \ or those of credible proxies that have insight into their situation." + - urn: urn:intuitem:risk:req_node:esrs_p3:node922 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node918 + name: Disclosure Requirement related to ESRS 2 SBM-3 + description: Material impacts, risks and opportunities and their interaction + with strategy and business model + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3.ar-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node922 + ref_id: S4.SBM-3.AR-5 + description: "Impacts on consumers and/or end-users can originate in the undertaking\u2019\ + s business model or strategy in a number of different ways. For example, impacts\ + \ may relate to the undertaking\u2019s value proposition (for example, providing\ + \ online platforms with potential for online and offline harm), its value\ + \ chain (for example, speed in developing products or services, or delivering\ + \ projects, with risks to health and safety), or its cost structure and the\ + \ revenue model (for example, sales- maximising incentives that put consumers\ + \ at risk)." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3.ar-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node922 + ref_id: S4.SBM-3.AR-6 + description: "Impacts on consumers and/or end-users that originate in the strategy\ + \ or business model can also bring material risks to the undertaking. For\ + \ example, if the undertaking\u2019s business model is premised on incentivising\ + \ its sales force to sell high volumes of a product or service (for example,\ + \ credit cards or pain medicine) at speed, and this results in large- scale\ + \ harm to consumers, the undertaking may face lawsuits and reputational damage\ + \ affecting its future business and credibility." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3.ar-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node922 + ref_id: S4.SBM-3.AR-7 + description: Examples of particular characteristics of consumers and/or end-users + that may be considered by the undertaking when responding to paragraph 11 + include young consumers and/or end-users who may be more susceptible to impacts + on their physical and mental development, or who lack financial literacy and + may be more susceptible to exploitative sales or marketing practices. They + may also include women in a context where women are routinely discriminated + against in their access to particular services or in the marketing of particular + products. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4.sbm-3.ar-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node922 + ref_id: S4.SBM-3.AR-8 + description: "With regard to paragraph 12, the risks could arise because of\ + \ the undertaking\u2019s dependency on consumers and/or end-users where low\ + \ likelihood but high impact events may trigger financial effects, for example,\ + \ where a global pandemic leads to severe impacts on certain consumers\u2019\ + \ livelihoods resulting in major changes in patterns of consumption." + - urn: urn:intuitem:risk:req_node:esrs_p3:node927 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node917 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node927 + ref_id: S4-1 AR + name: Disclosure Requirement S4-1 + description: ' Policies related to consumers and end-users' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + ref_id: S4-1 AR 9 + description: The description shall include the key information necessary to + ensure a faithful representation of the policies in relation to consumers + and end-users, and therefore, the undertaking shall consider explanations + of significant changes to the policies adopted during the reporting year (for + example, new expectations for business customers, new or additional approaches + to due diligence and remedy). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + ref_id: S4-1 AR 10 + description: The policy may take the form of a stand-alone policy regarding + consumers and/or end-users or be included in a broader document such as a + code of ethics or a general sustainability policy that has already been disclosed + by the undertaking as part of another ESRS. In those cases, the undertaking + shall provide an accurate cross-reference to identify the aspects of the policy + that satisfy the requirements of this Disclosure Requirement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + ref_id: S4-1 AR 11 + description: In disclosing its alignment of its policies with the UN Guiding + Principles on Business and Human Rights, the undertaking shall consider that + the Guiding Principles refer to the International Bill of Human Rights, which + consists of the Universal Declaration of Human Rights and the two Covenants + that implement it, and may disclose its alignment with these instruments. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + ref_id: S4-1 AR 12 + description: When disclosing how external facing policies are embedded, the + undertaking may, for example, consider internal-facing sales and distribution + policies and alignment with other policies relevant to consumers and/or end-users. + The undertaking shall also consider its policies for safeguarding the veracity + and usefulness of information provided to potential and actual consumers and/or + end-users, both before and after sale. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-1-ar + ref_id: S4-1 AR 13 + description: "The undertaking may provide an illustration of the types of communication\ + \ of its policies to those individuals, group of individuals or entities for\ + \ whom they are relevant, either because they are expected to implement them\ + \ (for example, the undertaking\u2019s employees, contractors and suppliers),\ + \ or because they have a direct interest in their implementation (for example,\ + \ own workers, investors). It may disclose communication tools and channels\ + \ (for example, flyers, newsletters, dedicated websites, social media, face\ + \ to face interactions, workers\u2019 representatives), aimed at ensuring\ + \ that the policy is accessible and that different audiences understand its\ + \ implications. The undertaking may also explain how it identifies and removes\ + \ potential barriers for dissemination, such as through translation into relevant\ + \ languages or the use of graphic depictions." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node927 + ref_id: S4-2 AR + name: Disclosure Requirement S4-2 + description: Processes for engaging with consumers and end-users about impacts + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar + ref_id: S4-2 AR 14 + description: Credible proxies who have knowledge of the interests, experiences + or perspectives of consumers and end-users could include national consumer + protection bodies for some consumers. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar + ref_id: S4-2 AR 15 + description: When describing which function or role has operational responsibility + for such engagement and/or ultimate accountability, the undertaking may disclose + whether this is a dedicated role or function or part of a broader role or + function, and whether any capacity building activities have been offered to + support the staff to undertake engagement. If it cannot identify such a position + or function, it may state that this is the case. This disclosure could also + be fulfilled by making reference to information disclosed according to ESRS + 2 GOV-1 The role of the administrative, management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar + ref_id: S4-2 AR 16 + description: 'When preparing the disclosures described in paragraph 20 b) and + c), the following illustrations may be considered:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + ref_id: S4-2 AR 16.a + description: for stage(s) at which engagement occurs, examples could be in determining + mitigation approaches or in evaluating their effectiveness; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + ref_id: S4-2 AR 16.b + description: for type of engagement, these could be participation, consultation + and/or information; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + ref_id: S4-2 AR 16.c + description: for the frequency of the engagement, information may be provided + on whether engagement occurs on a regular basis, at certain points in a project + or business process, as well as whether it occurs in response to legal requirements + and/or in response to stakeholder requests and whether the result of the engagement + is being integrated into the undertaking's decision-making processes; and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + ref_id: S4-2 AR 16.d + description: for the role with operational responsibility, whether the undertaking + requires relevant staff to have certain skills, or whether it provides training + or capacity building to relevant staff to undertake engagement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-2-ar-16 + ref_id: S4-2 AR 17 + description: To illustrate how the perspectives of consumers and/or end-users + have informed specific decisions or activities of the undertaking, the undertaking + may provide examples from the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node927 + ref_id: S4-3 AR + name: Disclosure Requirement S4-3 + description: Processes to remediate negative impacts and channels for consumers + and end-users to raise concerns + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 18 + description: In fulfilling the requirements set out by the disclosure criteria + of ESRS S4-3, the undertaking may be guided by the content of the UN Guiding + Principles on Business and Human Rights and the OECD Guidelines for Multinational + Enterprises focused on remediation and grievance mechanisms. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 19 + description: Channels for raising concerns or needs, include grievance mechanisms, + hotlines, dialogue processes or other means through which consumers and/or + end-users or their legitimate representatives can raise concerns about impacts + or explain needs that they would like the undertaking to address. This could + include channels provided by the undertaking directly and is to be disclosed + in addition to any other mechanisms the undertaking may use to gain insight + into the management of impacts on consumers and/or end-users, such as compliance + audits. Where the undertaking is relying solely on information about the existence + of such channels provided by its business relationships to answer this requirement, + it may state that. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 20 + description: To provide greater insight into the information covered in ESRS + S4-3, the undertaking may provide insight into whether and how consumers and/or + end-users that may be affected are able to access channels at the level of + the undertaking they are affected by, in relation to each material impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 21 + description: "Third party mechanisms could include those operated by the government,\ + \ NGOs, industry associations and other collaborative initiatives. With regard\ + \ to the scope of these mechanisms, the undertaking may disclose whether these\ + \ are accessible to all consumers and/or end-users who may be potentially\ + \ or actually materially impacted by the undertaking, or individuals or organisations\ + \ acting on their behalf or who are otherwise in a position to be aware of\ + \ negative impacts, and through which consumers and/or end-users (or individuals\ + \ or organisations acting on their behalf or who are otherwise in a position\ + \ to be aware of negative impacts), can raise complaints or concerns related\ + \ to the undertaking\u2019s own activities." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 22 + description: In relation to the protection of individuals that use the mechanisms + against the retaliation, the undertaking may describe whether it treats grievances + confidentially and with respect to the rights of privacy and data protection; + and whether they allow for consumer and/or end- users to use them anonymously + (for example, through representation by a third party). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 23 + description: In disclosing whether and how the undertaking knows that consumers + and/or end-users are aware of and trust any of these channels, the undertaking + may provide relevant and reliable data about the effectiveness of these channels + from the perspective of consumers and/or end-users themselves. Examples of + sources of information are surveys of consumers and/or end-users that have + used such channels and their levels of satisfaction with the process and outcomes. + To illustrate the usage level of such channels, the undertaking may disclose + the number of complaints received from consumers and/or end-users during the + reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 24 + description: "In describing the effectiveness of channels for consumers and/or\ + \ end- users to raise concerns, the undertaking may be guided by the following\ + \ questions, based on the \u2018effectiveness criteria for nonjudicial grievance\ + \ mechanisms\u2019, as laid out in the UN Guiding Principles on Business and\ + \ Human Rights. The below considerations may be applied on an individual channel\ + \ basis or for the collective system of channels:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.a + description: do the channels hold legitimacy by providing appropriate accountability + for their fair conduct and building stakeholder trust? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.b + description: are the channels known and accessible to stakeholders? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.c + description: do the channels have known procedures, set timeframes and clarity + on the processes? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.d + description: do the channels ensure reasonable access to sources of information, + advice and expertise? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.e + description: do the channels offer transparency by providing sufficient information + both to complainants and where applicable, to meet any public interest at + stake? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.f + description: do the outcomes achieved from the channels accord with internationally + recognised human rights? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.g + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.g + description: does the undertaking identify insights from the channels that support + continuous learning in both improving the channels and preventing future impacts? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24.h + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-24 + ref_id: S4-3 AR 24.h + description: does the undertaking focus on dialogue with complainants as the + means to reach agreed solutions, rather than seeking to unilaterally determine + the outcome? + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-3-ar + ref_id: S4-3 AR 25 + description: For more information, see Principle 31 of the UN Guiding Principles + on Business and Human Rights. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node927 + ref_id: S4-4 AR + name: Disclosure Requirement S4-4 + description: Taking action on material impacts on consumers and end- users, + and approaches to managing material risks and pursuing material opportunities + related to consumers and end-users, and effectiveness of those actions + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 25 + description: 'It may take time to understand negative impacts and how the undertaking + may be involved with them through its downstream value chain, as well as to + identify appropriate responses and put them into practice). Therefore, the + undertaking shall consider:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25 + ref_id: S4-4 AR 25.a + description: Its general and specific approaches to addressing material negative + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25 + ref_id: S4-4 AR 25.b + description: its initiatives aimed at contributing to additional material positive + impacts; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25 + ref_id: S4-4 AR 25.c + description: how far it has progressed in its efforts during the reporting period; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-25 + ref_id: S4-4 AR 25.d + description: its aims for continued improvement. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 26 + description: Appropriate action can vary according to whether the undertaking + causes or contributes to a material impact, or whether the material impact + is directly linked to its own operations, products or services through a business + relationship. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 27 + description: Given that material negative impacts affecting consumers and/or + end- users that have occurred during the reporting period may also be linked + to entities or operations outside its direct control, the undertaking may + disclose whether and how it seeks to use leverage with relevant business relationships + to manage those impacts. This may include using commercial leverage (for example, + enforcing contractual requirements with business relationships or implementing + incentives), other forms of leverage within the relationship (such as providing + training or capacity-building on proper product use or sale practices to business + relationships) or collaborative leverage with peers or other actors (such + as initiatives aimed at responsible marketing or product safety). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 28 + description: When the undertaking discloses its participation in an industry + or multi-stakeholder initiative as part of its actions to address material + negative impacts, the undertaking may disclose how the initiative, and its + own involvement, is aiming to address the material impact concerned. It may + disclose under ESRS S4-5 the relevant targets set by the initiative and progress + towards them. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 29 + description: When disclosing whether and how it considers actual and potential + impacts on consumers and/or end-users in decisions to terminate business relationships + and whether and how it seeks to address any negative impacts that may result + from termination, the undertaking may include examples. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 30 + description: In disclosing how it tracks the effectiveness of actions to manage + material impacts during the reporting period, the undertaking may disclose + any lessons learned from the previous and current reporting periods. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 31 + description: Processes used to track the effectiveness of actions can include + internal or external auditing or verification, court proceedings and/or related + court decisions, impact assessments, measurement systems, stakeholder feedback, + grievance mechanisms, external performance ratings, and benchmarking. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 32 + description: Reporting on effectiveness is aimed at enabling the understanding + of the links between actions taken by the undertaking and the effective management + of impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 33 + description: "With regard to initiatives or processes the undertaking has in\ + \ place that are based on affected consumers and/or end-users\u2019 needs\ + \ and their level of implementation, the undertaking may disclose:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-33.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-33 + ref_id: S4-4 AR 33.a + description: information about whether and how consumers and/or end-users and + legitimate representatives or their credible proxies play a role in decisions + regarding the design and implementation of these programmes or processes; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-33.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-33 + ref_id: S4-4 AR 33.b + description: information about the intended or achieved positive outcomes for + consumers and/or end- users of these programmes or processes. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 34 + description: "The undertaking may disclose whether any initiatives or processes\ + \ whose primary aim is to deliver positive impacts for consumers and/or end-users\ + \ are designed to also support the achievement of one or more of the UN Sustainable\ + \ Development Goals (SDGs). For example, through a commitment to advance UN\ + \ SDG 3 to \u2018ensure healthy lives and promote well-being for all at all\ + \ ages\u2019 the undertaking may be actively working to make its products\ + \ less addictive and harmful to physical and psychological health." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 35 + description: When disclosing the intended positive outcomes of the undertaking's + actions for consumers and/or end-users, a distinction is to be made between + evidence of certain activities having occurred (for example, that x number + of consumers have received information about healthy eating habits) from evidence + of actual outcomes for consumers and/or end-users (for example, that x number + of consumers have adopted healthier eating habits). + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 36 + description: When disclosing whether initiatives or processes also play a role + in mitigating material negative impacts, the undertaking may, for example, + consider programmes that aim to support heightened awareness of the risk of + online scams, leading to a reduction in the number of cases of end-users experiencing + breaches of data privacy. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 37 + description: "When disclosing the material risks and opportunities related to\ + \ the undertaking\u2019s impacts or dependencies on consumers and/or end-\ + \ users, the undertaking may consider the following:" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37 + ref_id: S4-4 AR 37.a + description: "risks related to the undertaking\u2019s impacts on consumers and/or\ + \ end-users may include reputational or legal exposure where poorly designed\ + \ or defective products result in injuries or deaths;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37 + ref_id: S4-4 AR 37.b + description: "risks related to the undertaking\u2019s dependencies on consumers\ + \ and/or end-users may include the loss of business continuity where an economic\ + \ crisis makes consumers unable to afford certain products or services;" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37 + ref_id: S4-4 AR 37.c + description: "opportunities related to the undertaking\u2019s impacts on consumers\ + \ and/or end- users may include market differentiation and greater customer\ + \ appeal from offering safe products or privacy-respecting services; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-37 + ref_id: S4-4 AR 37.d + description: "opportunities related to the undertaking\u2019s dependencies on\ + \ consumers and/or end-users may include the achievement of a loyal future\ + \ consumer base by ensuring, for example, that LGBTQI people are respected\ + \ and that the undertaking\u2019s selling practices do not exclude such people\ + \ from the products or services it offers." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 38 + description: When disclosing whether dependencies turn into risks, the undertaking + shall consider external developments. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 39 + description: When disclosing policies, action and resources and targets related + to the management of material risks and opportunities, in cases where risks + and opportunities arise from a material impact, the undertaking may cross-reference + its disclosures on policies, action and resources and targets in relation + to that impact. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 40 + description: The undertaking shall consider the extent to which its processes + to manage material risks related to consumers and/or end-users are integrated + into its existing risk management processes and how. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-4-ar + ref_id: S4-4 AR 41 + description: When disclosing the resources allocated to the management of material + impacts, the undertaking may disclose which internal functions are involved + in managing the impacts and what types of action they take to address negative + and advance positive impacts. + - urn: urn:intuitem:risk:req_node:esrs_p3:node988 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node917 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node988 + ref_id: S4-5 AR + name: 'Disclosure Requirement S4-5 ' + description: Targets related to managing material negative impacts, advancing + positive impacts, and managing material risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar + ref_id: S4-5 AR 42 + description: 'When disclosing targets in relation to consumers and/or end-users, + the undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42 + ref_id: S4-5 AR 42.a + description: the intended outcomes to be achieved in the lives of consumers + and/or end-users, being as specific as possible; + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42 + ref_id: S4-5 AR 42.b + description: their stability over time in terms of definitions and methodologies + to enable comparability; and/or + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-42 + ref_id: S4-5 AR 42.c + description: ' the standards or commitments on which the targets are based are + to be clearly defined in the reporting (for instance codes of conduct, sourcing + policies, global frameworks or industry codes). ' + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar + ref_id: S4-5 AR 43 + description: "Targets related to material risks and opportunities may be the\ + \ same as or distinct from targets tied to material impacts. For example,\ + \ a target to ensure equal access to finance for underserved consumers could\ + \ both reduce discrimination impacts on those consumers and enlarge the undertaking\u2019\ + s pool of customers." + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar + ref_id: S4-5 AR 44 + description: The undertaking may also distinguish between short, medium and + long-term targets covering the same policy commitment. For example, the undertaking + may have as a main objective to make its online services accessible to people + with disabilities, with the long- term goal of having adapted 100% of its + online services by 2025, and with the short-term objective of adding x number + of accessible features every year up and until 2025. + - urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:s4-5-ar + ref_id: S4-5 AR 45 + description: When modifying or replacing a target in the reporting period, the + undertaking may explain the change by cross-referencing it to significant + changes in the business model or to broader changes in the accepted standard + or legislation from which the target is derived to provide contextual information + as per ESRS 2 BP-2 Disclosures in relation to specific circumstances. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1 + assessable: false + depth: 1 + ref_id: ESRS G1 + name: BUSINESS CONDUCT + - urn: urn:intuitem:risk:req_node:esrs_p3:node998 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1 + name: Objective + - urn: urn:intuitem:risk:req_node:esrs_p3:node999 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node998 + description: "1. The objective of this Standard is to specify disclosure requirements\ + \ which will enable users of the undertaking\u2019s sustainability statements\ + \ to understand the undertaking\u2019s strategy and approach, processes and\ + \ procedures as well as its performance in respect of business conduct." + - urn: urn:intuitem:risk:req_node:esrs_p3:node1000 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node998 + description: "2. This Standard focusses on the following matters, collectively\ + \ referred to in this Standard as \u2018business conduct or business conduct\ + \ matters\u2019:\n(a) business ethics and corporate culture, including anti-corruption\ + \ and anti-bribery, the protection of whistleblowers, and animal welfare;\n\ + (b) the management of relationships with suppliers, including payment practices,\ + \ especially with regard to late payment to small and medium-sized undertakings.\n\ + (c) activities and commitments of the undertaking related to exerting its\ + \ political influence, including its lobbying activities;" + - urn: urn:intuitem:risk:req_node:esrs_p3:node1001 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1 + name: Interaction with other ESRS + - urn: urn:intuitem:risk:req_node:esrs_p3:node1002 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1001 + description: 3. The content of this Standard on general disclosures as well + as impact, risk and opportunity management and metrics and targets shall be + read in conjunction respectively with ESRS 1 General principles and ESRS 2 + General requirements. + - urn: urn:intuitem:risk:req_node:esrs_p3:node1003 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1 + name: Disclosure Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node1004 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1003 + name: ESRS 2 General disclosures + description: 4. The requirements of this section should be read in conjunction + with and reported alongside the disclosures required by ESRS 2 on Governance + (GOV), Strategy (SBM) and Management of impacts, risks and opportunities (IRO). + - urn: urn:intuitem:risk:req_node:esrs_p3:node1005 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1004 + name: Governance + - urn: urn:intuitem:risk:req_node:esrs_p3:node1006 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1005 + name: Disclosure Requirement related to ESRS 2 GOV-1 + description: The role of the administrative, management and supervisory bodies + - urn: urn:intuitem:risk:req_node:esrs_p3:g1.gov-1.5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1006 + ref_id: G1.GOV-1.5 + description: '5. When disclosing information about the role of the administrative, + management and supervisory bodies, the undertaking shall cover the following + aspects:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1.gov-1.5.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1.gov-1.5 + ref_id: G1.GOV-1.5.a + description: (a) the role of the administrative, management and supervisory + bodies related to business conduct; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1.gov-1.5.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1.gov-1.5 + ref_id: G1.GOV-1.5.b + description: (b) the expertise of the administrative, management and supervisory + bodies on business conduct matters. + - urn: urn:intuitem:risk:req_node:esrs_p3:node1010 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1004 + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:node1011 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1010 + name: Disclosure Requirement related to ESRS 2 IRO-1 + description: Description of the processes to identify and assess material impacts, + risks and opportunities + - urn: urn:intuitem:risk:req_node:esrs_p3:g1.iro-1-6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1011 + ref_id: G1.IRO-1-6 + description: When describing the process to identify material impacts, risks + and opportunities in relation to business conduct matters, the undertaking + shall disclose all relevant criteria used in the process, including location, + activity, sector and the structure of the transaction. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1010 + ref_id: G1-1 + name: 'Disclosure Requirement G1-1 ' + description: Business conduct policies and corporate culture + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + ref_id: G1-1-7 + description: The undertaking shall disclose its policies with respect to business + conduct matters and how it fosters its corporate culture. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + ref_id: G1-1-8 + description: "The objective of this Disclosure Requirement is to enable an understanding\ + \ of the extent to which the undertaking has policies that address the identification,\ + \ assessment, management and/or remediation of its material impacts, risks\ + \ and opportunities related to business conduct matters. It also aims to provide\ + \ an understanding of the undertaking\u2019s approach to corporate culture." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + ref_id: G1-1-9 + description: The disclosures required under paragraph 7 shall include how the + undertaking establishes, develops, promotes and evaluates its corporate culture. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + ref_id: G1-1-10 + description: "The disclosures in paragraph 7 shall cover the following aspects\ + \ related to the undertaking\u2019s policies on business conduct matters:" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.a + description: a description of the mechanisms for identifying, reporting and + investigating concerns about unlawful behaviour or behaviour in contradiction + of its code of conduct or similar internal rules; and whether it accommodates + reporting from internal and/or external stakeholders; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.b + description: where the undertaking has no policies on anti-corruption or anti- + bribery consistent with the United Nations Convention against Corruption ( + 128 ), it shall state this and whether it has plans to implement them and + the timetable for implementation; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.c + description: 'how the undertaking protects whistleblowers, including:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.c.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.c + ref_id: G1-1-10.c.i + description: details on the establishment of internal whistleblower reporting + channels, including whether the undertaking provides for information and training + to its own workers and information about the designation and training of staff + receiving reports; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.c.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.c + ref_id: G1-1-10.c.ii + description: measures to protect against retaliation its own workers who are + whistleblowers in accordance with the applicable law transposing Directive + (EU) 2019/1937 of the European Parliament and of the Council ( 129 ); + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.d + description: where the undertaking has no policies on the protection of whistle- + blowers ( 130 ), it shall state this and whether it has plans to implement + them and the timetable for implementation; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.e + description: beyond the procedures to follow-up on reports by whistleblowers + in accordance with the applicable law transposing Directive (EU) 2019/1937, + whether the undertaking has procedures to investigate business conduct incidents, + including incidents of corruption and bribery, promptly, independently and + objectively; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.f + description: where applicable, whether the undertaking has in place policies + with respect to animal welfare; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.g + description: "the undertaking\u2019s policy for training within the organisation\ + \ on business conduct, including target audience, frequency and depth of coverage;\ + \ and" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10.h + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-10 + ref_id: G1-1-10.h + description: the functions within the undertaking that are most at risk in respect + of corruption and bribery. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1 + ref_id: G1-1-11 + description: Undertakings that are subject to legal requirements under national + law transposing Directive (EU) 2019/1937, or to equivalent legal requirements + with regard to the protection of whistle-blowers, may comply with the disclosure + specified in paragraph 10 (d) by stating that they are subject to those legal + requirements. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1010 + ref_id: G1-2 + name: Disclosure Requirement G1-2 + description: Management of relationships with suppliers + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2 + ref_id: G1-2.12 + description: The undertaking shall provide information about the management + of its relationships with its suppliers and its impacts on its supply chain. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2 + ref_id: G1-2.13 + description: "The objective of this Disclosure Requirement is to provide an\ + \ understanding of the undertaking\u2019s management of its procurement process\ + \ including fair behaviour with suppliers." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2 + ref_id: G1-2.14 + description: The undertaking shall provide a description of its policy to prevent + late payments, specifically to SMEs. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2 + ref_id: G1-2.15 + description: 'The disclosure required under paragraph 12 shall include the following + information:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.15.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.15 + ref_id: G1-2.15.a + description: "the undertaking\u2019s approach to its relationships with its\ + \ suppliers, taking account of risks to the undertaking related to its supply\ + \ chain and of impacts on sustainability matters; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.15.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2.15 + ref_id: G1-2.15.b + description: whether and how it takes into account social and environmental + criteria for the selection of its suppliers. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1010 + ref_id: G1-3 + name: Disclosure Requirement G1-3 + description: Prevention and detection of corruption and bribery + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-16 + description: The undertaking shall provide information about its system to prevent + and detect, investigate, and respond to allegations or incidents relating + to corruption and bribery including the related training. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-17 + description: The objective of this Disclosure Requirement is to provide transparency + on the key procedures of the undertaking to prevent, detect, and address allegations + about corruption and bribery. This includes the training provided to own workers + and/or information provided internally or to suppliers. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-18 + description: 'The disclosure required under paragraph 16 shall include the following + information:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18 + ref_id: G1-3-18.a + description: a description of the procedures in place to prevent, detect, and + address allegations or incidents of corruption and bribery; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18 + ref_id: G1-3-18.b + description: whether the investigators or investigating committee are separate + from the chain of management involved in the matter; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-18 + ref_id: G1-3-18.c + description: the process, if any, to report outcomes to the administrative, + management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-19 + description: Where the undertaking has no such procedures in place, it shall + disclose this fact and, where applicable, its plans to adopt them. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-20 + description: The disclosures required by paragraph 16 shall include information + about how the undertaking communicates its policies to those for whom they + are relevant to ensure that the policy is accessible and that they understand + its implications. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3 + ref_id: G1-3-21 + description: 'The disclosure required by paragraph 16 shall include information + about the following with respect to training:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21 + ref_id: G1-3-21.a + description: the nature, scope and depth of anti-corruption and anti-bribery + training programmes offered or required by the undertaking; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21 + ref_id: G1-3-21.b + description: the percentage of functions-at-risk covered by training programmes; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-21 + ref_id: G1-3-21.c + description: the extent to which training is given to members of the administrative, + management and supervisory bodies. + - urn: urn:intuitem:risk:req_node:esrs_p3:node1049 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1004 + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1049 + ref_id: G1-4 + name: 'Disclosure Requirement G1-4 ' + description: Incidents of corruption or bribery + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + ref_id: G1-4-22 + description: The undertaking shall provide information on incidents of corruption + or bribery during the reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + ref_id: G1-4-23 + description: The objective of this Disclosure Requirement is to provide transparency + on the incidents relating to corruption or bribery during the reporting period + and the related outcomes. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + ref_id: G1-4-24 + description: 'The undertaking shall disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-24.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-24 + ref_id: G1-4-24.a + description: the number of convictions and the amount of fines for violation + of anti-corruption and anti- bribery laws ( 131 ); and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-24.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-24 + ref_id: G1-4-24.b + description: any actions taken to address breaches in procedures and standards + of anti-corruption and anti-bribery ( 132 ). + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + ref_id: G1-4-25 + description: 'The undertaking may disclose:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25 + ref_id: G1-4-25.a + description: the total number and nature of confirmed incidents of corruption + or bribery; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25 + ref_id: G1-4-25.b + description: the number of confirmed incidents in which own workers were dismissed + or disciplined for corruption or bribery-related incidents; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25 + ref_id: G1-4-25.c + description: the number of confirmed incidents relating to contracts with business + partners that were terminated or not renewed due to violations related to + corruption or bribery; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-25 + ref_id: G1-4-25.d + description: details of public legal cases regarding corruption or bribery brought + against the undertaking and its own workers during the reporting period and + the outcomes of such cases. This includes cases that were initiated in previous + years where the outcome was only established in the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-4-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-4 + ref_id: G1-4-26 + description: The disclosures required shall include incidents involving actors + in its value chain only where the undertaking or its employees are directly + involved. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1049 + ref_id: G1-5 + name: Disclosure Requirement G1-5 + description: Political influence and lobbying activities + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5 + ref_id: G1-5-27 + description: The undertaking shall provide information on the activities and + commitments related to exerting its political influence, including its lobbying + activities related to its material impacts, risks and opportunities. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5 + ref_id: G1-5-28 + description: "The objective of this Disclosure Requirement is to provide transparency\ + \ on the undertaking\u2019s activities and commitments related to exerting\ + \ its political influence with political contributions, including the types\ + \ and purpose of lobbying activities." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5 + ref_id: G1-5-29 + description: 'The disclosure required by paragraph 27 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29 + ref_id: G1-5-29.a + description: if applicable, the representative(s) responsible in the administrative, + management and supervisory bodies for the oversight of these activities; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29 + ref_id: G1-5-29.b + description: 'for financial or in-kind political contributions:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.b.i + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.b + ref_id: G1-5-29.b.i + description: the total monetary value of financial and in-kind political contributions + made directly and indirectly by the undertaking aggregated by country or geographical + area where relevant, as well as type of recipient/beneficiary; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.b.ii + assessable: true + depth: 8 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.b + ref_id: G1-5-29.b.ii + description: where appropriate, how the monetary value of in-kind contributions + is estimated. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29 + ref_id: G1-5-29.c + description: "the main topics covered by its lobbying activities and the undertaking\u2019\ + s main positions on these in brief. This shall include explanations on how\ + \ this interacts with its material impacts, risks and opportu" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-29 + ref_id: G1-5-29.d + description: if the undertaking is registered in the EU Transparency Register + or in an equivalent transparency register in a Member State, the name of any + such register and its identification number in the register. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5 + ref_id: G1-5-30 + description: The disclosure shall also include information about the appointment + of any members of the administrative, management and supervisory bodies who + held a comparable position in public administration (including regulators) + in the 2 years preceding such appointment in the current reporting period. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1049 + ref_id: G1-6 + name: 'Disclosure Requirement G1-6 ' + description: Payment practices + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6 + ref_id: G1-6-31 + description: The undertaking shall provide information on its payment practices, + especially with respect to late payments to small and medium enterprises (SMEs). + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6 + ref_id: G1-6-32 + description: The objective of this Disclosure Requirement is to provide insights + on the contractual payment terms and on its performance with regard to payment, + especially as to how these impact SMEs and specifically with respect to late + payments to SMEs. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6 + ref_id: G1-6-33 + description: 'The disclosure under paragraph 31 shall include:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33 + ref_id: G1-6-33.a + description: the average time the undertaking takes to pay an invoice from the + date when the contractual or statutory term of payment starts to be calculated, + in number of days; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33 + ref_id: G1-6-33.b + description: "a description of the undertaking\u2019s standard payment terms\ + \ in number of days by main category of suppliers and the percentage of its\ + \ payments aligned with these standard terms;" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33 + ref_id: G1-6-33.c + description: the number of legal proceedings currently outstanding for late + payments; and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-33 + ref_id: G1-6-33.d + description: complementary information necessary to provide sufficient context. + If the undertaking has used representative sampling to calculate the information + required under point (a), it shall state that fact and briefly describe the + methodology used. + - urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1-appendix-a + assessable: false + depth: 1 + ref_id: ESRS G1-Appendix A + name: Application Requirements + - urn: urn:intuitem:risk:req_node:esrs_p3:node1082 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1-appendix-a + name: Impact, risk and opportunity management + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1082 + ref_id: G1-1 AR + name: Disclosure Requirement G1-1 + description: Business conduct policies and corporate culture + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar + ref_id: G1-1 AR 1 + description: 'The undertaking may consider the following aspects when determining + its disclosure under paragraph 7:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1 + ref_id: G1-1 AR 1.a + description: the aspects of corporate culture that are taken into consideration + and discussed by the administrative, management and supervisory bodies and + with which frequency; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1 + ref_id: G1-1 AR 1.b + description: the principal themes that are promoted and communicated as part + of the corporate culture; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1 + ref_id: G1-1 AR 1.c + description: "how the members of the undertaking\u2019s administrative, management\ + \ and supervisory bodies provide direction to promote a corporate culture;\ + \ and" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-1-ar-1 + ref_id: G1-1 AR 1.d + description: specific incentives or tools for its own workers to foster and + encourage its corporate culture. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1082 + ref_id: G1-2 AR + name: Disclosure Requirement G1-2 + description: Management of relationships with suppliers + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar + ref_id: G1-2 AR 2 + description: "For purposes of this standard, management of relationships with\ + \ the undertaking\u2019s suppliers may include the following:" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.a + description: "how the undertaking\u2019s practices, including activities to\ + \ avoid or minimise the impacts of disruptions to its supply chain, support\ + \ its strategy and risk management;" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.b + description: "training of the undertaking\u2019s procurement/supply chain workforce\ + \ on engagement and dialogue with suppliers as well as incentives of its procurement\ + \ workforce including whether such incentives refer to price, quality or sustainability\ + \ factors;" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.c + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.c + description: the screening and evaluation of social and environmental performance + of suppliers; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.d + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.d + description: the inclusion of locally based suppliers in its supply chain and/or + suppliers with certification; + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.e + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.e + description: "how the undertaking\u2019s practices deal with vulnerable suppliers;" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.f + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.f + description: "the undertaking\u2019s targets and actions with regard to communication\ + \ and management of relationships with suppliers; and" + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2.g + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-2 + ref_id: G1-2 AR 2.g + description: how the outcomes of these practices are evaluated, including supplier + visits, audits or surveys. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar-3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-2-ar + ref_id: G1-2 AR 3 + description: "Vulnerable suppliers\u2019 includes suppliers that are exposed\ + \ to significant economic, environmental and/or social risks." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1082 + ref_id: G1-3 AR + name: Disclosure Requirement G1-3 + description: Prevention and detection of corruption and bribery + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar-4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + ref_id: G1-3 AR 4 + description: "\u2018Functions-at-risk \u2019 means those functions deemed to\ + \ be at risk of corruption and bribery as a result of its tasks and responsibilities." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + ref_id: G1-3 AR 5 + description: Disclosures may include details about the risk assessments and/or + mapping, as well as monitoring programmes and/or internal control procedures + performed by the undertaking to detect corruption and bribery. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + ref_id: G1-3 AR 6 + description: "The undertaking\u2019s policies on corruption and bribery may\ + \ be relevant to specific groups of people, either because they are expected\ + \ to implement them (for example, the undertaking\u2019s employees, contractors\ + \ and suppliers), or because they have a direct interest in their implementation\ + \ (for example, value chain workers, investors). The undertaking may disclose\ + \ the communication tools and channels (e.g., flyers, newsletters, dedicated\ + \ websites, social media, face to face interactions, unions and/or workers\ + \ representatives) to communicate policies to such groups. This may also include\ + \ the identification and/or removal of potential barriers to dissemination,\ + \ such as through translation into relevant languages or the use of graphic\ + \ depictions." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + ref_id: G1-3 AR 7 + description: The undertaking may disclose an analysis of its training activities + by, for example, region of training or category of own workforce where its + programmes differ significantly based on such factors and such information + would be useful to users. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-3-ar + ref_id: G1-3 AR 8 + description: 'The undertaking may present the required information about training + using the following table: Anti-corruption and bribery training illustrative + example' + - urn: urn:intuitem:risk:req_node:esrs_p3:node1105 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:esrs-g1-appendix-a + name: Metrics and targets + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1105 + ref_id: G1-5 AR + name: Disclosure Requirement G1-5 + description: Political influence and lobbying activities + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-9 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 9 + description: "For purposes of this Standard \u2018political contribution\u2019\ + \ means financial or in-kind support provided directly to political parties,\ + \ their elected representatives or persons seeking political office. Financial\ + \ contributions can include donations, loans, sponsorships, advance payments\ + \ for services, or the purchase of tickets for fundraising events and other\ + \ similar practices. In-kind contributions can include advertising, use of\ + \ facilities, design and printing, donation of equipment, provision of board\ + \ membership, employment or consultancy work for elected politicians or candidates\ + \ for office." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-10 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 10 + description: "\u2018Indirect political contribution\u2019 refers to those political\ + \ contributions made through an intermediary organisation such as a lobbyist\ + \ or charity, or support given to an organisation such as a think tank or\ + \ trade association linked to or supporting particular political parties or\ + \ causes." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 11 + description: "When determining \u2018comparable position\u2019 in this standard,\ + \ the undertaking shall consider various factors, including level of responsibility\ + \ and scope of activities undertaken." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 12 + description: 'The undertaking may provide the following information on its financial + or in-kind contributions with regard to its lobbying expenses:' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-12.a + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-12 + ref_id: G1-5 AR 12.a + description: the total monetary amount of such internal and external expenses; + and + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-12.b + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-12 + ref_id: G1-5 AR 12.b + description: the total amount paid for membership to lobbying associations. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 13 + description: If the undertaking is legally obliged to be a member of a chamber + of commerce or other organisation that represents its interests, it may disclose + that this is the case. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 14 + description: In meeting the requirement in paragraph 29(c) the undertaking shall + consider the alignment between its public statements on its material impacts, + risks and opportunities and its lobbying activities. + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar-15 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-5-ar + ref_id: G1-5 AR 15 + description: 'An example of what such disclosures could look like: Political + engagement (including lobbying activities) illustrative example' + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-ar + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:node1105 + ref_id: G1-6 AR + name: Disclosure Requirement G1-6 + description: Payment practices + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-ar-16 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-ar + ref_id: G1-6 AR 16 + description: "In some cases, the undertaking\u2019s standard contractual payment\ + \ terms may differ significantly depending on country or type of supplier.\ + \ In such cases, information about the standard terms per main categories\ + \ of suppliers or country or geographical region could be examples of additional\ + \ contextual information to explain the disclosures in paragraph 33(b)." + - urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-ar-17 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:esrs_p3:g1-6-ar + ref_id: G1-6 AR 17 + description: "An example of what the description of standard contract term disclosures\ + \ in paragraph 33(b) could look like: ABC\u2019s standard contract payment\ + \ terms are payment on receipt of invoice for wholesalers which encompass\ + \ approximately 80% of its annual invoices by value. It pays for services\ + \ received within 30 days after receipt of the invoice which are about 5%\ + \ of its annual invoices. The remainder of its invoices are paid within 60\ + \ days of receipt except for those in country X which in accordance with the\ + \ marketplace standards are paid within 90 days of receipt." diff --git a/backend/library/libraries/ict-minimal.yaml b/backend/library/libraries/ict-minimal.yaml new file mode 100644 index 000000000..765b230a6 --- /dev/null +++ b/backend/library/libraries/ict-minimal.yaml @@ -0,0 +1,3059 @@ +urn: urn:intuitem:risk:library:ict-minimal +locale: en +ref_id: ict-minimal +name: ICT - Minimum standard +description: Minimum standard for improving ICT resilience - Version may 2023 +copyright: Creative Commons BY. +version: '1' +provider: Swiss FONES +packager: intuitem +translations: + de: + name: IKT - Minimalstandard + description: 'Minimal standard zur Verbesserung der IKT-Resilienz - ' + fr: + name: Norme minimale TIC + description: "Norme minimale pour am\xE9liorer la r\xE9silience - version mai\ + \ 2023" + it: + name: Standard minimo TIC + description: Standard minimo per migliorare la resilienza delle TIC +objects: + framework: + urn: urn:intuitem:risk:framework:ict-minimal + ref_id: ict-minimal + name: ICT - Minimum standard + description: Minimum standard for improving ICT resilience - Version may 2023 + translations: + de: + name: IKT - Minimalstandard + description: Minimal standard zur Verbesserung der IKT-Resilienz + fr: + name: Norme minimale TIC + description: "Norme minimale pour am\xE9liorer la r\xE9silience - version\ + \ mai 2023" + it: + name: Standard minimo TIC + description: Standard minimo per migliorare la resilienza delle TIC + min_score: 0 + max_score: 4 + scores_definition: + - score: 0 + name: not implemented + description: null + translations: + de: + name: Nicht umgesetzt + description: null + fr: + name: Pas mis en oeuvre + description: null + it: + name: non attuata + description: null + - score: 1 + name: Partial + description: null + translations: + de: + name: "Partiell umgesetzt, nicht vollst\xE4ndig definiert und abgenommen" + description: null + fr: + name: "partiellement mis en oeuvre, pas enti\xE8rement d\xE9fini ni valid\xE9" + description: null + it: + name: parzialmente attuata, non definita e approvata completamente + description: null + - score: 2 + name: Risk informed + description: null + translations: + de: + name: "Partiell umgesetzt, vollst\xE4ndig definiert und abgenommen" + description: null + fr: + name: "partiellement mis en oeuvre, enti\xE8rement d\xE9fini et accept\xE9" + description: null + it: + name: parzialmente attuata, definita e approvata completamente + description: null + - score: 3 + name: Repeatable + description: null + translations: + de: + name: "Umgesetzt, vollst\xE4ndig oder gr\xF6sstenteils umgesetzt, statisch" + description: null + fr: + name: "enti\xE8rement ou tr\xE8s largement mis en oeuvre, d\xE9finitif (\"\ + statique\")" + description: null + it: + name: attuata, completamente o in gran parte attuata, statica + description: null + - score: 4 + name: Adaptive + description: null + translations: + de: + name: "Dynamisch, umgesetzt, kontinuierlich \xFCberpr\xFCft, verbessert" + description: null + fr: + name: "mis en oeuvre dynamiquement, contr\xF4l\xE9 et am\xE9lior\xE9 en\ + \ permanence" + description: null + it: + name: dinamica, attuata, verificata costantemente, migliorata + description: null + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ict-minimal:id + assessable: false + depth: 1 + ref_id: ID + name: Identify + translations: + de: + name: Identifizieren (ID-Identify) + description: null + fr: + name: Identifier (ID-Identify) + description: null + it: + name: Identificare (ID-Identify) + description: null + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.AM + name: 'Asset Management ' + description: "The data, personnel, devices, systems, and facilities that enable\ + \ the organization to achieve business purposes are identified and managed\ + \ consistent with their relative importance to business objectives and the\ + \ organization\u2019s risk strategy." + translations: + de: + name: Inventar Management (Assest Management ID.AM) + description: "Die Daten, Personen, Ger\xE4te, Systeme und Anlagen, einer\ + \ Organisation sind in einer Art und Weise identifiziert, katalogisiert\ + \ und bewertet, die ihrer Kritikalit\xE4t hinsichtlich der zu erf\xFC\ + llenden Gesch\xE4ftsprozesse, sowie der Risikostrategie der Organisation\ + \ entspricht." + fr: + name: Inventaire et organisation (Asset Management ID.AM) + description: "Les donn\xE9es, les personnes, les appareils, les syst\xE8\ + mes et les installations d\u2019une entreprise sont identifi\xE9s, catalogu\xE9\ + s et \xE9valu\xE9s. L\u2019\xE9valuation se fait en fonction de leur criticit\xE9\ + \ pour les processus op\xE9rationnels \xE0 mettre en place et de la strat\xE9\ + gie de l\u2019entreprise en mati\xE8re de risque." + it: + name: "Gestione dell\u2019inventario (Asset Management ID:AM): " + description: "Dati, persone, apparecchi, sistemi e impianti di un organismo\ + \ o di un\u2019impresa sono identificati, catalogati e valutati. La valutazione\ + \ deve corrispondere alla loro criticit\xE0 in relazione alle procedure\ + \ operative da attuare e alla strategia di rischio adottata." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-1 + description: Draw up an inventory-taking process which ensures that you have + a complete inventory of all your ICT assets at all times. + translations: + de: + name: null + description: "Erarbeiten Sie einen Inventarisierungsprozess welcher sicherstellt,\ + \ dass zu jedem Zeitpunkt ein vollst\xE4ndiges Inventar Ihrer IKT-Betriebsmittel\ + \ (Assets) vorhanden ist." + fr: + name: null + description: "D\xE9veloppez un processus d\u2019inventaire garantissant\ + \ en permanence un recensement exhaustif de vos \xE9quipements TIC (Asset)." + it: + name: null + description: Definite una procedura che garantisca la costante presenza + di un inventario completo dei vostri strumenti operativi TIC (asset). + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-2 + description: Produce an inventory of all of the software platforms/licences + and applications within your organisation. + translations: + de: + name: null + description: Inventarisieren Sie all ihre Softwareplattformen / -Lizenzen + und Applikationen innerhalb Ihrer Organisation. + fr: + name: null + description: Inventoriez toutes les plateformes, licences et applications + logicielles dans votre entreprise. + it: + name: null + description: "Inventariate tutte le piattaforme/licenze e applicazioni di\ + \ software all\u2019interno dell\u2019organismo." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-3 + description: Catalogue all of your internal communication and data flows. + translations: + de: + name: null + description: "Organisatorische Kommunikation und Datenfl\xFCsse werden abgebildet." + fr: + name: null + description: "Listez tous les flux de communication et de transferts de\ + \ donn\xE9es en interne." + it: + name: null + description: Catalogate tutti i flussi di comunicazione e di dati interni. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-4 + description: Catalogue all external ICT systems that are relevant to your organisation. + translations: + de: + name: null + description: Externe Informationssysteme werden katalogisiert. + fr: + name: null + description: "Listez tous les syst\xE8mes TIC externes cruciaux pour votre\ + \ entreprise." + it: + name: null + description: Catalogate tutti i sistemi TIC esterni pertinenti per il vostro + organismo o la vostra impresa. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-5 + description: Resources (e.g., hardware, devices, data, time, personnel, and + software) are prioritized based on their classification, criticality, and + business value + translations: + de: + name: null + description: "Ressourcen (z. B. Hardware, Ger\xE4te, Daten, Zeit, Personal\ + \ und Software) werden basierend auf ihrer Klassifizierung, Kritikalit\xE4\ + t und ihrem Gesch\xE4ftswert priorisiert." + fr: + name: null + description: "Les ressources (par exemple, le hardware, les \xE9quipements,\ + \ les donn\xE9es, le temps, le personnel et les softwares) sont class\xE9\ + es par ordre de priorit\xE9 en fonction de leur classification, de leur\ + \ criticit\xE9 et de leur valeur pour l'entreprise" + it: + name: null + description: "Le risorse (ad esempio, hardware, dispositivi, dati, tempo,\ + \ personale e software) vengono classificate in base alla loro classificazione,\ + \ criticit\xE0 e valore aziendale." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.am-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.am + ref_id: ID.AM-6 + description: Cybersecurity roles and responsibilities for the entire workforce + and third-party stakeholders (e.g., suppliers, customers, partners) are established. + translations: + de: + name: null + description: "Cybersecurity-Rollen und -Verantwortlich-keiten f\xFCr die\ + \ gesamte Belegschaft und externe Stakeholder (z. B. Lieferanten, Kunden,\ + \ Partner) sind festgelegt." + fr: + name: null + description: "Les r\xF4les et responsabilit\xE9s de l\u2019ensemble du personnel\ + \ et des parties prenantes externes (p.ex. Fournisseurs, clients, partenaires)\ + \ sont \xE9tablies." + it: + name: null + description: "Vengono stabiliti i ruoli e le responsabilit\xE0 in materia\ + \ di cybersecurity per l'intera forza lavoro e per gli stakeholder terzi\ + \ (ad esempio, fornitori, clienti, partner)." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.BE + name: 'Business Environment ' + description: "The business\u2019s objectives, tasks and activities are rated\ + \ and prioritised. This information is used as a basis for allocating responsibilities" + translations: + de: + name: "Gesch\xE4ftsumfeld (Business Environment ID.BE)" + description: "Die Ziele, Aufgaben und Aktivit\xE4ten des Unternehmens sind\ + \ priorisiert und bewertet. Diese Informationen dienen als Grundlage f\xFC\ + r die Zuweisung der Verantwortlichkeiten hinsichtlich Cybersicherheit\ + \ und Risikomanagement." + fr: + name: "Environnement de l\u2019entreprise (Business Environment ID.BE) " + description: "Les objectifs, les t\xE2ches et les activit\xE9s de l\u2019\ + entreprise sont hi\xE9rarchis\xE9s et \xE9valu\xE9s. Cette information\ + \ sert \xE0 r\xE9partir les responsabilit\xE9s." + it: + name: Ambiente operativo (Business environment ID.BE) + description: "Obiettivi, mansioni e attivit\xE0 dell\u2019impresa sono definiti\ + \ in ordine di priorit\xE0 e valutati. Queste informazioni servono da\ + \ riferimento per l\u2019attribuzione delle responsabilit\xE0." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.be + ref_id: ID.BE-1 + description: Identify, document and communicate the exact role of your business + within the (critical) supply chain. + translations: + de: + name: null + description: Die Rolle Ihres Unternehmens innerhalb der (kritischen) Versorgungskette + ist identifiziert, dokumentiert und kommuniziert. + fr: + name: null + description: "D\xE9finissez, documentez et communiquez le r\xF4le exact\ + \ de votre entreprise dans la cha\xEEned\u2019approvisionnement (critique)." + it: + name: null + description: "Identificate, documentate e comunicate il ruolo esatto del\ + \ vostro organismo o della vostra impresa all\u2019interno della catena\ + \ di approvvigionamento (critica)." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.be + ref_id: ID.BE-2 + description: The importance of the organisation as a critical infrastructure + operator, and its position within the critical sector, is identified and communicated. + translations: + de: + name: null + description: Die Bedeutung der Organisation als kritische Infrastruktur + und ihre Position innerhalb des kritischen Sektors ist identifiziert und + kommuniziert. + fr: + name: null + description: "Identifiez et communiquez l\u2019importance de votre entreprise\ + \ en tant qu\u2019infrastructure vitale et sa position dans le secteur\ + \ critique." + it: + name: null + description: "Il significato dell\u2019organismo o dell\u2019impresa come\ + \ infrastrutture critiche e la loro posizione all\u2019interno del settore\ + \ sono identificati e comunicati." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.be + ref_id: ID.BE-3 + description: Objectives, tasks and activities within the organisation are prioritised + and rated. + translations: + de: + name: null + description: "Die Ziele, Aufgaben und Aktivit\xE4ten innerhalb der Organisation\ + \ sind bewertet und priorisiert." + fr: + name: null + description: "Evaluez et hi\xE9rarchisez les objectifs, les t\xE2ches et\ + \ les activit\xE9s dans l\u2019entreprise." + it: + name: null + description: "Obiettivi, mansioni e attivit\xE0 all\u2019interno dell\u2019\ + impresa sono definiti in ordine di priorit\xE0 e valutati." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.be + ref_id: ID.BE-4 + description: Dependencies and critical functions for delivery of critical services + are established. + translations: + de: + name: null + description: "Abh\xE4ngigkeiten und kritische Funktionen f\xFCr die Bereitstellung\ + \ kritischer Dienste sind festgelegt." + fr: + name: null + description: "Les d\xE9pendances et les fonctions critiques pour la fourniture\ + \ de services critiques sont \xE9tablies." + it: + name: null + description: Catalogate tutti i sistemi TIC esterni pertinenti per il vostro + organismo o la vostra impresa. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.be-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.be + ref_id: ID.BE-5 + description: Resilience requirements to support delivery of critical services + are established for all operating states (e.g. under duress/attack, during + recovery, normal operations). + translations: + de: + name: null + description: "F\xFCr alle Betriebszust\xE4nde (z. B. unter Zwang/Angriff,\ + \ w\xE4hrend der Wiederherstellung, im Normalbetrieb) sind die Anforderungen\ + \ an die Widerstandsf\xE4higkeit zur Unterst\xFCtzung der Erbringung kritischer\ + \ Dienste festgelegt." + fr: + name: null + description: "Pour toutes les circonstances (p.ex. en cas d\u2019attaque/contrainte,\ + \ pendant la recuperation, en fonctionnement normal) sont \xE9tablies\ + \ des exigences de resilience pour la fourniture de services critiques." + it: + name: null + description: I requisiti di resilienza per supportare l'erogazione dei servizi + critici sono stabiliti per tutti gli stati operativi (ad esempio, in caso + di stress/attacco, durante il recupero, durante le normali operazioni). + - urn: urn:intuitem:risk:req_node:ict-minimal:id.gv + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.GV + name: 'Governance ' + description: Governance determines responsibilities, monitors, and ensures compliance + with regulatory, legal and operational requirements from the business environment. + translations: + de: + name: 'Governance (Governance ID.GV):' + description: "Die Governance bildet den Ordnungsrahmen f\xFCr die Leitung\ + \ und \xDCberwachung der Cybersicherheit. Sie setzt sich zusammen aus\ + \ ihren Weisungen, Abl\xE4ufen und Prozessen. Sie regelt Zust\xE4ndigkeiten,\ + \ \xFCberwacht und stellt sicher, dass regulatorische und rechtliche Anforderungen\ + \ aus dem Gesch\xE4ftsumfeld sowie operationelle Anforderungen richtig\ + \ verstanden werden und informiert das Management entsprechend." + fr: + name: "R\xE8gles (Governance ID.GV)" + description: "Une bonne gouvernance fixe les responsabilit\xE9s, surveille\ + \ et s\u2019assure que les exigences r\xE9glementaires, juridiques et\ + \ op\xE9rationnelles soient respect\xE9es dans la sph\xE8re d\u2019activit\xE9\ + ." + it: + name: Direttive (Governance ID.GV) + description: "La governance regola competenze e controlla e garantisce il\ + \ rispetto dei requisiti regolatori, giuridici e operazionali dell\u2019\ + ambiente operativo." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.gv-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.gv + ref_id: ID.GV-1 + description: Organizational cybersecurity policy is established and communicated + translations: + de: + name: null + description: Vorgaben zur Informationssicherheit sind im Unternehmen festgelegt + und kommuniziert. + fr: + name: null + description: "Des directives sur la s\xE9curit\xE9 de l\u2019information\ + \ sont \xE9tablies et communiqu\xE9es dans l\u2019entreprise." + it: + name: null + description: La politica di cybersecurity dell'organizzazione viene stabilita + e comunicata. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.gv-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.gv + ref_id: ID.GV-2 + description: Information security roles and responsibilities are coordinated + with internal roles (e.g. those in risk management) and external partners. + translations: + de: + name: null + description: Rollen und Verantwortlichkeiten im Bereich der Informationssicherheit + sind mit internen Rollen (z.B. aus dem Riskmanagement) sowie externen + Partnern koordiniert. + fr: + name: null + description: "Convenir entre les responsables internes (gestion des risques\ + \ par ex.) et des partenaires externes, des r\xF4les et des responsabilit\xE9\ + s en mati\xE8re de s\xE9curit\xE9 informatique." + it: + name: null + description: "Ruoli e responsabilit\xE0 nel settore della sicurezza dell\u2019\ + informazione sono coordinati con i ruoli interni (p.es. della gestione\ + \ dei rischi) e con i partner esterni." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.gv-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.gv + ref_id: ID.GV-3 + description: Ensure that your organisation complies with all statutory and regulatory + cybersecurity requirements, including those applicable to data protection. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Ihre Organisation alle gesetzlichen\ + \ und regulatorischen Vorgaben im Bereich der Cybersecurity erf\xFCllt,\ + \ inkl. Vorgaben zum Datenschutz." + fr: + name: null + description: "V\xE9rifiez que votre entreprise respecte toutes les exigences\ + \ l\xE9gales et r\xE9glementaires en mati\xE8re de cybers\xE9curit\xE9\ + , y compris au niveau de la protection des donn\xE9es." + it: + name: null + description: Assicuratevi che il vostro organismo o la vostra impresa soddisfino + tutte le direttive legali e regolatorie nel settore della cybersicurezza, + incluse quelle che riguardano la protezione dei dati. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.gv-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.gv + ref_id: ID.GV-4 + description: Ensure that cybersecurity risks are embedded in business-wide risk + management structures. + translations: + de: + name: null + description: Stellen Sie sicher, dass Cyberrisiken Teil des unternehmensweiten + Risikomanagements sind. + fr: + name: null + description: "Assurez-vous que les cyber-risques sont bien int\xE9gr\xE9\ + s dans la gestion des risques pour toute l\u2019entreprise." + it: + name: null + description: "Assicuratevi che i cyberrischi siano parte della gestione\ + \ dei rischi a livello dell\u2019organismo o dell\u2019impresa." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.RA + name: 'Risk Assessment ' + description: The organisation understands the effects of cybersecurity risks + on business operations, assets and individuals, including reputational risks. + translations: + de: + name: 'Risikomanagement (Risk Assessment ID.RA):' + description: "Die Organisation kennt die Auswirkungen von Cybersicherheits-Risiken\ + \ auf die Gesch\xE4ftst\xE4tigkeit, auf Betriebsmittel und Individuen,\ + \ inklusive Reputationsrisiken." + fr: + name: Analyse de risque (Risk Assessment ID.RA) + description: "L\u2019entreprise analyse l\u2019impact des cyber-risques\ + \ sur ses activit\xE9s, ses \xE9quipements et son personnel, y compris\ + \ les risques r\xE9putationnels." + it: + name: Analisi dei rischi (Risk Assessment ID.RA) + description: "L\u2019organismo o l\u2019impresa conoscono le conseguenze\ + \ dei cyberrischi sull\u2019attivit\xE0, gli strumenti operativi e gli\ + \ individui, inclusi i rischi legati alla propria reputazione." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-1 + description: Identify the (technical) vulnerabilities of your assets, and document + them. + translations: + de: + name: null + description: Identifizieren Sie die (technischen) Verwundbarkeiten ihrer + Betriebsmittel und dokumentieren Sie diese. + fr: + name: null + description: "Identifiez les faiblesses (techniques) de vos \xE9quipements\ + \ et documentez-les." + it: + name: null + description: "Identificate le vulnerabilit\xE0 (tecniche) dei vostri strumenti\ + \ operativi e documentatele." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-2 + description: Share intelligence regularly in fora and other bodies to stay up + to date about cybersecurity threats. + translations: + de: + name: null + description: "Aktuelle Informationen \xFCber Cyber-Bedrohungen werden durch\ + \ regelm\xE4ssigen Austausch in Foren und Gremien erhalten." + fr: + name: null + description: "Participez \xE0 des forums et \xE0 des r\xE9unions d\u2019\ + experts pour \xE9changer des informations et \xEAtre au courant des cybermenaces." + it: + name: null + description: Scambiate regolarmente opinioni ed esperienze in forum e comitati + per ottenere informazioni aggiornate sulle cyberminacce. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-3 + description: Identify and document internal and external cybersecurity threats. + translations: + de: + name: null + description: Identifizieren und dokumentieren Sie interne und externe Cyberbedrohungen. + fr: + name: null + description: "Identifiez et documentez les cybermenaces, aussi bien internes\ + \ qu\u2019externes." + it: + name: null + description: Identificate e documentate cyberminacce interne ed esterne. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-4 + description: Identify the possible business impacts of cybersecurity threats, + and calculate the probability of their occurring. + translations: + de: + name: null + description: "Identifizieren Sie m\xF6gliche Auswirkungen der Cyber-Bedrohungen\ + \ auf die Gesch\xE4ftst\xE4tigkeit und bewerten Sie ihre Eintretenswahrscheinlichkeit." + fr: + name: null + description: "Identifiez l\u2019impact potentiel des cybermenaces sur vos\ + \ activit\xE9s et \xE9valuez leur probabilit\xE9 d\u2019occurrence." + it: + name: null + description: "Identificate possibili effetti delle cyberminacce sull\u2019\ + attivit\xE0 operativa e valutate le probabilit\xE0 che si verifichino." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-5 + description: Rate the risks to your organisation based on threats, vulnerabilities, + impacts (on business activity) and probabilities. + translations: + de: + name: null + description: "Bewerten Sie die Risiken f\xFCr Ihre Organisation, basierend\ + \ auf den Bedrohungen, Verwundbarkeiten, Auswirkungen (auf die Gesch\xE4\ + ftst\xE4tigkeit) und Eintretenswahrscheinlichkeiten." + fr: + name: null + description: "\xC9valuez les risques pour votre entreprise en fonction des\ + \ menaces, des vuln\xE9rabilit\xE9s, de l\u2019impact (sur ses activit\xE9\ + s) et de leur probabilit\xE9 d\u2019occurrence." + it: + name: null + description: "Valutate i rischi per il vostro organismo o la vostra impresa\ + \ basandovi su minacce, vulnerabilit\xE0, conseguenze (sull\u2019attivit\xE0\ + \ operativa) e probabilit\xE0 che si verifichino." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.ra-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.ra + ref_id: ID.RA-6 + description: Define possible immediate responses should a risk occur, and prioritise + these measures. + translations: + de: + name: null + description: "Definieren Sie m\xF6gliche Sofortmassnahmen bei Eintritt eines\ + \ Risikos und priorisieren Sie diese." + fr: + name: null + description: "D\xE9finissez les mesures \xE0 prendre imm\xE9diatement lorsqu\u2019\ + un risque se concr\xE9tise et fixez des priorit\xE9s." + it: + name: null + description: "Definite possibili misure immediate in presenza di un rischio\ + \ e classificatele secondo le priorit\xE0." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.RM + name: 'Risk Management Strategy ' + description: Determine the priorities, constraints and maximum risk tolerances + of your organisation. On this basis, assess your operational risks. + translations: + de: + name: 'Risikomanagement Strategie (Risk Management Strategy ID.RM):' + description: "Priorit\xE4ten, Einschr\xE4nkungen und maximal tragbare Risiken\ + \ der Organisation sind festgelegt. Diese Definitionen werden als Grundlage\ + \ zur Beurteilung operativer Risiken genutzt." + fr: + name: "Strat\xE9gie pour g\xE9rer les risques (Risk Management Strategy\ + \ ID.RM)" + description: "D\xE9finissez les priorit\xE9s, les restrictions et les risques\ + \ maximaux supportables pour votre entreprise. \xC9valuez vos risques\ + \ op\xE9rationnels sur cette base." + it: + name: Strategia di gestione dei rischi (Risk Management Strategy ID.RM) + description: "Definite priorit\xE0, limiti e rischi massimi ammissibili.\ + \ Valutate in base a questi elementi i rischi operativi." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.rm-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.rm + ref_id: ID.RM-1 + description: Establish risk management processes, manage them actively and have + them confirmed by the persons/stakeholders concerned. + translations: + de: + name: null + description: "Etablieren Sie Risikomanagementprozesse, managen Sie diese\ + \ aktiv und lassen Sie sich von den Beteiligten Personen / Anspruchsgruppen\ + \ best\xE4tigen." + fr: + name: null + description: "D\xE9finissez les processus de gestion des risques, g\xE9\ + rez-les activement et faites-les confirmer par les personnes impliqu\xE9\ + es ou les parties prenantes." + it: + name: null + description: Definite procedure di gestione dei rischi, applicatele e chiedete + riscontro alle persone/ai gruppi di riferimento coinvolti. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.rm-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.rm + ref_id: ID.RM-2 + description: "Define and communicate your organisation\u203As maximum risk tolerance." + translations: + de: + name: null + description: Definieren und kommunizieren Sie das maximal tragbare Risiko + Ihrer Organisation. + fr: + name: null + description: "D\xE9finissez et communiquez la tol\xE9rance maximale au risque\ + \ de pour votre entreprise." + it: + name: null + description: Definite e comunicate i rischi massimi ammissibili del vostro + organismo o della vostra impresa. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.rm-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.rm + ref_id: ID.RM-3 + description: "Ensure that maximum risk tolerance is calculated taking into account\ + \ your organisation\u2019s importance as an operator of a critical infrastructure.\ + \ This calculation should also be informed by sector-specific risk analyses." + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Definition des maximal tragbaren\ + \ Risikos unter der Ber\xFCcksichtigung der Bedeutung als kritischer Infrastruktur\ + \ und unter Einbezug von sektorspezifischen Risikoanalysen erstellt wurde." + fr: + name: null + description: "Assurez-vous que la tol\xE9rance maximale au risque est \xE9\ + valu\xE9e en prenant en compte l\u2019importance de votre entreprise du\ + \ fait qu\u2019elle exploite une infrastructure critique. Prenez \xE9\ + galement en consid\xE9ration, dans votre analyse, les risques propres\ + \ au secteur." + it: + name: null + description: "Assicuratevi che i rischi massimi ammissibili vengano valutati\ + \ considerando l\u2019importanza del vostro organismo o della vostra impresa\ + \ come gestori di un\u2019infrastruttura sensibile. Tenete conto anche\ + \ delle analisi dei rischi specifiche al settore." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id + ref_id: ID.SC + name: 'Supply Chain Riskmanagement ' + description: Determine priorities, constraints, and the maximum risks that your + organisation is willing to accept in connection with supplier-related risks. + translations: + de: + name: 'Lieferketten Risikomanagement ' + description: "(Supply Chain Riskmanagement ID.SC): Legen Sie die Priorit\xE4\ + ten, Einschr\xE4nkungen und maximalen Risiken fest, die Ihre Organisation\ + \ in Zusammenhang mit Lieferantenrisiken zu tragen gewillt ist. Verwenden\ + \ Sie die Definition der Lieferantenrisiken als Grundlage zur Beurteilung\ + \ operativer Risiken." + fr: + name: "Gestion des risques li\xE9s \xE0 la cha\xEEne d\u2019approvisionnement\ + \ (Supply Chain Riskmanagement ID.SC)" + description: "D\xE9finissez les priorit\xE9s, les restrictions et les risques\ + \ maximaux que votre entreprise peut accepter par rapport \xE0 ses fournisseurs." + it: + name: Gestione dei rischi della catena di fornitori + description: "(Supply Chain Riskmanagement ID.SC) Definite priorit\xE0,\ + \ limiti e rischi massimi che il vostro organismo o la vostra impresa\ + \ sono disposti ad assumere in relazione ai fornitori." + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + ref_id: ID.SC-1 + description: Establish clear procedures to manage supply chain risks. Have these + procedures reviewed and agreed by all of the stakeholders involved. + translations: + de: + name: null + description: "Prozesse f\xFCr das Risikomanagement in der Cyber-Supply-Chain\ + \ sind identifiziert, etabliert, bewertet, verwaltet und von den organisatorischen\ + \ Interessenvertretern vereinbart." + fr: + name: null + description: "D\xE9finissez des processus clairs pour g\xE9rer les risques\ + \ li\xE9s \xE0 une perturbation dans la cha\xEEne d\u2019approvisionnement.\ + \ Faites contr\xF4ler et valider ces processus par toutes les parties\ + \ prenantes." + it: + name: null + description: Definite procedure chiare per la gestione dei rischi relativi + ai fornitori. Fatele verificare da tutti i gruppi di riferimento e chiedete + il loro consenso. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + ref_id: ID.SC-2 + description: Suppliers and third party partners of information systems, components, + and services are identified, prioritized, and assessed using a cyber supply + chain risk assessment process. + translations: + de: + name: null + description: "Lieferanten und Drittpartner von Informationssystemen, Komponenten\ + \ und Dienstleistungen werden identifiziert, nach Priorit\xE4ten geordnet\ + \ und anhand eines Risikobewertungs-prozesses f\xFCr die CyberLieferkette\ + \ bewertet." + fr: + name: null + description: "Les fournisseurs et prestataires pour les syst\xE8mes d\u2019\ + information, composants et services sont identifi\xE9s, class\xE9s par\ + \ priorit\xE9 et \xE9valu\xE9s par un processus d\u2019\xE9valuation des\ + \ risques pour la cha\xEEne d\u2019approvisionnement cyber." + it: + name: null + description: I fornitori e i partner terzi di sistemi informativi, componenti + e servizi vengono identificati, classificati e valutati utilizzando un + processo di valutazione del rischio della catena di approvvigionamento + informatico. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + ref_id: ID.SC-3 + description: Place your suppliers and service-providers under a contractual + obligation to develop and implement appropriate measures to meet the objectives + and requirements of the supply chain risk management process. + translations: + de: + name: null + description: "Vertr\xE4ge mit Lieferanten und Drittparteien verpflichten\ + \ diese, Massnahmen, zur Erf\xFCllung der Ziele des Cybersicherheitsprogramms\ + \ und des Cyber-Lieferketten Risikomanagement Plans der Organisation umzusetzen\ + \ und einzuhalten." + fr: + name: null + description: "Exigez de vos fournisseurs et prestataires de services qu\u2019\ + ils s\u2019engagent contractuellement \xE0 d\xE9velopper et mettre en\ + \ \u0153uvre des mesures appropri\xE9es pour atteindre les objectifs du\ + \ processus pour g\xE9rer les risques li\xE9s \xE0 la cha\xEEne d\u2019\ + approvisionnement." + it: + name: null + description: Obbligate per contratto fornitori e operatori a sviluppare + e introdurre misure adeguate a rispettare obiettivi e direttive relativi + alla procedura di gestione dei rischi nella catena di fornitori. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + ref_id: ID.SC-4 + description: Establish a system of monitoring to ensure that all of your suppliers + and service-providers are fulfilling their obligations as required. Have this + confirmed on a regular basis by audit reports or technical test results. + translations: + de: + name: null + description: "Etablieren Sie ein Monitoring um sicherzustellen, dass all\ + \ Ihre Lieferanten und Dienstleister ihre Verpflichtungen gem\xE4ss den\ + \ Vorgaben erf\xFCllen. Lassen sie sich dies regelm\xE4ssig in Audit-Berichten\ + \ oder technische Pr\xFCfergebnissen best\xE4tigen." + fr: + name: null + description: "Faites un suivi syst\xE9matique pour vous assurer que tous\ + \ vos fournisseurs et prestataires de services remplissent leurs obligations\ + \ conform\xE9ment aux exigences. Faites-le v\xE9rifier r\xE9guli\xE8rement\ + \ par des rapports d\u2019audit ou par les r\xE9sultats des tests techniques." + it: + name: null + description: Create un sistema di monitoraggio per garantire che fornitori + e operatori si attengano ai loro obblighi secondo le direttive. Chiedete + regolarmente riscontro in sede di rapporti su audit o risultati di prove + tecniche. + - urn: urn:intuitem:risk:req_node:ict-minimal:id.sc-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:id.sc + ref_id: ID.SC-5 + description: Work with your suppliers and service-providers to define response + and recovery procedures following cybersecurity incidents. Conduct drills + to test these procedures. + translations: + de: + name: null + description: "Definieren Sie mit Ihren Lieferanten und Dienstleistern Reaktions-\ + \ und Widerherstellungsprozesse.Testen sie diese Prozesse in \xDCbungen." + fr: + name: null + description: "D\xE9finissez avec vos fournisseurs et prestataires les processus\ + \ pour r\xE9agir et r\xE9cup\xE9rer apr\xE8s des probl\xE8mes de cybers\xE9\ + curit\xE9. Validez ces processus par des simulations." + it: + name: null + description: Definite con fornitori e operatori procedure di reazione e + ripristino susseguenti a cybereventi. Verificatele in sede di test. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr + assessable: false + depth: 1 + ref_id: PR + name: Protect + translations: + de: + name: "Sch\xFCtzen (PR - Protect)" + description: null + fr: + name: "Prot\xE9ger (PR - Protect)" + description: null + it: + name: Proteggere (PR - Protect) + description: null + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.AC + name: 'Access Management ' + description: Ensure that physical and logical access to ICT assets and facilities + is restricted to authorised individuals, processes and devices, and that they + can be used only for permitted activities. + translations: + de: + name: "Identit\xE4tsmanagement, Authentifizierung und Zugriffsmanagement" + description: "(Identity Management, Authentication and Access Control PR.AC):\ + \ Stellen Sie sicher, dass der physische und logische Zugriff auf IKT-Betriebsmittel\ + \ und \u2013Anlagen nur f\xFCr autorisierte Personen, Prozesse und Ger\xE4\ + te m\xF6glich ist und dass der Zugriff nur f\xFCr als zul\xE4ssig definierte\ + \ Aktivit\xE4ten m\xF6glich ist. Dies wird in \xDCbereinstimmung mit dem\ + \ bewerteten Risiko eines unbefugten Zugangs zu autorisierten Aktivit\xE4\ + ten und Transaktionen verwaltet." + fr: + name: "Gestion des acc\xE8s (Access management PR.AC)" + description: "Veiller \xE0 ce que les acc\xE8s physique et logique aux \xE9\ + quipements et installations TIC ne soient possibles que pour les personnes,\ + \ processus et appareils autoris\xE9s et \xE0 ce que seules les activit\xE9\ + s pr\xE9vues soient permises." + it: + name: "Gestione dell\u2019inventario (Asset management PR.AC)" + description: "Assicuratevi che l\u2019accesso fisico e logico a strumenti\ + \ e impianti operativi TIC sia possibile solo a persone, procedure e apparecchi\ + \ autorizzati e unicamente per attivit\xE0 consentite." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-1 + description: Establish a clearly defined procedure for granting and managing + permissions and access data for users, devices and processes. + translations: + de: + name: null + description: "Etablieren Sie einen klar definierten Prozess zur Erteilung\ + \ und Verwaltung von Berechtigungen und Zugangsdaten f\xFCr Benutzer,\ + \ Ger\xE4te und Prozesse." + fr: + name: null + description: "D\xE9finissez un processus clair pour octroyer et g\xE9rer\ + \ les autorisations et les donn\xE9es d\u2019identification pour utilisateurs,\ + \ appareils/machines et processus." + it: + name: null + description: Definite una procedura chiaramente definita per attribuire + e gestire autorizzazioni e dati di accesso per utenti, apparecchi e procedure. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-2 + description: Ensure that only authorised individuals have physical access to + ICT assets. Take action (on building security, for example) to ensure that + ICT assets are protected from unauthorised physical access. + translations: + de: + name: null + description: "Stellen sie sicher, dass nur autorisierte Personen physischen\ + \ Zugriff auf die IKT-Betriebsmittel haben. Sorgen sie mit (baulichen)\ + \ Massnahmen daf\xFCr, dass die IKT-Betriebsmittel vor unautorisiertem\ + \ physischem Zugriff gesch\xFCtzt sind." + fr: + name: null + description: "Assurez-vous que seules les personnes autoris\xE9es ont physiquement\ + \ acc\xE8s aux \xE9quipements TIC. Prenez des mesures concr\xE8tes pour\ + \ garantir que les ressources TIC sont prot\xE9g\xE9es contre tout acc\xE8\ + s physique non autoris\xE9." + it: + name: null + description: Assicuratevi che unicamente persone autorizzate abbiano accesso + agli strumenti operativi TIC. Proteggete con misure (strutturali) gli + strumenti operativi TIC da accessi fisici non autorizzati. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-3 + description: Establish procedures by which to manage remote access. + translations: + de: + name: null + description: Etablieren Sie Prozesse zur Verwaltung der Fernzugriffe. + fr: + name: null + description: "D\xE9finissez les processus pour g\xE9rer les acc\xE8s \xE0\ + \ distance." + it: + name: null + description: Definite procedure per gestire gli accessi a distanza. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-4 + description: Define permission levels according to the principle of least privilege, + as well as separation of functions. + translations: + de: + name: null + description: "Definieren Sie Zugriffsberechtigungen und Autorisierungen\ + \ unter Ber\xFCcksichtigung der Grunds\xE4tze der geringsten Rechte und\ + \ der Aufgabentrennung." + fr: + name: null + description: "D\xE9finissez les niveaux d\u2019autorisation en \xE9tant\ + \ le plus restrictif possible (principe de moindre privil\xE8ge) et s\xE9\ + parez les fonctions." + it: + name: null + description: Definite livelli di autorizzazione secondo il principio del + privilegio minimo e della separazione delle funzioni. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-5 + description: Ensure that the integrity of your network is protected. Segregate + your network both logically and physically where necessary and sensible. + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Integrit\xE4t ihres Netzwerks\ + \ gesch\xFCtzt ist. Segmentieren und segregieren Sie Ihr Netzwerk logisch\ + \ und physisch, wo notwendig und sinnvoll." + fr: + name: null + description: "Contr\xF4lez que l\u2019int\xE9grit\xE9 de votre r\xE9seau\ + \ est prot\xE9g\xE9e. S\xE9parez votre r\xE9seau au niveau logique comme\ + \ physique, si c\u2019est n\xE9cessaire et judicieux.." + it: + name: null + description: "Assicuratevi che l\u2019integrit\xE0 della vostra rete sia\ + \ protetta. Separate la vostra rete sul piano fisico e logico qualora\ + \ utile e necessario." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-6 + description: Ensure that digital identities are allocated to unambiguously authenticated + individuals or processes. + translations: + de: + name: null + description: "Stellen Sie sicher, dass digitale Identit\xE4ten eindeutig\ + \ verifizierten Personen oder Prozessen zugeordnet sind." + fr: + name: null + description: "N\u2019attribuez des identit\xE9s num\xE9riques qu\u2019\xE0\ + \ des personnes ou \xE0 des processus que vous avez clairement identifi\xE9\ + s." + it: + name: null + description: "Assicuratevi che le identit\xE0 digitali siano attribuite\ + \ chiaramente a persone e procedure verificate." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ac + ref_id: PR.AC-7 + description: "Users, devices, and other assets are authenticated (e.g., single-factor,\ + \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)." + translations: + de: + name: null + description: "Die Authentifizierung von Benutzern, Ger\xE4ten und anderen\ + \ Verm\xF6genswerten (z. B. Ein-Faktor- oder Mehr-Faktor-Authentifizierung)\ + \ erfolgt entsprechend dem Risiko der Transaktion (z. B. Sicherheits-\ + \ und Datenschutzrisiken f\xFCr Einzelpersonen und andere Unternehmensrisiken)." + fr: + name: null + description: "L\u2018authentification d\u2018utilisateurs, appareils et\ + \ autres assets (p.ex. Authentification \xE0 un ou plusieurs facteurs)\ + \ est effectu\xE9e en fonction du risque de la transaction (p.ex. Risques\ + \ de s\xE9curit\xE9 ou protection des donn\xE9es pour des personnes et\ + \ autres risques d\u2018entreprise)." + it: + name: null + description: "Gli utenti, i dispositivi e le altre risorse sono autenticati\ + \ (ad esempio, a un solo fattore o a pi\xF9 fattori) in base al rischio\ + \ della transazione (ad esempio, i rischi per la sicurezza e la privacy\ + \ degli individui e altri rischi organizzativi)." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.AT + name: 'Awareness and Training ' + description: Ensure that your staff and external partners receive appropriate, + regular training on all cybersecurity matters. Ensure that your staff and + external partners perform their security-related tasks in accordance with + the related requirements and procedures. + translations: + de: + name: 'Awareness and Training (PR.AT):' + description: "Stellen Sie sicher, dass Ihre Mitarbeitenden und externen\ + \ Partner regelm\xE4ssig bez\xFCglich aller Belange der Cybersicherheit\ + \ geschult und ausgebildet werden. Stellen Sie sicher, dass Ihre Mitarbeitenden\ + \ und externen Partner ihre sicherheitsrelevanten Aufgaben gem\xE4ss den\ + \ zugeh\xF6rigen Vorgaben, Vereinbarungen und Prozessen ausf\xFChren." + fr: + name: Sensibilisation et formation (PR.AT) + description: "Assurez-vous que vos employ\xE9s et vos partenaires externes\ + \ sont correctement form\xE9s et conscients de tous les aspects de la\ + \ cybers\xE9curit\xE9. Veillez \xE0 ce qu\u2019ils ex\xE9cutent les t\xE2\ + ches impactant la s\xE9curit\xE9 conform\xE9ment aux exigences et aux\ + \ processus d\xE9finis." + it: + name: Sensibilizzazione e formazione (PR.AT) + description: Assicuratevi che il vostro personale e i partner esterni seguano + regolarmente una formazione su tutti gli aspetti legati alla cybersicurezza. + Assicuratevi che il vostro personale e i partner esterni svolgano le mansioni + pertinenti per la sicurezza secondo le relative procedure e direttive. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + ref_id: PR.AT-1 + description: Ensure that all members of staff are informed and trained on cybersecurity. + translations: + de: + name: null + description: "Stellen Sie sicher, dass alle Mitarbeitenden bez\xFCglich\ + \ Cybersecurity informiert und geschult sind." + fr: + name: null + description: "Veillez \xE0 ce que tous vos collaborateurs soient sensibilis\xE9\ + s et form\xE9s en mati\xE8re de cybers\xE9curit\xE9." + it: + name: null + description: Assicuratevi che tutto il personale sia informato e istruito + sulla cybersicurezza. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + ref_id: PR.AT-2 + description: Ensure that higher-level users are particularly aware of their + role and responsibility. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Anwender mit h\xF6heren Berechtigungsstufen\ + \ sich ihrer Rolle und Verantwortung besonders bewusst sind." + fr: + name: null + description: "Veillez \xE0 ce que les utilisateurs ayant des niveaux d\u2019\ + autorisation \xE9lev\xE9s soient conscients de leur r\xF4le et de leurs\ + \ responsabilit\xE9s." + it: + name: null + description: "Assicuratevi che gli utenti con livelli di autorizzazione\ + \ elevati siano consapevoli del loro ruolo e delle relative responsabilit\xE0\ + ." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + ref_id: PR.AT-3 + description: Ensure that all third-party stakeholders (suppliers, customers + and partners) are aware of their role and responsibility. + translations: + de: + name: null + description: Stellen Sie sicher, dass sich alle beteiligten Akteure ausserhalb + Ihres Unternehmens (Lieferanten, Kunden, Partner) ihrer Rolle und Verantwortung + bewusst sind. + fr: + name: null + description: "Veillez \xE0 ce que tous les acteurs ext\xE9rieurs \xE0 votre\ + \ entreprise (fournisseurs, clients, partenaires) soient conscients de\ + \ leur r\xF4le et de leurs responsabilit\xE9s." + it: + name: null + description: "Assicuratevi che tutti i soggetti coinvolti al di fuori dell\u2019\ + impresa (fornitori, clienti, partner) siano consapevoli del loro ruolo\ + \ e delle relative responsabilit\xE0." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + ref_id: PR.AT-4 + description: Ensure that all managers are aware of their particular role and + responsibility. + translations: + de: + name: null + description: "Stellen Sie sicher, dass sich alle F\xFChrungskr\xE4fte ihrer\ + \ besonderen Rolle und Verantwortung bewusst sind." + fr: + name: null + description: "Veillez \xE0 ce que tous les cadres soient conscients de leurs\ + \ r\xF4les sp\xE9cifiques et de leurs responsabilit\xE9s." + it: + name: null + description: "Assicuratevi che tutti i quadri dirigenti siano consapevoli\ + \ del loro ruolo e delle relative responsabilit\xE0." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.at-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.at + ref_id: PR.AT-5 + description: Ensure that those in charge of physical security and information + security are aware of their particular role and responsibilities. + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Verantwortlichen f\xFCr physische\ + \ Sicherheit und Informationssicherheit sich ihrer besonderen Rolle und\ + \ Verantwortung bewusst sind." + fr: + name: null + description: "Veillez \xE0 ce que les responsables de la s\xE9curit\xE9\ + \ physique et de la s\xE9curit\xE9 informatique soient conscients de leurs\ + \ r\xF4les sp\xE9cifiques et de leurs responsabilit\xE9s." + it: + name: null + description: "Assicuratevi che i responsabili della sicurezza fisica e della\ + \ sicurezza dell\u2019informazione siano consapevoli del loro ruolo e\ + \ delle loro responsabilit\xE0 particolari." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.DS + name: 'Data Security ' + description: "Ensure that information, data and data carriers are managed in\ + \ a way which protects the confidentiality, integrity and availability of\ + \ the data in accordance with the organisation\u2019s risk strategy." + translations: + de: + name: Datensicherheit (Data Security PR.DS) + description: "Informationen, Daten und Datentr\xE4ger werden so gehandhabt,\ + \ dass die Vertraulichkeit, Integrit\xE4t und Verf\xFCgbarkeit der Daten\ + \ gem\xE4ss der Risikostrategie der Organisation gesch\xFCtzt werden kann." + fr: + name: "S\xE9curit\xE9 des donn\xE9es (Data Security PR.DS)" + description: "Assurez-vous que les informations, les donn\xE9es et leurs\ + \ supports sont g\xE9r\xE9s de mani\xE8re \xE0 prot\xE9ger la confidentialit\xE9\ + , l\u2019int\xE9grit\xE9 et la disponibilit\xE9 des donn\xE9es, conform\xE9\ + ment\xE0 la strat\xE9gie de votre entreprise pour g\xE9rer les risques." + it: + name: Sicurezza dati (Data security PR.DS) + description: "Assicuratevi che informazioni, dati e supporti dati siano\ + \ gestiti in modo da proteggere confidenzialit\xE0, integrit\xE0 e disponibilit\xE0\ + \ dei dati secondo la strategia dei rischi del vostro organismo o della\ + \ vostra impresa." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-1 + description: Ensure that stored data is protected (against violations of confidentiality, + integrity and availability). + translations: + de: + name: null + description: "Stellen Sie sicher, dass gespeicherte Daten gesch\xFCtzt sind\ + \ (vor Verletzungen der Vertraulichkeit, Integrit\xE4t und Verf\xFCgbarkeit)." + fr: + name: null + description: "Assurez-vous que les donn\xE9es stock\xE9es sont prot\xE9\ + g\xE9es (contre toute atteinte ou pr\xE9judice en termes de confidentialit\xE9\ + , d\u2019int\xE9grit\xE9 et de disponibilit\xE9)." + it: + name: null + description: "Assicuratevi che i dati memorizzati siano protetti (da violazioni\ + \ della confidenzialit\xE0, dell\u2019integrit\xE0 e della disponibilit\xE0\ + )." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-2 + description: Ensure that data is protected while in transit (against violations + of confidentiality, integrity and availability). + translations: + de: + name: null + description: "Stellen Sie sicher, dass Daten w\xE4hren der \xDCbertragung\ + \ (vor Verletzungen der Vertraulichkeit, Integrit\xE4t und Verf\xFCgbarkeit)\ + \ gesch\xFCtzt sind." + fr: + name: null + description: "Assurez-vous que les donn\xE9es sont prot\xE9g\xE9es pendant\ + \ leur transmission (contre toute atteinte ou pr\xE9judice en termes de\ + \ confidentialit\xE9, d\u2019int\xE9grit\xE9 et de disponibilit\xE9)." + it: + name: null + description: "Assicuratevi che in sede di trasmissione i dati siano protetti\ + \ (da violazioni della confidenzialit\xE0, dell\u2019integrit\xE0 e della\ + \ disponibilit\xE0)." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-3 + description: Ensure that you have a formal procedure in place for your ICT assets + which protects data upon removal, transfer or the replacement of those assets. + translations: + de: + name: null + description: "Stellen Sie sicher, dass f\xFCr Ihre IKT-Betriebsmittel ein\ + \ formaler Prozess etabliert ist, welcher die Daten bei Entfernung, Verschiebung\ + \ oder Ersatz der Betriebsmittel sch\xFCtzt." + fr: + name: null + description: "Veuillez \xE0 ce qu\u2019un processus formel soit d\xE9fini\ + \ pour votre mat\xE9riel TIC afin de prot\xE9ger les donn\xE9es lorsque\ + \ des \xE9quipements sont supprim\xE9s, d\xE9plac\xE9s ou remplac\xE9\ + s." + it: + name: null + description: Assicuratevi che per i vostri strumenti operativi TIC venga + definita una procedura formale idonea a proteggere i dati in caso di eliminazione, + spostamento o sostituzione di tali strumenti. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-4 + description: Ensure that your ICT assets have sufficient capacity to ensure + data availability is maintained. + translations: + de: + name: null + description: "Stellen Sie sicher, dass ihre IKT-Betriebsmittel bez\xFCglich\ + \ der Verf\xFCgbarkeit der Daten \xFCber ausreichende Kapazit\xE4tsreserven\ + \ verf\xFCgen." + fr: + name: null + description: "Veillez \xE0 ce que vos \xE9quipements TIC aient une r\xE9\ + serve de capacit\xE9 suffisante afin que vos donn\xE9es soient toujours\ + \ disponibles." + it: + name: null + description: "Assicuratevi che i vostri strumenti operativi TIC dispongano\ + \ di riserve di capacit\xE0 sufficienti in relazione alla disponibilit\xE0\ + \ dei dati." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-5 + description: Ensure that appropriate action has been taken to prevent data leaks. + translations: + de: + name: null + description: "Stellen Sie sicher, dass ad\xE4quate Massnahmen gegen den\ + \ Abfluss von Daten (Datenlecks) implementiert sind." + fr: + name: null + description: "Assurez-vous que des mesures appropri\xE9es sont mises en\ + \ oeuvre contre les fuites de donn\xE9es(\xABpompage\xBB)." + it: + name: null + description: Assicuratevi che vengano introdotte misure adeguate conto le + fughe di dati (Data leak). + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-6 + description: Establish a procedure to check the integrity of firmware, operating + systems, application software and data. + translations: + de: + name: null + description: "Etablieren Sie einen Prozess, um Firmware, Betriebssysteme,\ + \ Anwendungssoftware und Daten hinsichtlich ihrer Integrit\xE4t zu verifizieren." + fr: + name: null + description: "D\xE9finissez un processus pour v\xE9rifier l\u2019int\xE9\ + grit\xE9 des firmwares, des syst\xE8mes d\u2019exploitation, des softwares\ + \ d\u2019application et des donn\xE9es." + it: + name: null + description: "Definite una procedura per verificare l\u2019integrit\xE0\ + \ di firmware, sistemi operativi, software applicativi e dati." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-7 + description: Provide a development and testing IT environment which is completely + separate from productive systems. + translations: + de: + name: null + description: "Stellen Sie eine IT-Umgebung f\xFCr das Entwickeln und Testen\ + \ zur Verf\xFCgung, welche komplett unabh\xE4ngig von den produktiven\ + \ Systemen ist." + fr: + name: null + description: "Ayez un environnement informatique (IT) pour le d\xE9veloppement\ + \ et les tests qui soit totalement ind\xE9pendant des syst\xE8mes de production." + it: + name: null + description: Mettete a disposizione un ambiente IT per lo sviluppo e i test + completamente indipendente dai sistemi produttivi. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ds + ref_id: PR.DS-8 + description: Establish a procedure to check the integrity of the hardware you + use. + translations: + de: + name: null + description: "Etablieren Sie einen Prozess, um die eingesetzte Hardware\ + \ hinsichtlich ihrer Integrit\xE4t zu verifizieren." + fr: + name: null + description: "D\xE9finissez un processus pour v\xE9rifier l\u2019int\xE9\ + grit\xE9 des hardwares utilis\xE9s." + it: + name: null + description: "Definite una procedura per verificare l\u2019integrit\xE0\ + \ dell\u2019hardware." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.IP + name: 'Information Protection Processes and Procedures ' + description: Draw up policies to protect information systems and assets. Apply + these policies to protect those information systems and assets. + translations: + de: + name: 'Schutz von Daten (Information Protection Processes and Procedures + PR.IP):' + description: "Richtlinien zum Schutz von Informationssystemen und Betriebsmitteln\ + \ sind erstellt. Diese Richtlinien umfassen im Minimum den Zweck, den\ + \ Umfang, die Rollen und die Verantwortlichkeiten sowie die Koordination\ + \ innerhalb der Organisation. Diese Richtlinien werden genutzt um die\ + \ Informationssysteme und Betriebsmittel zu sch\xFCtzen." + fr: + name: "Protection des donn\xE9es (Information Protection Processes and Procedures\ + \ PR.IP)" + description: "Etablissez des directives pour prot\xE9ger vos syst\xE8mes\ + \ informatiques et vos \xE9quipements de production. Et appliquez-les\ + \ strictement pour garantir cette protection." + it: + name: Protezione di dati (Information protection processes and procedures + PR.IP) + description: Definite direttive per la protezione di sistemi di informazione + e strumenti operativi. Applicate le direttive per proteggere i sistemi + di informazione e gli strumenti operativi. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-1 + description: Draw up a baseline configuration for your information and communication + infrastructure, as well as for industrial control systems. Ensure that this + baseline configuration complies with typical security principles (e.g. N-1 + redundancy, least-functionality configuration, etc.). + translations: + de: + name: null + description: "Erstellen Sie eine Standardkonfiguration f\xFCr die Informations-\ + \ und Kommunikationsinfrastruktur, sowie f\xFCr die industriellen Kontrollsysteme.\ + \ Stellen sie sicher, dass diese Standardkonfiguration typische Security-Prinzipien\ + \ (z.B. N-1 Redundanz, Minimalkon-figuration, etc.) einh\xE4lt." + fr: + name: null + description: "G\xE9n\xE9rez une configuration standard pour l\u2019infrastructure\ + \ d\u2019information et de communication, ainsi que pour les syst\xE8\ + mes de contr\xF4le industriel. Assurez-vous que cette configuration par\ + \ d\xE9faut ob\xE9it aux r\xE8gles usuelles de s\xE9curit\xE9 (par ex.\ + \ redondance N-1, configuration minimale, etc.)." + it: + name: null + description: "Definite la configurazione standard per l\u2019infrastruttura\ + \ dell\u2019informazione e della comunicazione e per i sistemi di controllo\ + \ industriali. Assicuratevi che questa configurazione standard preveda\ + \ principi di sicurezza tipici (p.es. ridondanza N-1, configurazione minima\ + \ ecc.)." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-2 + description: Establish a life cycle procedure for the use of ICT assets. + translations: + de: + name: null + description: "Etablieren Sie einen Lebenszyklus-Prozess f\xFCr den Einsatz\ + \ von IKT-Betriebsmitteln." + fr: + name: null + description: "D\xE9finissez un processus \xAB cycle de vie \xBB pour l\u2019\ + utilisation des \xE9quipements TIC." + it: + name: null + description: "Definite una procedura per il ciclo di vita relativa all\u2019\ + impiego di strumenti operativi TIC." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-3 + description: Establish a procedure to monitor configuration changes. + translations: + de: + name: null + description: "Etablieren Sie einen Prozess zur Kontrolle von Konfigurations\xE4\ + nderungen." + fr: + name: null + description: "D\xE9finissez un processus pour contr\xF4ler les changements\ + \ de configuration." + it: + name: null + description: Definite una procedura per il controllo delle modifiche alla + configurazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-4 + description: Ensure that backups of your information are conducted, maintained + and tested on a regular basis (check that you are able to revert to your backups). + translations: + de: + name: null + description: "Stellen Sie sicher, dass Sicherungen (Backups) Ihrer Informationen\ + \ regelm\xE4ssig durchgef\xFChrt, bewirtschaftet und getestet werden (R\xFC\ + ckspielbarkeit der Backups testen)." + fr: + name: null + description: "Assurez-vous que des sauvegardes informatiques (Backups) sont\ + \ effectu\xE9es, g\xE9r\xE9es et test\xE9es r\xE9guli\xE8rement (+ qu\u2019\ + on peut restaurer les donn\xE9es sauvegard\xE9es)." + it: + name: null + description: Assicuratevi che le duplicazioni delle informazioni (backup) + vengano effettuate, gestite e testate regolarmente (sperimentare il ripristino + del backup). + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-5 + description: Ensure that you comply with all (regulatory) requirements and policies + concerning your physical assets. + translations: + de: + name: null + description: "Stellen Sie sicher, dass sie alle (regulatorischen) Vorgaben\ + \ und Richtlinien hinsichtlich den physischen Betriebsmittel erf\xFCllen." + fr: + name: null + description: "Contr\xF4lez que toutes les exigences (r\xE9glementaires)\ + \ et les directives concernant les \xE9quipements \xAB physiques \xBB\ + \ soient respect\xE9es." + it: + name: null + description: Assicuratevi di rispettare tutte le disposizioni e le direttive + regolatorie in relazione agli strumenti operativi fisici. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-6 + description: Ensure that data is destroyed according to requirements. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Daten gem\xE4ss den Vorgaben vernichtet\ + \ werden." + fr: + name: null + description: "Contr\xF4lez que les donn\xE9es soient toujours d\xE9truites\ + \ selon les prescriptions." + it: + name: null + description: Assicuratevi che i dati vengano smaltiti secondo le direttive. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-7 + description: Ensure that your information security procedures are enhanced and + improved continuously. + translations: + de: + name: null + description: Stellen Sie sicher, dass ihre Prozesse zur Informationssicherheit + kontinuierlich weiterentwickelt und verbessert werden. + fr: + name: null + description: "D\xE9veloppez et am\xE9liorez r\xE9guli\xE8rement vos processus\ + \ de s\xE9curit\xE9 informatique." + it: + name: null + description: "Assicuratevi che le procedure relative alla sicurezza dell\u2019\ + informazione vengano costantemente aggiornate e migliorate." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-8 + description: Share information about the effectiveness of various protection + technologies with your partners. + translations: + de: + name: null + description: "Tauschen Sie sich bez\xFCglich der Effektivit\xE4t verschiedener\ + \ Schutztechnologien mit Ihren Partnern aus." + fr: + name: null + description: "Discutez de l\u2019efficacit\xE9 des diff\xE9rentes technologies\ + \ de protection avec vos partenaires." + it: + name: null + description: "Scambiate con i vostri partner esperienze sull\u2019efficacia\ + \ delle tecnologie di protezione." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-9 + description: Establish response procedures for any cyber incidents that may + occur. (Incident response planning, business continuity management, incident + recovery, disaster recovery.) + translations: + de: + name: null + description: "Etablieren Sie Prozesse zur Reaktion auf eingetretene Cyber-Vorf\xE4\ + lle. (Incident Response-Planning, Business Continuity Management, Incident\ + \ Recovery, Disaster Recovery)." + fr: + name: null + description: "Instaurez des processus pour r\xE9agir aux cyberincidents.\ + \ (Incident Response-Planing, Business Continuity Management, Incident\ + \ Recovery, Disaster Recovery)." + it: + name: null + description: Definite procedure per reagire a cybereventi (incident response-planning, + business continuity management, incident recovery, disaster recovery). + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-10 + description: Test response and recovery plans. + translations: + de: + name: null + description: "Testen sie die Reaktions- und Widerherstellungspl\xE4ne." + fr: + name: null + description: "Testez les plans de r\xE9action et de r\xE9cup\xE9ration." + it: + name: null + description: Testate i piani di reazione e ripristino. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-11 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-11 + description: Embed aspects of cybersecurity in the staff recruitment process + at an early stage (e.g. by conducting background checks and individual security + checks). + translations: + de: + name: null + description: "Etablieren Sie Aspekte der Cybersecurity bereits in den Personalrekrutierungsprozess\ + \ (z.B. durch die Etablierung von Background-checks / Personensicherheitspr\xFC\ + fungen)." + fr: + name: null + description: "Tenez compte de la cybers\xE9curit\xE9 d\xE8s le processus\ + \ de recrutement (en v\xE9rifiant les ant\xE9c\xE9dents ou par des contr\xF4\ + les de s\xE9curit\xE9 personnels, par ex.)." + it: + name: null + description: "Definite gli aspetti della cybersicurezza gi\xE0 in sede di\ + \ iter di assunzione del personale (p.es. tramite controlli/verifiche\ + \ di sicurezza sulle persone)." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip-12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ip + ref_id: PR.IP-12 + description: Develop and implement a procedure for dealing with identified vulnerabilities. + translations: + de: + name: null + description: Entwickeln und implementieren Sie einen Prozess zum Umgang + mit erkannten Schwachstellen. + fr: + name: null + description: "D\xE9veloppez et mettez en oeuvre un processus pour traiter\ + \ les failles rep\xE9r\xE9es." + it: + name: null + description: Sviluppate e introducete una procedura per gestire le carenze + individuate. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.MA + name: 'Maintenance ' + description: Ensure that maintenance and repair work to components of the ICT + system and/or the ICS are conducted in accordance with policies and procedures. + translations: + de: + name: 'Wartung (Maintenance PR.MA):' + description: "Unterhalts- und Reparaturarbeiten an Komponenten von IT-Systemen\ + \ und ICS werden gem\xE4ss den geltenden Richtlinien und Prozessen durchgef\xFC\ + hrt." + fr: + name: Maintenance (PR.MA) + description: "Veillez \xE0 ce que la maintenance et la r\xE9paration des\ + \ composantes des syst\xE8mes TIC et du SCI soient effectu\xE9es conform\xE9\ + ment aux directives et m\xE9thodes en vigueur." + it: + name: Manutenzione (Maintenance PR.MA) + description: "Assicuratevi che i lavori di riparazione e manutenzione su\ + \ componenti del sistema TIC e/o dell\u2019ICS vengano effettuati conformemente\ + \ alle direttive a alle procedure vigenti." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ma-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ma + ref_id: PR.MA-1 + description: Ensure that the operation and maintenance of, and any repairs to + assets are logged. Ensure that such work is conducted promptly and uses only + those means which have been tested and approved. + translations: + de: + name: null + description: "Stellen Sie sicher, dass der Betrieb, die Wartung und allf\xE4\ + llige Reparaturen an den Betriebsmitteln aufgezeichnet und dokumentiert\ + \ werden (Logging). Stellen Sie sicher, dass diese zeitnah durchgef\xFC\ + hrt werden und nur unter Einsatz von gepr\xFCften und freigegebenen Mitteln\ + \ erfolgen." + fr: + name: null + description: "Veillez \xE0 ce que le fonctionnement, la maintenance et les\ + \ \xE9ventuelles r\xE9parations des \xE9quipements soient enregistr\xE9\ + s et document\xE9s (journalisation). Assurez-vous qu\u2019elles sont effectu\xE9\ + es rapidement et en ne recourant qu\u2019\xE0 des moyens test\xE9s et\ + \ approuv\xE9s." + it: + name: null + description: Assicuratevi che il funzionamento, la manutenzione ed eventuali + riparazioni agli strumenti operativi vengano registrati e documentati + (logging). Assicuratevi che queste operazioni siano effettuate rapidamente + e unicamente utilizzando mezzi verificati e autorizzati. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.ma-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.ma + ref_id: PR.MA-2 + description: Ensure that maintenance work on your systems that is carried out + via remote access is logged. Ensure that no unauthorised access is possible. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Unterhaltsarbeiten an Ihren Systemen,\ + \ die \xFCber Fernzugriffe erfolgen, aufgezeichnet und dokumentiert werden.\ + \ Stellen Sie sicher, dass kein unautorisierter Zugriff m\xF6glich ist." + fr: + name: null + description: "Enregistrez et documentez \xE9galement les travaux de maintenance\ + \ de vos syst\xE8mes distants. Assurez-vous qu\u2019aucun acc\xE8s non\ + \ autoris\xE9 n\u2019est possible." + it: + name: null + description: Assicuratevi che i lavori di manutenzione a sistemi accessibili + a distanza siano registrati e documentati. Assicuratevi che non siano + possibili accessi non autorizzati. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr + ref_id: PR.PT + name: 'Protective Technology ' + description: Install technical security solutions in accordance with requirements + and procedures to ensure the security and resilience of your ICT systems and + their data. + translations: + de: + name: 'Protective Technology (PR.PT):' + description: "Technische Security-L\xF6sungen sind installiert um die Sicherheit\ + \ und Resilienz der Systeme und Daten gem\xE4ss den Vorgaben und Prozessen\ + \ zu garantieren." + fr: + name: Technologie de protection (Protective Technology PR.PT) + description: "Installez des solutions techniques pour assurer la s\xE9curit\xE9\ + \ et la r\xE9silience de vos syst\xE8mes ICT et de leurs donn\xE9es selon\ + \ les exigences et processus." + it: + name: Impiego di tecnologie di protezione (Protective technology PR.PT) + description: Installate soluzioni tecniche per garantire la sicurezza e + la resilienza dei sistemi TIC e dei loro dati secondo le direttive e le + procedure definite. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + ref_id: PR.PT-1 + description: Define requirements for audits and log records. Produce and check + the regular logs in accordance with those requirements and policies. + translations: + de: + name: null + description: "Definieren Sie Vorgaben zu Audits und Log-Aufzeichnungen.\ + \ Erstellen und pr\xFCfen Sie die regelm\xE4ssigen Logs gem\xE4ss den\ + \ Vorgaben und Richtlinien." + fr: + name: null + description: "D\xE9finissez les exigences pour les audits et les enregistrements\ + \ de journaux. G\xE9n\xE9rez et v\xE9rifiez ces journaux r\xE9guli\xE8\ + rement, selon les exigences et les directives." + it: + name: null + description: Definite le direttive per gli audit e le registrazioni log. + Definite e verificate i log regolari secondo le disposizioni e le direttive. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + ref_id: PR.PT-2 + description: Ensure that removable media are protected, and that they are used + only in accordance with policy. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Wechseldatentr\xE4ger gesch\xFCtzt\ + \ sind und dass sie nur gem\xE4ss den Richtlinien eingesetzt werden." + fr: + name: null + description: "Assurez-vous que les supports amovibles sont prot\xE9g\xE9\ + s et que leur utilisation se fait dans le strict respect des directives." + it: + name: null + description: Assicuratevi che i supporti rimovibili siano protetti e vengano + utilizzati unicamente in base alle direttive. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + ref_id: PR.PT-3 + description: Ensure that your system is configured so that a minimum level of + functionality is guaranteed at all times. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Ihr System so konfiguriert ist, dass\ + \ jederzeit eine Minimalfunktionalit\xE4t gew\xE4hrleistet wird (Systemh\xE4\ + rtung)." + fr: + name: null + description: "Veillez \xE0 ce que votre syst\xE8me soit configur\xE9 pour\ + \ assurer en tout temps une fonctionnalit\xE9 minimale (Hardening de syst\xE8\ + me)." + it: + name: null + description: "Assicuratevi che il vostro sistema sia configurato in modo\ + \ da garantire sempre un livello minimo di funzionalit\xE0." + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + ref_id: PR.PT-4 + description: Ensure that your communications and control networks are protected. + translations: + de: + name: null + description: "Stellen Sie sicher, dass ihre Kommunikations- und Steuernetzwerke\ + \ gesch\xFCtzt sind." + fr: + name: null + description: "Assurez la protection de vos r\xE9seaux de communication et\ + \ de contr\xF4le." + it: + name: null + description: Assicuratevi che le vostre reti di comunicazione e di controllo + siano protette. + - urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:pr.pt + ref_id: PR.PT-5 + description: Ensure that mechanisms (e.g. failsafe, load balancing, hot swap) + are implemented to achieve resilience requirements in normal and adverse situations. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Mechanismen (z.B. Ausfallsicherheit,\ + \ Lastenausgleich, Hot-Swap) implementiert sind, um die Anforderungen\ + \ an die Ausfallsicherheit in normalen und ung\xFCnstigen Situationen\ + \ zu erf\xFCllen." + fr: + name: null + description: "Assurez-vous que des m\xE9canismes (par ex. s\xE9curit\xE9\ + \ en cas de panne, \xE9quilibrage de charge, remplacement \xE0 chaud)\ + \ sont mis en oeuvre pour r\xE9pondre aux exigences en mati\xE8re de s\xE9\ + curit\xE9 en cas de panne dans des situations normales et d\xE9favorables." + it: + name: null + description: "Assicuratevi che i vostri sistemi funzionino conformemente\ + \ agli scenari predefiniti. P.es.: funzionalit\xE0 durante un attacco,\ + \ nella fase di ripristino e nella fase operativa normale." + - urn: urn:intuitem:risk:req_node:ict-minimal:de + assessable: false + depth: 1 + ref_id: DE + name: Detect + translations: + de: + name: Detektieren (DE - Detect) + description: null + fr: + name: "D\xE9tecter (DE - Detect)" + description: null + it: + name: Intercettare (DE - Detect) + description: null + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de + ref_id: DE.AE + name: 'Anomalies and Events ' + description: Ensure that anomalies (abnormal behaviours) and security-related + events are detected swiftly and that the potential impact of incidents is + understood. + translations: + de: + name: "Vorf\xE4lle (Anomalies and Events DE.AE):" + description: Anomalien und sicherheitsrelevante Ereignisse werden erkannt + und potenzielle Auswirkungen des Vorfalls verstanden. + fr: + name: Anomalies et incidents (Anomalies and Events DE.AE) + description: "Veillez \xE0 ce que les anomalies et autres \xE9v\xE9nements\ + \ (exceptionnels) soient d\xE9tect\xE9s \xE0 temps et que le personnel\ + \ soit conscient de l\u2019impact potentiel de ces incidents." + it: + name: Anomalie ed eventi (Anomalies and events DE.AE) + description: Assicuratevi che le anomalie (comportamenti anormali) e gli + eventi pertinenti per la sicurezza vengano individuati in tempo utile + e i loro effetti potenziali siano recepiti. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + ref_id: DE.AE-1 + description: Define a baseline for permitted network operations and expected + data flows for users and systems. Manage these values continuously. + translations: + de: + name: null + description: "Definieren sie Standardwerte f\xFCr zul\xE4ssige Netzwerkoperationen\ + \ und die zu erwartenden Datenfl\xFCsse f\xFCr Anwender und Systeme. Managen\ + \ sie diese Werte fortlaufend." + fr: + name: null + description: "D\xE9finissez des valeurs par d\xE9faut pour les op\xE9rations\ + \ r\xE9seau licites et les flux de donn\xE9es pr\xE9vus pour les utilisateurs\ + \ et les syst\xE8mes. G\xE9rez ces valeurs en permanence." + it: + name: null + description: Definite valori standard per operazioni di rete ammesse e relativi + flussi di dati per utenti e sistemi. Gestite regolarmente questi valori. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + ref_id: DE.AE-2 + description: Ensure that detected cybersecurity incidents are analysed to understand + their targets and methods. + translations: + de: + name: null + description: "Stellen Sie sicher, dass entdeckte Cybersecurity Vorf\xE4\ + lle hinsichtlich ihrer Ziele und ihrer Methoden analysiert werden." + fr: + name: null + description: "Assurez-vous que les incidents de cybers\xE9curit\xE9 d\xE9\ + tect\xE9s sont analys\xE9s quant \xE0 leurs objectifs et m\xE9thodes." + it: + name: null + description: Assicuratevi che gli eventi di cybersicurezza individuati siano + analizzati in funzione di obiettivi e metodi. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + ref_id: DE.AE-3 + description: Ensure that information on cybersecurity incidents is aggregated + and correlated from multiple sources and sensors. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Informationen zu Cybersecurityvorf\xE4\ + llen aus verschiedenen Quellen und Sensoren aggregiert und aufbereitet\ + \ werden." + fr: + name: null + description: "Assurez-vous que les informations sur les incidents de cybers\xE9\ + curit\xE9 provenant de diff\xE9rentes sources et capteurs sont compil\xE9\ + es et exploit\xE9es." + it: + name: null + description: Assicuratevi che le informazioni sugli eventi di cybersicurezza + provenienti da fonti e sensori diversi siano raggruppate ed elaborate. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + ref_id: DE.AE-4 + description: Determine the impact of possible events. + translations: + de: + name: null + description: "Bestimmen Sie die Auswirkungen m\xF6glicher Ereignissen." + fr: + name: null + description: "D\xE9terminez les cons\xE9quences probables des incidents." + it: + name: null + description: Definite gli effetti di possibili eventi. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.ae-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.ae + ref_id: DE.AE-5 + description: Define the thresholds above which cybersecurity incidents trigger + an alert. + translations: + de: + name: null + description: "Definieren Sie Schwellenwerte die f\xFCr Vorfallswarnungen\ + \ festgelegt sind." + fr: + name: null + description: "D\xE9finissez les valeurs limites au-del\xE0 desquelles les\ + \ incidents de cybers\xE9curit\xE9 doivent g\xE9n\xE9rer des alertes." + it: + name: null + description: Definite i valori soglia a partire dai quali gli eventi di + cybersicurezza innescano una situazione di allarme. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de + ref_id: DE.CM + name: 'Security Continuous Monitoring ' + description: Ensure that ICT systems, including all assets, are monitored at + regular intervals to detect cybersecurity incidents, and also to verify the + effectiveness of protective measures. + translations: + de: + name: "\xDCberwachung (Security Continuous Monitoring DE.CM):" + description: "Das IKT-System inkl. aller Betriebsmittel wird in regelm\xE4\ + ssigen Intervallen \xFCberwacht, um einerseits Cybersicherheitsvorf\xE4\ + lle zu entdecken und anderseits die Effektivit\xE4t der Gegenmassnahmen\ + \ sicherstellen zu k\xF6nnen." + fr: + name: Anomalies et incidents (Anomalies and Events DE.CM) + description: "Veillez \xE0 ce que les anomalies et autres \xE9v\xE9nements\ + \ (exceptionnels) soient d\xE9tect\xE9s \xE0 temps et que le personnel\ + \ soit conscient de l\u2019impact potentiel de ces incidents." + it: + name: Anomalie ed eventi (Anomalies and events DE.CM) + description: Assicuratevi che le anomalie (comportamenti anormali) e gli + eventi pertinenti per la sicurezza vengano individuati in tempo utile + e i loro effetti potenziali siano recepiti. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-1 + description: Monitor networks continuously to detect potential cybersecurity + events. + translations: + de: + name: null + description: "Etablieren Sie ein kontinuierliches Netzwerkmonitoring, um\ + \ potentielle Cybersecurity-vorf\xE4lle zu entdecken." + fr: + name: null + description: "Mettez en place une surveillance permanente du r\xE9seau pour\ + \ d\xE9tecter les incidentsde cybers\xE9curit\xE9 potentiels." + it: + name: null + description: Mettete a punto un sistema di monitoraggio costante della rete + per individuare eventi di cybersicurezza. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-2 + description: Continuous monitoring/surveillance of all physical assets and buildings + to detect cybersecurity incidents. + translations: + de: + name: null + description: "Etablieren Sie ein kontinuierliches Monitoring / \xDCberwachung\ + \ aller physischen Betriebsmittel und Geb\xE4ude, um Cybersecurityvorf\xE4\ + lle entdecken zu k\xF6nnen." + fr: + name: null + description: "Mettez en place une surveillance continue (monitorage) de\ + \ tous les \xE9quipements et des b\xE2timents pour d\xE9tecter les incidents\ + \ de cybers\xE9curit\xE9." + it: + name: null + description: Definite un sistema di monitoraggio/controllo costanti di tutti + gli strumenti operativi fisici e degli edifici per individuare eventi + di cybersicurezza. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-3 + description: Establish a system to monitor ICT use on the part of your staff, + to detect potential cybersecurity incidents. + translations: + de: + name: null + description: "Die Aktivit\xE4ten der Mitarbeiter werden \xFCberwacht, um\ + \ potenzielle Cybersicherheitsvorf\xE4lle zu erkennen." + fr: + name: null + description: "Mettez en place un monitorage de l\u2019utilisation des TIC\ + \ par les employ\xE9s pour d\xE9tecter les incidents de cybers\xE9curit\xE9\ + \ potentiels." + it: + name: null + description: "Definite un sistema di monitoraggio sull\u2019uso dei TIC\ + \ da parte del personale per individuare potenziali eventi di cybersicurezza." + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-4 + description: Ensure that malware can be detected. + translations: + de: + name: null + description: Stellen Sie sicher, dass Schadsoftware entdeckt werden kann. + fr: + name: null + description: "Veillez \xE0 pouvoir d\xE9tecter les maliciels." + it: + name: null + description: Assicuratevi che i software dannosi vengano identificati. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-5 + description: Ensure that malware can be detected on mobile devices. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Schadsoftware auf Mobilger\xE4ten\ + \ entdeckt werden kann." + fr: + name: null + description: "Veillez \xE0 pouvoir d\xE9tecter les maliciels sur les appareils\ + \ mobiles." + it: + name: null + description: Assicuratevi che i software dannosi su apparecchi mobili vengano + identificati. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-6 + description: Ensure that the activities of external service providers can be + monitored so that cybersecurity incidents can be detected. + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Aktivit\xE4ten von externen Dienstleistern\ + \ \xFCberwacht werden, so dass Cybersecurityvorf\xE4lle entdeckt werden\ + \ k\xF6nnen." + fr: + name: null + description: "Assurez-vous que les activit\xE9s des prestataires de services\ + \ externes sont surveill\xE9es (monitor\xE9es) pour d\xE9tecter d\u2019\ + \xE9ventuels incidents de cybers\xE9curit\xE9." + it: + name: null + description: "Assicuratevi che le attivit\xE0 degli operatori esterni siano\ + \ sottoposte a controllo in modo da poter individuare eventi di cybersicurezza." + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-7 + description: Monitor your system continuously to ensure that activities or access + by unauthorised persons, devices and software are detected. + translations: + de: + name: null + description: "\xDCberwachen Sie ihre Systeme laufend, um sicherzustellen,\ + \ dass Aktivit\xE4ten / Zugriffe von unberechtigten Personen, Ger\xE4\ + ten und Software erkannt wird." + fr: + name: null + description: "Surveillez votre syst\xE8me en permanence pour \xEAtre certain\ + \ que des activit\xE9s ou acc\xE8s li\xE9s \xE0 des personnes, \xE9quipements\ + \ ou logiciels non autoris\xE9s seront d\xE9tect\xE9s." + it: + name: null + description: "Controllate costantemente il vostro sistema per garantire\ + \ che le attivit\xE0/gli accessi di persone, apparecchi e software non\ + \ autorizzati possano essere individuati." + - urn: urn:intuitem:risk:req_node:ict-minimal:de.cm-8 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.cm + ref_id: DE.CM-8 + description: Vulnerability scans are performed. + translations: + de: + name: null + description: "F\xFChren Sie Verwundbarkeitsscans durch." + fr: + name: null + description: "Proc\xE9dez \xE0 des scans de vuln\xE9rabilit\xE9s." + it: + name: null + description: "Vengono eseguite scansioni di vulnerabilit\xE0" + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de + ref_id: DE.DP + name: 'Detection Processes ' + description: Processes and instructions for detecting cybersecurity incidents + are cultivated, maintained and tested. + translations: + de: + name: 'Erkennungsprozesse (Detection Processes DE.DP):' + description: "Prozesse und Handlungsanweisungen zur Detektion von Cybersicherheitsvorf\xE4\ + llen werden gepflegt, getestet und unterhalten, so dass Cybersicherheitsvorf\xE4\ + lle erkannt werden." + fr: + name: "Processus de d\xE9tection (Detection Processes DE.DP)" + description: "Maintenez, testez et entretenez les processus et les instructions\ + \ pour d\xE9tecter les incidents de cybers\xE9curit\xE9." + it: + name: Procedure di intercettazione (Detection processes DE.DP) + description: "Procedure e istruzioni operative per l\u2019intercettazione\ + \ di eventi di cybersicurezza vengono gestite, testate e aggiornate." + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + ref_id: DE.DP-1 + description: Define clear roles and responsibilities so that there is no doubt + about who is responsible for what, and who holds what authority. + translations: + de: + name: null + description: "Definieren Sie klare Rollen und Verantwortlichkeiten, so dass\ + \ klar ist, wer wof\xFCr zust\xE4ndig ist und wer welche Kompetenzen hat." + fr: + name: null + description: "D\xE9finissez clairement les r\xF4les et les responsabilit\xE9\ + s pour que tous sachent bien qui est responsable de quoi et qui a telles\ + \ ou telles comp\xE9tences." + it: + name: null + description: "Definite ruoli e responsabilit\xE0 in modo che sia chiaro\ + \ chi svolge quali mansioni e con quali competenze." + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + ref_id: DE.DP-2 + description: Ensure that detection processes comply with all requirements and + conditions. + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Detektionsprozesse all ihre Vorgaben\ + \ und Bedingungen erf\xFCllen." + fr: + name: null + description: "Assurez-vous que les processus de d\xE9tection correspondent\ + \ aux exigences et conditions fix\xE9es." + it: + name: null + description: Assicuratevi che le procedure di intercettazione rispettino + tutte le direttive e le condizioni vigenti.. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + ref_id: DE.DP-3 + description: Test your detection processes. + translations: + de: + name: null + description: Testen Sie ihre Detektionsprozesse. + fr: + name: null + description: "Testez vos processus de d\xE9tection." + it: + name: null + description: Testate le procedure di intercettazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + ref_id: DE.DP-4 + description: Communicate detected incidents to the relevant actors (e.g. suppliers, + customers, partners, authorities, etc.). + translations: + de: + name: null + description: "Kommunizieren Sie detektierte Vorf\xE4lle an die zust\xE4\ + ndigen Stellen (z.B. Lieferanten, Kunden, Partner, Beh\xF6rden, etc.)." + fr: + name: null + description: "Communiquez aux personnes concern\xE9es (par ex. fournisseurs,\ + \ clients, partenaires, autorit\xE9s) les incidents que vous avez d\xE9\ + tect\xE9s." + it: + name: null + description: "Segnalate gli eventi intercettati alle persone competenti\ + \ (p. es. fornitori, clienti, partner, autorit\xE0 ecc.)" + - urn: urn:intuitem:risk:req_node:ict-minimal:de.dp-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:de.dp + ref_id: DE.DP-5 + description: Improve your detection processes continuously. + translations: + de: + name: null + description: Verbessern Sie Ihre Detektionsprozesse kontinuierlich. + fr: + name: null + description: "Am\xE9liorez en permanence vos processus de d\xE9tection." + it: + name: null + description: Migliorate continuamente le vostre procedure di intercettazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs + assessable: false + depth: 1 + ref_id: RS + name: Respond + translations: + de: + name: Reagieren (RS - Respond) + description: null + fr: + name: "R\xE9agir (RS - Respond)" + description: null + it: + name: Reagire (RS - Respond) + description: null + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs + ref_id: RS.RP + name: 'Response Planning ' + description: Draw up a response plan to address detected cybersecurity incidents. + Ensure that this response plan is executed promptly and properly in any incident. + translations: + de: + name: 'Reaktionsplanung (Response Planning RS.RP):' + description: "Reaktionsprozesse und -verfahren werden kontinuierlich ausgef\xFC\ + hrt und aufrechterhalten, um die Reaktion auf erkannte Cybersicherheitsvorf\xE4\ + lle zu gew\xE4hrleisten." + fr: + name: "Plan d\u2019intervention (Response Planning RS.RP)" + description: "\xC9laborez un plan d\u2019intervention pour traiter les incidents\ + \ de cybers\xE9curit\xE9 d\xE9tect\xE9s. Assurez-vous qu\u2019en cas d\u2019\ + incident ce plan d\u2019intervention est ex\xE9cut\xE9 correctement et\ + \ en temps utile." + it: + name: Piano di reazione (Response planning RS.RP) + description: Definite un piano di reazione per indirizzare gli eventi di + cybersicurezza individuati. Assicuratevi che il piano di reazione venga + applicato correttamente e tempestivamente nel caso di un evento. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.rp-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.rp + ref_id: RS.RP-1 + description: Ensure that the response plan is executed promptly and properly + during or after a detected incident. + translations: + de: + name: null + description: "Stellen Sie sicher, dass der Reaktionsplan w\xE4hrend oder\ + \ nach einem detektierten Cyber-securityvorfall korrekt und zeitnah durchgef\xFC\ + hrt wird." + fr: + name: null + description: "Assurez-vous que le plan d\u2019intervention est correctement\ + \ suivi et rapidement ex\xE9cut\xE9 si un incident de cybers\xE9curit\xE9\ + \ est d\xE9tect\xE9." + it: + name: null + description: Assicuratevi che il piano di reazione venga applicato correttamente + e immediatamente durante o dopo un evento di cybersicurezza intercettato. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs + ref_id: RS.CO + name: 'Communications ' + description: Ensure that your response procedures are coordinated with internal + and external stakeholders. Ensure that, should an event occur, you receive + support from public-sector bodies if necessary and appropriate. + translations: + de: + name: 'Kommunikation (Communications RS.CO):' + description: "Reaktionsma\xDFnahmen werden mit internen und externen Akteuren\ + \ koordiniert (z. B. externe Unterst\xFCtzung im Ereignisfall durch Strafverfolgungsbeh\xF6\ + rden)." + fr: + name: Communications (Communications RS.CO) + description: "Contr\xF4lez que vos processus de r\xE9action soient coordonn\xE9\ + s avec ceux des parties prenantes, internes et externes. Selon le type\ + \ d\u2019incident, veillez \xE0 pouvoir b\xE9n\xE9ficier du soutien des\ + \ autorit\xE9s si la situation l\u2019exige." + it: + name: Comunicazione (Communications RS.CO) + description: "Assicuratevi che le procedure di reazione siano coordinate\ + \ con i gruppi di riferimento interni ed esterni. Assicuratevi di poter\ + \ contare in caso di evento, se necessario e opportuno, sull\u2019appoggio\ + \ di uffici statali." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + ref_id: RS.CO-1 + description: Ensure that all individuals are familiar with their response and + the sequence of their actions if and when a cybersecurity incident occurs. + translations: + de: + name: null + description: "Stellen Sie sicher, dass alle Personen ihre Aufgaben bez\xFC\ + glich der Reaktion und der Reihenfolge ihrer Handlungen auf eingetretene\ + \ Cybersecurityvorf\xE4lle kennen." + fr: + name: null + description: "Assurez-vous que toutes les personnes connaissent leurs t\xE2\ + ches et la marche \xE0 suivre lorsqu\u2019elles doivent r\xE9agir \xE0\ + \ un incident de cybers\xE9curit\xE9." + it: + name: null + description: "Assicuratevi che tutte le persone conoscano le proprie mansioni\ + \ in termini di reazione e priorit\xE0 in caso di eventi di cybersicurezza." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + ref_id: RS.CO-2 + description: Define reporting criteria and ensure that cybersecurity incidents + are reported and processed in accordance with these criteria. + translations: + de: + name: null + description: "Definieren Sie Kriterien f\xFCr Meldungen und stellen Sie\ + \ sicher, dass Cybersecurityvorf\xE4lle gem\xE4ss diesen Kriterien gemeldet\ + \ und bearbeitet werden." + fr: + name: null + description: "D\xE9finissez des crit\xE8res pour le signalement des incidents\ + \ de cybers\xE9curit\xE9 et assurez-vous qu'ils soient signal\xE9s et\ + \ tait\xE9s conform\xE9ment \xE0 ces crit\xE8res." + it: + name: null + description: "Definite i criteri di segnalazione e assicuratevi che gli\ + \ eventi di cybersicurezza siano resi noti e gestiti in loro conformit\xE0\ + ." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + ref_id: RS.CO-3 + description: Share information and findings about detected cybersecurity incidents + in accordance with the defined criteria. + translations: + de: + name: null + description: "Teilen Sie Informationen und Erkenntnisse zu detektierten\ + \ Cybersecurityvorf\xE4llen gem\xE4ss den definierten Kriterien." + fr: + name: null + description: "Partagez les informations sur les incidents de cybers\xE9\ + curit\xE9 relev\xE9s \u2013 ainsi que les enseignements qui en d\xE9coulent\ + \ \u2013 selon ces crit\xE8res pr\xE9d\xE9finis." + it: + name: null + description: Attribuite agli eventi di cybersicurezza intercettati informazioni + e risultati in base ai criteri definiti. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + ref_id: RS.CO-4 + description: Coordination with stakeholders occurs consistent with response + plans + translations: + de: + name: null + description: "Die Koordinierung mit allen Beteiligten und den Anspruchsgruppen\ + \ erfolgt im Einklang mit den Reaktionspl\xE4nen gem\xE4ss den vordefinierten\ + \ Kriterien." + fr: + name: null + description: "La coordination avec toutes les parties prenantes et les groupes\ + \ d'int\xE9r\xEAt se fait en accord avec les plans de r\xE9action selon\ + \ les crit\xE8res pr\xE9d\xE9finis." + it: + name: null + description: "Il coordinamento con le parti interessate \xE8 coerente con\ + \ i piani di risposta." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.co-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.co + ref_id: RS.CO-5 + description: Voluntary information sharing occurs with external stakeholders + to achieve broader cybersecurity situational awareness + translations: + de: + name: null + description: "Es werden regelm\xE4ssig freiwillig Informationen mit externen\ + \ Akteuren ausgetauscht, um das Bewusstsein hinsichtlich der aktuellen\ + \ Cybersicherheitssituation zu steigern." + fr: + name: null + description: "Des informations sont r\xE9guli\xE8rement et volontairement\ + \ \xE9chang\xE9es avec des acteurs externes afin d'accro\xEEtre la sensibilisation\ + \ \xE0 la situation actuelle en mati\xE8re de cybers\xE9curit\xE9" + it: + name: null + description: "La condivisione volontaria delle informazioni avviene con\ + \ gli stakeholder esterni per ottenere una pi\xF9 ampia consapevolezza\ + \ della situazione della cybersicurezza." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs + ref_id: RS.AN + name: 'Analysis ' + description: Ensure that regular analyses are conducted to permit an effective + response to cybersecurity incidents. + translations: + de: + name: 'Analyse (Analysis RS.AN):' + description: "Regelm\xE4ssige Analysen, die eine effektive Reaktion auf\ + \ Cybersicherheitsvorf\xE4lle erm\xF6glichen, werden durchgef\xFChrt." + fr: + name: Analyse (Analysis RS.AN) + description: "Effectuez r\xE9guli\xE8rement des analyses afin de r\xE9agir\ + \ correctement en cas d\u2019incidents de cybers\xE9curit\xE9." + it: + name: Analisi (Analysis RS.AN) + description: Assicuratevi che vengano effettuate regolarmente analisi tali + da consentirvi di reagire adeguatamente a eventi di cybersicurezza. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + ref_id: RS.AN-1 + description: Ensure that notifications from detection systems are noted and + investigated. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Benachrichtigungen aus Detektionssystemen\ + \ ber\xFCcksichtigt und Nachforschungen ausgel\xF6st werden." + fr: + name: null + description: "Assurez-vous que les alertes \xE9manant de syst\xE8mes de\ + \ d\xE9tection sont prises en compte et d\xE9clenchent des enqu\xEAtes." + it: + name: null + description: Assicuratevi che le segnalazioni provenienti dai sistemi di + intercettamento vengano prese in considerazione e che siano attivate le + relative ricerche. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + ref_id: RS.AN-2 + description: Ensure that the impact of a cybersecurity incident is properly + understood. + translations: + de: + name: null + description: Stellen Sie sicher, dass die Auswirkungen eines Cybersecurityvorfalls + bekannt ist und verstanden wird. + fr: + name: null + description: "Veillez \xE0 ce que les impacts d\u2019un incident de s\xE9\ + curit\xE9 cyber soient connus et compris" + it: + name: null + description: Assicuratevi che le conseguenze di un evento di cybersicurezza + siano individuate correttamente. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + ref_id: RS.AN-3 + description: Conduct a forensic analysis after any incident that occurs. + translations: + de: + name: null + description: "F\xFChren Sie nach einem eingetretenen Vorfall forensische\ + \ Analysen durch." + fr: + name: null + description: "Effectuez une analyse forensique apr\xE8s chaque incident" + it: + name: null + description: Dopo il verificarsi di un evento effettuate analisi forensi. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an-4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + ref_id: RS.AN-4 + description: Categorise incidents that occur in accordance with the requirements + of the response plan. + translations: + de: + name: null + description: "Kategorisieren Sie eingetretene Vorf\xE4lle gem\xE4ss den\ + \ Vorgaben des Reaktionsplans." + fr: + name: null + description: "Classez les incidents selon les exigences du plan de r\xE9\ + action." + it: + name: null + description: Classificate gli eventi verificatisi in base alle direttive + contenute nel piano di reazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.an-5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.an + ref_id: RS.AN-5 + description: Processes are established to receive, analyze and respond to vulnerabilities + disclosed to the organization from internal and external sources (e.g. internal + testing, security bulletins, or security researchers). + translations: + de: + name: null + description: Richten Sie Prozesse ein, um Schwachstellen, die der Organisation + aus internen und externen Quellen (z. B. interne Audits, Sicherheitsbulletins + oder Sicherheitsforscher) bekannt werden, zu empfangen, zu analysieren + und darauf zu reagieren. + fr: + name: null + description: "Mettre en place des processus pour recevoir, analyser et r\xE9\ + agir aux vuln\xE9rabilit\xE9s port\xE9es \xE0 la connaissance de l'organisation\ + \ par des sources internes et externes (par exemple, audits internes,\ + \ bulletins de s\xE9curit\xE9 ou chercheurs en s\xE9curit\xE9)." + it: + name: null + description: "Vengono stabiliti processi per ricevere, analizzare e rispondere\ + \ alle vulnerabilit\xE0 divulgate all'organizzazione da fonti interne\ + \ ed esterne (ad esempio, test interni, bollettini di sicurezza o ricercatori\ + \ di sicurezza)." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs + ref_id: RS.MI + name: 'Mitigation ' + description: Act to prevent the further spread of a cybersecurity incident and + to limit the potential damage. + translations: + de: + name: 'Mitigation (Mitigation RS.MI):' + description: "Es werden Ma\xDFnahmen ergriffen, um die Ausbreitung eines\ + \ Ereignisses zu verhindern, seine Auswirkungen abzuschw\xE4chen und den\ + \ Vorfall zu beseitigen." + fr: + name: Circonscrire les dommages (Mitigation RS.MI) + description: "Faites tout pour \xE9viter qu\u2019un incident de cybers\xE9\ + curit\xE9 se propage afin de limiter les \xE9ventuels dommages." + it: + name: Diminuzione del danno (Mitigation RS.MI) + description: Operate in modo da evitare il propagarsi di un evento di cybersicurezza + e ridurre possibili danni. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi + ref_id: RS.MI-1 + description: Ensure that cybersecurity incidents can be contained and their + further spread blocked. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Cybersecurityvorf\xE4lle eingegrenzt\ + \ werden k\xF6nnen und die weitere Ausbreitung unterbrochen wird." + fr: + name: null + description: "Assurez-vous que les incidents de cybers\xE9curit\xE9 peuvent\ + \ \xEAtre circonscrits et que vous pouvez stopper leur impact." + it: + name: null + description: Assicuratevi che gli eventi di cybersicurezza possano essere + circoscritti e che ne venga interrotta la diffusione. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi + ref_id: RS.MI-2 + description: Ensure that the impact of cybersecurity incidents can be mitigated. + translations: + de: + name: null + description: "Stellen Sie sicher, dass die Auswirkungen von Cybersecurityvorf\xE4\ + llen gemindert werden k\xF6nnen." + fr: + name: null + description: "Assurez-vous de pouvoir r\xE9duire l\u2019impact des incidents\ + \ de cybers\xE9curit\xE9." + it: + name: null + description: Assicuratevi che le conseguenze di un evento di cybersicurezza + siano individuate correttamente. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.mi + ref_id: RS.MI-3 + description: Ensure that newly identified vulnerabilities are reduced or documented + as accepted risks. + translations: + de: + name: null + description: Stellen Sie sicher, dass neu identifizierte Verwundbarkeiten + reduziert oder als akzeptierte Risiken dokumentiert werden. + fr: + name: null + description: "Veillez \xE0 r\xE9duire au maximum les failles ainsi d\xE9\ + couvertes ou r\xE9f\xE9rencez-les comme des risques acceptables." + it: + name: null + description: "Assicuratevi che le nuove vulnerabilit\xE0 individuate vengano\ + \ ridotte o documentate come rischi accettati." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs + ref_id: RS.IM + name: 'Improvements ' + description: "Ensure that your organisation\u2019s capacity to respond to cybersecurity\ + \ incidents improves continuously by learning lessons from previous incidents." + translations: + de: + name: 'Verbesserungen (Improvements RS.IM):' + description: "Stellen Sie sicher, dass die Reaktionsf\xE4higkeit ihrer Organisation\ + \ auf eingetretene Cyber Security-Vorf\xE4lle laufend verbessert wird,\ + \ indem die Lehren aus vorangegangenen Vorf\xE4llen gezogen werden." + fr: + name: "Am\xE9liorations (Improvements RS.IM)" + description: "Am\xE9liorez r\xE9guli\xE8rement la r\xE9activit\xE9 de votre\ + \ entreprise face aux incidents de cybers\xE9curit\xE9 en tirant les enseignements\ + \ des incidents pr\xE9c\xE9dents." + it: + name: Miglioramenti (Improvements RS.IM) + description: "Assicuratevi che la capacit\xE0 di reazione del vostro organismo\ + \ o della vostra impresa in caso di eventi di cybersicurezza venga costantemente\ + \ migliorata basandovi sulle esperienze precedenti." + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.im-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.im + ref_id: RS.IM-1 + description: Ensure that the findings and lessons of previous cybersecurity + incidents are incorporated into your response plans. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Erkenntnisse und Lehren aus vorangegangenen\ + \ Cybersecurityvorf\xE4llen in ihre Reaktionspl\xE4ne einfliessen." + fr: + name: null + description: "Assurez-vous que les enseignements tir\xE9s des pr\xE9c\xE9\ + dents incidents de cybers\xE9curit\xE9 sont int\xE9gr\xE9s \xE0 vos plans\ + \ d\u2019intervention." + it: + name: null + description: Assicuratevi che gli elementi e le esperienze raccolti dagli + eventi di cybersicurezza vengano recepiti nei vostri piani di reazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:rs.im-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rs.im + ref_id: RS.IM-2 + description: Update your response strategies. + translations: + de: + name: null + description: Aktualisieren sie Ihre Reaktionsstrategien. + fr: + name: null + description: "Actualisez vos strat\xE9gies de r\xE9action." + it: + name: null + description: Aggiornate le vostre strategie di reazione. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc + assessable: false + depth: 1 + ref_id: RC + name: Recover + translations: + de: + name: Wiederherstellen (RC - Recover) + description: null + fr: + name: "R\xE9cup\xE9rer (RC - Recover)" + description: null + it: + name: Ripristinare (RC - Recover) + description: null + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc + ref_id: RC.RP + name: 'Recovery Planning ' + description: Ensure that recovery procedures are (can be) maintained and executed + to guarantee that systems can be restored swiftly. + translations: + de: + name: 'Wiederherstellungsplanung (Recovery Planning RC.RP):' + description: "Wiederherstellungsprozesse und -verfahren werden ausgef\xFC\ + hrt und aufrechterhalten, um die Wiederherstellung von Systemen oder Anlagen\ + \ zu gew\xE4hrleisten, die von Cybersicherheitsvorf\xE4llen betroffen\ + \ sind." + fr: + name: Plan de restauration (Recovery Planning RC.RP) + description: "Contr\xF4lez que les processus de r\xE9cup\xE9ration sont\ + \ tenus \xE0 jour pour \xEAtre ex\xE9cut\xE9s en tout temps, permettant\ + \ ainsi une r\xE9cup\xE9ration rapide des syst\xE8mes." + it: + name: Piano di ripristino (Recovery planning RC.RP) + description: Assicuratevi che le procedure di ripristino siano gestite e + svolte in modo tale da garantire la tempestiva riattivazione dei sistemi. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.rp-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.rp + ref_id: RC.RP-1 + description: Ensure that recovery plans can be executed properly after any cybersecurity + incident. + translations: + de: + name: null + description: "Stellen Sie sicher, dass der Wiederherstellungsplan nach einem\ + \ eingetretenen Cybersecurityvorfall korrekt durchgef\xFChrt werden kann." + fr: + name: null + description: "Assurez-vous que le plan de r\xE9cup\xE9ration est suivi \xE0\ + \ la lettre en cas d\u2019incident de cybers\xE9curit\xE9." + it: + name: null + description: Assicuratevi che il piano di ripristino dopo un evento di cybersicurezza + venga effettuato correttamente. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc + ref_id: RC.IM + name: 'Improvements ' + description: Ensure that your recovery procedures improve continuously by learning + lessons from previous recoveries. + translations: + de: + name: 'Verbesserungen (Improvements RC.IM):' + description: "Die Wiederherstellungsplanung und -verfahren werden verbessert,\ + \ indem die gewonnenen Erkenntnisse in k\xFCnftige Aktivit\xE4ten einflie\xDF\ + en." + fr: + name: "Am\xE9liorations (Improvements RC.IM)" + description: "Am\xE9liorez constamment vos processus de r\xE9cup\xE9ration\ + \ apr\xE8s les incidents de cybers\xE9curit\xE9 en tirant les enseignements\ + \ des incidents pr\xE9c\xE9dents." + it: + name: Miglioramenti (Improvements RC.IM) + description: Assicuratevi che le vostre procedure di ripristino vengano + costantemente migliorate avvalendovi di quanto appreso da precedenti esperienze. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.im-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.im + ref_id: RC.IM-1 + description: Ensure that the findings and lessons of previous cybersecurity + incidents are incorporated into your recovery plans. + translations: + de: + name: null + description: "Stellen Sie sicher, dass Erkenntnisse und Lehren aus fr\xFC\ + heren Cybersecurityvorf\xE4llen in ihre Wiederherstellungspl\xE4ne einfliessen." + fr: + name: null + description: "Assurez-vous que les enseignements tir\xE9s des pr\xE9c\xE9\ + dents incidents de cybers\xE9curit\xE9 sont int\xE9gr\xE9s \xE0 vos plans\ + \ de r\xE9cup\xE9ration." + it: + name: null + description: Assicuratevi che gli elementi e le esperienze raccolti dagli + eventi di cybersicurezza vengano recepiti nei piani di ripristino.. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.im-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.im + ref_id: RC.IM-2 + description: Update your recovery strategy. + translations: + de: + name: null + description: Aktualisieren Sie ihre Wiederherstellungsstrategie. + fr: + name: null + description: "Actualisez vos strat\xE9gies de r\xE9cup\xE9ration." + it: + name: null + description: Aggiornate le vostre strategie di ripristino. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc + ref_id: RC.CO + name: 'Communications ' + description: Coordinate your recovery activities with internal and external + partners, such as internet service providers, CERT, the authorities, system + integrators, etc. + translations: + de: + name: 'Kommunikation (Communications RC.CO):' + description: "Die Wiederherstellungsaktivit\xE4ten werden mit internen und\ + \ externen Parteien koordiniert (z. B. Beh\xF6rden, Internetdienstanbietern,\ + \ Eigent\xFCmern der angegriffenen Systeme, Opfer, andere CERTs und Anbieter)." + fr: + name: Communication (Communications RC.CO) + description: "Veillez \xE0 coordonner vos actions de r\xE9cup\xE9ration\ + \ avec vos partenaires internes et externes (fournisseurs de services\ + \ Internet, CERT, autorit\xE9s, int\xE9grateurs de syst\xE8mes, etc.)." + it: + name: Comunicazione (Communications RC.CO) + description: "Coordinate le attivit\xE0 di ripristino con partner interni\ + \ ed esterni, p.es. internet service provider, CERT, autorit\xE0, integratori\ + \ di sistemi ecc." + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.co-1 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.co + ref_id: RC.CO-1 + description: Ensure that public perceptions of your organisation are addressed + actively. + translations: + de: + name: null + description: "Stellen Sie sicher, dass ihre \xF6ffentliche Wahrnehmung aktiv\ + \ angegangen wird." + fr: + name: null + description: "Veillez \xE0 ce que votre perception publique soit activement\ + \ prise en compte." + it: + name: null + description: Confrontatevi attivamente con la vostra immagine pubblica. + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.co-2 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.co + ref_id: RC.CO-2 + description: Ensure that your organisation is perceived positively once again + after any cybersecurity incident. + translations: + de: + name: null + description: Stellen Sie sicher, dass ihre Organisation nach einem eingetretenen + Cybersecurityvorfall wieder positiv wahrgenommen wird (Reputation). + fr: + name: null + description: "Veillez \xE0 ce que votre entreprise retrouve vite une image\ + \ positive apr\xE8s un incident de cybers\xE9curit\xE9." + it: + name: null + description: "Assicuratevi che dopo l\u2019evento di cybersicurezza l\u2019\ + immagine del vostro organismo o della vostra impresa torni a essere positiva." + - urn: urn:intuitem:risk:req_node:ict-minimal:rc.co-3 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ict-minimal:rc.co + ref_id: RC.CO-3 + description: Communicate all of your recovery activities to internal stakeholder + groups, and especially also to (senior) management. + translations: + de: + name: null + description: "Kommunizieren Sie die Wiederherstellungsaktivit\xE4ten an\ + \ interne und externe Anspruchsgruppen sowie an das F\xFChrungs- und Managementteam." + fr: + name: null + description: "Communiquez aux groupes d\u2019int\xE9r\xEAt internes et externes\ + \ tout ce que vous avez entrepris en mati\xE8re de r\xE9cup\xE9ration,\ + \ sans oublier les cadres et la direction." + it: + name: null + description: "Comunicate tutte le attivit\xE0 di ripristino ai gruppi di\ + \ riferimento interni, in particolare al management/alla direzione." diff --git a/backend/library/libraries/iso27001-2022.yaml b/backend/library/libraries/iso27001-2022.yaml index fef3d7cad..34327e0cf 100644 --- a/backend/library/libraries/iso27001-2022.yaml +++ b/backend/library/libraries/iso27001-2022.yaml @@ -5,7 +5,7 @@ name: International standard ISO/IEC 27001:2022 description: "Information security, cybersecurity and privacy protection \u2014 Information\ \ security management systems \u2014 Requirements" copyright: See https://www.iso.org/standard/27001 -version: 3 +version: 4 provider: ISO/IEC packager: intuitem translations: @@ -328,7 +328,7 @@ objects: name: Communication description: "G\xE9rer la communication interne et externe." - urn: urn:intuitem:risk:req_node:iso27001-2022:7.5 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:iso27001-2022:7 ref_id: '7.5' @@ -458,7 +458,7 @@ objects: description: "Mettre en \u0153uvre un suivi pertinent et \xE9valuer les\ \ performances et l'efficacit\xE9 du SMSI." - urn: urn:intuitem:risk:req_node:iso27001-2022:9.2 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:iso27001-2022:9 ref_id: '9.2' @@ -495,7 +495,7 @@ objects: description: "G\xE9rer le programme d'audit interne de mani\xE8re appropri\xE9\ e." - urn: urn:intuitem:risk:req_node:iso27001-2022:9.3 - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:iso27001-2022:9 ref_id: '9.3' diff --git a/backend/library/libraries/k-isms-p.yaml b/backend/library/libraries/k-isms-p.yaml new file mode 100644 index 000000000..82dc4c91a --- /dev/null +++ b/backend/library/libraries/k-isms-p.yaml @@ -0,0 +1,32283 @@ +urn: urn:intuitem:risk:library:k_isms_p +locale: en +ref_id: K ISMS-P +name: 'K ISMS-P Certification Standard Guide ' +description: "Certification Standard Guide Information Security and Personal Information\ + \ Protection Management System (ISMS-P) \nThe 'Personal information & Information\ + \ Security Management System (ISMS-P)\u2019 is an 'integrated certification system'\ + \ that consolidated 'Personal Information Management System (PIMS) certification'\ + \ and 'Information Security Management System (ISMS) certification'.\n\nHere is\ + \ the link of the document :\nhttps://isms-p.kisa.or.kr" +copyright: KISA +version: 1 +provider: KISA +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:k_isms_p + ref_id: K ISMS-P + name: 'K ISMS-P Certification Standard Guide ' + description: "Certification Standard Guide Information Security and Personal Information\ + \ Protection Management System (ISMS-P) \nThe 'Personal information & Information\ + \ Security Management System (ISMS-P)\u2019 is an 'integrated certification\ + \ system' that consolidated 'Personal Information Management System (PIMS) certification'\ + \ and 'Information Security Management System (ISMS) certification'.\n\nHere\ + \ is the link of the document :\nhttps://isms-p.kisa.or.kr" + requirement_nodes: + - urn: urn:intuitem:risk:req_node:k_isms_p:1 + assessable: false + depth: 1 + ref_id: '1' + name: 'Establishment and Operation of Management System ' + description: (16 Items) + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.1' + name: Establishing the Foundation of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.1 + name: Participation of Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + description: The responsibilities and roles related to reporting, decision-making, + etc., must be documented to ensure the participation of management, who have + decision-making authority over the overall establishment and operation activities + of the Information Security and Personal Information Protection Management + System. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node5 + description: The basis for activities, such as the establishment and revision + of information security and personal information protection policies, risk + management, internal audits, etc., must be specified in the information security + and personal information protection policy or implementation documents to + allow management to participate in important matters related to the operation + of the management system. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + description: Reporting, review, and approval procedures must be established + and implemented to enable management to actively participate in decision-making + concerning information security and personal information protection activities. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: Important activities within the Information Security and Personal + Information Protection Management System that involve management should be + defined, and corresponding reporting systems (e.g., regular and irregular + reports, committee participation) should be established. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: Reporting and decision-making procedures, targets, and frequencies + should be determined in accordance with the organization's size and characteristics, + ensuring that management can effectively participate in the establishment + and operation of the management system. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: In line with the established internal procedures, management should + be informed about major matters within the Information Security and Personal + Information Protection Management System and participate in decision-making. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.2 + name: Designation of the Chief Officer + - urn: urn:intuitem:risk:req_node:k_isms_p:node12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + description: The Chief Executive Officer (CEO) must officially designate a Chief + Information Security Officer (CISO) and a Chief Privacy Officer (CPO) through + formal procedures such as personnel appointments to effectively oversee and + be responsible for information security and personal information protection + management activities within the organization. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node12 + description: The CISO and CPO must be officially appointed through personnel + appointments, and in cases of ex officio appointments, their positions must + be specified in the information security and personal information protection + policy document. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + description: The CISO and CPO must be designated at an executive level with + the authority to allocate resources such as budget and personnel, and they + must meet the qualifications required by relevant laws (Refer to Article 36-7 + of the Enforcement Decree of the Information and Communications Network Act). + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: The CISO and CPO should be individuals with knowledge and competence + in information security and personal information protection, designated at + an executive level capable of allocating resources such as budget and personnel, + to effectively oversee the organization's information security and personal + information protection tasks. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node15 + description: Information service providers must designate an executive who meets + the criteria prescribed by Presidential Decree as the CISO to ensure the security + and safe management of information and information systems, and report this + to the Minister of Science and ICT. However, in cases where the criteria set + by Presidential Decree are met, reporting may be exempted. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: Compliance with legal requirements for the designation of a CISO + is necessary (Refer to Article 45-3 of the Information and Communications + Network Act). + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: Compliance with legal requirements for the designation of a Chief + Privacy Officer (CPO) is necessary (Refer to Article 32 of the Enforcement + Decree of the Personal Information Protection Act, etc.). + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.3 + name: Organization Structure + - urn: urn:intuitem:risk:req_node:k_isms_p:node20 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: Considering the characteristics such as the size of the organization + and the importance of tasks, the basis for the organizational structure necessary + to establish and continuously operate the Information Security and Personal + Information Protection Management System should be specified in the Information + Security and Personal Information Protection Policy or other relevant documents. + Additionally, a working group with expertise should be formed and operated. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The composition and operation of the Information Security and Personal + Information Protection organization, including the Chief Information Security + Officer (CISO), Chief Privacy Officer (CPO), working groups, and committees, + should be specified in policies, internal management plans, etc. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The structure and size of the working group should be determined + by considering the overall size of the organization, the nature of its tasks + and services, the importance and sensitivity of the information and personal + data being processed, legal regulations, etc. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The working group can be composed of either a dedicated team or + a combined team, but even if it is a combined team, roles and responsibilities + must be officially assigned to ensure that the team can perform its duties + effectively. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: Members of the working group should be employees with expertise + in information security and personal information protection, as well as a + good understanding of various services and experience (e.g., holding relevant + degrees and certifications, possessing practical experience, completing relevant + training, etc.). + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node25 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: A committee should be established and operated to review, approve, + and make decisions on important information security and personal information + protection matters across the organization. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should be composed of individuals who represent the + interests within the organization and have real authority for review and decision-making + on information security and personal information protection, including management, + executives, the CISO, and the CPO. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should be convened regularly or as needed based on + specific issues. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should review, approve, and make decisions on major + matters across the organization. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node29 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: To oversee enterprise-wide information security and personal information + protection activities, a working group composed of relevant officers and departmental + representatives should be established and operated. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node29 + description: The composition of the working group and its organizational structure + should be determined based on the size of the organization and the importance + of the services within the scope of the management system. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node29 + description: The working group should share, coordinate, review, and improve + information security and personal information protection matters at the practical + level. If decision-making or management support is required, the issues should + be submitted to the committee for discussion. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.4 + name: Setting the Scope + - urn: urn:intuitem:risk:req_node:k_isms_p:node33 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: The scope of the management system must be defined to include key + assets that could impact the organization's core services and the processing + of personal information. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node33 + description: The management system's scope should comprehensively include all + key tangible and intangible assets related to the business (services), such + as employees, information systems, information, and facilities, without omissions. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node33 + description: Particularly for those subject to mandatory information security + management systems, the scope must include information and communication services + and related information assets as required by legal obligations. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node36 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: If there are any exceptions within the defined scope, clear reasons, + consultation with relevant parties, and approval from responsible individuals + must be documented and managed. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node36 + description: If the scopes of the Information Security Management System (ISMS) + and the Personal Information Protection Management System (PIPMS) differ, + the list of information assets within the certification scope (e.g., personal + information, systems, networks) must be clearly identified and defined from + both the ISMS and PIPMS perspectives. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node36 + description: For services and information systems excluded from the certification + scope, the reasons and justifications must be recorded and managed after internal + consultation and approval from the responsible parties. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node39 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: Documents containing related content (e.g., key service and business + status, list of information systems, list of documents) must be created and + managed to clearly identify the scope of the Information Security and Personal + Information Protection Management System. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Key service and business status (including personal information + processing tasks) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Organizational status related to service provision (e.g., organizational + charts) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Status of information security and personal information protection + organizations + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of key facilities + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of information systems and network configuration diagrams + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Criteria for identifying information assets and personal information-related + assets, and the status of these assets + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of Information Security and Personal Information Protection + Systems + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Service (System) Diagrams and the Flow of Personal Information + Processing (collection, use, provision, storage, management, disposal) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of Documents (e.g., policies, guidelines, manuals, operation + specifications, etc.) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Methods and procedures for establishing the Information Security + and Personal Information Protection Management System, compliance review with + related legal requirements, and internal audits + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Status of outsourced (entrusted) companies such as customer centers, + IDC (Internet Data Centers), IT development, and operations + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.5 + name: Policy Formulation + - urn: urn:intuitem:risk:req_node:k_isms_p:node52 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: 'The highest-level Information Security and Personal Information + Protection policy, which includes the basis for all Information Security and + Personal Information Protection activities conducted by the organization, + must include the following elements:' + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node53 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The commitment and direction of the CEO and other executives regarding + the organization's Information Security and Personal Information Protection. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node54 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The roles, responsibilities, targets, and scope for Information + Security and Personal Information Protection within the organization + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node55 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The basis for the administrative, technical, and physical Information + Security and Personal Information Protection activities carried out by the + organization. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node56 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: In order to specifically implement the Information Security and + Personal Information Protection measures outlined in the policy, the organization + must establish detailed guidelines, procedures, manuals, guides, and other + subordinate execution documents that define the necessary methods, procedures, + cycles, and responsible entities in accordance with the organization's characteristics. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node57 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: Subordinate execution documents should provide a concrete basis + for all Information Security and Personal Information Protection activities + undertaken by the organization and be tailored to the organization's characteristics, + whether from the perspective of the protection targets or the responsible + entities. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node58 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: Policies and implementation documents (such as guidelines and procedures) + must reflect the legal requirements related to personal information protection + (laws, enforcement decrees, enforcement rules, subordinate notices, guides, + etc.) that are relevant to the services and businesses provided by the organization. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node59 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: When processing personal information, the internal management plan + must be established in accordance with the Personal Information Protection + Act, including all requirements specified by the relevant legal regulations. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node60 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: When creating or revising Information Security and Personal Information + Protection policies and implementation documents, approval must be obtained + from the CEO or an individual delegated by the CEO. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node61 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Ensure thorough consultation and review with stakeholders when + creating or revising policies and implementation documents. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node62 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: "Consider the impact of changes to policies and implementation\ + \ documents on the organization\u2019s operations, services, and legal compliance." + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node63 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Keep records of review discussions, such as meeting minutes, and + reflect these considerations in the policies and guidelines. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node64 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Report the finalized policies and implementation documents to the + management and obtain approval. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node65 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: When creating or revising Information Security and Personal Information + Protection policies and implementation documents, the latest version must + be provided to relevant employees in an easily understandable format. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node66 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node65 + description: Provide the documents in a format that is easily accessible to + employees and external parties (e.g., electronic bulletin boards, booklets, + training materials, manuals). + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node67 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node65 + description: Immediately publish any changes to the policies and implementation + documents and ensure that the latest version is maintained. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.6 + name: Resource Allocation + - urn: urn:intuitem:risk:req_node:k_isms_p:node69 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: The top management must ensure that personnel with expertise in + information security and personal data protection are secured to facilitate + smooth execution of activities. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node70 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Possess specialized knowledge and relevant qualifications (e.g., + degrees or certifications related to information security and personal data + protection). + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node71 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Have practical experience in information security and personal + data protection. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node72 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Complete job-related training in information security and personal + data protection. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node73 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: The top management must assess the necessary resources for effective + implementation and continuous operation of the information security and personal + data protection management system and provide the required budget and personnel. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node74 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node73 + description: Annually assess the necessary budget and resources for the effective + establishment and ongoing operation of the information security and personal + data protection management system, and develop and approve budget and personnel + plans. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node75 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node73 + description: Continuously support the required resources (e.g., personnel, organization, + budget) in accordance with the budget and personnel plans. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node76 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: Develop and implement detailed annual plans for information security + and personal data protection tasks and conduct review, analysis, and evaluation + of the results. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node77 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node76 + description: Establish detailed annual plans for executing information security + and personal data protection tasks, report to management, and implement them. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node78 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node76 + description: Review, analyze, and evaluate the results of the implementation + according to the detailed plans and report to management. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.2' + name: Risk Management + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.1 + name: Identification of Information Assets + - urn: urn:intuitem:risk:req_node:k_isms_p:node81 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Establish criteria for classifying information assets and identify + and manage all assets within the scope of the information security and personal + data protection management system as a list. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node82 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Develop classification criteria for information assets that match + the characteristics of the organization and ensure that all information assets + are identified according to these criteria. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node83 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Verify and list asset information such as asset name, purpose, + location, responsible person and manager, and managing department. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node84 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Utilize an asset management system or manage assets in various + forms (e.g., documents or spreadsheets) for efficient management. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node85 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: When using cloud services, establish classification criteria reflecting + the characteristics of the cloud service (e.g., virtual servers, object storage) + and identify and manage cloud assets accordingly. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node86 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Determine the importance of identified information assets and assign + security classifications based on legal requirements and their impact on business + operations. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node87 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node86 + description: Establish security classification criteria tailored to the characteristics + of each asset, considering legal requirements and their impact on business + operations. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node88 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node86 + description: Assign and manage security classifications for each information + asset according to the established security classification criteria. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node89 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Regularly review the status of information assets to keep the asset + list up-to-date. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node90 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node89 + description: Establish procedures to track newly introduced, changed, and discarded + assets. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node91 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node89 + description: Conduct regular reviews of the information asset status and maintain + the asset list in an up-to-date condition. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.2 + name: Analysis of Current Status and Flow + - urn: urn:intuitem:risk:req_node:k_isms_p:node93 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Status and flow analysis serves as a preliminary step for risk + analysis, providing foundational data that allows for risk analysis from various + perspectives. It also enables executives to effectively understand the information + security status and make decisions for risk management. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node94 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node93 + description: Status analysis involves comparing certification standards with + operational status using a GAP analysis table to identify differences between + the certification standards and the operational status. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node95 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node93 + description: Flow analysis is divided into information service flow analysis + and personal data processing stage flow analysis, with the results being illustrated + using flowcharts or diagrams. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node96 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Identify the status of information services across all areas of + the management system, understand and document the business procedures and + processes. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node97 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Identify the status of all information services within the scope + of the management system. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node98 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Understand the business procedures and processes for each information + service. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node99 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Document the business procedures and processes using tools such + as status tables and flowcharts. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node100 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Identify the status of personal data processing within the scope + of the management system and understand the flow of personal data, documenting + it using personal data flow charts and diagrams (for ISMS-P certification). + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node101 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: (Step 1) Identify the individual business processes where personal + data processing occurs. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node102 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: (Step 2) Create personal data flow charts for each business process, + detailing the lifecycle of personal data. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node103 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: '(Step 3) Based on the created personal data flow charts, develop + an overarching personal data flow diagram and business-specific personal data + flow diagrams. These diagrams should clearly illustrate the flow of personal + data through different stages: collection, retention, use/provision, and disposal.' + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node104 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: 'Regularly review and manage the business procedures and personal + data flows to ensure they are up-to-date, considering the following aspects, + at least once a year:' + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node105 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104 + description: Changes in existing services, business operations, and personal + data flows (e.g., new services or service revisions, changes in business procedures, + alterations in personal data processing methods, organizational changes, modifications + in external connections and data flows). + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node106 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104 + description: Changes in critical information and personal data categories being + processed. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node107 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104 + description: Changes in the types, configuration, and functions of information + systems and personal data processing systems. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node108 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104 + description: Emergence of new personal data processing tasks and flows. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node109 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104 + description: Changes in external conditions such as updates to regulations or + the emergence of new vulnerabilities. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.3 + name: Risk Assessment + - urn: urn:intuitem:risk:req_node:k_isms_p:node111 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + description: Reflecting the characteristics of the organization, define and + document methods for identifying and assessing information security and personal + data protection risks from various aspects, including administrative, technical, + physical, and legal fields. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node112 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111 + description: 'Select risk assessment methods: baseline approach, detailed risk + analysis, composite approach, threat and scenario-based methods, etc.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node113 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111 + description: 'Reflect the characteristics of the business and organization: + organizational vision and mission, business objectives, service types, compliance, + etc.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node114 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111 + description: 'Consider various perspectives: hacking, insider threats, external + management or supervision lapses, violations of personal data regulations, + etc.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node115 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111 + description: Consider the latest vulnerabilities and threat trends. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node116 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111 + description: Risk assessment methodologies can be defined and applied according + to the organization's characteristics, but the process must be rational, and + the results should represent the seriousness of the actual risks. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node117 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + description: Develop a risk management plan that specifies the risk management + methods and procedures (including personnel, duration, scope, methods, budget, + etc.). + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node118 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117 + description: 'Personnel: Involve risk management experts, information security + and personal data protection specialists, legal experts, IT operational managers, + business unit managers, external consultants, etc. (Stakeholder involvement + is necessary.)' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node119 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117 + description: 'Duration: Establish a schedule to ensure that risk assessments + are conducted at least once a year.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node120 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117 + description: 'Scope: Include all services and assets within the certification + scope (information assets, personal data, systems, physical facilities, etc.).' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node121 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117 + description: 'Methods: Define risk assessment methodologies that reflect the + organization''s characteristics.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node122 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117 + description: 'Budget: Develop an annual budget plan for risk identification + and assessment and obtain approval from executives, including the Chief Information + Security Officer.' + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node123 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + description: According to the risk management plan, perform risk assessments + for all areas within the scope of the information security and personal data + protection management system at least once a year or as needed. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node124 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Systematically execute assessments based on the pre-established + risk management methods and plans. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node125 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Conduct risk assessments regularly at least once a year, but perform + additional assessments if significant changes occur, such as organizational + changes or the introduction of new systems. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node126 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Incorporate findings from the status and flow analysis of services + and information assets. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node127 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Verify compliance with legal requirements related to information + security and personal data protection based on the latest regulations. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node128 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Ensure compliance with the certification standards for the information + security and personal data protection management system. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node129 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123 + description: Include a review of the effectiveness of implemented information + security and personal data protection measures. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node130 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + description: Define an acceptable level of risk for the organization and identify + risks that exceed this level. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node131 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130 + description: Establish risk assessment criteria considering the impact of various + risks on the organization (likelihood, severity, etc.). + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node132 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130 + description: Assess the level of risk for identified risks according to the + established criteria. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node133 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130 + description: Determine the acceptable level of risk (Degree of Assurance) based + on decisions by executives, including the Chief Information Security Officer + and the Personal Data Protection Officer. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node134 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130 + description: Identify and document risks that exceed the acceptable level of + risk. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node135 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3 + description: Report the results of risk identification and assessment in a manner + that is easily understood by executives, including the Chief Information Security + Officer and the Personal Data Protection Officer. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node136 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135 + description: Prepare evaluation reports for identified risks. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node137 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135 + description: Share and discuss the content with relevant stakeholders for each + identified risk (e.g., operational committees, review boards). + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135 + description: Prepare and report the findings in a way that is understandable + and actionable for executives, avoiding technical jargon and focusing on clarity + for decision-making. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.4 + name: Selection of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node140 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + description: Establish risk treatment strategies (such as risk reduction, risk + avoidance, risk transfer, or risk acceptance) for identified risks, and select + appropriate information security and personal data protection measures for + each risk based on these strategies. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node141 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: It is common to develop risk treatment strategies with the goal + of reducing the risk level. However, depending on the situation, strategies + such as risk avoidance, risk transfer, and risk acceptance should also be + considered. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node142 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: When selecting protective measures, consider the alignment of information + security and personal data protection measures with the certification standards + for the management system. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node143 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: If risk acceptance is chosen due to unavoidable reasons, avoid + unconditional risk acceptance. Instead, carefully review the appropriateness + of the unavoidable reasons and the feasibility of implementing supplementary + measures, and base the decision on clear and objective evidence. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node144 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: Be cautious to ensure that risks involving legal violations are + not included in the acceptable risk category. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node145 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: For risks that do not exceed the acceptable risk level but have + a high potential for increased risk due to changes in internal or external + environments, or are considered critical by the organization, consider establishing + protective measures. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node146 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + description: Considering the priority of information security and personal data + protection measures, develop an implementation plan that includes a schedule, + responsible departments and individuals, budget, and other relevant elements, + and report this plan to the Chief Information Security Officer and the Personal + Data Protection Officer, as well as other executives. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node147 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node146 + description: Determine priorities based on factors such as the severity and + urgency of the risks, ease of implementation, budget allocation, availability + of resources, and dependencies + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node148 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node146 + description: Prepare an implementation plan for information security and personal + data protection measures that includes the schedule, responsible departments + and individuals, budget, and other relevant details, and present it to executives + for approval. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.3' + name: Operation of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.1 + name: Implementation of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node151 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + description: According to the implementation plan, ensure that the selected + protective measures are effectively implemented and report the results to + management, including the Chief Information Security Officer and the Personal + Data Protection Officer, to verify the accuracy and effectiveness of the implementation. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node152 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: Regularly report on the progress of the implementation plan, including + completion status, current progress, and reasons for any non-compliance or + delays to the Chief Information Security Officer, the Personal Data Protection + Officer, and other executives. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node153 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: Management should review whether the information security and personal + data protection measures have been implemented accurately and effectively + according to the plan. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node154 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: If non-compliance or delays occur, analyze the causes, adjust the + implementation plan if necessary, and report to and obtain approval from management. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node155 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: If the results of the implementation are found to be ineffective + or raise significant doubts about their effectiveness, establish alternatives + or procedures for additional risk assessments to address the issues. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node156 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + description: Prepare detailed operational specifications that document the implementation + and operational status of protective measures for each certification standard. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node157 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Confirm whether the certification standards have been selected + (Yes/No): The ''Establishment and Operation of the Management System'' area + is mandatory.' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node158 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Operational Status: Provide a detailed account of the organization''s + policies and operational status compared to the certification standards.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node159 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Related Documents: Clearly specify the names and detailed document + numbers of relevant documents (policies, guidelines, etc.) applicable to the + standards.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node160 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Records (Evidence): Present documents or evidence generated during + the actual operation of the standards, such as related documents, approval + details, and meeting minutes.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node161 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Reasons for Not Selecting Standards: If a service or system within + the certification scope is entirely unrelated to a given standard, provide + a detailed explanation for not selecting that standard.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.2 + name: Sharing of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node163 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + description: You must clearly identify the departments and individuals responsible + for operating or implementing the implemented protective measures. + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node164 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + description: To internalize the information security and personal data protection + management system, you must share or provide training on the relevant content + to the departments and individuals responsible for operating or implementing + the implemented protective measures. + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node165 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Shared Content: Revisions and updates to information security + and personal data protection policies and implementation documents, implementation + plans and results for information security and personal data protection measures, + and new security system implementations and improvements.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node166 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Recipients: Departments and individuals responsible for the actual + operation or implementation of the relevant policies, guidelines, and protective + measures.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node167 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Sharing Methods: Bulletin boards and email notifications (for + simple issues), meetings, briefings, and training sessions.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.3 + name: Management of Operational Status + - urn: urn:intuitem:risk:req_node:k_isms_p:node169 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + description: To ensure the effective operation of the management system, you + must identify information security and personal data protection activities + that are required to be performed daily, weekly, monthly, quarterly, semi-annually, + or annually, or on an ongoing basis. You should create and manage a document + (operational status table) that defines the performance cycle and timing, + as well as the responsible parties (departments and individuals), to easily + monitor the status of these activities. + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node170 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + description: "Management must periodically verify the effectiveness of the management\ + \ system\u2019s operational activities and address any issues identified through\ + \ improvements." + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node171 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node170 + description: Regularly check to ensure that the operational activities are being + performed periodically or continuously according to the operational status + table, and report the findings to management. + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node172 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node170 + description: "Management should evaluate the effectiveness of the management\ + \ system\u2019s operational activities and, if necessary, take corrective\ + \ actions such as changing responsible parties, adjusting performance cycles,\ + \ or adding, modifying, or removing operational activities." + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.4' + name: Inspection and Improvement of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.1 + name: Review of Compliance with Legal Requirements + - urn: urn:intuitem:risk:req_node:k_isms_p:node175 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + description: You must identify and keep up-to-date with the legal requirements + related to information security and personal data protection that the organization + must comply with. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node176 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: Identify the information security and personal data protection + regulations that the organization is required to comply with. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node177 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: Continuously monitor the status of amendments and updates to relevant + regulations. Analyze the impact of such changes on the organization and, if + necessary, reflect these changes in internal policies, guidelines, and checklists + to maintain up-to-date compliance + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node178 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: '[Reference] Information Security Disclosure System' + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node179 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + description: Compliance with legal requirements must be reviewed regularly at + least once a year. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node180 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node179 + description: Establish procedures for regularly reviewing compliance with legal + requirements (including review cycle, scope, responsible parties, methods, + etc.) and implement them. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node181 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node179 + description: Promptly take corrective actions for any issues identified during + the compliance review. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.2 + name: Inspection of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:node183 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + description: You must establish a management system inspection plan that includes + criteria, scope, frequency, and qualifications for inspection personnel to + check whether the information security and personal data protection management + system is operating effectively according to legal requirements and established + policies, and report this plan to the management. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node184 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Criteria: Include information security and personal + data protection management system certification criteria.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node185 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Scope: Cover the entire organization or certification + scope.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node186 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Frequency: Must be conducted at least once a year.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node187 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Personnel Qualifications: Define qualifications to + ensure objectivity, independence, and expertise in the inspection.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node188 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + description: According to the management system inspection plan, you must form + a team with ensured independence, objectivity, and expertise to perform inspections + at least once a year and report any issues discovered to the Chief Information + Security Officer, the Chief Privacy Officer, and other management members. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node189 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Form a team to ensure objectivity, independence, and expertise + in the inspection. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node190 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Conduct inspections at least once a year as per the inspection + plan. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node191 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Prepare an inspection report and present it to the Chief Information + Security Officer, Chief Privacy Officer, and other management members. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.3 + name: Improvement of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:node193 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + description: You must analyze the root causes of issues identified through legal + compliance reviews and management system inspections, and establish and implement + preventive and corrective measures. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node194 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: For issues identified during inspections, develop and implement + action plans, and verify the completion of these actions. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node195 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Analyze the root causes of identified issues and defects in the + management system. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node196 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Based on the results of the root cause analysis, establish and + implement measures to prevent recurrence and improve the identified issues. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node197 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Share and provide training on the established preventive measures + to relevant parties. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node198 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + description: You must establish criteria and procedures to verify the accuracy + and effectiveness of preventive and corrective actions. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node199 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Develop key performance indicators (KPIs) for the management system + aspects (such as security performance indicators) to measure the accuracy + and effectiveness of preventive and corrective actions. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node200 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Establish and implement procedures for measuring and monitoring + key performance indicators (KPIs) and security performance indicators. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node201 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Report the results of the verification and measurement of the accuracy + and effectiveness of preventive and corrective actions to the management. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2 + assessable: false + depth: 1 + ref_id: '2' + name: Protection Requirements + description: (64 items) + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.1' + name: Policy, Organization, Asset Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + ref_id: 2.1.1 + name: Policy Maintenance + - urn: urn:intuitem:risk:req_node:k_isms_p:node205 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: Regularly establish and implement a process to review the validity + of policies and implementation documents related to information security and + personal data protection (including guidelines, procedures, and guide documents). + When necessary, update or revise the relevant policies and implementation + documents. + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node206 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node205 + description: 'Establishing Procedures: Develop and implement procedures for + the regular validity review of information security and privacy protection + policies and implementation documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node207 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node205 + description: 'Perform Validity Review: Conduct validity reviews considering + the following aspects to ensure that information security and privacy protection + policies and documents reflect changes in laws and regulations, align with + policies from higher organizations and related institutions, and adapt to + changes in the internal and external environment of the organization.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node208 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Alignment Analysis: Analyze the alignment with information security + and privacy protection policies of higher organizations and related institutions + to ensure mutual consistency. Review for the presence of inconsistencies and + check the appropriateness of the hierarchical structure between policies.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node209 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Document Consistency: Ensure consistency in the periodicity, level, + and method of information security and privacy protection activities across + documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node210 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Legal Compliance: Review any changes (including upcoming ones) + in information security and privacy protection laws and regulations to ensure + they are appropriately reflected in policies and implementation documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node211 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Risk Assessment: Incorporate the results of risk assessments and + management system inspections.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node212 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Environmental Changes: Consider new threats and vulnerabilities, + changes in the business environment, the introduction of new technologies, + and changes in the information security and privacy protection environment.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node213 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: 'Review and Update During Significant Changes: When significant + changes occur in the organization''s internal and external environment, the + impact on information security and privacy protection policies and implementation + documents should be reviewed and updated if necessary.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node214 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Legal Changes: Review and update according to changes in information + security and privacy protection laws and regulations.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node215 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Business Environment Changes: Consider updates for significant + changes in the business environment (e.g., entry into new business areas, + large-scale organizational restructuring).' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node216 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Environmental Changes: Include significant changes in information + security, privacy protection, and IT environments (e.g., introduction of new + security systems or IT systems).' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node217 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Security Incidents: Review and update policies in response to + significant internal or external security incidents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node218 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'New Threats: Address new threats or discovered vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node219 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: 'Stakeholder Review for Policy Updates: When revising or creating + new information security and privacy protection policies and implementation + documents, sufficient consultation and review with stakeholders are required.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node220 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219 + description: 'Stakeholder Identification: Identify and consult with stakeholders, + including the Chief Information Security Officer (CISO), the Chief Privacy + Officer (CPO), relevant information security and privacy protection organizations, + the IT department, departments handling critical information and personal + data, and key information and personal data handlers.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node221 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219 + description: 'Impact Assessment: Consider the impact of policy and document + changes on operations, legal compliance, and other factors.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node222 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219 + description: 'Documentation: Keep records of review discussions (e.g., meeting + minutes) and incorporate relevant details into policies and guidelines.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node223 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: 'Document Change History Management: Establish and implement a + document management procedure to record and manage the history of changes + (e.g., creation, revision, distribution, disposal) in information security + and privacy protection policies and documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node224 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node223 + description: 'Version Control: Manage document versions, dates, reasons for + changes, authors, and approvers by recording the revision history within the + document.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node225 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node223 + description: 'Distribution and Access: Ensure that all relevant employees always + refer to the latest version of the document through proper distribution and + management.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + ref_id: 2.1.2 + name: Organization Maintenance + - urn: urn:intuitem:risk:req_node:k_isms_p:node227 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2 + description: Considering the characteristics of the organization related to + the performance of information security and privacy protection tasks, the + roles and responsibilities of relevant managers and personnel must be specifically + defined in the implementation documents. + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node228 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227 + description: ' Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO)' + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node229 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227 + description: Information security and privacy protection managers and personnel + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node230 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227 + description: Departmental information security and privacy protection managers + and personnel + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node231 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227 + description: The CISO and CPO should perform tasks that reflect legal requirements + annotation: 'Conf page 56 of the guide ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node232 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227 + description: Information security and privacy protection managers, protection + officers, and practitioners should have their roles and responsibilities specifically + defined through job descriptions and other relevant documents to ensure they + can practically support and implement the management duties of the Chief Information + Security Officer (CISO) and Chief Privacy Officer (CPO). + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node233 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2 + description: A system for evaluating the activities of those responsible for + information security and privacy protection must be established. + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node234 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node233 + description: Develop methods to regularly evaluate information security and + privacy protection activities, such as through Key Performance Indicators + (KPI), Management By Objectives (MBO), and performance appraisals within the + organization. + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node235 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2 + description: " A system and procedures for communication between the organization\u2019\ + s members and the information security and privacy protection teams must be\ + \ established and implemented" + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node236 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node235 + description: Develop and implement a communication management plan related to + information security and privacy protection. + annotation: 'Key Points for Verification: + + - Are the roles and responsibilities of those in charge of information security + and privacy protection clearly defined? + + - Is there a system in place to evaluate the activities of those responsible + for information security and privacy protection? + + - Are there established and implemented systems and procedures for communication + between the information security and privacy protection teams and other members + of the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + ref_id: 2.1.3 + name: Information Asset Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node238 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3 + description: The handling procedures (creation, acquisition, storage, use, disposal, + etc.) according to the security classification of information assets must + be defined, and appropriate protection measures such as encryption and access + control must be established and implemented accordingly. + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node239 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node238 + description: 'Indicate the security classification (confidential, secret, general, + etc.) of each information asset to enable employees to identify them:' + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node240 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node239 + description: '(Electronic) Documents: Indicate on the document cover or through + watermarking, etc.' + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node241 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node239 + description: 'Hardware assets such as servers: Confirm the security classification + through asset numbers or barcode labels, etc.' + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node242 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node238 + description: Establish and implement handling procedures and security control + standards according to the security classification of information assets (creation, + acquisition, storage, use, disposal, etc.). + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node243 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3 + description: For identified information assets, the person responsible for asset + introduction, modification, disposal, transfer, security management, and the + person in charge of the actual management and operation of the assets (or + the administrator) must be designated to clearly define the responsibilities. + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node244 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node243 + description: Assign responsible persons and administrators for each information + asset and record them in the asset inventory. + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node245 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node243 + description: In the event of personnel changes due to resignation, transfer, + etc., or changes in the status of information assets due to introduction, + modification, or disposal, update the asset inventory to reflect the responsible + persons and administrators for each information asset. + annotation: 'Key Points for Verification: + + - Are handling procedures (creation, acquisition, storage, use, disposal) + and protection measures defined and implemented according to the security + classification of information assets? + + - Are responsible persons and administrators designated for the identified + information assets?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.2' + name: Human Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.1 + name: Designation and Management of Key Personnel + - urn: urn:intuitem:risk:req_node:k_isms_p:node248 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + description: Clear criteria for handling personal information and sensitive + information, as well as access to key systems, should be defined. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node249 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + description: Employees and external parties performing key duties should be + designated as key personnel, and their list should be kept up-to-date. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node250 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249 + description: ' Identify key personnel and formally designate them as key personnel.' + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node251 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249 + description: ' Maintain a list of designated key personnel.' + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node252 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249 + description: Update the list when new key personnel are designated, or when + there are changes or removals. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node253 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249 + description: Regularly review the designation of key personnel for appropriateness + and update the list accordingly. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node254 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + description: Individuals handling personal information as part of their duties + should be designated as personal information handlers, and their list should + be kept up-to-date. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node255 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node254 + description: Maintain a list of personal information handlers who process personal + information as part of their job. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node256 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node254 + description: The list of personal information handlers should include those + handlers employed by subcontractors who have been entrusted with personal + information processing tasks. (However, subcontractors may manage their own + list for personal information handlers who do not have access rights to the + personal information processing system.) + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node257 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + description: Regularly review the designation of personal information handlers + for appropriateness and update the list accordingly. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node258 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1 + description: Management measures should be established and implemented to minimize + the designation of key personnel and personal information handlers based on + business necessity. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node259 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258 + description: Designate key personnel and personal information handlers only + when absolutely necessary for business purposes. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node260 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258 + description: Establish approval procedures for the application and granting + of key personnel and personal information handler privileges. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node261 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258 + description: Develop and implement management and control measures for key personnel + and personal information handlers, including training, monitoring, etc. + annotation: 'Key Points for Verification: + + - Are the criteria for key tasks, such as handling personal information and + sensitive information, as well as accessing critical systems, clearly defined? + + - Are employees and external parties who perform key tasks designated as key + personnel, and is the list of such personnel kept up-to-date? + + - Are individuals who handle personal information in their job designated + as personal information handlers, and is the list of such individuals kept + up-to-date? + + - Do you establish and implement management measures to minimize the designation + of key personnel and personal information handlers based on business necessity?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.2 + name: Job Role Separation + - urn: urn:intuitem:risk:req_node:k_isms_p:node263 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2 + description: 'To prevent potential harm from the misuse or abuse of privileges, + the following job separation criteria must be established and applied:' + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node264 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of development and operational roles + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node265 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of information security officers, personal information + handlers, and information security and personal information monitoring roles + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node266 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of operational roles between information systems and + personal information processing systems (servers, databases, etc.) + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node267 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of information security and personal information protection + management from information security and personal information protection audit + functions + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node268 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of personal information protection management from the + operation of personal information processing systems + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node269 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Separation of personal information protection management from the + development of personal information processing systems, etc. + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node270 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263 + description: Prohibition of granting rights to external contractor staff for + user account registration/deletion (deactivation) and access right registration/modification/deletion + (with compensatory controls applied if unavoidable) + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node271 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2 + description: 'If job separation is unavoidably difficult due to reasons such + as a small organization size or lack of human resources, compensatory controls, + such as mutual review among role holders and ensuring accountability, must + be established:' + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node272 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node271 + description: Management to prevent misuse or abuse through mutual review among + role holders and approval by senior management + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node273 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node271 + description: ' Ensuring accountability through the use of individual accounts, + logging, and audits/monitoring' + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.3 + name: Security Pledges + - urn: urn:intuitem:risk:req_node:k_isms_p:node275 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: New employees must sign an information security and personal data + protection agreement that specifies their responsibilities in these areas. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node276 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node275 + description: When new employees join, they should sign an agreement outlining + the necessity and responsibilities of information security and personal data + protection, compliance with internal policies and relevant regulations, and + confidentiality obligations. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node277 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node275 + description: In the event of significant changes such as changes in employment + conditions, the agreement should be revised accordingly. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node278 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: When granting access to information assets (including personal + data) and information systems to external personnel such as temporary staff + or outsourced workers, an agreement must be obtained that specifies their + responsibilities for information security and personal data protection, as + well as confidentiality obligations. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node279 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node278 + description: The agreement should include necessary details such as responsibilities + for information security and personal data protection, confidentiality obligations, + compliance with internal regulations and relevant laws, and liability for + damages arising from non-compliance with these obligations. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node280 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: Upon an employee's resignation, a separate confidentiality agreement + must be obtained. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node281 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node280 + description: Ensure that departing employees are clearly aware of their legal + responsibilities in case of information leakage by obtaining a confidentiality + agreement (to be included in the resignation process). + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node282 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: Information security, personal data protection, and confidentiality + agreements should be securely stored and managed to be easily retrievable + when needed. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node283 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node282 + description: Store and manage these agreements in a secure manner, such as in + a locked cabinet or a document repository with access controls, to be used + as evidence of legal responsibility in case of legal disputes. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.4 + name: Awareness and Training + - urn: urn:intuitem:risk:req_node:k_isms_p:node285 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: 'The annual information security and personal data protection training + plan must be developed with specific details including the timing, duration, + target audience, content, and methods of training, and receive approval from + management. This plan should include:' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node286 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Types of Training: Employee awareness training, training for key + personnel, personal data handlers, contractors, and specialized training.' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node287 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Training Plan: Objectives, target audience, content, methods, + schedule, and duration (differentiated based on business scale, amount of + personal data held, nature of work, target audience, and type of training).' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node288 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Approval: Review and approval of the training plan, including + budget allocation to ensure it is carried out as planned' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node289 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: You must conduct regular training sessions at least once a year + for all employees and external parties within the management system's scope, + according to the annual training plan, and provide additional training in + response to significant changes in relevant laws and regulations. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node290 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Inclusion: All personnel with direct or indirect access to information + assets, including employees, temporary staff, and external service providers.' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node291 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Contractors and Delegated Employees: Provide relevant materials + to ensure the contractor performs the training, and manage and supervise the + implementation.' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node292 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Frequency: At least once a year (especially for personal data + handlers, as legal requirements mandate annual personal data protection training).' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node293 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: "Content: Ensure that the training content includes all necessary\ + \ information for employees and relevant external parties to understand and\ + \ comply with the organization\u2019s management system and policies." + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node294 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: Develop and implement methods for training personnel who missed + sessions due to business trips, vacations, or work commitments (e.g., additional + training sessions for absentees, supplementary training, online courses). + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node295 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: Conduct additional training in the event of significant changes + to internal regulations and procedures, security incidents within or outside + the organization, or changes in relevant laws and regulations. However, if + the issues are not critical, alternative methods such as bulletin board notices, + email notifications, or distribution of booklets may be used. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node296 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Implement information security and personal data protection training + before new employees and external contractors start their work. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node297 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node296 + description: Provide information security and personal data protection training + either at the point of hiring or before commencing duties to ensure understanding + of organizational policies, precautions, and legal responsibilities for violations. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node298 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Ensure that employees within IT and information security roles + receive specialized training to enhance their expertise in information security + and personal data protection. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node299 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node298 + description: IT staff, Chief Information Security Officer, Chief Personal Data + Protection Officer, personal data handlers, and information security personnel. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node300 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node298 + description: Participation in conferences, seminars, and workshops related to + information security and personal data protection; outsourced training from + specialized institutions; internal training with external experts. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node301 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Keep records of training activities and assess the effectiveness + and appropriateness of the training to incorporate findings into future training + plans. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node302 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node301 + description: Maintain records such as training announcements, materials, and + attendance logs. Evaluate the appropriateness and effectiveness of the training + using pre-established criteria through surveys or tests. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node303 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node301 + description: Develop measures to address areas for improvement identified in + training evaluations and reflect these measures in the next training plan. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.5 + name: Management of Employee Termination and Role Changes + - urn: urn:intuitem:risk:req_node:k_isms_p:node305 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + description: Personnel changes due to retirement, job changes, departmental + transfers, or leave of absence must be promptly communicated among relevant + departments such as HR, information security, personal data protection, and + systems operations. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node306 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node305 + description: Procedures must be established and implemented to ensure that personnel + change information is quickly shared among the relevant organizations and + systems. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node307 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + description: When personnel (employees, temporary staff, outsourced workers, + etc.) retire or change roles within the organization, procedures must be established + and implemented for the prompt return of information assets, revocation or + adjustment of access rights, and verification of these actions. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: Procedures must be established and implemented for the return of + access cards and assets, deletion or locking of accounts, revocation or adjustment + of access rights, and security checks during retirement or job changes. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node309 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: If account sharing was unavoidable, the password for the shared + account must be changed immediately. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node310 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: Records must be maintained, and compliance with the retirement + procedures should be reviewed regularly. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.6 + name: Actions in Case of Security Violations + - urn: urn:intuitem:risk:req_node:k_isms_p:node312 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + description: ' Regulations must be established for penalizing employees and + relevant external parties who violate information protection and privacy responsibilities + and obligations as per laws, regulations, and internal policies.' + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node313 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node312 + description: Establish investigation, clarification, and disciplinary action + criteria and procedures for cases of non-compliance with relevant laws and + internal regulations, failure to fulfill responsibilities, and damage, misuse, + or exposure of important information and personal data. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node314 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node312 + description: Consider compensation measures for those who diligently fulfill + their information protection and privacy responsibilities and obligations. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node315 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + description: Actions must be taken according to internal procedures when violations + of information protection and privacy are detected. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node316 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node315 + description: Implement actions based on the reward and punishment regulations + and record the outcomes. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node317 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node315 + description: Use the incident for company-wide announcements or as a case in + training if necessary. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.3' + name: External Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.1 + name: Management of External Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node320 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + description: You must clearly identify the status of outsourcing and the use + of external facilities and services within the scope of the management system. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node321 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node320 + description: Identify the status of outsourcing and the use of external facilities + and services within the management system's scope. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node322 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node320 + description: Develop and continuously update a list of the status of outsourcing + and the use of external facilities and services. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node323 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + description: 'Identify Legal Requirements and Risks Associated with Outsourcing + and the Use of External Facilities/Services and Implement Appropriate Safeguards:' + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node324 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Determine if the outsourcing involves personal data processing. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node325 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Assess if there is any transfer of personal data abroad. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node326 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Identify relevant legal requirements such as those under the Personal + Information Protection Act and the Information and Communications Network + Act. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node327 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Perform a risk assessment related to outsourcing and the use of + external facilities/services, including compliance with legal requirements. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node328 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Develop and implement appropriate protective measures based on + the risk assessment results. For example, perform concentrated on-site inspections + with different frequencies and checklists for high-risk service providers. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.2 + name: Security in External Contracts + - urn: urn:intuitem:risk:req_node:k_isms_p:node330 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: When selecting external services and contractors related to the + processing of critical information and personal data, procedures must be established + to consider their information security and privacy protection capabilities + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node331 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node330 + description: Ensure that vendors with information security and privacy protection + capabilities are selected by incorporating relevant requirements into the + Request for Proposal (RFP) and evaluation criteria. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node332 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: 'When outsourcing organizational information processing tasks or + using external services, the following security requirements must be defined + and reflected in the contract:' + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node333 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Compliance with information security and privacy protection laws, + and submission of an information security and privacy protection pledge. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node334 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Regular information security training and periodic security inspections + for employees performing outsourced tasks. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node335 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Measures to prevent the leakage of critical information acquired + during task performance. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node336 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Restrictions on external internet access, physical protection measures + (e.g., equipment and media access control), endpoint security (e.g., antivirus + installation, secure password setup and periodic changes, screen saver settings), + and restrictions on wireless network usage. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node337 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Procedures for granting and revoking access permissions to prevent + excessive privileges when accessing information systems. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node338 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Restrictions on subcontracting, and procedures and security requirements + for any necessary subcontracting. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node339 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Penalties for non-compliance with security requirements, liability + for damages, and reporting obligations in the event of security incidents. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node340 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: When outsourcing the development of information systems and personal + data processing systems, the contract must specify the information security + and privacy protection requirements that must be adhered to during development. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node341 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Compliance with legal requirements related to information security + and privacy protection. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node342 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Application of development security procedures, including adherence + to secure coding standards. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node343 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Vulnerability assessments and remediation for the completed information + systems and personal data processing systems. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node344 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Security management of development-related deliverables, source + code, and development data within the development environment. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node345 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Obligation to maintain confidentiality regarding information acquired + during the development process. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node346 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Liability for damages and other responsibilities in case of violations. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.3 + name: Management of Security Compliance by External Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node348 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: External parties must undergo periodic checks or audits to ensure + compliance with the information security and privacy protection requirements + specified in contracts, agreements, and internal policies. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node349 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Regularly conduct checks or audits to ensure adherence to the defined + security requirements when engaging with external parties. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node350 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Checks or audits should be conducted before the commencement of + work, during the ongoing process, and at the end of the work, with additional + checks as needed. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node351 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Determine the frequency and method of inspections based on factors + such as the external party's information security and privacy protection capabilities, + possession of their own systems, and the volume and sensitivity of the information + being processed. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node352 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: When issues are identified during checks or audits of external + parties, a corrective action plan must be developed and implemented. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node353 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node352 + description: Share the results of inspections and audits, establish and implement + measures to address identified issues and prevent recurrence. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node354 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node352 + description: Perform follow-up checks to ensure the completion and effectiveness + of corrective actions. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node355 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: When a subcontractor entrusted with personal data processing tasks + subcontracts the work to a third party, the principal must give consent. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node356 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node355 + description: A personal data processing subcontractor may only subcontract to + a third party with the principal's consent and must ensure that the subcontractor + implements the same level of technical and managerial protective measures + as required by the principal. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.4 + name: Security in Contract Changes and Expiration + - urn: urn:intuitem:risk:req_node:k_isms_p:node358 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + description: Security measures must be established and implemented to ensure + that, upon the expiration of external contracts, completion of work, or changes + in responsible personnel, procedures are followed for the return of information + assets, deletion of information system access accounts, destruction of important + information, and collection of confidentiality agreements. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node359 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node358 + description: Develop information-sharing mechanisms to ensure that the responsible + organization can promptly recognize the expiration of external contracts, + completion of work, or changes in responsible personnel. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node360 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node358 + description: Establish and implement security measures related to the expiration + of external contracts, completion of work, or changes in responsible personnel. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node361 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + description: Upon the expiration of external contracts, procedures must be established + and implemented to verify whether the external party retains important information + and personal data related to the contracted work and to ensure that such information + is recovered and disposed of. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node362 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: "To recover and dispose of personal data and other important information,\ + \ either visit the contractor\u2019s office in person or remotely delete the\ + \ personal data and obtain a confirmation of destruction." + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node363 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: Ensure deletion measures are applied not only to information systems + and responsible personnel's PCs but also to all devices and media where the + relevant information is stored, including email inboxes. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node364 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: Dispose of the information using secure methods to prevent recovery + or reconstruction. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.4' + name: Physical Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.1 + name: Designation of Protected Areas + - urn: urn:intuitem:risk:req_node:k_isms_p:node367 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + description: To protect personal information, important information, documents, + storage media, major equipment, and systems from physical and environmental + threats, criteria for designating physical protection zones, such as control + zones, restricted areas, and visitor areas, must be established. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node368 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node367 + description: Designate physical protection zones such as visitor areas, restricted + areas, and control zones. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node369 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node367 + description: Select and define the terminology and distinctions for protection + zones according to the organization's environment. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node370 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + description: According to the criteria for designating physical protection zones, + the zones must be designated and protection measures for each zone must be + established and implemented. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node371 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node370 + description: Apply protection measures for each zone, including access control + methods (such as ID cards or biometric authentication), authorized personnel, + access procedures, and video surveillance. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node372 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node370 + description: Since control zones are designed to limit access to authorized + personnel even within the organization, mark these zones as controlled when + necessary to prevent unauthorized access attempts, and periodically review + for any illegal access attempts. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.2 + name: Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node374 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + description: You must establish access control procedures to ensure that only + authorized individuals can enter each protected area and manage the list of + authorized personnel. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node375 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Define the departments, roles, and tasks that are permitted to + access each protected area, identify employees who have been granted access + rights, and manage their status. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node376 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: For controlled areas, ensure that only a minimal number of individuals + are allowed entry based on work needs. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node377 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: 'Access control procedures should include: access request, approval + by the responsible person, granting and revoking access rights, recording + access history, and regular review of access records.' + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node378 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Install access control devices such as password-based, ID card-based, + or biometric-based systems. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node379 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Establish and operate access control procedures, including registration + and deletion of access, management of access rights, visitor management, and + access log management. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node380 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + description: Entry records for each protected area should be preserved for a + specified period, and access records and permissions should be reviewed periodically. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node381 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Preserve entry records for a specified period to enable post-event + monitoring, either in paper or electronic form. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node382 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Review access records and permissions for issues such as long-term + non-access, abnormal access attempts, or excessive access permissions. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node383 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Identify unauthorized access attempts and long-term non-access, + investigate the reasons, and take appropriate actions. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node384 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Through periodic reviews, recover access cards from former employees + and remove their access rights, and adjust access rights due to job changes. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node385 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: If the system cannot log access, maintain a manual access log to + verify entry records. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.3 + name: Protection of Information Systems + - urn: urn:intuitem:risk:req_node:k_isms_p:node387 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should separate the physical locations of information systems + based on their importance, purpose, and characteristics. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node388 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node387 + description: For information systems such as personal data processing systems, + network equipment, security systems, and backup equipment, use server racks + to protect the systems from external threats. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node389 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node387 + description: For high-importance systems like personal data processing systems, + install locking mechanisms on server racks and manage them in cages with additional + physical security measures to restrict access to only essential personnel. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node390 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should establish a means to easily verify the actual physical + locations of information systems (e.g., layout diagrams, asset lists). + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node391 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node390 + description: Manage physical layout diagrams (facility cross-sections, layout + diagrams, etc.) and asset lists to facilitate prompt action in case of security + incidents or failures. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node392 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node390 + description: Include physical location information in asset lists and keep them + updated to maintain the most current records. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node393 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should protect power and communication cables from physical + damage and electrical interference. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node394 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node393 + description: Implement measures such as physical separation and wiring, identification + marking, maintaining distance to avoid mutual interference, and cable burial. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node395 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node393 + description: Restrict access to distribution panels, high-voltage rooms, low-voltage + rooms, etc., to authorized personnel only. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.4 + name: Operation of Protective Equipment + - urn: urn:intuitem:risk:req_node:k_isms_p:node397 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + description: For each protected area, based on its importance and characteristics, + you must equip it with necessary facilities and establish and implement operational + procedures to prepare for potential hazards such as fire, flooding, power + failures, and other man-made or natural disasters. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node398 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + description: When outsourcing to an external data center (IDC), you must incorporate + physical security requirements into the contract and regularly review the + operational status. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node399 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node398 + description: Ensure compliance with information security regulations, and apply + physical security controls such as disaster and emergency preparedness (for + fire, power failures, etc.), access control, asset entry and exit control, + and video surveillance. Also, address issues related to damage compensation + in case of incidents. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node400 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node398 + description: Verify whether the IDC has liability insurance (failure to have + insurance may result in a fine of up to 2 million won). + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.5 + name: Operations in Protected Areas + - urn: urn:intuitem:risk:req_node:k_isms_p:node402 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + description: Official work request and execution procedures must be established + and implemented for situations requiring work within protected areas, such + as the introduction or maintenance of information systems. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node403 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: When performing work in controlled areas, procedures such as work + requests, approvals, and recording work details must be followed. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node404 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: Record details such as the date and time of work, purpose and content + of the work, the name of the contractor and responsible personnel, and the + names of reviewers and approvers. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node405 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: Establish procedures for accessing protected areas for work, ensure + traceability of work details, and implement monitoring measures. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node406 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + description: Work records must be periodically reviewed to verify whether work + within protected areas was appropriately conducted according to control procedures. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node407 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node406 + description: Regularly review pre-approval details, access records, and work + logs. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node408 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node406 + description: Ensure consistency between access requests and access details (logbook, + system logs, etc.) + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.6 + name: Control of Equipment Exit and Entry + - urn: urn:intuitem:risk:req_node:k_isms_p:node410 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: When bringing in or taking out information systems, mobile devices, + storage media, etc., into or out of protected areas, control procedures must + be established and implemented to prevent security incidents such as information + leakage or malware infection. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node411 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Information systems (servers, network equipment, etc.), mobile + devices (laptops, smart pads, smartphones, etc.), storage media (HDD, SSD, + USB memory, external hard disks, CD/DVD, tapes, etc.). + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node412 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Prior approval from the responsible person for access control to + the protected area, recording in the access control log, performing security + checks on devices (such as checking for antivirus installation, security updates, + malware infection, security sticker attachment, and any information leakage), + and periodic review of entry and exit records. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node413 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Exception request and approval, recording in the access control + log, etc. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node414 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: Records of the entry and exit control procedures must be maintained + and managed, and the compliance with these procedures should be verified by + regularly checking the entry and exit logs. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node415 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node414 + description: Maintain records of entry and exit history within protected areas + (e.g., entry and exit logs, access control system logs, etc.). + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node416 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: Regularly review entry and exit logs to ensure that entries and + exits within the protected areas are appropriately conducted in accordance + with control procedures. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.7 + name: Security of the Work Environment + - urn: urn:intuitem:risk:req_node:k_isms_p:node418 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: Protection measures must be established and implemented for facilities + and office equipment used in common, such as document storage rooms, shared + PCs, multifunction printers, and file servers. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node419 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Document storage room: Minimize the number of people with access, + assign access rights based on department and job, manage access history.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node420 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared PC: Assign a responsible person, set a screen saver, configure + login passwords, regularly change passwords, limit storage of important information, + install antivirus software, apply security updates, etc.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node421 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared office equipment: Prohibit leaving important documents + unattended near shared office equipment like fax machines, copiers, and printers.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node422 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'File server: Assign access rights based on department and job, + minimize unnecessary information disclosure, issue user accounts per individual.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node423 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared office space: Prohibit leaving important information (personal + information) documents unattended in shared office spaces such as meeting + rooms or project rooms.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node424 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Other: Establish protection measures for other shared work environments.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node425 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: ' Protection measures must be established and implemented to prevent + the leakage or exposure of personal information and important information + through personal work environments, such as work PCs, desks, and drawers.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node426 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: 'Protection when leaving the workstation: Prohibit leaving personal + information and documents containing personal information or auxiliary storage + media unattended (clean desk policy), set screen savers and passwords, etc.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node427 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Prohibit exposure of login information (e.g., passwords) on monitors + and desks + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node428 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Store documents and external storage devices containing personal + or sensitive information in a secure location with a lock. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node429 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Shred documents containing personal and important information using + a shredder to prevent recovery. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node430 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Take measures to prevent unauthorized individuals from accessing + and tampering with management terminals. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node431 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: ' Necessary protection measures must be implemented to prevent + the loss, theft, or leakage of personal information included in printed materials + or copies and to safely manage these printed materials and copies.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node432 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: 'Compliance with information protection measures in personal and + shared work environments must be regularly reviewed. ' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node433 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node432 + description: Non-compliance with security regulations in personal and shared + work environments should be managed according to disciplinary regulations. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.5' + name: Authentication and Access Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.1 + name: User Account Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node436 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: 'To control unauthorized access to information systems and personal + or sensitive information, formal procedures for the registration, modification, + deletion, and termination of user accounts and access rights should be established + and implemented, considering the following:' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node437 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Issuance of Unique User Accounts: Each user and personal information + handler should be issued a unique user account, and account sharing should + be prohibited.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node438 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Appropriate Review Procedures: When issuing or modifying accounts + and access rights, ensure proper approval procedures and appropriateness reviews + are in place.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node439 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Access Rights Adjustments: Change or revoke access rights promptly + in the event of personnel transfers, resignations, or other HR movements (including + account deletion or deactivation).' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node440 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Default and Test Accounts: After installing information systems, + remove or change default and test accounts provided by manufacturers or vendors + to obscure or difficult-to-guess credentials.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node441 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Record Maintenance: Maintain and manage records related to the + registration, modification, deletion, and termination of user accounts and + access rights.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node442 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: 'When creating, registering, or modifying user accounts and access + rights for information systems and personal or sensitive information, only + the minimum necessary permissions required for the job should be granted according + to a role-based access control system:' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node443 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Role-Based Permissions: Grant access rights based on job requirements, + with differential access based on the necessity to perform specific duties.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node444 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Need-to-Know and Need-to-Do Principles: Grant access to important + information and personal data strictly based on the need-to-know and need-to-do + principles.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node445 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Segmentation of Rights: Avoid unnecessary or excessive access + to important or personal information by implementing granular permission settings.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node446 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Approval Procedures: Ensure appropriateness reviews through approval + procedures when granting or modifying access rights.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node447 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: When granting user accounts and access rights, it must be clearly + communicated that the individual is responsible for the security of their + account. + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node448 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node447 + description: 'Documentation of Responsibility: Clearly specify the responsibilities + and obligations related to the account in information security and privacy + policies, agreements, or declarations. This includes prohibiting sharing or + lending accounts and passwords to others and providing guidelines for secure + login practices in public places.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node449 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node447 + description: 'Communication Methods: Utilize various methods to communicate + these responsibilities, such as agreements, emails, system notifications, + and training sessions.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.2 + name: User Identification + - urn: urn:intuitem:risk:req_node:k_isms_p:node451 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + description: When registering users for information systems and personal data + processing systems, unique identifiers must be assigned to each user and personal + data handler, and the use of guessable identifiers must be restricted. + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node452 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'One User, One Account Principle: Ensure accountability by issuing + a unique account to each user.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node453 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Account Sharing and Public Account Restrictions: Limit the sharing + of accounts and the use of public accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node454 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Operating Accounts: Restrict general user access to system operating + accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node455 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Default Accounts: After system installation, remove or change + default and test accounts from manufacturers or vendors to non-guessable identifiers + (including changing default passwords).' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node456 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Administrator Accounts: Restrict the use of easily guessable identifiers + (e.g., root, admin, administrator) for administrative and special privilege + accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node457 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + description: If sharing the same identifier is unavoidable for business reasons, + the reasons and validity must be reviewed and approved by the responsible + party. + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node458 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Role Separation: Even if administrator accounts are shared due + to role division, assign separate user accounts and log in with the user account + before switching to the administrator account.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node459 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Temporary Account Sharing: If accounts are temporarily shared + for maintenance or similar tasks, change the password immediately after the + task is completed.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node460 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Public Accounts: If the use of public accounts is necessary for + business reasons, review and approve the reasons and validity, and implement + additional control measures to ensure accountability.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.3 + name: User Authentication + - urn: urn:intuitem:risk:req_node:k_isms_p:node462 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + description: Access to information systems and personal data processing systems + must be controlled according to secure user authentication procedures, including + user authentication, login attempt limits, and warnings for illegal login + attempts. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node463 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: Examples of user authentication methods + annotation: ' You can find it page 95' + - urn: urn:intuitem:risk:req_node:k_isms_p:node464 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: Examples of measures to control account misuse and unauthorized + authentication attempts + annotation: ' You can find it page 96' + - urn: urn:intuitem:risk:req_node:k_isms_p:node465 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: When using Single Sign-On (SSO) to provide convenience in business + operations, additional protective measures should be implemented due to the + potential for increased damage in the event of account theft. Based on a risk + assessment, enhanced authentication methods and re-authentication requirements + for access to critical systems should be applied. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node466 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + description: When accessing personal data processing systems from outside through + information communication networks such as the internet, secure authentication + methods must be applied in accordance with legal requirements. For personal + data processing systems that handle data from information subjects rather + than users, secure access methods or authentication methods such as Virtual + Private Networks (VPNs) can be used. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node467 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Secure authentication methods refer to procedures beyond entering + user accounts and passwords to identify and authenticate legitimate personal + data handlers. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node468 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Examples of secure authentication methods include certificates, + security tokens, and one-time passwords (OTPs). + annotation: ' You can find it page 96' + - urn: urn:intuitem:risk:req_node:k_isms_p:node469 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Personal data handlers must comply with legal requirements related + to authentication methods when accessing personal data processing systems + from external networks. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.4 + name: Password Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node471 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: You must establish and implement password management procedures + and creation rules to ensure that users and administrators set and use secure + passwords. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node472 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node471 + description: 'Examples of password creation rules (enforced systemically except + in unavoidable cases):' + annotation: ' You can find it page 98' + - urn: urn:intuitem:risk:req_node:k_isms_p:node473 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node471 + description: Examples of Password Management Procedures + annotation: ' You can find it page 98' + - urn: urn:intuitem:risk:req_node:k_isms_p:node474 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: Password rules must be established and enforced to ensure that + users set and use secure passwords. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node475 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node474 + description: Follow guidelines for user and personal data handler passwords, + but adjust rules based on the service's characteristics and risk level. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node476 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node474 + description: Implement secure procedures for password recovery in case of loss + or theft, including identity verification. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node477 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: Authentication methods for personal data handlers or users must + be applied and managed securely. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node478 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node477 + description: When using passwords, establish and apply secure password rules. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node479 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node477 + description: For other authentication methods (e.g., certificates, PINs, biometrics, + security tokens), implement protective measures to prevent unauthorized access + or theft. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.5 + name: Management of Special Accounts and Permissions + - urn: urn:intuitem:risk:req_node:k_isms_p:node481 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + description: Administrative and other special privileges should be granted only + to the minimum number of individuals necessary. Formal authorization and approval + procedures must be established and implemented. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node482 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Define account and privilege types for special purposes such as + information system management, personal data management, and important information + management. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node483 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Establish and enforce procedures for issuing, changing, and revoking + special accounts and privileges, ensuring that applications and approvals + follow formal procedures. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node484 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Apply stricter criteria for granting special accounts and privileges + compared to general user accounts and privileges (e.g., requiring approval + from executives or security officers). + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node485 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + description: Establish and enforce control procedures to identify and manage + special accounts and privileges, maintaining a separate list. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node486 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Create and manage a list of individuals with special privileges. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node487 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Minimize exceptions and enhance monitoring for individuals with + special privileges. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node488 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Apply procedures to create special privileges for external parties + (e.g., for system maintenance) only when necessary and promptly delete or + suspend them after the work is completed. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node489 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Regularly review the status of special privilege holders to keep + the list current. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.6 + name: Access Rights Review + - urn: urn:intuitem:risk:req_node:k_isms_p:node491 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: Records must be maintained for the creation, registration, granting, + use, modification, and revocation of user accounts and access rights related + to information systems, personal data, and critical information. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node492 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node491 + description: 'User account and access rights details should include all necessary + information to ensure accountability:' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node493 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Application Information: Applicant or proxy, + application date and time, purpose of application, usage period, etc.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node494 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Approval Information: Approver, approval + or denial status, reasons, and date/time, etc.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node495 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Registration Information: Registrant, registration + date, registration method (e.g., system integration, manual registration, + etc.)' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node496 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Information: Target system name, access + rights name, details of rights, etc.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node497 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node491 + description: 'Access rights records should be retained for a period reflecting + legal requirements:' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node498 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node497 + description: 'For personal data processors under the "Personal Information Protection + Act": at least 3 years.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node499 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: Criteria, responsible parties, methods, and frequency for assessing + the appropriateness of user accounts and access rights to information systems, + personal data, and critical information must be established, and regular reviews + must be conducted. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node500 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node499 + description: Establish review procedures for access rights, including review + parties, methods, criteria, frequency (recommended at least quarterly), and + reporting results. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node501 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: If issues such as excessive access rights, non-compliance with + authorization procedures, or misuse of rights are found during access rights + reviews, procedures for addressing these issues must be established and implemented. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node502 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: Establish and implement procedures that include requesting explanations, + analyzing causes, developing corrective measures, and reporting systems if + suspicious situations such as excessive rights, procedural non-compliance, + or misuse are detected. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node503 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: Notify users and relevant parties of any changes applied to access + rights after the review. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node504 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: If similar issues recur, analyze the root cause and establish measures + to prevent recurrence. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.6' + name: 'Access Control + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.1 + name: Network Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node507 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish and implement network access control + management procedures to identify all pathways that can access the organization's + network and effectively prevent and respond to related risks such as unauthorized + access to the network. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node508 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Control the use of unauthorized IPs by assigning IP addresses to + information systems, personal information processing systems, PCs, etc., following + an approval process. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node509 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Control unauthorized individuals and devices from accessing the + internal network. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node510 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Block unnecessary services and ports installed on network equipment. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node511 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: The network must be segmented physically or logically based on + the importance of services, user groups, information assets, and legal requirements, + with access control applied between these segments. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node512 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node511 + description: Determine the level of network segmentation and access control + between areas of critical business operations through risk assessment. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node513 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node511 + description: ' Network segments separated by access control policies must be + controlled so that only services necessary for business operations are allowed + to access them. This can be achieved using intrusion prevention systems, network + equipment ACLs, and similar measures.' + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node514 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish IP address assignment standards for + different network segments and ensure that important systems, such as database + servers, that do not need to connect to external networks are assigned private + IP addresses to prevent direct external access. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node515 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: Keep the IP address allocation status up to date and manage it + securely with a confidentiality level of at least "confidential" to prevent + external leaks. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node516 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: Use a private IP address scheme within the internal network and + apply NAT (Network Address Translation) to prevent the internal address scheme + from being exposed externally. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node517 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: When assigning private IP addresses, use private IP address ranges + in accordance with international standards. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node518 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish a secure connection environment when + connecting networks with physically separate locations such as IDCs, branches, + agencies, partners, and customer centers by using dedicated lines or VPNs + (Virtual Private Networks). + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.2 + name: Information System Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node520 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Access to the operating systems (OS) of information systems such + as servers, network systems, and security systems must be controlled by defining + authorized users, accessible locations, and access methods. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node521 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Establish procedures for account and permission requests and approvals. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node522 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Assign individual accounts to each user and restrict the use of + shared accounts. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node523 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Regularly review and update account usage, including checking for + long-term inactive accounts and unnecessary accounts. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node524 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Restrict access locations by limiting the IP addresses of users. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node525 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Consider enhanced authentication methods for administrators and + other users with special privileges, such as certificates or OTP (One-Time + Password). + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node526 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Apply secure access methods such as SSH and SFTP. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node527 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Implement access control measures for connections between servers + within the same network segment. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node528 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: If no work is performed for a certain period after accessing the + information system, measures must be taken to automatically disconnect the + session. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node529 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node528 + description: Set session timeout duration based on server characteristics, work + environment, risk level, and legal requirements. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node530 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Services or ports that are unrelated to the intended purpose of + the information system or that could cause security incidents must be identified + and removed or blocked. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node531 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node530 + description: Implement additional security features for insecure services, protocols, + and daemons. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node532 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node530 + description: Restrict the use of insecure services or protocols such as Netbios, + File-Sharing, Telnet, and FTP unless absolutely necessary, and use secure + technologies like SSH, SFTP, or IPSec VPN. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node533 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Servers that provide key services must be operated on independent + servers. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node534 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node533 + description: Web servers, database servers, and applications that provide direct + services to external users or store and process sensitive information must + be operated on independent servers, not shared equipment. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.3 + name: Application Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node536 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: ' To control access to sensitive information, access rights to + applications must be differentiated according to the user''s job function.' + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node537 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Clearly identify internal applications (e.g., back-office systems, + member management systems). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node538 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Identify personal information processing systems within the applications. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node539 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Establish a user and personal information handler access rights + classification system (e.g., an access rights classification table) based + on the principle of least privilege. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node540 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Implement application features that allow detailed configuration + of permissions for processing sensitive information and personal data (e.g., + input, view, modify, delete, download, print). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node541 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Establish and enforce procedures for granting, modifying, and deleting + accounts and permissions for identified applications and personal information + processing systems. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node542 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Maintain records of permission grants, modifications, and deletions + to review the validity of access rights. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node543 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: Sessions without input for a certain period must be automatically + terminated, and the number of simultaneous sessions for the same user must + be limited. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node544 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: Determine and apply session timeout settings considering the characteristics + and risk levels of each application and task. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node545 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: For personal information processing systems, ensure that sessions + are automatically terminated if there is no activity for a specified period, + in accordance with legal requirements. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node546 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: Display warning messages and restrict access when there is a simultaneous + login attempt with the same account. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node547 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: Administrator-only applications (e.g., admin web pages, management + consoles) must be controlled to prevent unauthorized access. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node548 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: Block external access to administrator-only applications and implement + access restrictions based on IP addresses. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node549 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: If external access is unavoidable, apply secure authentication + methods (e.g., OTP) or secure connection methods (e.g., VPN). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node550 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: Regularly monitor access logs and event logs for administrators + and personal information handlers. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node551 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: When detecting suspicious activity, conduct a detailed investigation + and follow predefined procedures, including internal reporting. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node552 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: To ensure consistency in the application of measures limiting the + display of personal and sensitive information, related standards must be established + and applied. + annotation: 'Examples of standards for limiting the display of personal and + sensitive information: + + Name: Mask the middle character(s) of the name (for two-character names, mask + the last character; for names with four or more characters, mask all but the + first and last characters). + + Resident registration number: Mask the last 7 digits of the 13-digit number. + + Phone number, mobile number: Mask the area code. + + Address: Mask the building number and detailed address numbers below the street + name. + + Email address: Mask all but the first two characters of the ID. + + Card number: Mask six digits starting from the seventh digit. + + IP address: Mask bits 17-24 (IPv4) or bits 113-128 (IPv6), etc.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node553 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: ' Applications must be designed and operated to minimize unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading).' + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node554 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: When printing or displaying personal and sensitive information + (e.g., on screen, in downloads) through applications (such as personal information + processing systems), specify the purpose and minimize the output items based + on that purpose. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node555 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Ensure that, depending on the work environment, purpose, type, + and location, only the minimum necessary personal information is output within + the scope of access rights to the personal information processing system. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node556 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Prevent 'like' searches of personal information unless absolutely + necessary for business purposes. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node557 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: When searching for personal information, ensure that unnecessary + or excessive information is not displayed by using exact match (equal search) + or multiple search criteria. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node558 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Take measures to ensure that personal information is not stored + in hidden fields within office files (such as Excel) + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node559 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Ensure that unnecessary personal information is not displayed through + actions like viewing the webpage source. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.4 + name: Database Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node561 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + description: You must identify and continuously update the information being + stored and managed, such as the list of tables in the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node562 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Identify the list of tables used in the database, the information + stored, and their relationships. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node563 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Identify the storage locations (database and table names, column + names) and status (number of records, encryption status) of critical and personal + information. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node564 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Regularly review and update the database status. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node565 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + description: You must clearly identify the applications, information systems + (servers), and users that need access to information within the database and + control access according to the access control policy. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node566 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Establish and implement access control policies for database access + rights, distinguishing between administrators (DBAs) and users (e.g., access + control at the table, view, column, and query levels based on the principle + of least privilege). + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node567 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict access to tables and columns containing critical information + to authorized personnel only. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node568 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Differentiate accounts with DBA privileges from those with other + privileges such as read-only access. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node569 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Limit the shared use of accounts between applications and users. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node570 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict executable commands by account. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node571 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Delete unused accounts, test accounts, and default accounts. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node572 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Automatically block access if no activity is performed for a specified + period. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node573 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict unauthorized access to the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node574 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Ensure that databases storing personal information are not located + on publicly exposed networks such as DMZs. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node575 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Block unauthorized access from other network zones and servers. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node576 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict IP addresses, ports, and applications that are allowed + to access the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node577 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Ensure that general users can access the database only through + authorized applications. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.5 + name: Wireless Network Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node579 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'If wireless networks are used for business purposes, you must + establish and implement protection measures considering the following aspects + for securing wireless access points (APs) and network segments:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node580 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Manage a list of wireless network devices (e.g., APs). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node581 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Configure encryption for user authentication and data transmission + (e.g., WPA2-Enterprise mode, WPA3-Enterprise mode). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node582 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Implement wireless AP access terminal authentication methods (e.g., + MAC authentication). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node583 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Enable SSID hiding. + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node584 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Set up Access Control Lists (ACLs) for the wireless network. + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node585 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Control administrator access to wireless APs (e.g., IP restrictions). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node586 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'You must establish and implement procedures for access requests + and termination to ensure that only authorized employees can use the wireless + network:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node587 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Set up procedures for requesting and approving wireless network + access (e.g., user and device registration). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node588 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Establish procedures for revoking access when the wireless network + is no longer needed (e.g., due to retirement or expiration of access). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node589 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Separate wireless networks provided to external parties from those + used by employees. + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node590 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'You must establish and implement protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node591 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node590 + description: Install and operate a Wireless Intrusion Prevention System (WIPS), + and periodically check for unauthorized APs (Rogue APs). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.6 + name: Remote Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node593 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'The remote operation of critical information (personal information), + information systems, and major assets related to personal information processing + systems (servers, network equipment, security devices, etc.) through external + networks such as the internet is generally prohibited. If it is unavoidably + allowed, the following measures must be established and implemented:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node594 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Approval from the responsible person for remote operation and access. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node595 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Use of secure authentication methods (certificates, OTPs, etc.). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node596 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Use of secure access methods (VPNs, etc.). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node597 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Temporary access rights provisioning and management of access rights + status. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node598 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Security of access devices through antivirus installation, security + patches, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node599 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Monitoring of remote operation status (e.g., periodic review of + VPN account issuance and usage). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node600 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Logging and periodic analysis of remote access records. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node601 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Security awareness training related to remote operation. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node602 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: When operating information systems remotely through an internal + network, access must be restricted to specific devices only. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node603 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node602 + description: Limit accessible devices by IP address, MAC address, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node604 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node602 + description: Block access paths that bypass normal remote access routes. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node605 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'For remote work scenarios such as telecommuting, remote collaboration, + and smart work, protective measures must be established and implemented to + prevent the leakage of critical information, hacking, and other security incidents:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node606 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Define smart work scenarios: telecommuting, smart work centers, + remote collaboration, mobile office environments.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node607 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Set permissions based on smart work scenarios: define the scope + of remote access to internal systems and services.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node608 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Approval process for smart work: application, approval, and revocation + of remote access rights for smart work.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node609 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Technical protection measures for remote access: encryption of + transmission channels (VPNs, etc.), enhanced user authentication (OTPs, etc.).' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node610 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Security of access devices (PCs, mobile devices, etc.): installation + of antivirus software, application of security patches, device authentication, + measures for lost or stolen devices (reporting procedures, device locking, + deletion of critical information, etc.), prohibition of storing critical information + (encryption if necessary), etc.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node611 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: Establish and educate on information protection guidelines for + the smart work environment. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node612 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'For devices (management devices or critical devices) accessing + the personal information processing system remotely for management, operation, + development, and security purposes, the following protective measures must + be applied:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node613 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Designate and manage a list of management devices. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node614 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Prevent unauthorized individuals from accessing and tampering with + management devices. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node615 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Restrict access to only the registered management devices. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node616 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Ensure devices are not used for purposes other than their intended + use. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node617 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Apply protective measures to management devices to prevent malware + infections, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.7 + name: Internet Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node619 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: To appropriately reduce risks such as information leakage, malware + infection, and internal network breaches via the internet, control policies + for internet access on work PCs, including those used for major job functions + and handling personal information, must be established and implemented. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node620 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Network Configuration Policy for Internet Connections + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node621 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: User Access Policy for External Email Use, Internet Site Access, + Software Downloads, and Transfers + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node622 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Blocking Policy for Harmful Sites (such as adult content and entertainment) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node623 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Blocking Policy for Sites with Potential for Information Leakage + (such as web storage, P2P networks, remote access) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node624 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Policies Related to Network Segregation or Internet Blocking Measures + (whether network segregation is applied, target individuals for segregation, + method of segregation, procedures for data transmission between networks, + etc.) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node625 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Monitoring Policy for Internet Access History + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node626 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: Unnecessary external internet access from major information systems + (such as database servers) must be controlled. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node627 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node626 + description: Limit external internet access from internal servers (DB servers, + file servers, etc.) to prevent malware influx, information leakage, and reverse + access. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node628 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node626 + description: If external access is unavoidable, conduct a risk analysis to establish + protective measures and obtain approval from the responsible person before + allowing access. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node629 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: If internet network blocking is mandated by relevant laws, identify + the subjects of internet network blocking and apply the blocking measures + in a secure manner. + annotation: 'Under the Personal Information Protection Act: + + - (Obligatory Targets for Personal Information Processors): Personal information + processors with an average of more than 1 million users per day in the last + three months of the previous year. + + - (Obligatory Targets for Computers, etc.): Computers and other devices used + by personal information handlers that can download, destroy, or set access + permissions for personal information. + + - (Measures When Using External Cloud Services) When using cloud computing + services as defined in Article 2, Item 3 of the "Act on the Promotion of Cloud + Computing and Protection of Users" to configure and operate personal information + processing systems, internet access must be restricted to only the necessary + cloud service, and all other internet access must be blocked.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node630 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: 'Apply internet blocking measures in a secure manner considering + the following:' + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node631 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Review whether internet blocking measures are mandatory and, if + so, identify the subjects of the internet blocking measures. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node632 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: If not subject to mandatory internet blocking, determine whether + to apply internet blocking measures based on risk analysis results. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node633 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Apply internet blocking measures using physical methods (e.g., + configuring two PCs with separate networks) or logical methods (e.g., using + virtualization technologies like VDI). + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node634 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Identify and control any bypass routes around internet blocking + measures. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node635 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Establish control measures for secure data transmission for computers + subject to internet blocking measures. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node636 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Conduct regular inspections of the adequacy and vulnerabilities + of the internet blocking environment. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.7 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.7' + name: Encryption Application + - urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7 + ref_id: 2.7.1 + name: Encryption Policy Application + - urn: urn:intuitem:risk:req_node:k_isms_p:node639 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1 + description: To protect personal and critical information, you must establish + an encryption policy that includes legal requirements such as encryption targets, + encryption strength, and encryption usage. + annotation: 'Key Points for Verification: + + - To protect personal and critical information, have you established an encryption + policy that includes legal requirements such as encryption targets, encryption + strength, and usage? + + - In accordance with the encryption policy, are you performing encryption + when storing, transmitting, or transferring personal and critical information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node640 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node639 + description: 'Encryption Targets: Defined based on legal requirements, sensitivity + of the information being processed, and its importance.' + annotation: You will find a table on page 121 + - urn: urn:intuitem:risk:req_node:k_isms_p:node641 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node639 + description: 'Encryption Algorithm: Select secure encryption algorithms and + security strength based on legal requirements and other considerations.' + annotation: You will find a table on page 122 + - urn: urn:intuitem:risk:req_node:k_isms_p:node642 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1 + description: 'Encryption Policy Compliance: Encrypt personal and sensitive information + during storage, transmission, and transfer according to the encryption policy.' + annotation: 'Key Points for Verification: + + - To protect personal and critical information, have you established an encryption + policy that includes legal requirements such as encryption targets, encryption + strength, and usage? + + - In accordance with the encryption policy, are you performing encryption + when storing, transmitting, or transferring personal and critical information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node643 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node642 + description: 'Encryption Method: Select and apply encryption methods considering + the encryption location and system characteristics.' + annotation: You will find a table on page 123 + - urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7 + ref_id: 2.7.2 + name: Encryption Key Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node645 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2 + description: 'You must establish policies and procedures that include the following + details for the generation, use, storage, distribution, and disposal of encryption + keys:' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node646 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Encryption Key Management Personnel: Designation of individuals + responsible for encryption key management.' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node647 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Key Generation and Storage Methods: Methods for generating and + storing encryption keys (including secure backup).' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node648 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Key Distribution and Recipients: Identification of those who receive + encryption keys and the methods of distribution (including decryption authority).' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node649 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Key Validity and Rotation: Duration of key validity (rotation + frequency), considering costs, business importance, and other factors when + changing keys.' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node650 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Key Recovery and Disposal Procedures: Procedures and methods for + recovering and disposing of encryption keys.' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node651 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645 + description: 'Prohibition of Hardcoding Keys: Policies related to preventing + the hardcoding of encryption keys in source code.' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node652 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2 + description: 'Secure Storage and Access Control for Encryption Keys: Encryption + keys should be stored in a separate secure location to ensure they can be + recovered if needed, and access to them should be minimized:' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node653 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node652 + description: 'Secure Storage: In case of damage, encryption keys should be stored + on a separate medium and kept in a secure location (e.g., encryption key management + systems, physically separated areas).' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node654 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node652 + description: 'Access Control: Minimize access to encryption keys and implement + monitoring of access.' + annotation: 'Key Points for Verification: + + - Have you established and implemented procedures for the generation, use, + storage, distribution, change, recovery, and disposal of encryption keys? + + - Are encryption keys stored in a separate secure location to ensure recoverability + if needed, and is access to encryption key usage minimized?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.8' + name: Information System Introduction and Development Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.1 + name: Definition of Security Requirements + - urn: urn:intuitem:risk:req_node:k_isms_p:node657 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1 + description: When introducing, developing, or changing an information system, + you must establish and implement procedures to review and accept the system + from the perspective of information security and privacy protection. + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node658 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657 + description: 'Develop an introduction plan that includes feasibility analysis + for new information systems (servers, network equipment, commercial software + packages) and security systems:' + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node659 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658 + description: Analysis of current system resource utilization, usage, and capacity + limits + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node660 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658 + description: Requirements for performance, stability, security, reliability, + compatibility with existing systems, and interoperability + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node661 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658 + description: Compliance with legal requirements such as the Personal Information + Protection Act (including the standards for ensuring the safety of personal + information) if the system involves personal data processing + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node662 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657 + description: Incorporate information security and privacy protection requirements + into the Request for Proposal (RFP) and use them as criteria when selecting + vendors or products + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node663 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657 + description: 'Establish criteria for determining system acceptance:' + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node664 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node663 + description: Develop acceptance criteria reflecting performance, security, and + legal requirements defined in the introduction plan + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node665 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node663 + description: Ensure compliance with acceptance criteria during the system introduction + process by reflecting them in purchase contracts + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node666 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1 + description: When introducing, developing, or changing an information system, + you must clearly define security requirements, including legal obligations + and the latest vulnerabilities, and incorporate them from the design stage. + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node667 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666 + description: 'Legal requirements related to personal data protection: access + control, encryption, access logs, etc.' + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node668 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666 + description: Information security and privacy protection requirements based + on higher authority and internal regulations + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node669 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666 + description: 'Technical security requirements: authentication, development security, + etc.' + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node670 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666 + description: Latest security vulnerabilities + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node671 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1 + description: You must establish and apply coding standards for the secure implementation + of information systems. + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node672 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671 + description: Develop secure coding standards and guidelines to minimize threats + from known technical security vulnerabilities + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node673 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671 + description: Include all relevant development languages and environments such + as Java, PHP, ASP, web, and mobile. + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node674 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671 + description: Conduct training for developers on secure coding standards and + guidelines. + annotation: 'Key Points for Verification: + + - hen introducing, developing, or changing an information system, you must + establish and implement procedures for reviewing and accepting the system + from the perspective of information security and privacy protection. + + - When introducing, developing, or changing an information system, you must + clearly define security requirements, including legal obligations and the + latest vulnerabilities, and integrate these requirements from the design stage. + + - You must establish and apply coding standards to ensure the safe implementation + of the information system.' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.2 + name: Review and Testing of Security Requirements + - urn: urn:intuitem:risk:req_node:k_isms_p:node676 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: When introducing, developing, or changing information systems, + establish review criteria and procedures to verify that the security requirements + defined during the analysis and design phases are effectively applied, and + conduct tests accordingly. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node677 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node676 + description: Perform tests to ensure that the system meets pre-defined security + requirements before acceptance. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node678 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677 + description: Establish acceptance criteria and procedures to verify that the + information system meets pre-defined security requirements for development, + changes, and deployment. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node679 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677 + description: Confirm compliance with the pre-defined acceptance criteria through + tests before deciding on acceptance. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node680 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677 + description: Check system security settings, removal of unnecessary default + accounts, and application of the latest security patches. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node681 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node676 + description: Conduct tests to ensure that developed and changed functionalities + meet the pre-defined security requirements. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node682 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node681 + description: Reflect results in test plans, checklists, and test reports. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node683 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: Perform vulnerability assessments to ensure that the information + system is developed securely according to coding standards. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node684 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node683 + description: After coding is complete, check compliance with secure coding standards + and perform vulnerability assessments to identify technical security weaknesses. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node685 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node684 + description: Verify source code for compliance with secure coding standards + (e.g., using source code verification tools). + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node686 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node684 + description: Test completed programs for vulnerabilities using vulnerability + assessment tools or simulated testing in an environment identical to the operational + environment. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node687 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: In the process of testing and vulnerability assessment, establish + and implement procedures to quickly address identified issues, including developing + improvement plans and verifying implementation. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node688 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node687 + description: Develop an improvement plan for issues identified, ensure internal + reporting, and establish procedures to verify the implementation of fixes + before system launch. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node689 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node687 + description: If it is unavoidable to resolve issues before the system launch, + assess the impact, develop mitigating measures, and prepare internal reports + to minimize risks. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node690 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: Public institutions must perform privacy impact assessments through + designated evaluation bodies during the analysis and design phases for new + or changed personal information processing systems, and incorporate the results + into development and modifications according to relevant laws. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node691 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: When planning for new development or changes of personal information + processing systems, public institutions must review whether they are required + to conduct privacy impact assessments. If so, they should establish a plan + for the assessment and secure the necessary budget. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node692 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Public institutions must conduct a privacy impact assessment through + an evaluation agency designated by the Personal Information Protection Commission + during the analysis and design stages of new or changed personal information + processing systems, and incorporate the results into development and modifications. + annotation: "The list of designated evaluation agencies can be checked on the\ + \ 'Personal Information Portal' (www.privacy.go.kr). \nFor procedures and\ + \ criteria for conducting impact assessments, refer to the 'Personal Information\ + \ Impact Assessment Guide'." + - urn: urn:intuitem:risk:req_node:k_isms_p:node693 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Public institutions must submit the privacy impact assessment report + to the Personal Information Protection Commission before the system goes live + and within 2 months after the assessment is completed. + annotation: 'Register the assessment report on the Personal Information Protection + Comprehensive Support System (intra.privacy.go.kr). + + The Personal Information Protection Commission or the head of the public institution + may publish a summary of the assessment report.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node694 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Manage the implementation of improvement requirements resulting + from the privacy impact assessment. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node695 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: Develop a detailed implementation plan for the improvement requirements. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node696 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: Regularly check the implementation status. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node697 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: If it is unavoidable to take action within the specified period, + record and report the valid reasons, and establish a plan for future actions. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node698 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: The head of the public institution that received the impact assessment + report must submit a report on the implementation status of the identified + improvements to the Personal Information Protection Commission within one + year (Improvement Plan Implementation Verification Report). + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.3 + name: Separation of Testing and Operational Environments + - urn: urn:intuitem:risk:req_node:k_isms_p:node700 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + description: The development and testing systems of the information system must + be separated from the operational system. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node701 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node700 + description: The development and testing systems should be configured separately + from the operational system as a general rule. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node702 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node700 + description: Establish and implement access control measures to prevent developers + from unnecessarily accessing the operational system from the development and + testing systems. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node703 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + description: If separation of development and production environments is unavoidable, + security measures such as mutual review, higher authority monitoring, change + approval, and responsibility tracking should be established. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node704 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node703 + description: If it is unavoidable due to reasons like very small organizational + size, lack of human resources, or system characteristics, apply appropriate + compensatory controls to reduce security risks. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node705 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Mutual Review: Implement mutual review among personnel.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node706 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Change Approval: Ensure all changes are approved.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node707 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Higher Authority Monitoring and Auditing: Monitor and audit by + higher authorities.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node708 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Backup and Recovery: Establish backup and recovery solutions, + and ensure responsibility tracking.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.4 + name: Security of Test Data + - urn: urn:intuitem:risk:req_node:k_isms_p:node710 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + description: The use of actual operational data during the development and testing + of information systems must be restricted. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node711 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node710 + description: To prevent the leakage of personal and sensitive information during + system testing, test data should be created randomly or processed/converted + from operational data before use. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node712 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node710 + description: Establish and implement standards and procedures for data transformation + and usage. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node713 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + description: If it is unavoidable to use operational data in the test environment, + procedures for control must be established and implemented, including responsible + approval, access and leakage monitoring, and data deletion after testing. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node714 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: 'Establish an approval procedure for using operational data: define + reporting and approval systems based on data sensitivity.' + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node715 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Develop and implement procedures for data disposal after the testing + period expires. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node716 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Apply access control measures for operational data in the test + environment. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node717 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Conduct monitoring and regular reviews of operational data replication + and usage. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.5 + name: Source Program Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node719 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + description: Procedures must be established and implemented to control unauthorized + access to source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node720 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Develop procedures for access to and use of source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node721 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Grant access rights only to authorized developers and personnel, + and block unauthorized access. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node722 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Implement access controls for servers where source code is stored + (e.g., version control servers). + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node723 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + description: Source code must be securely stored in a location other than the + operational environment to prepare for emergencies. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node724 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723 + description: Backup both the latest and previous versions of the source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node725 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723 + description: Store and manage the source code in a separate environment from + the operational environment. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node726 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723 + description: Control access to source code backups to prevent unauthorized access. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node727 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + description: Change history of the source code must be managed. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node728 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727 + description: Establish procedures for source code changes, including approval + and change procedures, and version control methods. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node729 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727 + description: 'Manage source code change history: record the date of changes, + reasons for changes, and personnel involved.' + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node730 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727 + description: Perform change control for system-related documents (e.g., design + documents) associated with source code changes. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node731 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727 + description: Regularly review source code change history and change control + activities. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.6 + name: Migration to Operational Environment + - urn: urn:intuitem:risk:req_node:k_isms_p:node733 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6 + description: Procedures must be established and implemented to safely transition + newly introduced, developed, and modified systems into the operational environment. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node734 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Designate a transition manager other than the developer. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node735 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Confirm completion of testing. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node736 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Define a transition strategy (e.g., phased transition, full transition). + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node737 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Prepare response measures for issues that may arise during transition + (e.g., rollback plans, storage plans for previous versions of the system). + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node738 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Obtain approval from the responsible person for the transition. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node739 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733 + description: Maintain records and perform reviews of the transition. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node740 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node739 + description: If applying DevOps in a cloud environment, ensure secure deployment + to the operational environment following controlled procedures within the + CI/CD pipeline, applying DevSecOps controls. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node741 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6 + description: Prepare response measures for potential issues that may arise during + the transition to the operational environment. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node742 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node741 + description: Develop rollback plans if the transition to the operational environment + does not proceed smoothly. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node743 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node741 + description: Establish storage plans for previous versions of the system (e.g., + software, add-ons, configuration files, parameters). + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node744 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6 + description: Only install files necessary for service execution in the operational + environment. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node745 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node744 + description: Ensure that the operational environment does not contain unauthorized + development tools (e.g., editors), source programs, backup copies, or any + unnecessary files related to service execution. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented to safely transition newly + introduced, developed, and modified systems into the operational environment? + + - Are only the files necessary for service execution installed in the operational + environment? + + - Have measures been prepared to address potential issues that may arise during + the transition to the operational environment?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.9' + name: System and Service Operation Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.1 + name: Change Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node748 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1 + description: Procedures for changes related to information system assets (such + as hardware, operating systems, commercial software packages, etc.) must be + established and implemented. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node749 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node748 + description: When changes are needed for information system assets, such as + operating system upgrades, commercial software installations, enhancements + to running application functionalities, network configuration changes, or + expansion of CPU, memory, and storage, formal procedures for making these + changes should be established and followed. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node750 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1 + description: Before making changes to information system assets, the impacts + on performance and security must be analyzed + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node751 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750 + description: When changes are required for information system assets, analyze + the impacts on security, performance, and operations, such as the need for + changes to security system policies (e.g., firewall policies), potential issues, + and the extent of their impact + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node752 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750 + description: Implement changes in a way that minimizes the impact. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node753 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750 + description: Consider recovery plans in advance in case of change failures. + annotation: 'Key Points for Verification: + + - Have procedures been established and implemented for changes related to + information system assets (such as hardware, operating systems, commercial + software packages, etc.)? + + - Before performing changes to information system assets, do you analyze the + impact on performance and security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.2 + name: Performance and Fault Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node755 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: 'To ensure the availability of information systems, procedures + must be established and implemented for continuously monitoring performance + and capacity, including the following aspects:' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node756 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755 + description: 'Identification Criteria for Performance and Capacity Management + Targets: Identify key information systems and security systems that could + impact service and business operations and include them in the monitoring + targets.' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node757 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755 + description: 'Definition of Performance and Capacity Requirements (Thresholds) + for Each Information System: Determine thresholds for CPU, memory, storage, + etc., that could affect system availability.' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node758 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755 + description: 'Monitoring Methods: Establish methods to continuously monitor + for threshold breaches and respond accordingly (e.g., alarms).' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node759 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755 + description: Recording, Analyzing, and Reporting Monitoring Results. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node760 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755 + description: Designation of Performance and Capacity Management Personnel and + Responsibilities. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node761 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: 'Procedures must be established and implemented for responding + when information system performance and capacity requirements (thresholds) + are exceeded:' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node762 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node761 + description: Continuously monitor the performance and capacity status of information + systems and establish and implement action plans (e.g., upgrading systems, + memory, storage) when thresholds are exceeded. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node763 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: 'Procedures must be established and implemented to immediately + detect and respond to information system failures, including the following:' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node764 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763 + description: Definition of Failure Types and Severity Levels. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node765 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763 + description: Reporting Procedures by Failure Type and Severity Level. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node766 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763 + description: 'Detection Methods for Each Failure Type: Utilize management systems + such as Network Management Systems (NMS).' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node767 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763 + description: Definition of Responsibilities and Roles for Failure Response and + Recovery. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node768 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763 + description: Recording and Analyzing Failures. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node769 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: 'For customer-facing services: procedures for informing customers.' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node770 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: Emergency contact system (maintenance vendors, information system + manufacturers), etc. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node771 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node770 + description: In the event of a failure, actions must be taken according to the + procedures, and the details of the failure response must be recorded and managed + through failure response reports and similar documentation. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node772 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: For high-severity incidents, a root cause analysis must be conducted + to establish and implement measures to prevent recurrence. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node773 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node772 + description: For severe incidents such as those causing disruption to daily + operations, excessive costs (damage), or recurring issues, the root cause + must be identified, and measures to prevent recurrence should be established + and implemented. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.3 + name: Backup and Recovery Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node775 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: Backup and recovery procedures, including the backup targets, frequency, + methods, and processes, must be established and implemented to ensure timely + recovery of information systems in the event of damage caused by disasters, + failures, or security incidents. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node776 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Establish criteria for selecting backup targets. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node777 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Designate backup personnel and responsible parties. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node778 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Define backup frequency and retention periods for each backup target. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node779 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Determine backup methods and procedures, such as using backup systems + or manual methods. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node780 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Manage backup media, including labeling, storage locations, and + access controls. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node781 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: 'Implement backup recovery procedures: For major information systems, + conduct regular recovery tests to verify the completeness and accuracy of + backup information from a disaster recovery perspective.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node782 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Maintain a backup management ledger. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node783 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: To ensure the completeness and accuracy of backed-up information + and the adequacy of recovery procedures, regular recovery tests must be conducted. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node784 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Develop a recovery test plan: This plan should include the frequency + and timing of recovery tests, designated personnel, and methods.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node785 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Establish recovery test scenarios: Create scenarios to simulate + various types of recovery situations to effectively evaluate the recovery + process.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node786 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Conduct and report on recovery tests: Perform recovery tests as + planned and document the results.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node787 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: Establish and implement improvement plans if issues are discovered + during the recovery tests. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node788 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: 'For backup media containing critical information, ensure that + it is physically dispersed to locations that can handle disasters and emergencies:' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node789 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: 'Store and manage backup media in locations physically distant + from the operational information systems or backup systems. Maintain a log + of dispersal activities including:' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node790 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node789 + description: "Dispersal dates\_(e.g., transport in and out)" + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node791 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node789 + description: Details of dispersed backup media and backup information + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node792 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: "Regularly check\_whether the dispersal is being carried out appropriately." + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node793 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: "Implement security measures\_at the dispersal locations, such\ + \ as:" + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node794 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node793 + description: Measures against natural disasters (e.g., fireproof safes, flame + retardant treatments) + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node795 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node793 + description: Access controls for the dispersal site and media. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.4 + name: Log and Access Record Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node797 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: ' Procedures for log management for information systems such as + servers, applications, security systems, and network systems must be established, + and necessary logs must be generated and retained according to these procedures.' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node798 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: Identify the types of logs and the target systems that need to + be preserved. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node799 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: ' The types of logs, retention periods, and methods of log preservation + (including backups) must be defined for each system and device. ' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node800 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: ' Establish log management procedures and ensure logs are generated + and stored according to these procedures.' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node801 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: Logs from information systems must be securely stored to prevent + tampering, theft, or loss, and access to log records must be minimized + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node802 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node801 + description: Log records should be backed up using separate storage devices, + such as dedicated storage, and access rights to these records should be minimized + to prevent unauthorized individuals from tampering with, altering, or deleting + logs. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node803 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: Access records for personal information processing systems must + be electronically recorded to include all required elements in compliance + with legal requirements and must be securely stored for a specified period. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node804 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Mandatory elements that must be included in access records for + personal information processing systems. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node805 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Retention period for access records of personal information processing + systems. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node806 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Access records for personal information must be securely stored + to prevent tampering, theft, or loss. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.5 + name: Log and Access Record Review + - urn: urn:intuitem:risk:req_node:k_isms_p:node808 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + description: 'Procedures for log review and monitoring must be established and + implemented to detect anomalies such as errors, misuse (unauthorized access, + excessive queries), and fraudulent activities in information systems, including:' + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node809 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review frequency + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node810 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review targets + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node811 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review criteria and methods + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node812 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review personnel and responsibilities + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node813 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Procedures for responding to detected anomalies + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node814 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + description: 'The results of log review and monitoring must be reported to the + responsible person, and appropriate actions must be taken according to procedures + if anomalies are detected:' + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node815 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814 + description: Perform reviews according to log review and monitoring criteria + and report the results, including any detected anomalies, to the relevant + responsible person + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node816 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814 + description: Establish and follow procedures for responding to detected anomalies, + including verifying incidents such as information leakage, hacking, misuse, + and fraudulent activities + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node817 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814 + description: If unauthorized downloading of personal information is confirmed, + verify the reasons according to the internal management plan and log review + criteria. If it is confirmed that personal information was downloaded for + misuse or leakage, promptly retrieve and dispose of the personal information + downloaded by the data handler, and take necessary actions. + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node818 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + description: 'Access records of personal information processing systems must + be regularly inspected in accordance with the intervals specified by relevant + laws and regulations:' + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node819 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node818 + description: 'Legal requirement for checking personal information access records: + at least once a month' + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.6 + name: Time Synchronization + - urn: urn:intuitem:risk:req_node:k_isms_p:node821 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6 + description: To ensure the accuracy of logs and access records and to enable + reliable log analysis, each information system must be synchronized with the + standard time. + annotation: 'Key Points for Verification: + + - Is the time of the information system synchronized with the standard time? + + - Are you regularly checking to ensure that time synchronization is functioning + correctly?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node822 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node821 + description: Use methods such as NTP (Network Time Protocol) to synchronize + time across systems. + annotation: 'Key Points for Verification: + + - Is the time of the information system synchronized with the standard time? + + - Are you regularly checking to ensure that time synchronization is functioning + correctly?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node823 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node821 + description: Ensure that all information systems requiring time accuracy (e.g., + access control systems, CCTV storage devices) are synchronized without exception. + annotation: 'Key Points for Verification: + + - Is the time of the information system synchronized with the standard time? + + - Are you regularly checking to ensure that time synchronization is functioning + correctly?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node824 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6 + description: Regularly check to ensure that time synchronization is functioning + correctly. + annotation: 'Key Points for Verification: + + - Is the time of the information system synchronized with the standard time? + + - Are you regularly checking to ensure that time synchronization is functioning + correctly?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node825 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node824 + description: Check for time synchronization errors and verify that synchronization + is applied correctly after OS reinstallations or configuration changes. + annotation: 'Key Points for Verification: + + - Is the time of the information system synchronized with the standard time? + + - Are you regularly checking to ensure that time synchronization is functioning + correctly?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.7 + name: Reuse and Disposal of Information Assets + - urn: urn:intuitem:risk:req_node:k_isms_p:node827 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + description: Establish and implement procedures for the safe reuse and disposal + of information assets. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node828 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node827 + description: 'Reuse Procedures for Information Assets: Methods for data initialization, + reuse processes, etc.' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node829 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node827 + description: 'Disposal Procedures for Information Assets: Methods of disposal, + disposal processes (including approval), disposal confirmation, and recording + in the disposal management log.' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node830 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + description: When reusing or disposing of information assets and storage media, + ensure that personal data and sensitive information are processed in a way + that prevents recovery. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node831 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node830 + description: 'For personal data destruction: Ensure safe destruction methods + so that recovery or regeneration is not possible, in accordance with relevant + regulations.' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node832 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node830 + description: Irreversible methods' refer to measures taken to ensure that personal + data, once destroyed, cannot be recovered with current technology and at a + reasonable cost, according to common social standards (Article 10 of the Standard + Privacy Protection Guidelines). + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node833 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + description: 'When disposing of information assets and storage media on your + own, you must maintain a disposal log that includes the following information + and keep evidence of the disposal:' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node834 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833 + description: Date of Disposal + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node835 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833 + description: Names of Disposal Responsible Person and Verifier + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node836 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833 + description: Disposal Method + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node837 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833 + description: Disposal Confirmation Evidence (e.g., photographs) + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node838 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + description: 'When disposing of information assets and storage media through + an external company, the disposal procedures should be specified in the contract, + and it must be verified that the disposal was completed according to these + procedures:' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node839 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node838 + description: Include disposal procedures and protection measures, as well as + responsibility allocation, in the contract. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node840 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node838 + description: Verify compliance with the disposal procedures specified in the + contract through evidence such as photographs and on-site inspections. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node841 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7 + description: 'In the case of maintenance or repair of information systems, PCs, + etc., measures should be established to protect information within storage + media during media replacement or recovery:' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node842 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841 + description: Data transfer and destruction prior to maintenance request. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node843 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841 + description: Data encryption. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node844 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841 + description: Confidentiality agreement in the contract. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node845 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841 + description: Complete data deletion or complete destruction of storage media, + etc. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing procedures for the safe reuse and + disposal of information assets? + + - When reusing or disposing of information assets and storage media, are you + handling personal data and sensitive information in a manner that ensures + it cannot be recovered? + + - If disposing of information assets and storage media internally, are you + keeping a disposal log and retaining proof of disposal? + + - If disposing of information assets and storage media through an external + vendor, are you specifying the disposal procedures in the contract and verifying + that the disposal has been completed properly? + + - In the maintenance and repair processes of information systems, PCs, etc., + are you taking measures to protect information on storage media in case of + replacement or recovery?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.10' + name: System and Service Security Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.1 + name: Security System Operation + - urn: urn:intuitem:risk:req_node:k_isms_p:node848 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: 'For the security systems operated by the organization, the following + operational procedures must be established and implemented:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node849 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Designate responsible persons and administrators for each type + of security system. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node850 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Establish procedures for applying security system policies (such + as rule sets), including registration, modification, and deletion. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node851 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: 'Implement measures for updating policies: For security systems + like IDS and IPS, continuously update the latest patterns (signatures) and + engines to detect new attack techniques.' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node852 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Establish procedures for monitoring security system events, including + detecting and confirming anomalies that violate policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node853 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Set policies for controlling access to security systems, such as + user authentication and IP or MAC address restrictions for administrator terminals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node854 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Regularly review the operational status of security systems. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node855 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Implement access control measures for the security systems themselves. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node856 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: You must minimize the number of authorized personnel, such as security + system administrators, and strictly control access by unauthorized individuals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node857 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node856 + description: Apply enhanced user authentication measures (such as OTP) and access + control for administrator terminal IPs or MAC addresses to strictly control + access by unauthorized individuals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node858 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node856 + description: Regularly analyze security system access logs to check for any + unauthorized access attempts. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node859 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: For each security system, establish and implement formal procedures + for registering, modifying, and deleting policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node860 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: Establish application and approval procedures for policy registration, + modification, and deletion for security systems like firewalls and DLP. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node861 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: Maintain records of policy application, approval, and implementation + to ensure accountability. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node862 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: 'Considerations when applying security system policies (rule sets):' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node863 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Follow the principle of least privilege, granting only the minimum + necessary permissions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node864 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Network access control policies should be set to block all by default, + allowing only specific IPs and ports that are necessary for work. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node865 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Limit the application period of security policies according to + their purpose. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node866 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Manage the registration and modification of security policies through + formal procedures. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node867 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: Manage exception policies for security systems according to procedures, + and ensure that exception policy users are given the minimum necessary permissions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node868 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: Review the validity of the reason for the exception request. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node869 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: 'Conduct a security review: Evaluate and prepare countermeasures + for the security of exception policies' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node870 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: 'Exception policy application and approval: Obtain approval from + responsible persons or administrators for each security system.' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node871 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: Monitor the expiration of exception policies and the use of exceptions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node872 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: 'Periodically review the validity of the policies set on the security + systems, considering the following:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node873 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Internal policy or guideline violations (e.g., overly permissive + rules). + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node874 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies registered without formal approval procedures. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node875 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies not used for a long time. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node876 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Duplicate or expired policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node877 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies related to resignations or job changes. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node878 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Exception-related policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node879 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: To prevent illegal access and leakage of personal information, + install and operate security systems that perform functions required by relevant + laws and regulations. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node880 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node879 + description: 'Mandatory Functional Requirements for Access Control Systems Required + by Personal Information Protection Laws:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node881 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node880 + description: 1. Restrict access to the personal information processing system + by IP address or other means to prevent unauthorized access. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node882 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node880 + description: 2. Analyze IP addresses and other access details to detect and + respond to attempts of personal information leakage. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node883 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node879 + description: If a personal information processing system is configured in a + cloud environment, access control functions can be implemented using security + features or services provided by the cloud service provider. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.2 + name: Cloud Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node885 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: You must clearly define the responsibilities and roles related + to information security and personal data protection with the cloud service + provider and reflect these in the contract (e.g., SLA). + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node886 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node885 + description: 'Roles and Responsibilities According to Cloud Service Type (Examples): ' + annotation: 'You will find a table on page 155. + + Note: May vary depending on the cloud service provider, service configuration, + and characteristics.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node887 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: When using cloud services, you must evaluate the security risks + associated with the service type and establish and implement security control + policies to prevent unauthorized access, configuration errors, and other risks. + This includes security configuration and setting standards, procedures for + changing and approving security settings, secure access methods, and authorization + frameworks. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node888 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node887 + description: 'Risk Assessment for External Cloud Services: Consider service + quality and continuity, legal compliance, and security aspects.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node889 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node887 + description: Establish and implement security control policies based on the + risk assessment results for cloud services. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node890 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: Administrative privileges for cloud service management must be + minimized according to roles, and protective measures such as enhanced authentication, + encryption, access control, and audit logging should be applied to prevent + unauthorized access and abuse of privileges. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node891 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: 'Granular Cloud Service Administrator Privileges: Chief Administrator, + Virtual Network Administrator, Security Administrator, DevOps Administrator, + etc.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node892 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Minimize administrator privileges according to job roles and responsibilities. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node893 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: 'Apply enhanced authentication for cloud administrator access: + OTP, security keys, etc.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node894 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Apply communication encryption or VPN for remote access. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node895 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Maintain detailed logs and monitoring for cloud administrator access + and privilege settings. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node896 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: You must monitor changes to cloud service security settings and + operational status and regularly review their appropriateness. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node897 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node896 + description: Set up alarms and monitoring to detect unauthorized environment + and security setting changes in cloud services. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node898 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node896 + description: Regularly review and address the appropriateness of cloud service + security settings. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.3 + name: Public Server Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node900 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + description: 'If operating public servers such as web servers, you must establish + and implement protective measures:' + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node901 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: For transmitting personal data via web servers, establish a secure + server with SSL (Secure Socket Layer) / TLS (Transport Layer Security) certificates. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node902 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Install and update antivirus software. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node903 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Apply the latest security patches to applications (e.g., web servers, + OpenSSL) and operating systems. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node904 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Remove unnecessary services and block unused ports. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node905 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Prohibit the installation of unnecessary software, scripts, and + executable files. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node906 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Prevent the exposure of unnecessary pages such as error handling + or test pages. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node907 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Conduct regular vulnerability assessments. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node908 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + description: 'Public servers should be installed in a DMZ (Demilitarized Zone) + that is separated from the internal network and protected by security systems + such as intrusion prevention systems:' + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node909 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node908 + description: Apply access control policies through intrusion prevention systems + to ensure that even if the public server is compromised, internal network + access through the public server is not possible. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node910 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node908 + description: Apply strict access control policies when the public server in + the DMZ needs to connect to internal network information systems such as databases + or Web Application Servers (WAS). + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node911 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + description: 'If personal data and important information need to be posted or + stored on public servers, establish and implement approval and posting procedures, + including responsibility authorization:' + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node912 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911 + description: As a general rule, storing personal data and important information + on web servers in the DMZ is prohibited. If it is unavoidable for business + purposes, apply approval procedures and protective measures. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node913 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911 + description: Perform pre-review and approval procedures before posting personal + data and important information on websites. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node914 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911 + description: Take measures to prevent exposure of personal data and important + information to unauthorized persons via external search engines. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node915 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + description: You must regularly check whether the organization's important information + is being exposed through websites and web servers, and take immediate action + to block the exposure if it is detected. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node916 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node915 + description: Regularly inspect using search engines and apply necessary measures. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node917 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node915 + description: If exposure of important information is detected, take blocking + measures on the website and request the search engine provider to prevent + continued exposure through caches or other means. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.4 + name: Electronic Transactions and Fintech Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node919 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4 + description: If you provide electronic transactions and fintech services, you + must establish and implement protective measures to ensure the safety and + reliability of transactions. + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node920 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919 + description: Electronic transactions' refer to transactions where all or part + of the transaction is processed using electronic documents (Electronic Documents + and Electronic Transactions Basic Act, Article 2). + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node921 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919 + description: Electronic commerce' refers to commercial transactions conducted + using electronic transaction methods (Act on Consumer Protection in Electronic + Commerce, etc., Article 2). + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node922 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919 + description: Fintech' is a combination of finance (Finance) and technology (Technology), + and it encompasses the changes in financial services and industry through + the convergence of finance and IT (Financial Services Commission Financial + Terminology Dictionary). + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node923 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919 + description: Electronic (commerce) businesses and fintech service providers + must establish and implement protective measures to prevent security incidents + in the collection, storage management, and disposal of users' personal information, + trade secrets (such as client identification information, and prices of goods + or services which may cause business losses if disclosed), and payment information + (such as authentication, encryption, and access control). + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node924 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919 + description: For fintech services, it is necessary to identify all possible + risk factors associated with the fintech service, reflecting the service's + type and characteristics, and apply the necessary protective measures. + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node925 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4 + description: When providing electronic transactions and fintech services, if + you are integrating with external systems such as payment systems, you must + establish and implement measures to protect the related information being + transmitted and received, and regularly check its security. + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node926 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node925 + description: 'Electronic payment operators'' are entities involved in the issuance + of electronic payment methods, provision of electronic payment services, or + assisting or mediating the implementation of such services through electronic + payment methods (Act on Consumer Protection in Electronic Commerce, etc., + Enforcement Decree, Article 8), and include the following:' + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node927 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node926 + description: Financial institutions, credit card companies, issuers of payment + methods (entities that record and store monetary value or equivalent value + in electronic media or information processing systems, and provide it upon + purchase of goods, etc.), telecommunications payment service providers, and + electronic payment processing or mediation service providers (such as payment + gateway companies). + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node928 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node925 + description: Appropriate protection measures must be established and implemented + to prevent damage between parties involved in transactions due to breaches + such as leakage, tampering, or fraud of payment-related information transmitted + between e-commerce operators and electronic payment service providers or fintech + service providers. Additionally, the safety of these measures must be regularly + checked. + annotation: 'Key Points for Verification: + + - If you provide electronic transactions and fintech services, have you established + and implemented protective measures to ensure the safety and reliability of + transactions? + + - If you connect with external systems such as payment systems to provide + electronic transactions and fintech services, have you established and implemented + measures to protect the transmitted and received related information and checked + its security?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.5 + name: Information Transmission Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node930 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5 + description: When transmitting personal and sensitive information to external + organizations, a secure transmission policy must be established. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node931 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930 + description: 'Information Transmission Technology Standards: Encryption methods, + key exchange and management, protocol standards, and communication methods.' + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node932 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930 + description: 'Information Transmission Review Procedures: Reporting and approval + processes, roles and responsibilities between relevant organizations, and + security reviews.' + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node933 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930 + description: 'Information Transmission Agreement Standards: Standard security + agreements or contract templates.' + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node934 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930 + description: 'Other Protection Measures Application Standards: Protection measures + reflecting legal requirements.' + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node935 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5 + description: When exchanging important and personal information between organizations + for business purposes, protection measures such as establishing agreements + for secure transmission must be established and implemented. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node936 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node935 + description: For the electronic exchange of important information between organizations + or affiliates, establish agreements (security agreements, contracts, annexes, + SLAs, etc.) for secure transmission and implement them accordingly. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node937 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936 + description: 'Related Business Definitions: Transmission of personal information + for direct mail (DM) purposes to DM service providers, transfer of collection + information to debt collection agencies, provision of personal information + to third parties, transmission of credit card payment information to VAN (Value + Added Network) companies, etc.' + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node938 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936 + description: Exchange only the minimum necessary information to comply with + regulations or prevent information leakage. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node939 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936 + description: Designate responsible persons and authorities. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node940 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936 + description: Define information transmission technology standards. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node941 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936 + description: Administrative, technical, and physical protection measures for + information transmission, storage, and disposal. + annotation: 'Key Points for Verification: + + - When transmitting personal and sensitive information to external organizations, + is a secure transmission policy established? + + - When exchanging personal and sensitive information between organizations + for business purposes, are protection measures such as establishing agreements + for secure transmission in place and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node942 + assessable: false + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node941 + description: 'DM (Direct Mail): Refers to promotional activities conducted through + mail, including the delivery of letters, postcards, notices, leaflets, catalogs, + and bills directly or through postal means.' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.6 + name: Security of Work Terminals + - urn: urn:intuitem:risk:req_node:k_isms_p:node944 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: Security control policies for devices used for work, such as PCs, + laptops, virtual PCs, and tablets, must be established and implemented. This + includes device authentication, approval, access range settings, and device + security configurations. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node945 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Criteria for Allowing Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node946 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Scope of Work Use Through Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node947 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Approval Procedures and Methods for Using Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node948 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: 'Authentication Methods for Connecting to Work Networks: Device + Authentication, MAC Authentication, etc.' + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node949 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: 'Security Configuration Policies for Work Devices: Installation + of Antivirus Software, Security Programs, etc.' + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node950 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Security Configuration Policies for Using Work Devices and Monitoring + Measures for Misuse or Abuse + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node951 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: To prevent the leakage of personal and sensitive information through + work devices, policies must be established and implemented, including prohibiting + the use of file-sharing programs, limiting sharing settings, and controlling + wireless network usage. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node952 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: When sharing settings are unavoidable, set access rights passwords + for work devices and remove sharing settings after use. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node953 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: If file transfers are necessary, provide only read permissions + by default and grant write permissions individually when required. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node954 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: Prevent the leakage or exposure of personal and sensitive information + through P2P programs, commercial webmail, web storage, messaging services, + and social networking services due to intentional or careless actions. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node955 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: Utilize wireless networks that apply security protocols like WPA2 + (Wi-Fi Protected Access 2). + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node956 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: To prevent the leakage or exposure of personal and sensitive information + due to the loss or theft of mobile devices used for work, security measures + such as setting passwords must be applied. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node957 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: The appropriateness of access control measures for work devices + must be periodically checked. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node958 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node957 + description: Application and approval processes for work devices, registration + and de-registration, and device authentication history. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node959 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node957 + description: Current status of security settings on work devices. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.7 + name: Management of Auxiliary Storage Media + - urn: urn:intuitem:risk:req_node:k_isms_p:node961 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: External hard drives, USB memory sticks, CDs, and other auxiliary + storage media must have established and implemented policies and procedures + for their handling (use), storage, disposal, and reuse. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node962 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: 'Management Plan for Auxiliary Storage Media Holdings: Maintenance + of an auxiliary storage media management ledger, etc.' + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node963 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Authorization and Registration of Auxiliary Storage + Media Use + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node964 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Managing the Inbound and Outbound Transfer of Auxiliary + Storage Media + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node965 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Disposal and Reuse of Auxiliary Storage Media + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node966 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: 'Scope of Auxiliary Storage Media Use: Policies and procedures + for usage within protected areas such as controlled and restricted zones' + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node967 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: You must periodically inspect the status of auxiliary storage media + holdings, usage, and management practices. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node968 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node967 + description: Check management practices such as evidence of approval for use, + current holdings, management ledgers, and usage history. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node969 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: The use of auxiliary storage media must be restricted in controlled + areas, critical restricted zones, and other protected areas where major information + systems are located. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node970 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node969 + description: In unavoidable cases, use must be authorized by a responsible person + and conducted following proper procedures. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node971 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node969 + description: Conduct regular reviews of the use of auxiliary storage media within + controlled and critical restricted zones. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node972 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: You must establish measures to prevent malware infections and the + leakage of sensitive information through auxiliary storage media. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node973 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node972 + description: Establish and implement protective measures such as disabling automatic + execution of auxiliary storage media and using antivirus programs before use. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node974 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: Auxiliary storage media containing personal information or sensitive + information must be stored in a secure location with a locking device. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node975 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node974 + description: Auxiliary storage media containing personal or sensitive information + (e.g., portable hard drives, USB memory sticks, SSDs) should be kept in a + safe or another secure location equipped with a locking mechanism. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.8 + name: Patch Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node977 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: Establish and implement OS and software patch management policies + and procedures according to the characteristics and importance of assets such + as servers, network systems, security systems, and PCs. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node978 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Establish and implement OS and software patch management policies + and procedures according to the characteristics and importance of assets such + as servers, network systems, security systems, and PCs. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node979 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: "Patch Frequency:\_Reflect the importance and characteristics of\ + \ the assets." + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node980 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch Information Verification Methods + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node981 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Pre-Deployment Review Procedures + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node982 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Emergency Patch Application Procedures + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node983 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Security Review for Unapplied Patches + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node984 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch Managers and Responsible Personnel + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node985 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch-related vendor (manufacturer) contact information + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node986 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: Regularly manage the OS and software patch application status for + major servers, network systems, security systems, etc. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node987 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node986 + description: Manage as a list that includes version information, patch application + status, and application dates for the OS and software installed on major servers, + network systems, security systems, etc. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node988 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node986 + description: Regularly check the need for applying the latest security patches. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node989 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: If it is difficult to apply the latest patches to address vulnerabilities + due to service impact, supplementary measures must be established. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node990 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node989 + description: When applying patches to operational systems, consider the importance + and characteristics of the system, and thoroughly analyze the impact following + established procedures, as applying patches may affect system availability + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node991 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node989 + description: If immediate patch application is challenging due to the operational + environment, document the reasons, develop additional supplementary measures, + report to the responsible party, and manage the status. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node992 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: For major servers, network systems, and security systems, restrict + patching through public internet access. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node993 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node992 + description: However, if unavoidable, conduct a risk analysis beforehand, establish + protective measures, and apply them after obtaining approval from the responsible + party. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node994 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: When using a Patch Management System (PMS), ensure sufficient protective + measures, such as access control, as the PMS server or management console + could be exploited to distribute malware to internal network servers or PCs. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node995 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node994 + description: 'Implement access control measures for the Patch Management System + itself: block access for unauthorized administrators, change default passwords, + and eliminate security vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node996 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node994 + description: Perform file integrity checks when distributing update files. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.9 + name: Malware Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node998 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: 'To protect information systems and business terminals from malware + such as viruses, worms, Trojans, and ransomware, protective measures must + be established and implemented, including the following:' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node999 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Guidelines for PC usage (e.g., prohibiting the opening of suspicious + emails and files, prohibiting the download and installation of unauthorized + programs). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1000 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Malware response guidelines for information systems and personal + information processing systems. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1001 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Scope of antivirus program installation (targeting information + assets vulnerable to malware infection). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1002 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Procedures for installing antivirus programs. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1003 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Preventive and detection activities for the latest malware through + antivirus programs and other security tools. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1004 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Policies for regular monitoring of malware infections via antivirus + programs and other tools. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1005 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Configuration of automatic updates for antivirus software or performing + updates at least once a day. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1006 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Prohibition of unauthorized programs, such as P2P and web hard + services, on information systems and business computers. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1007 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: User education and information provision. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: 'Ongoing activities must be conducted to prevent and detect the + latest malware through antivirus software and other security programs:' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1009 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Scanning email attachments for malware infections. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1010 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Real-time monitoring and remediation of malware. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1011 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: 'Regular malware checks: setting up automated virus scan schedules.' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1012 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Maintaining the latest version of the antivirus engine through + regular updates. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: Antivirus software and other security programs must be kept up + to date, and emergency security updates should be performed when necessary. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1014 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: 'Compliance with antivirus update frequency: Ensure automatic updates + or perform updates at least once a day.' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1015 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: Perform updates in response to malware alerts or emergency update + notifications. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1016 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: When managing antivirus programs via a central management system, + implement protective measures such as access control for the management server + and integrity verification of distribution files. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: When managing antivirus programs via a central management system, + implement protective measures such as access control for the management server + and integrity verification of distribution files. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1018 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Establish response procedures upon detecting malware infections + (e.g., disconnecting network cables). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1019 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Maintain an emergency contact list (e.g., contacts for antivirus + software vendors and relevant organizations). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1020 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Prepare a response report template (including the date and time + of detection, response procedures and methods, responsible personnel, and + preventive measures). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.11' + name: Incident Prevention and Response + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.1 + name: ' Establishing Incident Prevention and Response Systems' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: 'A system and procedures must be established to prevent security + breaches and personal information leakage incidents, and to respond quickly + and effectively in case of an incident. The following elements should be included:' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1024 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Definition and scope of security breaches (e.g., personal information + leakage, hacking incidents, denial-of-service attacks). + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1025 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Types and severity of security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1026 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures and methods for declaring a security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1027 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Communication systems, including emergency contact lists. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1028 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Systems for detecting security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1029 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures for recording and reporting security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1030 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures for reporting and notifying relevant agencies, data + subjects, and users in the event of a security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1031 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Preparation of security breach reports. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1032 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Response and recovery procedures based on the severity and type + of security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1033 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Formation, responsibilities, and roles of the recovery team for + security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1034 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procurement of recovery equipment and resources. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1035 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Training for security breach response and recovery, including training + scenarios. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1036 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Utilization of external experts and specialized institutions. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1037 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Other necessary measures for preventing and recovering from security + incidents + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: When establishing and operating a security incident response system + through external organizations such as security monitoring services, the details + of the incident response procedures must be reflected in the contract (e.g., + SLA). + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1039 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Scope of the security monitoring service. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1040 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Reporting and response procedures upon detection of security threats. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1041 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Reporting and response procedures in case of a security incident. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1042 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Responsibilities and roles related to security incidents. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1043 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: A coordination system with external experts, specialized companies, + and professional institutions must be established for monitoring, responding + to, and handling security incidents. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.2 + name: Vulnerability Inspection and Remediation + - urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: You must establish and regularly perform procedures for vulnerability + assessment of information systems. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: 'Items to include in the vulnerability assessment procedure:' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1047 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: "Vulnerability Assessment Targets:\_(e.g., servers, network devices,\ + \ etc.)" + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1048 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: "Assessment Frequency:\_(considering legal requirements, importance,\ + \ etc.)" + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1049 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Designated Assessors and Responsible Persons + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1050 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Assessment Procedures and Methods + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1051 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Action Criteria Based on Importance + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1052 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Reporting Procedures for Assessment Results + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1053 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Security Review for Unaddressed Vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1054 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Other necessary measures for preventing and recovering from security + incidents + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: 'Vulnerability Assessment Targets:' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1056 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in network systems configuration and settings (e.g., + routers, switches) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1057 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Security settings vulnerabilities in server operating systems + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1058 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in security systems (e.g., firewalls) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1059 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Application vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1060 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Web service vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1061 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in smart devices and mobile services (e.g., mobile + apps) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1062 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: You should consider performing penetration testing based on the + company's size and the importance of the information held. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1063 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: Data controllers are required to include vulnerability assessment + measures to prevent data leakage or theft in their internal management plans + and to establish and implement them (Article 4, Paragraph 1, Item 10 of the + Personal Information Safety Measures Standards). + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Actions must be taken for identified vulnerabilities, and the results + must be reported to the responsible person. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1065 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Report Preparation: Include details such as the date of the assessment, + targets, methods, contents and results, findings, and corrective actions in + the report to ensure proper record-keeping.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1066 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Verification: Confirm the completion of corrective actions through + follow-up checks for each identified vulnerability.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1067 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Unresolved Vulnerabilities: Clearly identify the reasons for any + vulnerabilities that cannot be addressed, report the associated risks and + supplementary measures to the responsible person.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Continuously identify and analyze the impact of the latest security + vulnerabilities on information systems and take necessary actions. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1069 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + description: 'Ongoing Monitoring: In addition to regular security vulnerability + assessments, continuously identify the latest vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1070 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + description: 'Impact Analysis: When new security vulnerabilities are discovered, + analyze their impact on the information systems and take necessary corrective + measures.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Maintain records of vulnerability assessment history and establish + measures to address issues such as the recurrence of vulnerabilities identified + in the previous year. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1072 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Record Management: Keep records of the vulnerability assessment + history.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1073 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Comparison Analysis: Compare and analyze current vulnerability + assessment results with previous assessments to check for recurrences.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1074 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Root Cause Analysis: If similar vulnerabilities reoccur, conduct + a root cause analysis and develop measures to prevent recurrence.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.3 + name: Analyzing and Monitoring Unusual Activity + - urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + description: To detect abnormal activities such as intrusion attempts, personal + data leakage attempts, and fraudulent behavior by internal and external sources, + you must collect, analyze, and monitor network traffic, data flows, and event + logs from major information systems, applications, networks, and security + systems. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + description: You should establish a system for collecting and analyzing logs + from information systems, security systems, applications, and network equipment + to determine abnormal behavior. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1078 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Targets and scope for collecting or monitoring event logs + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1079 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Methods for collection, analysis, and monitoring + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1080 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Designation of responsible personnel and accountability + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1081 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Reporting system for analysis and monitoring results + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1082 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Response procedures for detecting abnormal behavior + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1083 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + description: For organizations with high importance of information systems, + consider 24-hour real-time monitoring. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + description: You must define criteria and thresholds for determining intrusion + attempts, personal data leakage attempts, and fraudulent activities, and ensure + that judgments, investigations, and subsequent actions are carried out promptly + according to these criteria. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1085 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: Establish criteria and thresholds for identifying abnormal behavior + and reflect them in the system as necessary. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1086 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: Regularly review and optimize the defined criteria and thresholds. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1087 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: When abnormal behavior is confirmed, perform emergency responses, + request explanations, and conduct cause investigations according to regulations. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.4 + name: Incident Response Training and Improvement + - urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + description: You must establish a simulation training plan for responding to + security incidents and personal data leakage incidents, and conduct such training + at least once a year. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1090 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Review the adequacy of the incident response procedures and ensure + that the simulation training plan is established and implemented to enable + prompt response in the event of an incident. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1091 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Develop realistic and practical simulation training scenarios that + reflect the latest incident cases, hacking trends, and business characteristics. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1092 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Form a simulation training team that includes all relevant organizational + units involved in incident response, such as information security, personal + data protection, IT, legal, HR, and public relations. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1093 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Conduct simulation training at least once a year to ensure that + relevant employees are familiar with the incident response procedures. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + description: You must improve the incident response system for security incidents + and personal data leakage incidents based on the results of the training exercises. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1095 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + description: Prepare and report an internal report on the results of the simulation + training. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1096 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + description: Identify areas for improvement based on the simulation training + results and reflect these improvements in the response procedures as necessary. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.5 + name: Incident Response and Recovery + - urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: When signs of or an actual incident of a security breach or personal + data leak are detected, a prompt response and reporting must be carried out + according to the defined incident response procedures. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: Initial Response and Evidence Preservation for Security Incidents + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1100 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Action to delete, change, or block access rights to information + systems suspected of being compromised + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1101 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Security checks and vulnerability remediation for network, firewall, + and other internal and external systems + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1102 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Preservation of evidence, such as external access logs, necessary + for incident investigation + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1103 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Verification of personal and sensitive data leaks through log analysis, + etc. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: Preparation and Internal Reporting of Incident Reports Including + the Following + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1105 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Date and time of the incident + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1106 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Reporter and reporting time + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1107 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Details of the incident (findings, damage, etc.) + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1108 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Response process details + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1109 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Time taken to respond to the incident, etc. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1110 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: If the impact of the incident on the organization is severe, report + it promptly to top management according to the reporting procedures. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: In the event of a personal data breach, the notification of data + subjects and reporting to relevant authorities must be carried out in accordance + with applicable laws and regulations. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1112 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + description: Requirements for notifying data subjects in the case of loss, theft, + or leakage of personal data (hereinafter referred to as "leakage") + annotation: You will find a table on page 183 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1113 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + description: Requirements for Reporting to Relevant Authorities in the Event + of Personal Data Leakage + annotation: You will find a table on page 184 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: After a Security Incident is Resolved, Analyze the Cause and Report + the Results, Sharing Them with Relevant Organizations and Personnel. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1115 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + description: ' After handling and concluding a security incident, perform an + analysis of the incident''s cause and prepare a report for the responsible + person. ' + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1116 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + description: Share the incident information, discovered vulnerabilities, causes, + and countermeasures with relevant organizations and personnel. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: Utilize the Information Obtained from Incident Analysis to Establish + Measures to Prevent Recurrence of Similar Incidents, and Modify the Incident + Response Procedures if Necessary. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1118 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + description: 'Establish measures to prevent recurrence of similar incidents + using information obtained from the incident analysis. ' + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1119 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + description: Modify incident response procedures, information security policies, + and related procedures based on the analysis results, if necessary. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.12' + name: Disaster Recovery + - urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + ref_id: 2.12.1 + name: Safety Measures for Disaster Preparedness + - urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: "Identify IT disaster types that could threaten the continuity\ + \ of the organization\u2019s core services (operations), analyze the impact\ + \ scale and effects on operations for each type, and identify the core IT\ + \ services (operations) and systems." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1123 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + description: "Identify IT disaster types that could threaten the continuity\ + \ of the organization\u2019s core services (operations), such as natural disasters,\ + \ hacking, communication failures, etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + description: "Analyze the impact scale and effects on the organization\u2019\ + s core services (operations) for each type of disaster, considering the following\ + \ factors, and identify the core IT services and systems:" + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1125 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Financial aspects:\_Decrease in revenue, contract penalty payments,\ + \ etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1126 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Legal aspects:\_Damage compensation lawsuits, etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1127 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Qualitative aspects:\_Deterioration of external image, loss of\ + \ competitiveness, etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1128 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: 'Define the Recovery Time Objectives (RTO) and Recovery Point Objectives + (RPO) based on the importance and characteristics of core IT services and + systems:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1129 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1128 + description: 'Recovery Time Objective (RTO): Define the target recovery time + from the point of IT service or system disruption until it is restored and + operational. + + Recovery Point Objective (RPO): Define the target point in time to which data + must be recovered.' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: 'Establish and implement disaster recovery plans to ensure the + continuity of core services and systems even during disasters and emergencies. + This includes recovery strategies, emergency recovery teams, emergency contact + systems, and recovery procedures:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1131 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: 'Develop Cost-Effective Recovery Strategies and Measures: Create + strategies and measures to achieve predefined service and system recovery + time and recovery point objectives in case of IT disasters.' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: 'Build IT Disaster Recovery Systems: Ensure rapid recovery by including + the following elements:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1133 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Assign roles and responsibilities to relevant departments and personnel + for recovery in the event of an IT disaster. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1134 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Establish a contact system among relevant department personnel + and maintenance vendors within the organization. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1135 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Includes business impact analysis, definition of recovery time + and recovery point objectives, and identification of core IT services and + systems. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1136 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Determine the recovery sequence for information systems according + to recovery time objectives. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1137 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Include disaster occurrence, recovery completion, and post-recovery + management stages. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: For personal data controllers, develop and regularly review crisis + response manuals and procedures for protecting personal data processing systems + in the event of disasters such as fires, floods, or power outages (as per + the Personal Data Safety Measures Standards Article 11). + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + ref_id: 2.12.2 + name: Disaster Recovery Testing and Improvement + - urn: urn:intuitem:risk:req_node:k_isms_p:node1140 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + description: To assess the effectiveness of the established IT disaster recovery + system, a disaster recovery test plan must be established and implemented. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1141 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1140 + description: ' Regular tests should be conducted according to the test plan + to check if the recovery strategies and measures are effective, and if the + disaster recovery team members respond quickly according to the recovery procedures + during emergencies.' + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + description: Recovery strategies and measures should be regularly reviewed and + updated to reflect changes based on test results, changes in the information + system environment, and legal requirements. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1143 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + description: Establish an official change management procedure for the IT disaster + recovery plan. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1144 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + description: Regularly review and update the recovery plan considering the results + of disaster recovery tests and changes in the information system environment. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3 + assessable: false + depth: 1 + ref_id: '3' + name: Requirements for Each Stage of Personal Information Processing + description: (21 items) + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.1' + name: Protection Measures During the Collection of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.1 + name: Collection and Use of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When collecting personal information, the lawful requirements as + per relevant laws, such as obtaining the data subject's consent, complying + with legal obligations, and the execution and fulfillment of contracts, must + be clearly identified and followed to ensure the lawful collection of personal + information. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1149 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + description: The legal requirements for the collection of personal information + must be clearly identified for each method of collection, and the relevant + evidence should be documented and managed to demonstrate compliance. + annotation: 'For example, if personal information is collected without the data + subject''s consent due to specific legal provisions or to comply with legal + obligations, the relevant legal provisions or clauses should be documented + as evidence. ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1150 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + description: A personal information controller may collect personal information + under any of the following circumstances and may use it within the scope of + the stated purpose of collection. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: ' When obtaining consent for the collection of personal information + from the data subject, the consent must be obtained in an appropriate manner + that reflects the characteristics of the collection medium, and the information + should be collected at the point when it is needed. ' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1152 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + description: Consent for the collection of personal information must be obtained + in an appropriate manner, taking into account the following factors based + on the characteristics of the collection medium. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + description: Personal information should not be collected broadly in advance + during the membership registration process; it should be collected at the + point when it is actually needed. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1154 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: Consent for the collection and use of personal information should + be obtained only for the information necessary to initiate the service, and + for any additional services, consent should be obtained at the time those + services are provided. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1155 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: When registering on a website, personal information that is only + required for specific services within the website should be collected at the + time those specific services are used. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1156 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: However, for repeated services, personal information can be collected + and used if consent is obtained at the initial service point by classifying + it as an optional consent item. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When obtaining consent for the collection of personal information + from the data subject, the legally required notifications must be clearly + communicated, and consent must be obtained. Important information, as specified + by law, should be clearly marked to ensure that the data subject can easily + understand it. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1158 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: When obtaining consent for the collection and use of personal information + from the data subject, the four legally required notifications must be clearly + and specifically communicated, and consent must be obtained. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1159 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: ' For the consent of the data subject to be legally valid, it must + meet all legal requirements, including the data subject''s ability to make + a decision based on their free will, and the specificity and clarity of the + consent content.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1160 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: 'According to Article 22(2) of the Personal Information Protection + Act, when obtaining consent for the processing of personal information in + writing (including electronic documents as defined in Article 2(1) of the + Electronic Documents and Transactions Act), the following important information + must be clearly displayed and easily understandable:' + annotation: 'You will find it on page 192. + + For detailed information, refer to the "Personal Information Processing Consent + Guide" provided by the Personal Information Protection Commission.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When obtaining consent for the collection, use, or provision of + personal information from children under the age of 14, it is necessary to + inform the legal guardian of the required details and obtain their consent. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1162 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + description: If there is no need to process the personal information of children + under the age of 14, implement appropriate age verification procedures to + prevent the collection of such information. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1163 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + description: If there is a need to process the personal information of children + under the age of 14, establish a separate consent form and legal guardian + verification procedures to obtain the required consent from the legal guardian. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: To obtain the consent of a legal guardian, only the minimum necessary + information (such as name and contact details) should be collected, and procedures + and methods must be established to verify whether the legal guardian meets + the eligibility requirements. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: The minimum information required to obtain the legal guardian's + consent (such as the guardian's name and contact details) can be collected + directly from the child without the guardian's consent. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1166 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + description: However, when collecting the guardian's name and contact details, + the child must be informed of the purpose of collecting their own identity + and contact information, as well as the reason for collecting the guardian's + name and contact details (Standard Personal Information Protection Guidelines + Article 13(1)). + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1167 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + description: The personal information of the legal guardian collected from the + child should be used solely for obtaining consent. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: To obtain the legal guardian's consent, it is necessary to verify + that the information provided by the child pertains to a legitimate legal + guardian and confirm the authenticity of the guardian. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1169 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + description: Verify the legal guardian's status as a minor. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1170 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + description: Confirm the age difference between the child and the guardian. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1171 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: If the legal guardian refuses consent or if the consent of the + legal guardian cannot be confirmed, the collected data must be destroyed within + 5 days from the collection date (Standard Personal Information Protection + Guidelines Article 13(2)). + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When notifying children under the age of 14 about matters related + to personal data processing, the information must be presented in a format + and language that is easy to understand. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1173 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + description: Information should be transparently conveyed in child-friendly + ways, such as using simple language, illustrations, videos, etc. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1174 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + description: Consider the child's age, capabilities, and usage behavior. + annotation: For detailed information, refer to the 'Children and Youth Personal + Information Protection Guidelines' (Personal Information Protection Commission). + - urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: Records of consent obtained from the data subject and legal guardian + must be maintained to prove the legal basis for data collection and use. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1176 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + description: 'Records should include: date and time of consent, consent items, + consent giver (legal guardian''s information if applicable), and method of + consent.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1177 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + description: 'Retention period: Until the personal data is destroyed, such as + when membership is canceled.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: For personal data that can be processed without the data subject's + consent, clearly disclose the items and legal basis for processing in the + privacy policy or notify the data subject through written means. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1179 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Cases where personal data collection and use are allowed without + consent: Personal Information Protection Act Article 15(1)(2) to (7).' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1180 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Information to notify: Items of personal data processed without + consent and legal basis for processing.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1181 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Method of notification: Separate from personal data collected + with consent, either through the privacy policy or written methods (e.g., + mail, email, fax, phone, text message, or equivalent).' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1182 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When using personal data for additional purposes without consent, + establish and implement criteria considering relevance to the original purpose, + predictability, potential infringement on rights, and safety measures. If + additional use continues, disclose this in the privacy policy and check compliance + with the criteria. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.2 + name: Limitation on the Collection of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1184 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2 + description: When collecting personal data, you must collect only the minimum + amount of information necessary for the stated purpose, whether based on legal + grounds, compliance with legal obligations, or contract performance + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1185 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1184 + description: "Even if collecting personal data without the data subject\u2019\ + s consent, based on legal grounds or compliance with legal obligations, you\ + \ must still collect only the minimum required data for the intended purpose." + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1186 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1184 + description: The responsibility to prove the necessity of collecting minimal + personal data lies with the data processor, so you must be able to demonstrate + that the information collected is essential for providing the service (with + "minimal personal data" referring to information necessary for the core functionality + of the service). + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1187 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2 + description: When collecting personal data with the data subject's consent, + you must clearly inform them that they can refuse to provide information beyond + what is necessary. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1188 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1187 + description: Distinguish and clearly indicate which information is essential + and which is not, so that the data subject can easily identify it. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1189 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1187 + description: Inform the data subject that they can freely refuse to provide + non-essential information without affecting their ability to use goods or + services. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1190 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2 + description: Ensure that refusal to provide non-essential personal data does + not result in denial of services or goods. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1191 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1190 + description: Clearly state that opting out of optional information does not + affect the ability to use the essential services. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1192 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1190 + description: Implement systems so that essential services, like membership registration, + remain accessible even if optional data is not provided. + annotation: 'Key Points for Verification: + + - When collecting personal data, are you collecting only the minimum amount + of information necessary for the stated purpose? + + - When obtaining consent from the data subject to collect personal data, are + you specifically informing them that they can refuse to consent to the collection + of information beyond the minimum required? + + - Are you ensuring that refusal to consent to the collection of personal data + beyond what is necessary does not result in the denial of service or goods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.3 + name: Limitation on the Processing of Resident Registration Numbers + - urn: urn:intuitem:risk:req_node:k_isms_p:node1194 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3 + description: Resident registration numbers cannot be collected or processed + except in cases where there are legal grounds as outlined below. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1195 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1194 + description: Cases where the collection and processing of resident registration + numbers are permitted (collection based on consent is not allowed). + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1196 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3 + description: When processing resident registration numbers, you must specifically + identify and be able to prove the legal provisions that justify such processing. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1197 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196 + description: The phrase "when laws, Presidential Decrees, rules of the National + Assembly, Supreme Court, Constitutional Court, National Election Commission, + or Board of Audit and Inspection specifically require or allow the processing + of resident registration numbers" means that there must be a specific provision + in at least one of these legal texts that explicitly requires or permits the + processing of resident registration numbers by a data controller. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1198 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196 + description: Under Article 24-2(1)(1) of the Personal Information Protection + Act, the scope of laws that allow the processing of resident registration + numbers is limited, so it is not permitted to process them based solely on + enforcement rules. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1199 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196 + description: According to Article 24-2(1)(2) of the Personal Information Protection + Act, processing of resident registration numbers is exceptionally permitted + if it is clearly necessary to protect the urgent life, body, or property interests + of the data subject or a third party. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1200 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196 + description: Collection, provision to third parties, storage, or retention of + resident registration numbers is prohibited unless it falls under one of the + exceptions specified in each subparagraph of Article 24-2(1) of the Personal + Information Protection Act. + annotation: 'Key Points for Verification: + + - Is the handling of resident registration numbers limited to cases with clear + legal grounds? + + - Are the legal provisions justifying the collection of resident registration + numbers specifically identified? + + - Even when processing resident registration numbers based on legal grounds, + is there an option for individuals to register as members on the website without + using their resident registration numbers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1201 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3 + description: Even when processing resident registration numbers based on legal + grounds, an alternative method for membership registration must be provided, + allowing users to sign up on the website without using their resident registration + number. + annotation: 'Examples of alternative registration methods: i-PIN, mobile phone + verification, credit card, digital certificate, etc.' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.4 + name: Limitation on the Processing of Sensitive and Unique Identifying Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1203 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4 + description: Sensitive information is, in principle, prohibited from being processed. + However, it can be processed if separate consent is obtained from the data + subject or if there is a legal basis for it. + annotation: 'Scope of Sensitive Information: + + 1. Ideologies and Beliefs: Information on various ideologies or ideological + tendencies, and religious beliefs. + + 2. Political Views: Information on one''s stance on political issues or support + for a particular political party. + + 3. Union or Party Membership: Information regarding membership or withdrawal + from labor unions or political parties. + + 4. Health and Sexual Life: Information on past or present medical history, + physical or mental disabilities (including disability grades), and sexual + preferences. + + 5. Personal Information That May Seriously Infringe Privacy: + + - Genetic information obtained from genetic testing and criminal records. + + - Information on sentencing or exemption from sentences of fines or higher, + protective custody, treatment custody, probation, the invalidation of probation, + the cancellation of suspended sentences, forfeiture, confiscation, community + service orders, detention orders, etc. + + - Information on the physical, physiological, or behavioral characteristics + of an individual, created using specific technical means for the purpose of + identifying the individual (biometric characteristic information). + + - Information on race or ethnicity.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1204 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1203 + description: 'Cases Where Sensitive Information Processing is Permissible: + + When separate consent is obtained from the data subject, distinct from the + consent for the processing of other personal information. + + When the processing of sensitive information is required or permitted by law.' + annotation: 'Key Points for Verification: + + - Is sensitive information processed only when separate consent is obtained + from the data subject or when there is a legal basis for it? + + - Is unique identification information (excluding resident registration numbers) + processed only when separate consent is obtained from the data subject or + when there is a specific legal basis for it? + + - When there is a risk of privacy invasion due to the inclusion of the data + subject''s sensitive information in information disclosed during the provision + of goods or services, is the data subject clearly informed of the possibility + of disclosure and the method to choose non-disclosure before providing the + goods or services?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1205 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4 + description: Unique Identifying Information (excluding Resident Registration + Numbers) must only be processed if separate consent is obtained from the data + subject or if there is a specific legal basis for it. + annotation: 'Scope of Unique Identifying Information: + + 1. Resident Registration Number: (However, collection based on consent is + not permitted due to legal restrictions on its collection.) + + 2. Passport Number + + 3. Driver''s License Number + + 4. Alien Registration Number' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1206 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1205 + description: 'Cases Where the Processing of Unique Identifying Information (excluding + Resident Registration Numbers) is Permissible: + + + When separate consent is obtained from the data subject, distinct from the + consent for the processing of other personal information. + + When the processing of unique identifying information is specifically required + or permitted by law.' + annotation: 'Key Points for Verification: + + - Is sensitive information processed only when separate consent is obtained + from the data subject or when there is a legal basis for it? + + - Is unique identification information (excluding resident registration numbers) + processed only when separate consent is obtained from the data subject or + when there is a specific legal basis for it? + + - When there is a risk of privacy invasion due to the inclusion of the data + subject''s sensitive information in information disclosed during the provision + of goods or services, is the data subject clearly informed of the possibility + of disclosure and the method to choose non-disclosure before providing the + goods or services?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1207 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4 + description: When providing goods or services, if it is determined that the + disclosure of the data subject's sensitive information could pose a risk to + privacy, the data subject must be clearly informed in an easily understandable + way about the possibility of sensitive information being disclosed and how + to opt for non-disclosure before the goods or services are provided. + annotation: 'Key Points for Verification: + + - Is sensitive information processed only when separate consent is obtained + from the data subject or when there is a legal basis for it? + + - Is unique identification information (excluding resident registration numbers) + processed only when separate consent is obtained from the data subject or + when there is a specific legal basis for it? + + - When there is a risk of privacy invasion due to the inclusion of the data + subject''s sensitive information in information disclosed during the provision + of goods or services, is the data subject clearly informed of the possibility + of disclosure and the method to choose non-disclosure before providing the + goods or services?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1208 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1207 + description: If applicable, this must also be disclosed in the privacy policy. + annotation: 'Key Points for Verification: + + - Is sensitive information processed only when separate consent is obtained + from the data subject or when there is a legal basis for it? + + - Is unique identification information (excluding resident registration numbers) + processed only when separate consent is obtained from the data subject or + when there is a specific legal basis for it? + + - When there is a risk of privacy invasion due to the inclusion of the data + subject''s sensitive information in information disclosed during the provision + of goods or services, is the data subject clearly informed of the possibility + of disclosure and the method to choose non-disclosure before providing the + goods or services?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.5 + name: ' Indirect Collection of Personal Information' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1210 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: When receiving personal information from a third party other than + the data subject, it is necessary to verify whether the information was collected + and provided through lawful procedures. Additionally, the contract must clearly + specify that the responsibility for obtaining consent for the collection of + personal information lies with the provider. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1211 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: When collecting personal information from publicly available media + or locations such as SNS or websites, the information can only be used within + the scope where the data subject's consent is clearly indicated or within + the extent where consent is reasonably assumed based on social norms (Standard + Guidelines for Personal Information Protection, Article 6, Paragraph 4). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1212 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: Even when collecting or generating personal information through + automatic collection devices (e.g., call records, access logs, payment records, + usage history) during the service provision process, only the minimum necessary + personal information required to fulfill and provide the service contract + should be collected. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1213 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1212 + description: However, if the information is collected for purposes unrelated + to service provision, it should be classified as an optional consent item, + and separate prior consent must be obtained (e.g., using behavioral information + collected through cookies for personalized advertising). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: If personal information is collected from sources other than the + data subject, and the data subject requests it, the necessary details must + be promptly communicated to the data subject. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: 'When a data subject requests information, the following details + must be provided:' + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1216 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The source of the collected personal information. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1217 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The purpose of processing the personal information. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1218 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The fact that the data subject has the right to request the cessation + of processing or to withdraw consent. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1219 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: Unless there is a legitimate reason, the information must be communicated + to the data subject within 3 days from the date of the request (Standard Guidelines + for Personal Information Protection, Article 9, Paragraph 1). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1220 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: If the request is refused due to concerns such as potential harm + to another person's life or body, the grounds and reasons for refusal must + be communicated to the data subject within 3 days from the date of the request, + unless there is a legitimate reason (Standard Guidelines for Personal Information + Protection, Article 9, Paragraph 2). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: When processing personal information collected from sources other + than the data subject, the necessary details must be communicated to the data + subject if the type and scope of the information meet legal requirements. + annotation: You will find a table of Requirements and Methods for Notification + on page 204 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1222 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + description: The obligation to notify the source of personal information applies + only to personal information collected from personal information controllers + who have provided the information with the data subject's consent under Article + 17(1)1 of the Personal Information Protection Act. This does not apply to + personal information collected from entities that provided it under the Credit + Information Act or other legal provisions (Personal Information Protection + Act regulations and guidelines). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1223 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + description: If the collected information does not include contact information + or other data that can be used to inform the data subject, there is no obligation + to notify. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1224 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: Records of notifying the data subject about the source of the collected + information must be retained and managed until the personal information is + destroyed. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1224 + description: 'Information to be retained and managed related to source notification + (Personal Information Protection Act Enforcement Decree Article 15-2(4)):' + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1226 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Facts notified to the data subject + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1227 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Timing of notification + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1228 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Method of notification + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.6 + name: Installation and Operation of Video Information Processing Devices + - urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When installing and operating fixed surveillance cameras in public + places, you must review whether they meet the legal requirements. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1231 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: These are devices installed in a specific location that continuously + or periodically capture images of people or objects, or transmit these images + via wired or wireless networks. This includes closed-circuit television (CCTV) + and network cameras (as defined in Article 2, Item 7 of the Personal Information + Protection Act and Article 3, Paragraph 1 of the Enforcement Decree of the + same Act). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: 'Fixed surveillance cameras can be installed and operated in public + places only under the following circumstances:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1233 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When specifically permitted by law. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1234 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When necessary for the prevention and investigation of crime. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1235 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for the safety + and management of facilities, and fire prevention. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1236 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for traffic + enforcement. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1237 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for collecting, + analyzing, and providing traffic information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: 'When the captured video information is not stored and falls under + one of the following cases:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1239 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: For calculating statistics such as the number of visitors. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1240 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: To derive statistical characteristics such as gender and age group. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1241 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: In other cases similar to the above two, subject to review and + resolution by the Personal Information Protection Commission. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1242 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: It is prohibited to install and operate surveillance cameras in + places such as public baths, restrooms, sweat rooms, and changing rooms, where + there is a significant risk of infringing on personal privacy. However, exceptions + are made for facilities that detain or protect individuals based on legal + grounds, such as prisons and mental health facilities designated by Presidential + Decree (correctional facilities, mental health institutions with detention + facilities, mental health care facilities, and mental rehabilitation facilities). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1243 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When public institutions wish to install and operate fixed surveillance + cameras in public places, they must follow legal procedures such as public + hearings or briefings to collect opinions from relevant experts and stakeholders. + annotation: 'Entities Required to Collect Opinions: + + - Heads of public institutions intending to install and operate fixed surveillance + cameras in public places. + + - Correctional facilities, mental health institutions, mental health care + facilities, and mental rehabilitation facilities intending to install cameras + that may significantly infringe on personal privacy. + + + Opinion Collection Procedures: + + - Conducting administrative notices or soliciting opinions according to the + Administrative Procedure Act. + + - Holding briefings, surveys, or public opinion polls for local residents + directly affected by the installation of the surveillance cameras. + + + Opinion Collectors: + + - Relevant experts. + + - Individuals working at the facility, those detained or protected at the + facility, or their guardians and other stakeholders.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1244 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When installing and operating fixed surveillance cameras, an information + board must be installed to ensure that individuals can easily recognize the + presence of the cameras. + annotation: 'Information to Include on the Board:[Details about what should + be included on the board were not provided in your request. Typically, this + information would include the purpose of the surveillance, contact information + for the responsible entity, and details about how the footage will be used + and managed.] + + 1.Purpose and Location of Installation + + 2.Range and Time of Surveillance + + 3.Contact Information of the Responsible Manager + + 4.Name and Contact Information of the Entrusted Party (if the operation and + management of the surveillance system are outsourced) + + + Exceptions for Installing Information Boards: + + 1.Military Facilities + + 2.National Key Facilities + + 3.National Security Facilities' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1245 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1244 + description: "Considerations for Installing Information Boards:\nInstall the\ + \ board in a location that is easily noticeable by the individuals concerned.\n\ + If multiple fixed surveillance cameras are installed within a building, a\ + \ single information board indicating that the entire facility or area is\ + \ under surveillance can be installed in a prominent location, such as at\ + \ the entrance.\nIn cases where a public institution installs fixed surveillance\ + \ cameras for long-distance recording, monitoring speeding or signal violations,\ + \ traffic flow studies, or monitoring forest fires\u2014where there is minimal\ + \ concern for privacy violations\u2014if it is impossible to install an information\ + \ board or if an information board would not be easily visible to individuals\ + \ due to the specific characteristics of the location, the relevant information\ + \ can be posted on the institution's website." + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When operating mobile surveillance cameras in public places for + work purposes, you must verify that they meet legal requirements and take + the necessary actions accordingly. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1247 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + description: Devices worn or carried on the body, attached to, or mounted on + a mobile object, used to capture images or videos of people or objects, or + to transmit this footage via wired or wireless networks, as defined by Presidential + Decree (Article 2, Paragraph 7-2 of the Personal Information Protection Act, + and Article 3, Paragraph 2 of the Enforcement Decree). + annotation: 'Cases Where Mobile Surveillance Cameras Can Be Operated in Public + Places for Work Purposes: + + + 1. When any of the conditions in Article 15, Paragraph 1 of the Personal Information + Protection Act are met (e.g., with the consent of the data subject). + + + 2. When the fact that recording is taking place is clearly indicated, allowing + the data subject to be aware of the recording, and the data subject has not + expressed a refusal to be recorded. In such cases, it must be ensured that + the recording does not unfairly infringe on the rights of the data subject + and remains within reasonable limits. + + + 3. Other cases similar to the above, as specified by Presidential Decree.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1248 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + description: ' It is prohibited to film people or objects related to them with + mobile surveillance cameras in places where the privacy of individuals is + at significant risk, such as public baths, restrooms, saunas, and changing + rooms. However, exceptions are made in situations like crimes, disasters, + fires, or similar emergencies where video recording is necessary for rescuing + or assisting lives.' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When filming people or objects related to them with mobile surveillance + cameras in public places for work purposes, the filming should be clearly + indicated using lights, sounds, signs, or other methods to ensure that the + data subject is easily aware of the filming. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1250 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + description: 'Methods to Indicate Filming: Lights, sounds, signs, written notices, + announcements, or other similar means. + + ' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1251 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + description: 'Exceptions to Indicating Filming: If it is difficult to notify + data subjects due to the nature of filming, such as aerial photography by + drones, the fact and purpose of filming, as well as the date, time, and location, + must be announced through a website managed by the Personal Information Protection + Commission to support the indication of mobile surveillance camera filming + (Standard Personal Information Protection Guidelines, Article 39-2, Paragraph + 2)' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: Operators of surveillance cameras must establish and implement + policies for the safe management of surveillance cameras and the video information + collected by them. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1253 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Operators of fixed surveillance cameras should establish fixed + surveillance camera operation and management policies, while operators of + mobile surveillance cameras should establish mobile surveillance camera operation + and management policies. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: 'Information that must be included in the surveillance camera operation + and management policy:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1255 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The legal basis and purpose of installing the surveillance cameras. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1256 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The number of cameras installed, their locations, and the range + of coverage. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1257 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The person responsible for management, the department in charge, + and the individuals with access to the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1258 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The recording times, retention periods, storage locations, and + processing methods of the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1259 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Methods and locations for verifying video information by the operator. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1260 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Measures for handling requests from data subjects for access to + their video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1261 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Technical, administrative, and physical measures for the protection + of video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1262 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Other necessary matters regarding the installation, operation, + and management of surveillance cameras. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1263 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: If a privacy policy already includes matters related to the operation + and management of surveillance cameras, a separate surveillance camera operation + and management policy may not be required. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1264 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Regulations should include provisions to prevent fixed surveillance + cameras from being manipulated or pointed at unintended locations, ensuring + management and supervision. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1265 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Fixed surveillance cameras should not have their audio recording + functions activated. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: A retention period must be established for the video information, + and the information must be promptly destroyed once the retention period expires. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1267 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: The retention period should be determined to be the minimum necessary + to achieve the purpose of retaining the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1268 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: However, if there are specific provisions in other laws regarding + the retention period, those provisions should be followed. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1269 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: If the operator of the surveillance cameras finds it difficult + to determine the minimum period required to achieve the purpose of retention, + the retention period should be set to within 30 days from the date of collection + of personal video information (Standard Personal Information Protection Guidelines, + Article 41, Paragraph 2). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1270 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When delegating the installation and operation of video surveillance + systems to an external party, the necessary details must be included in the + contract according to the relevant procedures and requirements. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1270 + description: 'Items that must be included in the contract for public institutions + when outsourcing the installation and operation of video surveillance systems + (Article 26, Paragraph 1 of the Enforcement Decree of the Personal Information + Protection Act):' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1272 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: The purpose and scope of the delegated tasks. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1273 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Restrictions on further subcontracting. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1274 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Measures to ensure security, such as restricting access to video + information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1275 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Provisions for inspecting the management status of video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1276 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Liability, including compensation for damages, in case the subcontractor + violates the obligations they must adhere to. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.7 + name: Collection and Use of Personal Information for Marketing Purposes + - urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: When intending to process personal information to promote or sell + goods or services to the data subject, you must inform the data subject in + a way that is clear and understandable and obtain separate consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1279 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: "It is prohibited to collect personal information for \u2018promotion\ + \ and marketing\u2019 purposes while describing the purpose as \u2018providing\ + \ additional services\u2019 or \u2018providing partnership services\u2019." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1280 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: Personal information collected for product promotion or marketing + purposes must be clearly distinguished from information collected for other + purposes, and consent must be obtained separately. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1281 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: The fact that the personal information will be used to contact + the data subject for the promotion or solicitation of goods or services must + be clearly indicated, and the consent form should be designed to be easily + understood (using font size, color, bolding, or underlining to make the information + stand out). + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: When sending commercial advertising information using electronic + transmission media, explicit prior consent from the recipient must be obtained, + and the recipient's consent status must be regularly checked every two years. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1283 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: "\u2018Electronic transmission media\u2019 includes mobile phones,\ + \ landlines, faxes, messengers, emails, and bulletin boards." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1284 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: To send commercial advertising information, explicit consent from + the recipient must be obtained through a document (including electronic documents) + or verbal means. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1285 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: "Consent for the promotion or solicitation of goods or services\ + \ under Article 22, Paragraph 1, Subparagraph 7 of the Personal Information\ + \ Protection Act corresponds to the consent for the collection and use of\ + \ the recipient\u2019s personal information by the sender to transmit advertising\ + \ information. Meanwhile, the consent under Article 50, Paragraph 1 of the\ + \ Information and Communications Network Act pertains to the recipient agreeing\ + \ to receive advertising information from the sender. These two types of consent\ + \ must be distinguished and obtained separately." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1286 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: Simply downloading and installing a smartphone app (application) + does not allow the transmission of advertising information (app push notifications). + Advertising should only be sent after checking whether the recipient agrees + to receive advertising information when the app is first launched and obtaining + their consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1287 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: However, if the exception based on a transaction relationship applies, + it is possible to send advertising information without obtaining consent to + receive it. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: A sender who transmits advertising information after obtaining + the recipient's consent must verify the recipient's consent every two years + from the date the consent was initially obtained. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1289 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: This obligation is to inform the recipient that they have consented + to receive the information, so there is no need to obtain consent again. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1290 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: If the recipient does not express any intention, it is assumed + that the consent for receiving messages remains valid. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: 'When confirming the recipient''s consent, the following details + must be provided:' + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1292 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: The sender's name + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1293 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: The date of consent and confirmation of consent + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1294 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: How to express the intention to maintain or withdraw consent + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: If a recipient indicates refusal to receive or withdraws their + prior consent for advertising messages sent via electronic means, the sender + must stop sending such advertising information. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1296 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Even if there is an existing business relationship, if the recipient + expresses refusal to receive, sending advertising messages is prohibited. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1297 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Unsubscribing from membership is also considered as expressing + refusal to receive, so no advertising messages should be sent to those who + have unsubscribed. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1298 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Unless the recipient specifically limits their refusal or withdrawal + of consent to particular messages, the refusal applies to all advertising + messages from the sender. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: 'When sending advertising information for commercial purposes, + the following details must be clearly stated:' + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1300 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + description: The sender's name and contact information + annotation: Compliance with the "Information and Communication Network Act Enforcement + Decree Appendix 6 (Details and Methods for Commercial Advertising Information)" + is required. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1301 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1300 + description: Details and methods for easily expressing refusal or withdrawal + of consent + annotation: Compliance with the "Information and Communication Network Act Enforcement + Decree Appendix 6 (Details and Methods for Commercial Advertising Information)" + is required. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + description: Advertising messages cannot be sent via electronic means during + night hours (from 9 PM to 8 AM the next day) unless there is separate consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1303 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + description: However, sending advertising emails during the night is permissible + without additional consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1304 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + description: For more detailed information, refer to the "Information and Communication + Network Act Guide for Preventing Illegal Spam." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.2' + name: Protection Measures During Retention and Use of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.1 + name: Management of Personal Information Status + - urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: You must regularly manage the status of the personal data you collect + and retain, including the items of data, quantity, processing purposes and + methods, and retention periods. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + description: Data controllers (information and communication service providers) + must identify and record/manage the items of personal data, quantity, processing + basis (consent, legal provisions, etc.), processing purposes and methods, + and retention periods using personal data status tables, flow charts, or diagrams. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1309 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + description: Additionally, you should regularly review the personal data status + and update the relevant documents. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: When public institutions operate or modify personal data files, + they must register the relevant information with the heads of the related + agencies as required by law, and update the registration if there are any + changes. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1311 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: The data protection officer who receives the personal data file + registration or modification application must review and assess the appropriateness + of the registration or modification and submit it to the Personal Information + Protection Commission within 60 days. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1312 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: Central administrative agencies, local government agencies, and + other public institutions must request review and appropriateness judgment + from their higher management bodies for personal data file registration or + modification, and obtain confirmation from the higher management body before + registering with the Personal Information Protection Commission within 60 + days. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1313 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: For the National Assembly, the judiciary, the Constitutional Court, + and the Central Election Commission (including its affiliated bodies), personal + data file registration and disclosure follow the rules of the National Assembly, + Supreme Court, Constitutional Court, and Central Election Commission. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1314 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: However, personal data files falling under Article 32(2) of the + Personal Information Protection Act do not need to be registered with the + Personal Information Protection Commission. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: Public institutions must disclose the status of personal data files + in their personal data processing policies. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1316 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + description: The data protection officer of a public institution must regularly + investigate the status of personal data file retention and destruction and + disclose the results in the institution's personal data processing policy. + (Standard Personal Data Protection Guidelines, Article 61) + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1317 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + description: The Personal Information Protection Commission must make the status + of personal data file registrations publicly available on the internet, so + that anyone can easily access it. (Personal Information Portal, www.privacy.go.kr) + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.2 + name: Ensuring the Quality of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + description: Procedures and measures must be established and implemented to + ensure that personal data is maintained accurately and up-to-date. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1320 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Apply safety measures to prevent personal data from being forged, + altered, or damaged. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1321 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Build and implement systems for backup and recovery to ensure the + accuracy and completeness of personal data, even in the event of illegal changes, + damage due to external hacking, internal abuse of authority, or disasters. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1322 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Apply administrative and technical measures to prevent errors in + personal data input when it is altered by data handlers. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1323 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Establish and implement procedures to update personal data when + data subjects change their name or resident registration number, such as due + to name changes or data breaches. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + description: Methods must be provided for data subjects to ensure the accuracy, + completeness, and timeliness of their personal data. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1325 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Notify data subjects regularly about the ability to update their + personal data via the website. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1326 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Provide various methods for data subjects to easily view and update + their personal data, both online and offline. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1327 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Develop and implement secure identity verification procedures for + personal data changes. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1328 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Make it easy for data subjects to understand changes and updates + to the privacy policy and the history of personal data processing by posting + relevant information clearly. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.3 + name: Protection of Access to User Devices + - urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: If access to information stored on the data subject's (user's) + mobile communication device or to features installed on the mobile communication + device is required, you must clearly inform the data subject (user) about + this requirement and obtain their consent. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1331 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + description: The permission to access information and features stored on a smartphone + should be minimized to the extent necessary for the service. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + description: Before obtaining consent for access permissions, distinguish between + access permissions that are absolutely necessary for providing the service + (referred to as 'essential access permissions') and those that are not strictly + necessary (referred to as 'optional access permissions'). Clearly inform the + data subject (user) about the items and reasons for each type of access permission, + and obtain separate consent from them for both essential and optional access + permissions. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1333 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + description: '(For essential access permissions): 1. Inform the data subject + (user) of the items of information and features that require access permissions. + 2. Explain the reasons why access to these information and features is necessary.' + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1334 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + description: '(For optional access permissions): In addition to the items 1 + and 2 above, you must also inform the data subject (user) that they have the + option to refuse to consent to the access permission.' + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1335 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: If access permissions that are not essential for providing the + service are required on a mobile communication device, the data subject (user) + should not be denied service if they choose not to consent. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: You must establish and provide methods for the data subject (user) + to consent to or withdraw consent for access permissions on the mobile communication + device. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1337 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + description: '(For operating systems with individual consent selection capability, + such as Android 6.0 or higher and iPhone): Even if the data subject (user) + has already consented to access permissions, they can use the app-specific + or permission-specific consent withdrawal features provided by the operating + system to reset permissions for each app.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1338 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + description: "(For operating systems without individual consent selection capability):\ + \ Since the system does not support denial of permissions on a per-permission\ + \ basis and generally only allows setting essential permissions, if the data\ + \ subject (user) wishes to withdraw consent for these essential permissions,\ + \ they should uninstall the app. However, if the app itself provides a feature\ + \ to set optional permissions and choose whether to consent, the data subject\ + \ can use the app\u2019s consent withdrawal feature to reset the permissions." + annotation: 'Note: For more detailed information, refer to the ''Smartphone + App Access Permission Privacy Protection Guide.''' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.4 + name: Use and Provision of Personal Information Beyond the Original Purpose + - urn: urn:intuitem:risk:req_node:k_isms_p:node1340 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: Personal data must be used or provided only within the scope of + the purpose for which consent was obtained from the data subject at the time + of initial collection or based on legal grounds. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1341 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1340 + description: You must notify the data subject of the purpose of use or provision + and obtain consent within the scope allowed by the Personal Information Protection + Act or other laws. It is prohibited to use or provide personal data beyond + the scope permitted by the consent obtained or by law. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1342 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When receiving personal data from a data processor, it must be + used or provided only within the scope of the purpose for which it was provided. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1343 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1342 + description: The recipient of personal data is prohibited from using or providing + the data for purposes other than those for which it was provided or from providing + it to third parties. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: If personal data is used or provided beyond the scope of the collection + purpose or the purpose for which it was provided by the data processor, it + should be limited to cases where separate consent from the data subject is + obtained or where there is a legal basis for such use. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1345 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: Exceptions may apply where the use or provision of personal data + for purposes other than those initially intended is allowed (except where + there is a risk of unjustly infringing on the rights of the data subject or + third parties). + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: 'When obtaining consent for using or providing personal data for + purposes other than those originally intended, the following information must + be provided:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1347 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The recipient of the personal data + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1348 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The purpose of using the personal data (for provision, the recipient's + purpose) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1349 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The items of personal data to be used or provided + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1350 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The retention and use period of the personal data (for provision, + the recipient's retention and use period) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1351 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The right to refuse consent and, if refusal results in any disadvantages, + the details of those disadvantages + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: 'The recipient of personal data from another data processor must + not use the data for purposes other than those for which it was provided or + provide it to third parties, except in the following cases:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1353 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + description: When separate consent has been obtained from the data subject + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1354 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + description: When there are specific provisions in other laws + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: 'When providing personal data to a third party for purposes other + than those originally intended, the recipient should be requested to:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1356 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Restrict the purpose, method, duration, and form of use of the + personal data + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1357 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Take specific measures to ensure the security of the personal data, + and these measures should be requested in writing (including electronic documents) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1358 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Clarification of Responsibilities Regarding the Recipient of Personal + Data and Measures for Ensuring Data Security + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When a public institution uses personal data for purposes other + than those originally intended or provides it to a third party, it must publish + the necessary details about the legal basis, purpose, and scope of the use + or provision in the Official Gazette or on its website. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Exceptions to Publication in the Official Gazette or on the Website:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1361 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + description: When the use or provision of personal data for purposes other than + those originally intended is based on the consent of the data subject. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1362 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + description: When the use or provision of personal data for purposes other than + those originally intended is for the investigation of crimes or the initiation + and maintenance of prosecution. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Details to be Published in the Official Gazette or on the Website:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1364 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The date of the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1365 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The legal basis for the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1366 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The purpose of the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1367 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The items of personal data used or provided for purposes other + than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Timing and Duration of Publication:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1369 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + description: "Publication Timing:\_Within 30 days from the date of the use or\ + \ provision of personal data for purposes other than those originally intended." + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1370 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + description: "Publication Duration:\_If published on the website, it must remain\ + \ for at least 10 days." + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When public institutions or other entities use personal data for + purposes other than those initially intended or provide it to third parties, + they must record and manage this information in a 'Register of Unauthorized + Use and Provision of Personal Data.' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1372 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + description: For public institutions, when personal data is used for purposes + other than those intended or provided to third parties, it must be recorded + and managed in the 'Register of Unauthorized Use and Provision of Personal + Data.' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1373 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + description: Procedures must be established to systematically respond to requests + for personal data or other materials from judicial or government authorities + (such as warrants, orders, or demands for data submission). + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.5 + name: Processing of Pseudonymized Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When processing pseudonymous information, procedures must be established + and implemented to ensure appropriate handling of pseudonymous information, + including purpose limitation, pseudonymization methods and criteria, adequacy + review, prohibition of re-identification, and measures to be taken in case + re-identification occurs. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1376 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymization' refers to the processing of personal data in + a way that renders an individual unidentifiable without additional information, + which can include deleting or replacing part of the data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1377 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymous information' refers to information that has been pseudonymized + in such a way that it cannot identify a specific individual without using + or combining additional information, and this information remains within the + category of personal data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1378 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymous information' refers to information that has been pseudonymized + in such a way that it cannot identify a specific individual without using + or combining additional information, and this information remains within the + category of personal data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1379 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: According to the special provisions for pseudonymous information + processing, pseudonymous information can be processed without the data subject's + consent only for the purposes of statistical analysis, scientific research, + and public interest record preservation. Therefore, pseudonymizing personal + data for storage without a defined processing purpose does not fall under + the special provisions for pseudonymous information processing. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1380 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Procedures for pseudonymization must be established and implemented + to ensure an appropriate level of pseudonymization, taking into account the + processing purposes, usage environment, and data characteristics. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1381 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Examples of Pseudonymization Procedures (Pseudonymous Information + Processing Guidelines) + annotation: You will find a table on page 228 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1382 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: If separate pseudonymized data processing guidelines exist for + the relevant field, apply the contents of those guidelines as a priority. + annotation: 'Examples include: Health and Medical Data Utilization Guidelines + (Ministry of Health and Welfare), Education Field Pseudonymous and Anonymous + Information Processing Guidelines (Ministry of Education), Public Sector Pseudonymous + Information Provision Practical Guide (Ministry of the Interior and Safety), + Financial Sector Pseudonymous and Anonymous Processing Guide (Financial Services + Commission), etc.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When pseudonymizing personal data for use or provision, it must + be processed in a manner that ensures individuals cannot be identified without + using or combining additional information. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1384 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + description: 'Personal Identifiable Information: When necessary, replace it + with values that cannot identify a specific individual but can distinguish + between individuals, such as generating random values or hash values.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1385 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + description: 'Identifiable Information: If not required for the pseudonymous + information processing purposes, it should be deleted. For the remaining identifiable + information, pseudonymization should be performed using appropriate methods + and levels, considering the processing purposes and the risk of identification.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When combining pseudonymous information with other data controllers, + it should be done through a designated combination expert institution or data + specialist institution. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + description: If combining pseudonymous information held by different data controllers + for purposes such as statistical analysis, scientific research, or public + interest record preservation, it should be done through a combination expert + institution designated by the Personal Information Protection Commission or + relevant central administrative agencies. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1388 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + description: 'Expert Institutions: Refer to the Comprehensive Pseudonymous Information + Combination Support System (link.privacy.go.kr)' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1389 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + description: 'Financial Sector: When combining with datasets held by financial + companies, it should be performed through a data specialist institution in + accordance with the Credit Information Act.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1390 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + description: Pseudonymous Information Processing Procedures (Pseudonymous Information + Processing Guidelines) + annotation: You will find a table on page 229 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When processing pseudonymous information, additional information + must be deleted or separated and stored/managed securely, and relevant records + must be created and maintained with necessary technical, managerial, and physical + measures to ensure security. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1392 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: '(Administrative Protection Measures) + + Establishing and implementing internal management plans to safely manage pseudonymous + information and additional information + + Managing and supervising pseudonymous information processing contractors + + Including provisions in contracts for pseudonymous information processing + tasks and third-party provision, such as prohibiting re-identification + + Establishing and disclosing privacy policies related to pseudonymous information + processing + + Implementing training on pseudonymous information protection' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1393 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: '(Technical Protection Measures) + + Separating or deleting additional information + + Restricting access rights to pseudonymous information and additional information + + Creating and maintaining records related to pseudonymous information processing' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1394 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Physical Protection Measures) When storing pseudonymous information + or additional information in computer rooms or data storage rooms, establish + and implement procedures such as access control to protect against unauthorized + access. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1395 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Other Protection Measures) Since pseudonymous information is considered + personal data, adhere to the security measures required by Article 29 of the + Personal Information Protection Act, including prohibiting pseudonymous processing + for the purpose of identifying individuals. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1396 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Re-identification Monitoring, etc.) If information that can identify + a specific individual is generated during the processing of pseudonymous information, + immediately cease processing the information and take prompt action to recover + and destroy it. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: 'Processing Duration: Determine an appropriate period for processing + pseudonymous information based on its intended purpose. Destroy the information + promptly once the processing period has expired.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1398 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + description: Set the processing period appropriately to achieve the purpose + of pseudonymous information processing. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1399 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + description: Destroy the pseudonymous information without delay once the processing + period has expired. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When anonymizing personal data, ensure that the level of anonymization + is sufficient such that the individual can no longer be identified, considering + factors such as time, cost, and technology. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1401 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: '"Anonymous Information" refers to data that cannot identify an + individual even if other information is used, considering reasonable time, + cost, and technology.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1402 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: When anonymizing, delete personally identifiable information and + use a combination of anonymization methods to ensure that personally identifiable + information is anonymized to an adequate level. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1403 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: To ensure the adequacy of anonymization, establish and implement + a review process, such as forming a review committee composed of internal + and external experts. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.3' + name: Protection Measures When Providing Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.1 + name: Provision of Personal Information to Third Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing personal data to third parties, you must clearly + identify and comply with legal requirements, such as obtaining the data subject's + consent and adhering to legal obligations, to ensure the lawful provision + of personal data. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1407 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'Scope of Third Parties:' + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1408 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1407 + description: All entities except for the data subject and the personal data + controller who collects and retains the data (departments and organizations + within the same personal data controller are not considered third parties). + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1409 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'For each method of providing personal data, clearly identify the + legal requirements for data provision and maintain related evidence to prove + compliance:' + annotation: For example, if personal data is provided without the data subject's + consent due to specific legal provisions or to comply with legal obligations, + document the relevant legal provisions or regulations. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1410 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'A personal data controller may provide (including sharing) personal + data to a third party in the following cases:' + annotation: (Specific details to be listed depending on the applicable laws + or regulations.) + - urn: urn:intuitem:risk:req_node:k_isms_p:node1411 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: Consent for providing personal data to a third party must be obtained + separately from consent for collection and use. If providing data to a third + party is not essential for performing the core functions of the service, then + service provision should not be refused on the grounds of not consenting to + the third-party data provision. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When obtaining consent from the data subject for providing personal + data to a third party, relevant information must be clearly communicated, + and important details required by law must be explicitly indicated to make + it easily understandable. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1413 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: When obtaining consent for the provision of personal data to a + third party from the data subject, five statutory notices must be communicated + in a specific and clear manner. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1414 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: "For consent from the data subject to be lawful, it must meet all\ + \ legal requirements, including the data subject\u2019s free will in making\ + \ the decision, and the specificity and clarity of the consent details." + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1415 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: 'According to Article 22, Section 2 of the Personal Information + Protection Act, when obtaining consent for the processing of personal data + in writing (including electronic documents as defined in Article 2, Section + 1 of the Electronic Transactions Basic Act), important details must be clearly + highlighted and made easily understandable as follows:' + annotation: For detailed information, refer to the 'User-Friendly Personal Data + Processing Consent Guide' (Personal Information Protection Commission). + - urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing personal data to a third party, it must be limited + to the minimum necessary data items that match the purpose of the provision. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1417 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + description: 'When providing data based on consent: Only provide the minimum + necessary personal data required to achieve the purpose disclosed at the time + of consent.' + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1418 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + description: 'When providing data based on legal grounds: Provide only the minimum + necessary personal data required as specifically stated by the law or to comply + with legal obligations.' + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1419 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: During the process of providing personal data to a third party, + ensure that the data is protected from exposure or leakage by using secure + procedures and methods, and record and store the related provision details. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When allowing third parties access to personal data, control access + according to protection procedures to ensure the data is safely protected. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1421 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Implement secure authentication and access control measures to + ensure only authorized individuals can access the data. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1422 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Use encryption measures to prevent eavesdropping during transmission. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1423 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Maintain access logs to ensure accountability and traceability. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1424 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing additional personal data without the information + subject's consent, establish and implement criteria for considerations such + as relevance to the original collection purpose, predictability, potential + harm to interests, and safety measures. If additional provision of data continues + to occur, disclose this in the personal data processing policy and check for + compliance with these criteria. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.2 + name: Outsourcing of Personal Information Processing Tasks + - urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + description: When outsourcing (including subcontracting) personal data processing + tasks to a third party, the details of the outsourced tasks and the subcontractor + must be continuously updated and made publicly available on the website, so + that data subjects can easily check them at any time. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Information to be provided to data subjects:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1428 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + description: Details of the outsourced tasks. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1429 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + description: The third party (subcontractor) responsible for processing the + personal data. + annotation: The term "subcontractor" includes third parties (sub-subcontractors) + who receive tasks from the original subcontractor. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Disclosure methods for personal data processing outsourcing details + (according to Article 28(2) and (3) of the Enforcement Decree of the Personal + Information Protection Act):' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1431 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + description: Posting the details of the outsourced tasks and the subcontractor + on the website of the outsourcing party. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + description: 'If posting on the website is not possible, one or more of the + following methods should be used:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1433 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: "1. Posting in a visible location at the outsourcing party\u2019\ + s business premises." + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1434 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: "2. Publishing in the Official Gazette (only if the outsourcing\ + \ party is a public institution) or in general daily newspapers, weekly newspapers,\ + \ or online newspapers that are distributed in the region where the outsourcing\ + \ party\u2019s business is located, as defined by the Newspaper Promotion\ + \ Act." + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1435 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: 3.Including in publications, newsletters, promotional materials, + or invoices distributed to data subjects at least twice a year under the same + title. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1436 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: 4.Including in contracts or agreements made between the outsourcing + party and the data subject for the provision of goods or services. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Important considerations:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1438 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: Even if there are many subcontractors, all subcontractor names + must be listed and disclosed. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1439 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: If there is subcontracting, information about the subcontracting + must also be disclosed. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1440 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: If the content of the outsourced tasks or the subcontractor changes, + the updated information must be promptly reflected and disclosed on the website + or through other means. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + description: When outsourcing tasks related to promoting or selling goods or + services, the details of the outsourced tasks and the subcontractor must be + communicated to the data subject via written methods such as email, text messages, + etc. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1442 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + description: "Notification methods:\_Written methods (including written documents,\ + \ email, fax, phone, text messages, or equivalent methods)" + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1443 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + description: "Notification details:\_Content of the outsourced tasks, subcontractor" + annotation: For matters related to the outsourcing of personal data processing + tasks, such as outsourcing contracts, consent for subcontracting, and management + and supervision of subcontractors, refer to the certification standards for + the "External Security" section (2.3). + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.3 + name: Transfer of Personal Information Due to Business Transfer, etc. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: 'When transferring all or part of a business, or in cases of mergers, + where personal data is transferred to another party, the following information + must be provided to the data subject in advance:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + description: 'Information to be Provided:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1447 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: The fact that personal data is being transferred. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1448 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: The name, address, phone number, and other contact details of the + person receiving the personal data. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1449 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: Methods and procedures for the data subject to take action if they + do not wish for their personal data to be transferred. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + description: 'Methods of Notification:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1451 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + description: Through email, written notice, fax, phone, or similar methods. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + description: "If the data subject\u2019s contact information cannot be obtained\ + \ without negligence, the information should be posted on the website for\ + \ at least 30 days." + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1453 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + description: If the transferor does not operate a website, the information should + be posted at a visible location at their business premises for at least 30 + days. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1454 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + description: Alternatively, the information can be published in a daily newspaper, + weekly newspaper, or online newspaper within the main distribution area of + the business location according to the Newspaper Promotion Act. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: If the transferee is subject to legal notification requirements, + they must promptly inform the data subject of the fact that they have received + the personal data and other necessary details. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1456 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + description: If the transferor has already notified the data subject of the + transfer, the transferee does not need to provide additional notice. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1457 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + description: However, if the personal data has been transferred without the + transferor notifying the data subject, the transferee must inform the data + subject of the transfer. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1458 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: The recipient of the personal data must use the data only for the + original purposes at the time of the transfer or provide it to third parties + only for those purposes. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1459 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1458 + description: If the recipient of personal data intends to use or provide the + data beyond the original purpose for which it was transferred, they must obtain + separate consent from the data subject. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.4 + name: International Transfer of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: When providing (including in cases of retrieval), outsourcing, + or storing personal data to a third party abroad (hereinafter referred to + as 'transfer'), all required notifications about the overseas transfer must + be provided to the data subject, and separate consent must be obtained or + legal requirements such as certification or acknowledgment must be complied + with. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1462 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + description: 'Conditions under which the transfer of personal data abroad is + permissible (Article 28-8, Paragraph 1 of the Personal Information Protection + Act):' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1463 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + description: When agreeing to transfer personal information overseas, all five + items below must be notified and consent must be obtained. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: 'When outsourcing the processing or storage of personal data abroad + for the purpose of contract execution with the data subject, the following + must be communicated adequately:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + description: 'Methods for Informing the Data Subject:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1466 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + description: 1. Disclosure in the Privacy Policy. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1467 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + description: "2. Written methods\_(such as written notice, email, fax, phone,\ + \ text messaging, or similar methods)." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + description: 'Information to be Provided to the Data Subject:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1469 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 1.The items of personal data being transferred. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1470 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 2. The countries, timing, and methods of data transfer. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1471 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 3. The name (or designation and contact information, if a corporation) + of the entity receiving the data. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1472 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 4.The purpose and retention period of the data by the recipient. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1473 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 5. How to refuse the data transfer, the procedure for refusal, + and the consequences of refusal. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: Contracts for overseas transfers must comply with data protection + laws and include terms related to the protection of personal data. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + description: 'Key Aspects to Include in the Contract:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1476 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: 1. Safety measures for data protection as per Article 30(1) of + the Enforcement Decree of the Personal Information Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1477 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: 2. Measures for handling complaints and resolving disputes related + to data breaches. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1478 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: "3. Additional necessary measures for protecting the data subject\u2019\ + s personal data." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + description: 'Protection Measures Required for Overseas Transfers:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1480 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 1. Compliance with relevant regulations on overseas data transfers + under the Personal Information Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1481 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 2. Adherence to Articles 17 through 19 of the Personal Information + Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1482 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: "3. Compliance with Chapter 5 of the Personal Information Protection\ + \ Act, concerning the protection of the data subject\u2019s rights." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1483 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 4. Safety measures as per Article 30(1) of the Enforcement Decree + of the Personal Information Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1484 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 5. Measures for handling complaints and resolving disputes related + to data breaches. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1485 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: "6. Additional necessary measures to protect the data subject\u2019\ + s personal data." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.4' + name: Protection Measures When Destroying Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + ref_id: 3.4.1 + name: ' Destruction of Personal Information' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: 'Internal policies regarding the retention period and destruction + of personal data should include the following:' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1489 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + description: 'For each collection item, purpose, and method: Storage location + (e.g., databases, backup data), destruction method, timing of destruction, + and legal basis.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1490 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + description: Public institutions must establish and implement a personal data + destruction plan reflecting the retention period and processing purpose of + personal data files and may include this plan in their internal management + plan. (Standard Personal Data Protection Guidelines, Article 55, Paragraph + 2) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1491 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: When the purpose of processing personal data is achieved or the + retention period has expired, the data must be destroyed without delay. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1492 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1491 + description: When personal data is no longer needed, due to achievement of processing + purposes, discontinuation of the service, termination of business, or expiration + of the legal retention period, the data must be destroyed within 5 days unless + there is a valid reason. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: When destroying personal data, it must be done in a manner that + prevents recovery or reconstruction. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1494 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Complete destruction (e.g., incineration, shredding) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1495 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Use of specialized equipment (e.g., devices that use magnetic fields + to delete data from storage) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1496 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Initialization or overwriting to prevent data recovery + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: 'If only part of the data is destroyed, and the above methods are + difficult, implement the following measures:' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1498 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + description: '1. For electronic files: Manage and supervise to prevent recovery + and reconstruction after deletion.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1499 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + description: '2. For non-electronic records, printed materials, written documents, + etc.: Delete using methods such as masking or punching.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1500 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: If the above methods are significantly difficult due to technical + reasons, process the data as information covered by Article 58-2 of the Act + (anonymization) to make recovery impossible. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: Records of personal data destruction must be maintained and managed. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1502 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "The destruction and results\_must be verified under the responsibility\ + \ of the personal data protection officer, and matters related to destruction\ + \ must be recorded and managed." + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1503 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "Records of destruction\_should be recorded in a destruction management\ + \ ledger or stored as records, such as photos of the destruction." + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1504 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "Public institutions\_must verify the destruction results and create\ + \ a destruction management ledger for personal data files. (Standard Personal\ + \ Data Protection Guidelines, Article 55)" + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + ref_id: 3.4.2 + name: Measures When Retaining Information After Achieving Processing Purpose + - urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: If personal data is retained beyond the retention period or after + the purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, it must be managed to retain only the + minimum information necessary for the minimum period required by those laws. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1507 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + description: "Limit the personal data items\_to the minimum required for the\ + \ intended purpose." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1508 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + description: "Set the retention period\_according to the minimum duration specified\ + \ by the relevant laws." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1509 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: 'If personal data is retained beyond the retention period or after + the purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, the personal data or personal data files + must be stored and managed separately from other personal data. + + ' + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1510 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1509 + description: "Separate databases\_should be configured either physically or\ + \ logically." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1511 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: "Manage the separated personal data\_so that it can only be processed\ + \ within the scope of purposes specified by the laws." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1512 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1511 + description: Separated personal data must not be used for purposes other than + those specified by law, such as marketing. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: Access to separated personal data should be restricted to the minimum + number of people. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1514 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + description: Limit access permissions to the smallest number of individuals + for separated databases. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1515 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + description: Maintain access logs for separated databases and review them regularly. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.5' + name: Protection of Data Subject Rights + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + ref_id: 3.5.1 + name: Disclosure of Personal Information Processing Policy + - urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + description: The privacy policy must be written in a clear and specific manner + using easy-to-understand terms, including all content required by law. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1519 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: Mandatory items to include in the privacy policy (refer to Article + 30 of the Personal Information Protection Act and Article 31 of the Enforcement + Decree of the same Act). + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1520 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: Other items to include in the privacy policy (refer to Article + 19 of the Standard Privacy Protection Guidelines). + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1521 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: For personal data that can be processed without consent, differentiate + it from personal data that requires consent by disclosing the items and legal + grounds for processing in the privacy policy. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1522 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: The content of the privacy policy, including the purpose of processing, + the items of personal data processed, and third-party provision details, must + accurately reflect the actual data processing situation and be written clearly + and specifically in easy-to-understand terms, considering the characteristics + of the service and the data subjects. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1523 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1522 + description: 1. Establish specific and appropriate details on processing grounds, + data subject rights, and other legally required aspects. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1524 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1522 + description: 2. Prepare the privacy policy in clear and understandable language + for the data subjects. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1525 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: In cases where exceptions apply under the Personal Information + Protection Act, it may not be necessary to establish a privacy policy. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1526 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + description: The privacy policy must be continuously updated and made accessible + on the internet homepage or other platforms so that data subjects can easily + review it. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1527 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526 + description: Use the standardized term "Privacy Policy". + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1528 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526 + description: When posting on the homepage, differentiate it from other notices + by using font size, color, etc., to make it easily noticeable to data subjects. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1529 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526 + description: If no website is available, the privacy policy can be disclosed + using other legally prescribed methods. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1530 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + description: When changes are made to the privacy policy, promptly notify the + reasons and details of the changes, and ensure that data subjects can easily + access and understand the updated information. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1531 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1530 + description: Compare and disclose the changes before and after the update so + that data subjects can easily review the modifications. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + ref_id: 3.5.2 + name: Guaranteeing the Rights of Data Subjects + - urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: The method and procedure for exercising the rights to access, correct, + delete, suspend processing, and withdraw consent regarding personal information + (hereinafter referred to as 'requests for access, etc.') by the data subject + or their representative must be established and disclosed in a manner that + is not more difficult than the methods and procedures for collecting personal + information. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1534 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: A specific method and procedure must be established for the data + subject to make requests for access, etc., and this must be made easily accessible + to the data subject. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1535 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: The method and procedure for the data subject to exercise their + rights must be at least as easy and convenient as the procedure for collecting + personal information or signing up as a member, and additional documents that + were not required during the collection of personal information should not + be requested. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1536 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: It is necessary to provide a variety of methods for exercising + these rights (e.g., in-person, written request, phone, email, website) to + ensure the data subject can choose the most convenient option. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1537 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: It must be verified that the person making the request for access, + etc. is the data subject themselves or a legitimate representative. The verification + method should be an objectively recognized reasonable means (e.g., electronic + signature, i-PIN, ID verification, etc.). + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1538 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: If the personal information controller is a public institution, + identity verification should be conducted through the joint use of administrative + information in accordance with the "Electronic Government Act" if possible. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1539 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533 + description: You may charge the person requesting access, etc., a fee and postage + within the scope of the actual cost required to perform the related work. + However, if the reason for the request is due to the personal information + controller, fees and postage cannot be charged. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1540 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When the data subject or their representative requests access to + personal information, the necessary measures must be taken within 10 days + to allow the data subject to view the relevant personal information. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1541 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540 + description: 'The data subject may request access to the following items regarding + their personal information processed by the personal information controller:' + annotation: You will find it on page 253 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1542 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540 + description: If there is a legitimate reason why access cannot be provided within + 10 days, the data subject must be informed of the reason, and the access can + be postponed. After the reason for the postponement has been resolved, access + to the personal information must be granted within 10 days from the date the + reason is resolved. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1543 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540 + description: If there is a reason to restrict or deny access to personal information, + the data subject must be informed of the reason, and access may be restricted + or denied + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1544 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540 + description: If certain parts of the requested information have reasons for + access restriction or denial, access to those specific parts can be restricted, + while allowing access to the remaining parts. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: If you are subject to legal obligations, procedures and measures + must be established and implemented to respond to requests for the transfer + of personal information from the data subject or their representative. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1546 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + description: The legal obligations to respond to a data subject's request for + the transfer of personal information (data transferor). + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1547 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + description: 'Information that can be requested for transfer (personal data + that meets all of the following requirements):' + annotation: You will find it on page 254 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1548 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + description: 'Requirements for the personal information processor who can receive + the transferred personal data under the transfer request (information recipient):' + annotation: The amended provisions of the Personal Information Protection Act + related to the right to data portability (Article 35-2) will come into effect + from the date specified by Presidential Decree, which will be within one to + two years after one year has passed since its announcement (March 14, 2023). + - urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: 'When the data subject or their representative requests correction + or deletion of personal information, if the request is deemed justified, the + personal information must be examined within 10 days, and actions such as + correction or deletion must be taken accordingly, with the results communicated + to the data subject:' + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1550 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: Respond with the results of the action within 10 days of receiving + the request for correction or deletion of personal information. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1551 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: If the personal information has been outsourced or provided to + a third party, notify the contractor or third party to take action upon receiving + the correction request or withdrawal of consent. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1552 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: If the collection of that personal information is specified by + other laws, the request for deletion may be refused. In such cases, the decision + not to comply, the content of the relevant laws, the reasons, and the methods + for objection must be communicated to the data subject within 10 days of receiving + the correction or deletion request, using a personal information correction + or deletion notification (e.g., records related to contract or withdrawal + of subscription under the Electronic Commerce Act). + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: 'When the data subject or their representative requests the suspension + of personal information processing, unless there is a special reason, the + processing must be partially or fully suspended immediately, and the result + must be communicated to the data subject:' + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1554 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + description: Respond with the results within 10 days of receiving the request + for suspension of personal information processing. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1555 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + description: If there are reasons to refuse the suspension of personal information + processing, notify the requester within 10 days of receiving the request. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1556 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When the data subject or their representative withdraws consent + for the collection, use, or provision of personal information, necessary actions, + including the immediate destruction of the collected personal information, + must be taken. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When the data subject or their representative requests to refuse + or obtain an explanation for decisions made through fully automated systems + (including those using artificial intelligence technology), necessary actions + must be taken. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1558 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: The data subject has the right to refuse automated decisions or + request an explanation. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1559 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: If the data subject requests to refuse or seek explanations for + automated decisions, unless there are legitimate reasons, the automated decision + should not be applied, or necessary actions such as human intervention or + reprocessing and explanations should be taken. Procedures should be established + and implemented accordingly. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1560 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: When making automated decisions, the criteria and procedures for + the automated decision, as well as how personal information is processed, + should be disclosed in a manner easily accessible to the data subject. + annotation: 'Note: The revised provisions of Article 37-2 of the Personal Information + Protection Act related to refusal and explanation of automated decisions will + come into effect one year after its promulgation (March 15, 2024).' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1561 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: "If there is any dispute regarding the measures taken in response\ + \ to the data subject\u2019s request for access or other actions, necessary\ + \ procedures must be established to allow for objections." + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1562 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1561 + description: In such cases, the objection procedures should be operated fairly, + possibly involving external experts or internal checks and balances. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1563 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: Records of the data subject's requests and the results of processing + those requests must be maintained. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1564 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1563 + description: Regular reviews of records related to data subject requests should + be conducted to ensure that rights are being appropriately protected, and + corrective measures should be taken if necessary. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When personal rights are infringed upon through information communication + networks, procedures must be established and implemented to allow the affected + party to request the deletion of the information or other remedies from the + information communication service provider, and necessary measures should + be taken to prevent personal information from being exposed to the public + through these networks. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1566 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + description: If personal information is disclosed to the public through information + communication networks and infringes on privacy or defames others, the affected + party should be able to request the deletion or posting of rebuttals from + the service provider by proving the infringement. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1567 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + description: If a service provider receives a request to delete or take temporary + action regarding information that infringes on others' rights, they must take + necessary actions promptly and notify the requester and the information publisher + immediately. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1568 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + description: The terms and procedures related to remedies for infringed rights + should be clearly specified in the terms of service. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1569 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + description: Personal information controllers must ensure that unique identification + information, account information, credit card information, and other personal + data are not exposed to the public through information communication networks, + and must take necessary actions, such as deleting or blocking the information, + if requested by the Personal Information Protection Commission or the Korea + Internet & Security Agency. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + ref_id: 3.5.3 + name: Notification to Data Subjects + - urn: urn:intuitem:risk:req_node:k_isms_p:node1571 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3 + description: 'If the entity is subject to legal obligations, they must periodically + notify the data subject of the method to access information systems where + they can verify the details of personal data usage or provision. + + ' + annotation: 'Key Points for Verification: + + - If the entity is subject to legal obligations, are they regularly notifying + the data subject of the method to access information systems that allow for + checking the details of personal data usage or provision? + + - Are the notification items regarding personal data usage and provision details + including all legally required items?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1572 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1571 + description: Legal Requirements for Notifying Personal Data Usage and Provision + Details + annotation: 'Key Points for Verification: + + - If the entity is subject to legal obligations, are they regularly notifying + the data subject of the method to access information systems that allow for + checking the details of personal data usage or provision? + + - Are the notification items regarding personal data usage and provision details + including all legally required items?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1573 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3 + description: The notification of personal data usage and provision details must + include all legally required items. + annotation: 'Items to Include in the Notification of Personal Data Usage and + Provision Details + + 1. The purpose of collecting and using personal data and the items of personal + data collected. + + 2. The recipients of the personal data and the purpose of provision, as well + as the items of personal data provided (excluding information provided under + the Communication Privacy Protection Act, Articles 13, 13-2, 13-4, and the + Telecommunications Business Act, Article 83, Paragraph 3).' diff --git a/backend/locale/fr/LC_MESSAGES/django.mo b/backend/locale/fr/LC_MESSAGES/django.mo new file mode 100644 index 000000000..2c90dd0c8 Binary files /dev/null and b/backend/locale/fr/LC_MESSAGES/django.mo differ diff --git a/backend/locale/fr/LC_MESSAGES/django.po b/backend/locale/fr/LC_MESSAGES/django.po new file mode 100644 index 000000000..3501710da --- /dev/null +++ b/backend/locale/fr/LC_MESSAGES/django.po @@ -0,0 +1,156 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2024-08-26 08:54+0000\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" +#: iam/models.py:67 +msgid "GLOBAL" +msgstr "" + +#: iam/models.py:68 +msgid "DOMAIN" +msgstr "" + +#: iam/models.py:77 +msgid "parent folder" +msgstr "" + +#: iam/models.py:87 +msgid "Folder" +msgstr "" + +#: iam/models.py:88 +msgid "Folders" +msgstr "" + +#: iam/models.py:209 +msgid "user group" +msgstr "" + +#: iam/models.py:210 iam/models.py:317 +msgid "user groups" +msgstr "" + +#: iam/models.py:255 +msgid "Welcome to Ciso Assistant!" +msgstr "" + +#: iam/models.py:294 +msgid "last name" +msgstr "" + +#: iam/models.py:295 +msgid "first name" +msgstr "" + +#: iam/models.py:300 +msgid "active" +msgstr "" + +#: iam/models.py:303 +msgid "" +"Designates whether this user should be treated as active. Unselect this " +"instead of deleting accounts." +msgstr "" + +#: iam/models.py:307 +msgid "date joined" +msgstr "" + +#: iam/models.py:309 +msgid "superuser status" +msgstr "" + +#: iam/models.py:312 +msgid "" +"Designates that this user has all permissions without explicitly assigning " +"them." +msgstr "" + +#: iam/models.py:320 +msgid "" +"The user groups this user belongs to. A user will get all permissions " +"granted to each of their user groups." +msgstr "" + +#: iam/models.py:335 +msgid "user" +msgstr "" + +#: iam/models.py:336 +msgid "users" +msgstr "" + +#: iam/models.py:479 +msgid "permissions" +msgstr "" + +#: iam/models.py:494 +msgid "Domain" +msgstr "" + +#: iam/models.py:500 +msgid "Role" +msgstr "" + +#: iam/models.py:501 +msgid "sub folders are visible" +msgstr "" + +#: iam/sso/models.py:61 +msgid "is enabled" +msgstr "" + +#: iam/sso/models.py:66 +msgid "provider" +msgstr "" + +#: iam/sso/models.py:70 +msgid "provider ID" +msgstr "" + +#: iam/sso/models.py:74 +msgid "name" +msgstr "" + +#: iam/sso/models.py:76 +msgid "client id" +msgstr "" + +#: iam/sso/models.py:78 +msgid "App ID, or consumer key" +msgstr "" + +#: iam/sso/models.py:82 +msgid "secret key" +msgstr "" + +#: iam/sso/models.py:85 +msgid "API secret, client secret, or consumer secret" +msgstr "" + +#: iam/sso/models.py:88 +msgid "key" +msgstr "" + +#: iam/sso/models.py:88 +msgid "Key" +msgstr "" + +#: iam/views.py:96 +msgid "CISO Assistant: Password Reset" +msgstr "" diff --git a/backend/poetry.lock b/backend/poetry.lock new file mode 100644 index 000000000..4d60ebf38 --- /dev/null +++ b/backend/poetry.lock @@ -0,0 +1,2198 @@ +# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. + +[[package]] +name = "argon2-cffi" +version = "23.1.0" +description = "Argon2 for Python" +optional = false +python-versions = ">=3.7" +files = [ + {file = "argon2_cffi-23.1.0-py3-none-any.whl", hash = "sha256:c670642b78ba29641818ab2e68bd4e6a78ba53b7eff7b4c3815ae16abf91c7ea"}, + {file = "argon2_cffi-23.1.0.tar.gz", hash = "sha256:879c3e79a2729ce768ebb7d36d4609e3a78a4ca2ec3a9f12286ca057e3d0db08"}, +] + +[package.dependencies] +argon2-cffi-bindings = "*" + +[package.extras] +dev = ["argon2-cffi[tests,typing]", "tox (>4)"] +docs = ["furo", "myst-parser", "sphinx", "sphinx-copybutton", "sphinx-notfound-page"] +tests = ["hypothesis", "pytest"] +typing = ["mypy"] + +[[package]] +name = "argon2-cffi-bindings" +version = "21.2.0" +description = "Low-level CFFI bindings for Argon2" +optional = false +python-versions = ">=3.6" +files = [ + {file = "argon2-cffi-bindings-21.2.0.tar.gz", hash = "sha256:bb89ceffa6c791807d1305ceb77dbfacc5aa499891d2c55661c6459651fc39e3"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-macosx_10_9_x86_64.whl", hash = "sha256:ccb949252cb2ab3a08c02024acb77cfb179492d5701c7cbdbfd776124d4d2367"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9524464572e12979364b7d600abf96181d3541da11e23ddf565a32e70bd4dc0d"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b746dba803a79238e925d9046a63aa26bf86ab2a2fe74ce6b009a1c3f5c8f2ae"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:58ed19212051f49a523abb1dbe954337dc82d947fb6e5a0da60f7c8471a8476c"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:bd46088725ef7f58b5a1ef7ca06647ebaf0eb4baff7d1d0d177c6cc8744abd86"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_i686.whl", hash = "sha256:8cd69c07dd875537a824deec19f978e0f2078fdda07fd5c42ac29668dda5f40f"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:f1152ac548bd5b8bcecfb0b0371f082037e47128653df2e8ba6e914d384f3c3e"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-win32.whl", hash = "sha256:603ca0aba86b1349b147cab91ae970c63118a0f30444d4bc80355937c950c082"}, + {file = "argon2_cffi_bindings-21.2.0-cp36-abi3-win_amd64.whl", hash = "sha256:b2ef1c30440dbbcba7a5dc3e319408b59676e2e039e2ae11a8775ecf482b192f"}, + {file = "argon2_cffi_bindings-21.2.0-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:e415e3f62c8d124ee16018e491a009937f8cf7ebf5eb430ffc5de21b900dad93"}, + {file = "argon2_cffi_bindings-21.2.0-pp37-pypy37_pp73-macosx_10_9_x86_64.whl", hash = "sha256:3e385d1c39c520c08b53d63300c3ecc28622f076f4c2b0e6d7e796e9f6502194"}, + {file = "argon2_cffi_bindings-21.2.0-pp37-pypy37_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2c3e3cc67fdb7d82c4718f19b4e7a87123caf8a93fde7e23cf66ac0337d3cb3f"}, + {file = "argon2_cffi_bindings-21.2.0-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6a22ad9800121b71099d0fb0a65323810a15f2e292f2ba450810a7316e128ee5"}, + {file = "argon2_cffi_bindings-21.2.0-pp37-pypy37_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f9f8b450ed0547e3d473fdc8612083fd08dd2120d6ac8f73828df9b7d45bb351"}, + {file = "argon2_cffi_bindings-21.2.0-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:93f9bf70084f97245ba10ee36575f0c3f1e7d7724d67d8e5b08e61787c320ed7"}, + {file = "argon2_cffi_bindings-21.2.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:3b9ef65804859d335dc6b31582cad2c5166f0c3e7975f324d9ffaa34ee7e6583"}, + {file = "argon2_cffi_bindings-21.2.0-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4966ef5848d820776f5f562a7d45fdd70c2f330c961d0d745b784034bd9f48d"}, + {file = "argon2_cffi_bindings-21.2.0-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:20ef543a89dee4db46a1a6e206cd015360e5a75822f76df533845c3cbaf72670"}, + {file = "argon2_cffi_bindings-21.2.0-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ed2937d286e2ad0cc79a7087d3c272832865f779430e0cc2b4f3718d3159b0cb"}, + {file = "argon2_cffi_bindings-21.2.0-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:5e00316dabdaea0b2dd82d141cc66889ced0cdcbfa599e8b471cf22c620c329a"}, +] + +[package.dependencies] +cffi = ">=1.0.1" + +[package.extras] +dev = ["cogapp", "pre-commit", "pytest", "wheel"] +tests = ["pytest"] + +[[package]] +name = "asgiref" +version = "3.8.1" +description = "ASGI specs, helper code, and adapters" +optional = false +python-versions = ">=3.8" +files = [ + {file = "asgiref-3.8.1-py3-none-any.whl", hash = "sha256:3e1e3ecc849832fe52ccf2cb6686b7a55f82bb1d6aee72a58826471390335e47"}, + {file = "asgiref-3.8.1.tar.gz", hash = "sha256:c343bd80a0bec947a9860adb4c432ffa7db769836c64238fc34bdc3fec84d590"}, +] + +[package.extras] +tests = ["mypy (>=0.800)", "pytest", "pytest-asyncio"] + +[[package]] +name = "attrs" +version = "24.2.0" +description = "Classes Without Boilerplate" +optional = false +python-versions = ">=3.7" +files = [ + {file = "attrs-24.2.0-py3-none-any.whl", hash = "sha256:81921eb96de3191c8258c199618104dd27ac608d9366f5e35d011eae1867ede2"}, + {file = "attrs-24.2.0.tar.gz", hash = "sha256:5cfb1b9148b5b086569baec03f20d7b6bf3bcacc9a42bebf87ffaaca362f6346"}, +] + +[package.extras] +benchmark = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-codspeed", "pytest-mypy-plugins", "pytest-xdist[psutil]"] +cov = ["cloudpickle", "coverage[toml] (>=5.3)", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] +dev = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] +docs = ["cogapp", "furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier (<24.7)"] +tests = ["cloudpickle", "hypothesis", "mypy (>=1.11.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] +tests-mypy = ["mypy (>=1.11.1)", "pytest-mypy-plugins"] + +[[package]] +name = "brotli" +version = "1.1.0" +description = "Python bindings for the Brotli compression library" +optional = false +python-versions = "*" +files = [ + {file = "Brotli-1.1.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e1140c64812cb9b06c922e77f1c26a75ec5e3f0fb2bf92cc8c58720dec276752"}, + {file = "Brotli-1.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c8fd5270e906eef71d4a8d19b7c6a43760c6abcfcc10c9101d14eb2357418de9"}, + {file = "Brotli-1.1.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1ae56aca0402a0f9a3431cddda62ad71666ca9d4dc3a10a142b9dce2e3c0cda3"}, + {file = "Brotli-1.1.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:43ce1b9935bfa1ede40028054d7f48b5469cd02733a365eec8a329ffd342915d"}, + {file = "Brotli-1.1.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:7c4855522edb2e6ae7fdb58e07c3ba9111e7621a8956f481c68d5d979c93032e"}, + {file = "Brotli-1.1.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:38025d9f30cf4634f8309c6874ef871b841eb3c347e90b0851f63d1ded5212da"}, + {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e6a904cb26bfefc2f0a6f240bdf5233be78cd2488900a2f846f3c3ac8489ab80"}, + {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:a37b8f0391212d29b3a91a799c8e4a2855e0576911cdfb2515487e30e322253d"}, + {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:e84799f09591700a4154154cab9787452925578841a94321d5ee8fb9a9a328f0"}, + {file = "Brotli-1.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f66b5337fa213f1da0d9000bc8dc0cb5b896b726eefd9c6046f699b169c41b9e"}, + {file = "Brotli-1.1.0-cp310-cp310-win32.whl", hash = "sha256:be36e3d172dc816333f33520154d708a2657ea63762ec16b62ece02ab5e4daf2"}, + {file = "Brotli-1.1.0-cp310-cp310-win_amd64.whl", hash = "sha256:0c6244521dda65ea562d5a69b9a26120769b7a9fb3db2fe9545935ed6735b128"}, + {file = "Brotli-1.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:a3daabb76a78f829cafc365531c972016e4aa8d5b4bf60660ad8ecee19df7ccc"}, + {file = "Brotli-1.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c8146669223164fc87a7e3de9f81e9423c67a79d6b3447994dfb9c95da16e2d6"}, + {file = "Brotli-1.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:30924eb4c57903d5a7526b08ef4a584acc22ab1ffa085faceb521521d2de32dd"}, + {file = "Brotli-1.1.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ceb64bbc6eac5a140ca649003756940f8d6a7c444a68af170b3187623b43bebf"}, + {file = "Brotli-1.1.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a469274ad18dc0e4d316eefa616d1d0c2ff9da369af19fa6f3daa4f09671fd61"}, + {file = "Brotli-1.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:524f35912131cc2cabb00edfd8d573b07f2d9f21fa824bd3fb19725a9cf06327"}, + {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:5b3cc074004d968722f51e550b41a27be656ec48f8afaeeb45ebf65b561481dd"}, + {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:19c116e796420b0cee3da1ccec3b764ed2952ccfcc298b55a10e5610ad7885f9"}, + {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:510b5b1bfbe20e1a7b3baf5fed9e9451873559a976c1a78eebaa3b86c57b4265"}, + {file = "Brotli-1.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:a1fd8a29719ccce974d523580987b7f8229aeace506952fa9ce1d53a033873c8"}, + {file = "Brotli-1.1.0-cp311-cp311-win32.whl", hash = "sha256:39da8adedf6942d76dc3e46653e52df937a3c4d6d18fdc94a7c29d263b1f5b50"}, + {file = "Brotli-1.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:aac0411d20e345dc0920bdec5548e438e999ff68d77564d5e9463a7ca9d3e7b1"}, + {file = "Brotli-1.1.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:316cc9b17edf613ac76b1f1f305d2a748f1b976b033b049a6ecdfd5612c70409"}, + {file = "Brotli-1.1.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:caf9ee9a5775f3111642d33b86237b05808dafcd6268faa492250e9b78046eb2"}, + {file = "Brotli-1.1.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:70051525001750221daa10907c77830bc889cb6d865cc0b813d9db7fefc21451"}, + {file = "Brotli-1.1.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7f4bf76817c14aa98cc6697ac02f3972cb8c3da93e9ef16b9c66573a68014f91"}, + {file = "Brotli-1.1.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d0c5516f0aed654134a2fc936325cc2e642f8a0e096d075209672eb321cff408"}, + {file = "Brotli-1.1.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6c3020404e0b5eefd7c9485ccf8393cfb75ec38ce75586e046573c9dc29967a0"}, + {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:4ed11165dd45ce798d99a136808a794a748d5dc38511303239d4e2363c0695dc"}, + {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:4093c631e96fdd49e0377a9c167bfd75b6d0bad2ace734c6eb20b348bc3ea180"}, + {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:7e4c4629ddad63006efa0ef968c8e4751c5868ff0b1c5c40f76524e894c50248"}, + {file = "Brotli-1.1.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:861bf317735688269936f755fa136a99d1ed526883859f86e41a5d43c61d8966"}, + {file = "Brotli-1.1.0-cp312-cp312-win32.whl", hash = "sha256:5f4d5ea15c9382135076d2fb28dde923352fe02951e66935a9efaac8f10e81b0"}, + {file = "Brotli-1.1.0-cp312-cp312-win_amd64.whl", hash = "sha256:906bc3a79de8c4ae5b86d3d75a8b77e44404b0f4261714306e3ad248d8ab0951"}, + {file = "Brotli-1.1.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:a090ca607cbb6a34b0391776f0cb48062081f5f60ddcce5d11838e67a01928d1"}, + {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2de9d02f5bda03d27ede52e8cfe7b865b066fa49258cbab568720aa5be80a47d"}, + {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2333e30a5e00fe0fe55903c8832e08ee9c3b1382aacf4db26664a16528d51b4b"}, + {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4d4a848d1837973bf0f4b5e54e3bec977d99be36a7895c61abb659301b02c112"}, + {file = "Brotli-1.1.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:fdc3ff3bfccdc6b9cc7c342c03aa2400683f0cb891d46e94b64a197910dc4064"}, + {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:5eeb539606f18a0b232d4ba45adccde4125592f3f636a6182b4a8a436548b914"}, + {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:fd5f17ff8f14003595ab414e45fce13d073e0762394f957182e69035c9f3d7c2"}, + {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:069a121ac97412d1fe506da790b3e69f52254b9df4eb665cd42460c837193354"}, + {file = "Brotli-1.1.0-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:e93dfc1a1165e385cc8239fab7c036fb2cd8093728cbd85097b284d7b99249a2"}, + {file = "Brotli-1.1.0-cp36-cp36m-win32.whl", hash = "sha256:a599669fd7c47233438a56936988a2478685e74854088ef5293802123b5b2460"}, + {file = "Brotli-1.1.0-cp36-cp36m-win_amd64.whl", hash = "sha256:d143fd47fad1db3d7c27a1b1d66162e855b5d50a89666af46e1679c496e8e579"}, + {file = "Brotli-1.1.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:11d00ed0a83fa22d29bc6b64ef636c4552ebafcef57154b4ddd132f5638fbd1c"}, + {file = "Brotli-1.1.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f733d788519c7e3e71f0855c96618720f5d3d60c3cb829d8bbb722dddce37985"}, + {file = "Brotli-1.1.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:929811df5462e182b13920da56c6e0284af407d1de637d8e536c5cd00a7daf60"}, + {file = "Brotli-1.1.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0b63b949ff929fbc2d6d3ce0e924c9b93c9785d877a21a1b678877ffbbc4423a"}, + {file = "Brotli-1.1.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:d192f0f30804e55db0d0e0a35d83a9fead0e9a359a9ed0285dbacea60cc10a84"}, + {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:f296c40e23065d0d6650c4aefe7470d2a25fffda489bcc3eb66083f3ac9f6643"}, + {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:919e32f147ae93a09fe064d77d5ebf4e35502a8df75c29fb05788528e330fe74"}, + {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:23032ae55523cc7bccb4f6a0bf368cd25ad9bcdcc1990b64a647e7bbcce9cb5b"}, + {file = "Brotli-1.1.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:224e57f6eac61cc449f498cc5f0e1725ba2071a3d4f48d5d9dffba42db196438"}, + {file = "Brotli-1.1.0-cp37-cp37m-win32.whl", hash = "sha256:587ca6d3cef6e4e868102672d3bd9dc9698c309ba56d41c2b9c85bbb903cdb95"}, + {file = "Brotli-1.1.0-cp37-cp37m-win_amd64.whl", hash = "sha256:2954c1c23f81c2eaf0b0717d9380bd348578a94161a65b3a2afc62c86467dd68"}, + {file = "Brotli-1.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:efa8b278894b14d6da122a72fefcebc28445f2d3f880ac59d46c90f4c13be9a3"}, + {file = "Brotli-1.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:03d20af184290887bdea3f0f78c4f737d126c74dc2f3ccadf07e54ceca3bf208"}, + {file = "Brotli-1.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6172447e1b368dcbc458925e5ddaf9113477b0ed542df258d84fa28fc45ceea7"}, + {file = "Brotli-1.1.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a743e5a28af5f70f9c080380a5f908d4d21d40e8f0e0c8901604d15cfa9ba751"}, + {file = "Brotli-1.1.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0541e747cce78e24ea12d69176f6a7ddb690e62c425e01d31cc065e69ce55b48"}, + {file = "Brotli-1.1.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:cdbc1fc1bc0bff1cef838eafe581b55bfbffaed4ed0318b724d0b71d4d377619"}, + {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:890b5a14ce214389b2cc36ce82f3093f96f4cc730c1cffdbefff77a7c71f2a97"}, + {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:1ab4fbee0b2d9098c74f3057b2bc055a8bd92ccf02f65944a241b4349229185a"}, + {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:141bd4d93984070e097521ed07e2575b46f817d08f9fa42b16b9b5f27b5ac088"}, + {file = "Brotli-1.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:fce1473f3ccc4187f75b4690cfc922628aed4d3dd013d047f95a9b3919a86596"}, + {file = "Brotli-1.1.0-cp38-cp38-win32.whl", hash = "sha256:db85ecf4e609a48f4b29055f1e144231b90edc90af7481aa731ba2d059226b1b"}, + {file = "Brotli-1.1.0-cp38-cp38-win_amd64.whl", hash = "sha256:3d7954194c36e304e1523f55d7042c59dc53ec20dd4e9ea9d151f1b62b4415c0"}, + {file = "Brotli-1.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5fb2ce4b8045c78ebbc7b8f3c15062e435d47e7393cc57c25115cfd49883747a"}, + {file = "Brotli-1.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:7905193081db9bfa73b1219140b3d315831cbff0d8941f22da695832f0dd188f"}, + {file = "Brotli-1.1.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a77def80806c421b4b0af06f45d65a136e7ac0bdca3c09d9e2ea4e515367c7e9"}, + {file = "Brotli-1.1.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8dadd1314583ec0bf2d1379f7008ad627cd6336625d6679cf2f8e67081b83acf"}, + {file = "Brotli-1.1.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:901032ff242d479a0efa956d853d16875d42157f98951c0230f69e69f9c09bac"}, + {file = "Brotli-1.1.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:22fc2a8549ffe699bfba2256ab2ed0421a7b8fadff114a3d201794e45a9ff578"}, + {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:ae15b066e5ad21366600ebec29a7ccbc86812ed267e4b28e860b8ca16a2bc474"}, + {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:949f3b7c29912693cee0afcf09acd6ebc04c57af949d9bf77d6101ebb61e388c"}, + {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:89f4988c7203739d48c6f806f1e87a1d96e0806d44f0fba61dba81392c9e474d"}, + {file = "Brotli-1.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:de6551e370ef19f8de1807d0a9aa2cdfdce2e85ce88b122fe9f6b2b076837e59"}, + {file = "Brotli-1.1.0-cp39-cp39-win32.whl", hash = "sha256:f0d8a7a6b5983c2496e364b969f0e526647a06b075d034f3297dc66f3b360c64"}, + {file = "Brotli-1.1.0-cp39-cp39-win_amd64.whl", hash = "sha256:cdad5b9014d83ca68c25d2e9444e28e967ef16e80f6b436918c700c117a85467"}, + {file = "Brotli-1.1.0.tar.gz", hash = "sha256:81de08ac11bcb85841e440c13611c00b67d3bf82698314928d0b676362546724"}, +] + +[[package]] +name = "brotlicffi" +version = "1.1.0.0" +description = "Python CFFI bindings to the Brotli library" +optional = false +python-versions = ">=3.7" +files = [ + {file = "brotlicffi-1.1.0.0-cp37-abi3-macosx_10_9_x86_64.whl", hash = "sha256:9b7ae6bd1a3f0df532b6d67ff674099a96d22bc0948955cb338488c31bfb8851"}, + {file = "brotlicffi-1.1.0.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:19ffc919fa4fc6ace69286e0a23b3789b4219058313cf9b45625016bf7ff996b"}, + {file = "brotlicffi-1.1.0.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9feb210d932ffe7798ee62e6145d3a757eb6233aa9a4e7db78dd3690d7755814"}, + {file = "brotlicffi-1.1.0.0-cp37-abi3-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:84763dbdef5dd5c24b75597a77e1b30c66604725707565188ba54bab4f114820"}, + {file = "brotlicffi-1.1.0.0-cp37-abi3-win32.whl", hash = "sha256:1b12b50e07c3911e1efa3a8971543e7648100713d4e0971b13631cce22c587eb"}, + {file = "brotlicffi-1.1.0.0-cp37-abi3-win_amd64.whl", hash = "sha256:994a4f0681bb6c6c3b0925530a1926b7a189d878e6e5e38fae8efa47c5d9c613"}, + {file = "brotlicffi-1.1.0.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:2e4aeb0bd2540cb91b069dbdd54d458da8c4334ceaf2d25df2f4af576d6766ca"}, + {file = "brotlicffi-1.1.0.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4b7b0033b0d37bb33009fb2fef73310e432e76f688af76c156b3594389d81391"}, + {file = "brotlicffi-1.1.0.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:54a07bb2374a1eba8ebb52b6fafffa2afd3c4df85ddd38fcc0511f2bb387c2a8"}, + {file = "brotlicffi-1.1.0.0-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7901a7dc4b88f1c1475de59ae9be59799db1007b7d059817948d8e4f12e24e35"}, + {file = "brotlicffi-1.1.0.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:ce01c7316aebc7fce59da734286148b1d1b9455f89cf2c8a4dfce7d41db55c2d"}, + {file = "brotlicffi-1.1.0.0-pp37-pypy37_pp73-macosx_10_9_x86_64.whl", hash = "sha256:246f1d1a90279bb6069de3de8d75a8856e073b8ff0b09dcca18ccc14cec85979"}, + {file = "brotlicffi-1.1.0.0-pp37-pypy37_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc4bc5d82bc56ebd8b514fb8350cfac4627d6b0743382e46d033976a5f80fab6"}, + {file = "brotlicffi-1.1.0.0-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:37c26ecb14386a44b118ce36e546ce307f4810bc9598a6e6cb4f7fca725ae7e6"}, + {file = "brotlicffi-1.1.0.0-pp37-pypy37_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ca72968ae4eaf6470498d5c2887073f7efe3b1e7d7ec8be11a06a79cc810e990"}, + {file = "brotlicffi-1.1.0.0-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:add0de5b9ad9e9aa293c3aa4e9deb2b61e99ad6c1634e01d01d98c03e6a354cc"}, + {file = "brotlicffi-1.1.0.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:9b6068e0f3769992d6b622a1cd2e7835eae3cf8d9da123d7f51ca9c1e9c333e5"}, + {file = "brotlicffi-1.1.0.0-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8557a8559509b61e65083f8782329188a250102372576093c88930c875a69838"}, + {file = "brotlicffi-1.1.0.0-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2a7ae37e5d79c5bdfb5b4b99f2715a6035e6c5bf538c3746abc8e26694f92f33"}, + {file = "brotlicffi-1.1.0.0-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:391151ec86bb1c683835980f4816272a87eaddc46bb91cbf44f62228b84d8cca"}, + {file = "brotlicffi-1.1.0.0-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:2f3711be9290f0453de8eed5275d93d286abe26b08ab4a35d7452caa1fef532f"}, + {file = "brotlicffi-1.1.0.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:1a807d760763e398bbf2c6394ae9da5815901aa93ee0a37bca5efe78d4ee3171"}, + {file = "brotlicffi-1.1.0.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fa8ca0623b26c94fccc3a1fdd895be1743b838f3917300506d04aa3346fd2a14"}, + {file = "brotlicffi-1.1.0.0-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3de0cf28a53a3238b252aca9fed1593e9d36c1d116748013339f0949bfc84112"}, + {file = "brotlicffi-1.1.0.0-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6be5ec0e88a4925c91f3dea2bb0013b3a2accda6f77238f76a34a1ea532a1cb0"}, + {file = "brotlicffi-1.1.0.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:d9eb71bb1085d996244439154387266fd23d6ad37161f6f52f1cd41dd95a3808"}, + {file = "brotlicffi-1.1.0.0.tar.gz", hash = "sha256:b77827a689905143f87915310b93b273ab17888fd43ef350d4832c4a71083c13"}, +] + +[package.dependencies] +cffi = ">=1.0.0" + +[[package]] +name = "certifi" +version = "2024.7.4" +description = "Python package for providing Mozilla's CA Bundle." +optional = false +python-versions = ">=3.6" +files = [ + {file = "certifi-2024.7.4-py3-none-any.whl", hash = "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90"}, + {file = "certifi-2024.7.4.tar.gz", hash = "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b"}, +] + +[[package]] +name = "cffi" +version = "1.17.0" +description = "Foreign Function Interface for Python calling C code." +optional = false +python-versions = ">=3.8" +files = [ + {file = "cffi-1.17.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb"}, + {file = "cffi-1.17.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab"}, + {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa"}, + {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f"}, + {file = "cffi-1.17.0-cp310-cp310-win32.whl", hash = "sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc"}, + {file = "cffi-1.17.0-cp310-cp310-win_amd64.whl", hash = "sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2"}, + {file = "cffi-1.17.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720"}, + {file = "cffi-1.17.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8"}, + {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8"}, + {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb"}, + {file = "cffi-1.17.0-cp311-cp311-win32.whl", hash = "sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9"}, + {file = "cffi-1.17.0-cp311-cp311-win_amd64.whl", hash = "sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0"}, + {file = "cffi-1.17.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc"}, + {file = "cffi-1.17.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828"}, + {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150"}, + {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a"}, + {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885"}, + {file = "cffi-1.17.0-cp312-cp312-win32.whl", hash = "sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492"}, + {file = "cffi-1.17.0-cp312-cp312-win_amd64.whl", hash = "sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2"}, + {file = "cffi-1.17.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118"}, + {file = "cffi-1.17.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204"}, + {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f"}, + {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0"}, + {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4"}, + {file = "cffi-1.17.0-cp313-cp313-win32.whl", hash = "sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a"}, + {file = "cffi-1.17.0-cp313-cp313-win_amd64.whl", hash = "sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7"}, + {file = "cffi-1.17.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401"}, + {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c"}, + {file = "cffi-1.17.0-cp38-cp38-win32.whl", hash = "sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499"}, + {file = "cffi-1.17.0-cp38-cp38-win_amd64.whl", hash = "sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c"}, + {file = "cffi-1.17.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2"}, + {file = "cffi-1.17.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058"}, + {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3"}, + {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4"}, + {file = "cffi-1.17.0-cp39-cp39-win32.whl", hash = "sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb"}, + {file = "cffi-1.17.0-cp39-cp39-win_amd64.whl", hash = "sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29"}, + {file = "cffi-1.17.0.tar.gz", hash = "sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76"}, +] + +[package.dependencies] +pycparser = "*" + +[[package]] +name = "cfgv" +version = "3.4.0" +description = "Validate configuration and produce human readable error messages." +optional = false +python-versions = ">=3.8" +files = [ + {file = "cfgv-3.4.0-py2.py3-none-any.whl", hash = "sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9"}, + {file = "cfgv-3.4.0.tar.gz", hash = "sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560"}, +] + +[[package]] +name = "charset-normalizer" +version = "3.3.2" +description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." +optional = false +python-versions = ">=3.7.0" +files = [ + {file = "charset-normalizer-3.3.2.tar.gz", hash = "sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-win32.whl", hash = "sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73"}, + {file = "charset_normalizer-3.3.2-cp310-cp310-win_amd64.whl", hash = "sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-win32.whl", hash = "sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab"}, + {file = "charset_normalizer-3.3.2-cp311-cp311-win_amd64.whl", hash = "sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-win32.whl", hash = "sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7"}, + {file = "charset_normalizer-3.3.2-cp312-cp312-win_amd64.whl", hash = "sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-win32.whl", hash = "sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4"}, + {file = "charset_normalizer-3.3.2-cp37-cp37m-win_amd64.whl", hash = "sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-win32.whl", hash = "sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25"}, + {file = "charset_normalizer-3.3.2-cp38-cp38-win_amd64.whl", hash = "sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-win32.whl", hash = "sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f"}, + {file = "charset_normalizer-3.3.2-cp39-cp39-win_amd64.whl", hash = "sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d"}, + {file = "charset_normalizer-3.3.2-py3-none-any.whl", hash = "sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc"}, +] + +[[package]] +name = "colorama" +version = "0.4.6" +description = "Cross-platform colored terminal text." +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +files = [ + {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, + {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, +] + +[[package]] +name = "coverage" +version = "7.5.4" +description = "Code coverage measurement for Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "coverage-7.5.4-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:6cfb5a4f556bb51aba274588200a46e4dd6b505fb1a5f8c5ae408222eb416f99"}, + {file = "coverage-7.5.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:2174e7c23e0a454ffe12267a10732c273243b4f2d50d07544a91198f05c48f47"}, + {file = "coverage-7.5.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2214ee920787d85db1b6a0bd9da5f8503ccc8fcd5814d90796c2f2493a2f4d2e"}, + {file = "coverage-7.5.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1137f46adb28e3813dec8c01fefadcb8c614f33576f672962e323b5128d9a68d"}, + {file = "coverage-7.5.4-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b385d49609f8e9efc885790a5a0e89f2e3ae042cdf12958b6034cc442de428d3"}, + {file = "coverage-7.5.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:b4a474f799456e0eb46d78ab07303286a84a3140e9700b9e154cfebc8f527016"}, + {file = "coverage-7.5.4-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:5cd64adedf3be66f8ccee418473c2916492d53cbafbfcff851cbec5a8454b136"}, + {file = "coverage-7.5.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:e564c2cf45d2f44a9da56f4e3a26b2236504a496eb4cb0ca7221cd4cc7a9aca9"}, + {file = "coverage-7.5.4-cp310-cp310-win32.whl", hash = "sha256:7076b4b3a5f6d2b5d7f1185fde25b1e54eb66e647a1dfef0e2c2bfaf9b4c88c8"}, + {file = "coverage-7.5.4-cp310-cp310-win_amd64.whl", hash = "sha256:018a12985185038a5b2bcafab04ab833a9a0f2c59995b3cec07e10074c78635f"}, + {file = "coverage-7.5.4-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:db14f552ac38f10758ad14dd7b983dbab424e731588d300c7db25b6f89e335b5"}, + {file = "coverage-7.5.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3257fdd8e574805f27bb5342b77bc65578e98cbc004a92232106344053f319ba"}, + {file = "coverage-7.5.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3a6612c99081d8d6134005b1354191e103ec9705d7ba2754e848211ac8cacc6b"}, + {file = "coverage-7.5.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d45d3cbd94159c468b9b8c5a556e3f6b81a8d1af2a92b77320e887c3e7a5d080"}, + {file = "coverage-7.5.4-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ed550e7442f278af76d9d65af48069f1fb84c9f745ae249c1a183c1e9d1b025c"}, + {file = "coverage-7.5.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:7a892be37ca35eb5019ec85402c3371b0f7cda5ab5056023a7f13da0961e60da"}, + {file = "coverage-7.5.4-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8192794d120167e2a64721d88dbd688584675e86e15d0569599257566dec9bf0"}, + {file = "coverage-7.5.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:820bc841faa502e727a48311948e0461132a9c8baa42f6b2b84a29ced24cc078"}, + {file = "coverage-7.5.4-cp311-cp311-win32.whl", hash = "sha256:6aae5cce399a0f065da65c7bb1e8abd5c7a3043da9dceb429ebe1b289bc07806"}, + {file = "coverage-7.5.4-cp311-cp311-win_amd64.whl", hash = "sha256:d2e344d6adc8ef81c5a233d3a57b3c7d5181f40e79e05e1c143da143ccb6377d"}, + {file = "coverage-7.5.4-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:54317c2b806354cbb2dc7ac27e2b93f97096912cc16b18289c5d4e44fc663233"}, + {file = "coverage-7.5.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:042183de01f8b6d531e10c197f7f0315a61e8d805ab29c5f7b51a01d62782747"}, + {file = "coverage-7.5.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a6bb74ed465d5fb204b2ec41d79bcd28afccf817de721e8a807d5141c3426638"}, + {file = "coverage-7.5.4-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b3d45ff86efb129c599a3b287ae2e44c1e281ae0f9a9bad0edc202179bcc3a2e"}, + {file = "coverage-7.5.4-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5013ed890dc917cef2c9f765c4c6a8ae9df983cd60dbb635df8ed9f4ebc9f555"}, + {file = "coverage-7.5.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:1014fbf665fef86cdfd6cb5b7371496ce35e4d2a00cda501cf9f5b9e6fced69f"}, + {file = "coverage-7.5.4-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:3684bc2ff328f935981847082ba4fdc950d58906a40eafa93510d1b54c08a66c"}, + {file = "coverage-7.5.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:581ea96f92bf71a5ec0974001f900db495488434a6928a2ca7f01eee20c23805"}, + {file = "coverage-7.5.4-cp312-cp312-win32.whl", hash = "sha256:73ca8fbc5bc622e54627314c1a6f1dfdd8db69788f3443e752c215f29fa87a0b"}, + {file = "coverage-7.5.4-cp312-cp312-win_amd64.whl", hash = "sha256:cef4649ec906ea7ea5e9e796e68b987f83fa9a718514fe147f538cfeda76d7a7"}, + {file = "coverage-7.5.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:cdd31315fc20868c194130de9ee6bfd99755cc9565edff98ecc12585b90be882"}, + {file = "coverage-7.5.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:02ff6e898197cc1e9fa375581382b72498eb2e6d5fc0b53f03e496cfee3fac6d"}, + {file = "coverage-7.5.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d05c16cf4b4c2fc880cb12ba4c9b526e9e5d5bb1d81313d4d732a5b9fe2b9d53"}, + {file = "coverage-7.5.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c5986ee7ea0795a4095ac4d113cbb3448601efca7f158ec7f7087a6c705304e4"}, + {file = "coverage-7.5.4-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5df54843b88901fdc2f598ac06737f03d71168fd1175728054c8f5a2739ac3e4"}, + {file = "coverage-7.5.4-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:ab73b35e8d109bffbda9a3e91c64e29fe26e03e49addf5b43d85fc426dde11f9"}, + {file = "coverage-7.5.4-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:aea072a941b033813f5e4814541fc265a5c12ed9720daef11ca516aeacd3bd7f"}, + {file = "coverage-7.5.4-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:16852febd96acd953b0d55fc842ce2dac1710f26729b31c80b940b9afcd9896f"}, + {file = "coverage-7.5.4-cp38-cp38-win32.whl", hash = "sha256:8f894208794b164e6bd4bba61fc98bf6b06be4d390cf2daacfa6eca0a6d2bb4f"}, + {file = "coverage-7.5.4-cp38-cp38-win_amd64.whl", hash = "sha256:e2afe743289273209c992075a5a4913e8d007d569a406ffed0bd080ea02b0633"}, + {file = "coverage-7.5.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b95c3a8cb0463ba9f77383d0fa8c9194cf91f64445a63fc26fb2327e1e1eb088"}, + {file = "coverage-7.5.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3d7564cc09dd91b5a6001754a5b3c6ecc4aba6323baf33a12bd751036c998be4"}, + {file = "coverage-7.5.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:44da56a2589b684813f86d07597fdf8a9c6ce77f58976727329272f5a01f99f7"}, + {file = "coverage-7.5.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e16f3d6b491c48c5ae726308e6ab1e18ee830b4cdd6913f2d7f77354b33f91c8"}, + {file = "coverage-7.5.4-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dbc5958cb471e5a5af41b0ddaea96a37e74ed289535e8deca404811f6cb0bc3d"}, + {file = "coverage-7.5.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:a04e990a2a41740b02d6182b498ee9796cf60eefe40cf859b016650147908029"}, + {file = "coverage-7.5.4-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:ddbd2f9713a79e8e7242d7c51f1929611e991d855f414ca9996c20e44a895f7c"}, + {file = "coverage-7.5.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:b1ccf5e728ccf83acd313c89f07c22d70d6c375a9c6f339233dcf792094bcbf7"}, + {file = "coverage-7.5.4-cp39-cp39-win32.whl", hash = "sha256:56b4eafa21c6c175b3ede004ca12c653a88b6f922494b023aeb1e836df953ace"}, + {file = "coverage-7.5.4-cp39-cp39-win_amd64.whl", hash = "sha256:65e528e2e921ba8fd67d9055e6b9f9e34b21ebd6768ae1c1723f4ea6ace1234d"}, + {file = "coverage-7.5.4-pp38.pp39.pp310-none-any.whl", hash = "sha256:79b356f3dd5b26f3ad23b35c75dbdaf1f9e2450b6bcefc6d0825ea0aa3f86ca5"}, + {file = "coverage-7.5.4.tar.gz", hash = "sha256:a44963520b069e12789d0faea4e9fdb1e410cdc4aab89d94f7f55cbb7fef0353"}, +] + +[package.extras] +toml = ["tomli"] + +[[package]] +name = "cryptography" +version = "43.0.1" +description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." +optional = false +python-versions = ">=3.7" +files = [ + {file = "cryptography-43.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d"}, + {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062"}, + {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962"}, + {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277"}, + {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a"}, + {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042"}, + {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494"}, + {file = "cryptography-43.0.1-cp37-abi3-win32.whl", hash = "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2"}, + {file = "cryptography-43.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d"}, + {file = "cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d"}, + {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806"}, + {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85"}, + {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c"}, + {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1"}, + {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa"}, + {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4"}, + {file = "cryptography-43.0.1-cp39-abi3-win32.whl", hash = "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47"}, + {file = "cryptography-43.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb"}, + {file = "cryptography-43.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034"}, + {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d"}, + {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289"}, + {file = "cryptography-43.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84"}, + {file = "cryptography-43.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365"}, + {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96"}, + {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172"}, + {file = "cryptography-43.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2"}, + {file = "cryptography-43.0.1.tar.gz", hash = "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d"}, +] + +[package.dependencies] +cffi = {version = ">=1.12", markers = "platform_python_implementation != \"PyPy\""} + +[package.extras] +docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"] +docstest = ["pyenchant (>=1.6.11)", "readme-renderer", "sphinxcontrib-spelling (>=4.0.1)"] +nox = ["nox"] +pep8test = ["check-sdist", "click", "mypy", "ruff"] +sdist = ["build"] +ssh = ["bcrypt (>=3.1.5)"] +test = ["certifi", "cryptography-vectors (==43.0.1)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] +test-randomorder = ["pytest-randomly"] + +[[package]] +name = "cssselect2" +version = "0.7.0" +description = "CSS selectors for Python ElementTree" +optional = false +python-versions = ">=3.7" +files = [ + {file = "cssselect2-0.7.0-py3-none-any.whl", hash = "sha256:fd23a65bfd444595913f02fc71f6b286c29261e354c41d722ca7a261a49b5969"}, + {file = "cssselect2-0.7.0.tar.gz", hash = "sha256:1ccd984dab89fc68955043aca4e1b03e0cf29cad9880f6e28e3ba7a74b14aa5a"}, +] + +[package.dependencies] +tinycss2 = "*" +webencodings = "*" + +[package.extras] +doc = ["sphinx", "sphinx_rtd_theme"] +test = ["flake8", "isort", "pytest"] + +[[package]] +name = "distlib" +version = "0.3.8" +description = "Distribution utilities" +optional = false +python-versions = "*" +files = [ + {file = "distlib-0.3.8-py2.py3-none-any.whl", hash = "sha256:034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784"}, + {file = "distlib-0.3.8.tar.gz", hash = "sha256:1530ea13e350031b6312d8580ddb6b27a104275a31106523b8f123787f494f64"}, +] + +[[package]] +name = "django" +version = "5.0.8" +description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design." +optional = false +python-versions = ">=3.10" +files = [ + {file = "Django-5.0.8-py3-none-any.whl", hash = "sha256:333a7988f7ca4bc14d360d3d8f6b793704517761ae3813b95432043daec22a45"}, + {file = "Django-5.0.8.tar.gz", hash = "sha256:ebe859c9da6fead9c9ee6dbfa4943b04f41342f4cea2c4d8c978ef0d10694f2b"}, +] + +[package.dependencies] +asgiref = ">=3.7.0,<4" +sqlparse = ">=0.3.1" +tzdata = {version = "*", markers = "sys_platform == \"win32\""} + +[package.extras] +argon2 = ["argon2-cffi (>=19.1.0)"] +bcrypt = ["bcrypt"] + +[[package]] +name = "django-allauth" +version = "0.63.5" +description = "Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication." +optional = false +python-versions = ">=3.7" +files = [ + {file = "django_allauth-0.63.5.tar.gz", hash = "sha256:ab612c58dac10e64ab7c1ef1389610c56e43e4a39ce36abaf11b8564a6b2e998"}, +] + +[package.dependencies] +Django = ">=3.2" + +[package.extras] +mfa = ["qrcode (>=7.0.0)"] +openid = ["python3-openid (>=3.0.8)"] +saml = ["python3-saml (>=1.15.0,<2.0.0)"] +socialaccount = ["pyjwt[crypto] (>=1.7)", "requests (>=2.0.0)", "requests-oauthlib (>=0.3.0)"] +steam = ["python3-openid (>=3.0.8)"] + +[[package]] +name = "django-filter" +version = "24.2" +description = "Django-filter is a reusable Django application for allowing users to filter querysets dynamically." +optional = false +python-versions = ">=3.8" +files = [ + {file = "django-filter-24.2.tar.gz", hash = "sha256:48e5fc1da3ccd6ca0d5f9bb550973518ce977a4edde9d2a8a154a7f4f0b9f96e"}, + {file = "django_filter-24.2-py3-none-any.whl", hash = "sha256:df2ee9857e18d38bed203c8745f62a803fa0f31688c9fe6f8e868120b1848e48"}, +] + +[package.dependencies] +Django = ">=4.2" + +[[package]] +name = "django-ipware" +version = "7.0.1" +description = "A Django application to retrieve user's IP address" +optional = false +python-versions = ">=3.8" +files = [ + {file = "django-ipware-7.0.1.tar.gz", hash = "sha256:d9ec43d2bf7cdf216fed8d494a084deb5761a54860a53b2e74346a4f384cff47"}, + {file = "django_ipware-7.0.1-py2.py3-none-any.whl", hash = "sha256:db16bbee920f661ae7f678e4270460c85850f03c6761a4eaeb489bdc91f64709"}, +] + +[package.dependencies] +python-ipware = ">=2.0.3" + +[[package]] +name = "django-rest-knox" +version = "4.2.0" +description = "Authentication for django rest framework" +optional = false +python-versions = ">=3.6" +files = [ + {file = "django-rest-knox-4.2.0.tar.gz", hash = "sha256:4595f1dc23d6e41af7939e5f2d8fdaf6ade0a74a656218e7b56683db5566fcc9"}, + {file = "django_rest_knox-4.2.0-py3-none-any.whl", hash = "sha256:62b8e374a44cd4e9617eaefe27c915b301bf224fa6550633d3013d3f9f415113"}, +] + +[package.dependencies] +cryptography = "*" +django = ">=3.2" +djangorestframework = "*" + +[[package]] +name = "django-structlog" +version = "8.1.0" +description = "Structured Logging for Django" +optional = false +python-versions = ">=3.8" +files = [ + {file = "django_structlog-8.1.0-py3-none-any.whl", hash = "sha256:1072564bd6f36e8d3ba9893e7b31c1c46e94301189fedaecc0fb8a46525a3214"}, + {file = "django_structlog-8.1.0.tar.gz", hash = "sha256:0229b9a2efbd24a4e3500169788e53915c2429521e34e41dd58ccc56039bef3f"}, +] + +[package.dependencies] +asgiref = ">=3.6.0" +django = ">=4.2" +django-ipware = ">=6.0.2" +structlog = ">=21.4.0" + +[package.extras] +celery = ["celery (>=5.1)"] +commands = ["django-extensions (>=1.4.9)"] + +[[package]] +name = "django-stubs" +version = "5.0.2" +description = "Mypy stubs for Django" +optional = false +python-versions = ">=3.8" +files = [ + {file = "django_stubs-5.0.2-py3-none-any.whl", hash = "sha256:cb0c506cb5c54c64612e4a2ee8d6b913c6178560ec168009fe847c09747c304b"}, + {file = "django_stubs-5.0.2.tar.gz", hash = "sha256:236bc5606e5607cb968f92b648471f9edaa461a774bc013bf9e6bff8730f6bdf"}, +] + +[package.dependencies] +asgiref = "*" +django = "*" +django-stubs-ext = ">=5.0.2" +types-PyYAML = "*" +typing-extensions = ">=4.11.0" + +[package.extras] +compatible-mypy = ["mypy (>=1.10.0,<1.11.0)"] +oracle = ["oracledb"] +redis = ["redis"] + +[[package]] +name = "django-stubs-ext" +version = "5.0.4" +description = "Monkey-patching and extensions for django-stubs" +optional = false +python-versions = ">=3.8" +files = [ + {file = "django_stubs_ext-5.0.4-py3-none-any.whl", hash = "sha256:910cbaff3d1e8e806a5c27d5ddd4088535aae8371ea921b7fd680fdfa5f14e30"}, + {file = "django_stubs_ext-5.0.4.tar.gz", hash = "sha256:85da065224204774208be29c7d02b4482d5a69218a728465c2fbe41725fdc819"}, +] + +[package.dependencies] +django = "*" +typing-extensions = "*" + +[[package]] +name = "django-tailwind" +version = "3.8.0" +description = "Tailwind CSS Framework for Django projects" +optional = false +python-versions = ">=3.10.0,<4.0.0" +files = [ + {file = "django_tailwind-3.8.0-py3-none-any.whl", hash = "sha256:fa969c5b95d314b173fe2b2ed2cb2c03f2e2c94fdc2c01ff73a993fa159085da"}, + {file = "django_tailwind-3.8.0.tar.gz", hash = "sha256:31c2f4a7879d685c2de0feaf0b63f246200b37337bea4d7dbafb59bc3f10c008"}, +] + +[package.dependencies] +django = ">=3.2.14" + +[package.extras] +reload = ["django-browser-reload (>=1.12.1,<2.0.0)"] + +[[package]] +name = "djangorestframework" +version = "3.15.2" +description = "Web APIs for Django, made easy." +optional = false +python-versions = ">=3.8" +files = [ + {file = "djangorestframework-3.15.2-py3-none-any.whl", hash = "sha256:2b8871b062ba1aefc2de01f773875441a961fefbf79f5eed1e32b2f096944b20"}, + {file = "djangorestframework-3.15.2.tar.gz", hash = "sha256:36fe88cd2d6c6bec23dca9804bab2ba5517a8bb9d8f47ebc68981b56840107ad"}, +] + +[package.dependencies] +django = ">=4.2" + +[[package]] +name = "drf-spectacular" +version = "0.27.2" +description = "Sane and flexible OpenAPI 3 schema generation for Django REST framework" +optional = false +python-versions = ">=3.7" +files = [ + {file = "drf-spectacular-0.27.2.tar.gz", hash = "sha256:a199492f2163c4101055075ebdbb037d59c6e0030692fc83a1a8c0fc65929981"}, + {file = "drf_spectacular-0.27.2-py3-none-any.whl", hash = "sha256:b1c04bf8b2fbbeaf6f59414b4ea448c8787aba4d32f76055c3b13335cf7ec37b"}, +] + +[package.dependencies] +Django = ">=2.2" +djangorestframework = ">=3.10.3" +inflection = ">=0.3.1" +jsonschema = ">=2.6.0" +PyYAML = ">=5.1" +uritemplate = ">=2.0.0" + +[package.extras] +offline = ["drf-spectacular-sidecar"] +sidecar = ["drf-spectacular-sidecar"] + +[[package]] +name = "filelock" +version = "3.15.4" +description = "A platform independent file lock." +optional = false +python-versions = ">=3.8" +files = [ + {file = "filelock-3.15.4-py3-none-any.whl", hash = "sha256:6ca1fffae96225dab4c6eaf1c4f4f28cd2568d3ec2a44e15a08520504de468e7"}, + {file = "filelock-3.15.4.tar.gz", hash = "sha256:2207938cbc1844345cb01a5a95524dae30f0ce089eba5b00378295a17e3e90cb"}, +] + +[package.extras] +docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] +testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8.0.1)", "pytest (>=7.4.3)", "pytest-asyncio (>=0.21)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)", "virtualenv (>=20.26.2)"] +typing = ["typing-extensions (>=4.8)"] + +[[package]] +name = "fonttools" +version = "4.53.1" +description = "Tools to manipulate font files" +optional = false +python-versions = ">=3.8" +files = [ + {file = "fonttools-4.53.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0679a30b59d74b6242909945429dbddb08496935b82f91ea9bf6ad240ec23397"}, + {file = "fonttools-4.53.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:e8bf06b94694251861ba7fdeea15c8ec0967f84c3d4143ae9daf42bbc7717fe3"}, + {file = "fonttools-4.53.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b96cd370a61f4d083c9c0053bf634279b094308d52fdc2dd9a22d8372fdd590d"}, + {file = "fonttools-4.53.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a1c7c5aa18dd3b17995898b4a9b5929d69ef6ae2af5b96d585ff4005033d82f0"}, + {file = "fonttools-4.53.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:e013aae589c1c12505da64a7d8d023e584987e51e62006e1bb30d72f26522c41"}, + {file = "fonttools-4.53.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:9efd176f874cb6402e607e4cc9b4a9cd584d82fc34a4b0c811970b32ba62501f"}, + {file = "fonttools-4.53.1-cp310-cp310-win32.whl", hash = "sha256:c8696544c964500aa9439efb6761947393b70b17ef4e82d73277413f291260a4"}, + {file = "fonttools-4.53.1-cp310-cp310-win_amd64.whl", hash = "sha256:8959a59de5af6d2bec27489e98ef25a397cfa1774b375d5787509c06659b3671"}, + {file = "fonttools-4.53.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:da33440b1413bad53a8674393c5d29ce64d8c1a15ef8a77c642ffd900d07bfe1"}, + {file = "fonttools-4.53.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5ff7e5e9bad94e3a70c5cd2fa27f20b9bb9385e10cddab567b85ce5d306ea923"}, + {file = "fonttools-4.53.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c6e7170d675d12eac12ad1a981d90f118c06cf680b42a2d74c6c931e54b50719"}, + {file = "fonttools-4.53.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bee32ea8765e859670c4447b0817514ca79054463b6b79784b08a8df3a4d78e3"}, + {file = "fonttools-4.53.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6e08f572625a1ee682115223eabebc4c6a2035a6917eac6f60350aba297ccadb"}, + {file = "fonttools-4.53.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b21952c092ffd827504de7e66b62aba26fdb5f9d1e435c52477e6486e9d128b2"}, + {file = "fonttools-4.53.1-cp311-cp311-win32.whl", hash = "sha256:9dfdae43b7996af46ff9da520998a32b105c7f098aeea06b2226b30e74fbba88"}, + {file = "fonttools-4.53.1-cp311-cp311-win_amd64.whl", hash = "sha256:d4d0096cb1ac7a77b3b41cd78c9b6bc4a400550e21dc7a92f2b5ab53ed74eb02"}, + {file = "fonttools-4.53.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:d92d3c2a1b39631a6131c2fa25b5406855f97969b068e7e08413325bc0afba58"}, + {file = "fonttools-4.53.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:3b3c8ebafbee8d9002bd8f1195d09ed2bd9ff134ddec37ee8f6a6375e6a4f0e8"}, + {file = "fonttools-4.53.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:32f029c095ad66c425b0ee85553d0dc326d45d7059dbc227330fc29b43e8ba60"}, + {file = "fonttools-4.53.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:10f5e6c3510b79ea27bb1ebfcc67048cde9ec67afa87c7dd7efa5c700491ac7f"}, + {file = "fonttools-4.53.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:f677ce218976496a587ab17140da141557beb91d2a5c1a14212c994093f2eae2"}, + {file = "fonttools-4.53.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:9e6ceba2a01b448e36754983d376064730690401da1dd104ddb543519470a15f"}, + {file = "fonttools-4.53.1-cp312-cp312-win32.whl", hash = "sha256:791b31ebbc05197d7aa096bbc7bd76d591f05905d2fd908bf103af4488e60670"}, + {file = "fonttools-4.53.1-cp312-cp312-win_amd64.whl", hash = "sha256:6ed170b5e17da0264b9f6fae86073be3db15fa1bd74061c8331022bca6d09bab"}, + {file = "fonttools-4.53.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:c818c058404eb2bba05e728d38049438afd649e3c409796723dfc17cd3f08749"}, + {file = "fonttools-4.53.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:651390c3b26b0c7d1f4407cad281ee7a5a85a31a110cbac5269de72a51551ba2"}, + {file = "fonttools-4.53.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e54f1bba2f655924c1138bbc7fa91abd61f45c68bd65ab5ed985942712864bbb"}, + {file = "fonttools-4.53.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c9cd19cf4fe0595ebdd1d4915882b9440c3a6d30b008f3cc7587c1da7b95be5f"}, + {file = "fonttools-4.53.1-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:2af40ae9cdcb204fc1d8f26b190aa16534fcd4f0df756268df674a270eab575d"}, + {file = "fonttools-4.53.1-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:35250099b0cfb32d799fb5d6c651220a642fe2e3c7d2560490e6f1d3f9ae9169"}, + {file = "fonttools-4.53.1-cp38-cp38-win32.whl", hash = "sha256:f08df60fbd8d289152079a65da4e66a447efc1d5d5a4d3f299cdd39e3b2e4a7d"}, + {file = "fonttools-4.53.1-cp38-cp38-win_amd64.whl", hash = "sha256:7b6b35e52ddc8fb0db562133894e6ef5b4e54e1283dff606fda3eed938c36fc8"}, + {file = "fonttools-4.53.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:75a157d8d26c06e64ace9df037ee93a4938a4606a38cb7ffaf6635e60e253b7a"}, + {file = "fonttools-4.53.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4824c198f714ab5559c5be10fd1adf876712aa7989882a4ec887bf1ef3e00e31"}, + {file = "fonttools-4.53.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:becc5d7cb89c7b7afa8321b6bb3dbee0eec2b57855c90b3e9bf5fb816671fa7c"}, + {file = "fonttools-4.53.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:84ec3fb43befb54be490147b4a922b5314e16372a643004f182babee9f9c3407"}, + {file = "fonttools-4.53.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:73379d3ffdeecb376640cd8ed03e9d2d0e568c9d1a4e9b16504a834ebadc2dfb"}, + {file = "fonttools-4.53.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:02569e9a810f9d11f4ae82c391ebc6fb5730d95a0657d24d754ed7763fb2d122"}, + {file = "fonttools-4.53.1-cp39-cp39-win32.whl", hash = "sha256:aae7bd54187e8bf7fd69f8ab87b2885253d3575163ad4d669a262fe97f0136cb"}, + {file = "fonttools-4.53.1-cp39-cp39-win_amd64.whl", hash = "sha256:e5b708073ea3d684235648786f5f6153a48dc8762cdfe5563c57e80787c29fbb"}, + {file = "fonttools-4.53.1-py3-none-any.whl", hash = "sha256:f1f8758a2ad110bd6432203a344269f445a2907dc24ef6bccfd0ac4e14e0d71d"}, + {file = "fonttools-4.53.1.tar.gz", hash = "sha256:e128778a8e9bc11159ce5447f76766cefbd876f44bd79aff030287254e4752c4"}, +] + +[package.dependencies] +brotli = {version = ">=1.0.1", optional = true, markers = "platform_python_implementation == \"CPython\" and extra == \"woff\""} +brotlicffi = {version = ">=0.8.0", optional = true, markers = "platform_python_implementation != \"CPython\" and extra == \"woff\""} +zopfli = {version = ">=0.1.4", optional = true, markers = "extra == \"woff\""} + +[package.extras] +all = ["brotli (>=1.0.1)", "brotlicffi (>=0.8.0)", "fs (>=2.2.0,<3)", "lxml (>=4.0)", "lz4 (>=1.7.4.2)", "matplotlib", "munkres", "pycairo", "scipy", "skia-pathops (>=0.5.0)", "sympy", "uharfbuzz (>=0.23.0)", "unicodedata2 (>=15.1.0)", "xattr", "zopfli (>=0.1.4)"] +graphite = ["lz4 (>=1.7.4.2)"] +interpolatable = ["munkres", "pycairo", "scipy"] +lxml = ["lxml (>=4.0)"] +pathops = ["skia-pathops (>=0.5.0)"] +plot = ["matplotlib"] +repacker = ["uharfbuzz (>=0.23.0)"] +symfont = ["sympy"] +type1 = ["xattr"] +ufo = ["fs (>=2.2.0,<3)"] +unicode = ["unicodedata2 (>=15.1.0)"] +woff = ["brotli (>=1.0.1)", "brotlicffi (>=0.8.0)", "zopfli (>=0.1.4)"] + +[[package]] +name = "gunicorn" +version = "22.0.0" +description = "WSGI HTTP Server for UNIX" +optional = false +python-versions = ">=3.7" +files = [ + {file = "gunicorn-22.0.0-py3-none-any.whl", hash = "sha256:350679f91b24062c86e386e198a15438d53a7a8207235a78ba1b53df4c4378d9"}, + {file = "gunicorn-22.0.0.tar.gz", hash = "sha256:4a0b436239ff76fb33f11c07a16482c521a7e09c1ce3cc293c2330afe01bec63"}, +] + +[package.dependencies] +packaging = "*" + +[package.extras] +eventlet = ["eventlet (>=0.24.1,!=0.36.0)"] +gevent = ["gevent (>=1.4.0)"] +setproctitle = ["setproctitle"] +testing = ["coverage", "eventlet", "gevent", "pytest", "pytest-cov"] +tornado = ["tornado (>=0.2)"] + +[[package]] +name = "html5lib" +version = "1.1" +description = "HTML parser based on the WHATWG HTML specification" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +files = [ + {file = "html5lib-1.1-py2.py3-none-any.whl", hash = "sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d"}, + {file = "html5lib-1.1.tar.gz", hash = "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f"}, +] + +[package.dependencies] +six = ">=1.9" +webencodings = "*" + +[package.extras] +all = ["chardet (>=2.2)", "genshi", "lxml"] +chardet = ["chardet (>=2.2)"] +genshi = ["genshi"] +lxml = ["lxml"] + +[[package]] +name = "identify" +version = "2.6.0" +description = "File identification library for Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "identify-2.6.0-py2.py3-none-any.whl", hash = "sha256:e79ae4406387a9d300332b5fd366d8994f1525e8414984e1a59e058b2eda2dd0"}, + {file = "identify-2.6.0.tar.gz", hash = "sha256:cb171c685bdc31bcc4c1734698736a7d5b6c8bf2e0c15117f4d469c8640ae5cf"}, +] + +[package.extras] +license = ["ukkonen"] + +[[package]] +name = "idna" +version = "3.7" +description = "Internationalized Domain Names in Applications (IDNA)" +optional = false +python-versions = ">=3.5" +files = [ + {file = "idna-3.7-py3-none-any.whl", hash = "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0"}, + {file = "idna-3.7.tar.gz", hash = "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc"}, +] + +[[package]] +name = "inflection" +version = "0.5.1" +description = "A port of Ruby on Rails inflector to Python" +optional = false +python-versions = ">=3.5" +files = [ + {file = "inflection-0.5.1-py2.py3-none-any.whl", hash = "sha256:f38b2b640938a4f35ade69ac3d053042959b62a0f1076a5bbaa1b9526605a8a2"}, + {file = "inflection-0.5.1.tar.gz", hash = "sha256:1a29730d366e996aaacffb2f1f1cb9593dc38e2ddd30c91250c6dde09ea9b417"}, +] + +[[package]] +name = "iniconfig" +version = "2.0.0" +description = "brain-dead simple config-ini parsing" +optional = false +python-versions = ">=3.7" +files = [ + {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, + {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, +] + +[[package]] +name = "isodate" +version = "0.6.1" +description = "An ISO 8601 date/time/duration parser and formatter" +optional = false +python-versions = "*" +files = [ + {file = "isodate-0.6.1-py2.py3-none-any.whl", hash = "sha256:0751eece944162659049d35f4f549ed815792b38793f07cf73381c1c87cbed96"}, + {file = "isodate-0.6.1.tar.gz", hash = "sha256:48c5881de7e8b0a0d648cb024c8062dc84e7b840ed81e864c7614fd3c127bde9"}, +] + +[package.dependencies] +six = "*" + +[[package]] +name = "jinja2" +version = "3.1.4" +description = "A very fast and expressive template engine." +optional = false +python-versions = ">=3.7" +files = [ + {file = "jinja2-3.1.4-py3-none-any.whl", hash = "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d"}, + {file = "jinja2-3.1.4.tar.gz", hash = "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369"}, +] + +[package.dependencies] +MarkupSafe = ">=2.0" + +[package.extras] +i18n = ["Babel (>=2.7)"] + +[[package]] +name = "jsonschema" +version = "4.23.0" +description = "An implementation of JSON Schema validation for Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "jsonschema-4.23.0-py3-none-any.whl", hash = "sha256:fbadb6f8b144a8f8cf9f0b89ba94501d143e50411a1278633f56a7acf7fd5566"}, + {file = "jsonschema-4.23.0.tar.gz", hash = "sha256:d71497fef26351a33265337fa77ffeb82423f3ea21283cd9467bb03999266bc4"}, +] + +[package.dependencies] +attrs = ">=22.2.0" +jsonschema-specifications = ">=2023.03.6" +referencing = ">=0.28.4" +rpds-py = ">=0.7.1" + +[package.extras] +format = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-validator", "rfc3987", "uri-template", "webcolors (>=1.11)"] +format-nongpl = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-validator", "rfc3986-validator (>0.1.0)", "uri-template", "webcolors (>=24.6.0)"] + +[[package]] +name = "jsonschema-specifications" +version = "2023.12.1" +description = "The JSON Schema meta-schemas and vocabularies, exposed as a Registry" +optional = false +python-versions = ">=3.8" +files = [ + {file = "jsonschema_specifications-2023.12.1-py3-none-any.whl", hash = "sha256:87e4fdf3a94858b8a2ba2778d9ba57d8a9cafca7c7489c46ba0d30a8bc6a9c3c"}, + {file = "jsonschema_specifications-2023.12.1.tar.gz", hash = "sha256:48a76787b3e70f5ed53f1160d2b81f586e4ca6d1548c5de7085d1682674764cc"}, +] + +[package.dependencies] +referencing = ">=0.31.0" + +[[package]] +name = "lxml" +version = "5.3.0" +description = "Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API." +optional = false +python-versions = ">=3.6" +files = [ + {file = "lxml-5.3.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:dd36439be765e2dde7660212b5275641edbc813e7b24668831a5c8ac91180656"}, + {file = "lxml-5.3.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:ae5fe5c4b525aa82b8076c1a59d642c17b6e8739ecf852522c6321852178119d"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:501d0d7e26b4d261fca8132854d845e4988097611ba2531408ec91cf3fd9d20a"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb66442c2546446944437df74379e9cf9e9db353e61301d1a0e26482f43f0dd8"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9e41506fec7a7f9405b14aa2d5c8abbb4dbbd09d88f9496958b6d00cb4d45330"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f7d4a670107d75dfe5ad080bed6c341d18c4442f9378c9f58e5851e86eb79965"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:41ce1f1e2c7755abfc7e759dc34d7d05fd221723ff822947132dc934d122fe22"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_28_aarch64.whl", hash = "sha256:44264ecae91b30e5633013fb66f6ddd05c006d3e0e884f75ce0b4755b3e3847b"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_28_ppc64le.whl", hash = "sha256:3c174dc350d3ec52deb77f2faf05c439331d6ed5e702fc247ccb4e6b62d884b7"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_28_s390x.whl", hash = "sha256:2dfab5fa6a28a0b60a20638dc48e6343c02ea9933e3279ccb132f555a62323d8"}, + {file = "lxml-5.3.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:b1c8c20847b9f34e98080da785bb2336ea982e7f913eed5809e5a3c872900f32"}, + {file = "lxml-5.3.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:2c86bf781b12ba417f64f3422cfc302523ac9cd1d8ae8c0f92a1c66e56ef2e86"}, + {file = "lxml-5.3.0-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:c162b216070f280fa7da844531169be0baf9ccb17263cf5a8bf876fcd3117fa5"}, + {file = "lxml-5.3.0-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:36aef61a1678cb778097b4a6eeae96a69875d51d1e8f4d4b491ab3cfb54b5a03"}, + {file = "lxml-5.3.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:f65e5120863c2b266dbcc927b306c5b78e502c71edf3295dfcb9501ec96e5fc7"}, + {file = "lxml-5.3.0-cp310-cp310-win32.whl", hash = "sha256:ef0c1fe22171dd7c7c27147f2e9c3e86f8bdf473fed75f16b0c2e84a5030ce80"}, + {file = "lxml-5.3.0-cp310-cp310-win_amd64.whl", hash = "sha256:052d99051e77a4f3e8482c65014cf6372e61b0a6f4fe9edb98503bb5364cfee3"}, + {file = "lxml-5.3.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:74bcb423462233bc5d6066e4e98b0264e7c1bed7541fff2f4e34fe6b21563c8b"}, + {file = "lxml-5.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a3d819eb6f9b8677f57f9664265d0a10dd6551d227afb4af2b9cd7bdc2ccbf18"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5b8f5db71b28b8c404956ddf79575ea77aa8b1538e8b2ef9ec877945b3f46442"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2c3406b63232fc7e9b8783ab0b765d7c59e7c59ff96759d8ef9632fca27c7ee4"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2ecdd78ab768f844c7a1d4a03595038c166b609f6395e25af9b0f3f26ae1230f"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:168f2dfcfdedf611eb285efac1516c8454c8c99caf271dccda8943576b67552e"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:aa617107a410245b8660028a7483b68e7914304a6d4882b5ff3d2d3eb5948d8c"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_28_aarch64.whl", hash = "sha256:69959bd3167b993e6e710b99051265654133a98f20cec1d9b493b931942e9c16"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_28_ppc64le.whl", hash = "sha256:bd96517ef76c8654446fc3db9242d019a1bb5fe8b751ba414765d59f99210b79"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_28_s390x.whl", hash = "sha256:ab6dd83b970dc97c2d10bc71aa925b84788c7c05de30241b9e96f9b6d9ea3080"}, + {file = "lxml-5.3.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:eec1bb8cdbba2925bedc887bc0609a80e599c75b12d87ae42ac23fd199445654"}, + {file = "lxml-5.3.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:6a7095eeec6f89111d03dabfe5883a1fd54da319c94e0fb104ee8f23616b572d"}, + {file = "lxml-5.3.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:6f651ebd0b21ec65dfca93aa629610a0dbc13dbc13554f19b0113da2e61a4763"}, + {file = "lxml-5.3.0-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:f422a209d2455c56849442ae42f25dbaaba1c6c3f501d58761c619c7836642ec"}, + {file = "lxml-5.3.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:62f7fdb0d1ed2065451f086519865b4c90aa19aed51081979ecd05a21eb4d1be"}, + {file = "lxml-5.3.0-cp311-cp311-win32.whl", hash = "sha256:c6379f35350b655fd817cd0d6cbeef7f265f3ae5fedb1caae2eb442bbeae9ab9"}, + {file = "lxml-5.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:9c52100e2c2dbb0649b90467935c4b0de5528833c76a35ea1a2691ec9f1ee7a1"}, + {file = "lxml-5.3.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:e99f5507401436fdcc85036a2e7dc2e28d962550afe1cbfc07c40e454256a859"}, + {file = "lxml-5.3.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:384aacddf2e5813a36495233b64cb96b1949da72bef933918ba5c84e06af8f0e"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:874a216bf6afaf97c263b56371434e47e2c652d215788396f60477540298218f"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:65ab5685d56914b9a2a34d67dd5488b83213d680b0c5d10b47f81da5a16b0b0e"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:aac0bbd3e8dd2d9c45ceb82249e8bdd3ac99131a32b4d35c8af3cc9db1657179"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b369d3db3c22ed14c75ccd5af429086f166a19627e84a8fdade3f8f31426e52a"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c24037349665434f375645fa9d1f5304800cec574d0310f618490c871fd902b3"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:62d172f358f33a26d6b41b28c170c63886742f5b6772a42b59b4f0fa10526cb1"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_28_ppc64le.whl", hash = "sha256:c1f794c02903c2824fccce5b20c339a1a14b114e83b306ff11b597c5f71a1c8d"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_28_s390x.whl", hash = "sha256:5d6a6972b93c426ace71e0be9a6f4b2cfae9b1baed2eed2006076a746692288c"}, + {file = "lxml-5.3.0-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:3879cc6ce938ff4eb4900d901ed63555c778731a96365e53fadb36437a131a99"}, + {file = "lxml-5.3.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:74068c601baff6ff021c70f0935b0c7bc528baa8ea210c202e03757c68c5a4ff"}, + {file = "lxml-5.3.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:ecd4ad8453ac17bc7ba3868371bffb46f628161ad0eefbd0a855d2c8c32dd81a"}, + {file = "lxml-5.3.0-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:7e2f58095acc211eb9d8b5771bf04df9ff37d6b87618d1cbf85f92399c98dae8"}, + {file = "lxml-5.3.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e63601ad5cd8f860aa99d109889b5ac34de571c7ee902d6812d5d9ddcc77fa7d"}, + {file = "lxml-5.3.0-cp312-cp312-win32.whl", hash = "sha256:17e8d968d04a37c50ad9c456a286b525d78c4a1c15dd53aa46c1d8e06bf6fa30"}, + {file = "lxml-5.3.0-cp312-cp312-win_amd64.whl", hash = "sha256:c1a69e58a6bb2de65902051d57fde951febad631a20a64572677a1052690482f"}, + {file = "lxml-5.3.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:8c72e9563347c7395910de6a3100a4840a75a6f60e05af5e58566868d5eb2d6a"}, + {file = "lxml-5.3.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:e92ce66cd919d18d14b3856906a61d3f6b6a8500e0794142338da644260595cd"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1d04f064bebdfef9240478f7a779e8c5dc32b8b7b0b2fc6a62e39b928d428e51"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5c2fb570d7823c2bbaf8b419ba6e5662137f8166e364a8b2b91051a1fb40ab8b"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0c120f43553ec759f8de1fee2f4794452b0946773299d44c36bfe18e83caf002"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:562e7494778a69086f0312ec9689f6b6ac1c6b65670ed7d0267e49f57ffa08c4"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:423b121f7e6fa514ba0c7918e56955a1d4470ed35faa03e3d9f0e3baa4c7e492"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_28_aarch64.whl", hash = "sha256:c00f323cc00576df6165cc9d21a4c21285fa6b9989c5c39830c3903dc4303ef3"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_28_ppc64le.whl", hash = "sha256:1fdc9fae8dd4c763e8a31e7630afef517eab9f5d5d31a278df087f307bf601f4"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_28_s390x.whl", hash = "sha256:658f2aa69d31e09699705949b5fc4719cbecbd4a97f9656a232e7d6c7be1a367"}, + {file = "lxml-5.3.0-cp313-cp313-manylinux_2_28_x86_64.whl", hash = "sha256:1473427aff3d66a3fa2199004c3e601e6c4500ab86696edffdbc84954c72d832"}, + {file = "lxml-5.3.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:a87de7dd873bf9a792bf1e58b1c3887b9264036629a5bf2d2e6579fe8e73edff"}, + {file = "lxml-5.3.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:0d7b36afa46c97875303a94e8f3ad932bf78bace9e18e603f2085b652422edcd"}, + {file = "lxml-5.3.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:cf120cce539453ae086eacc0130a324e7026113510efa83ab42ef3fcfccac7fb"}, + {file = "lxml-5.3.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:df5c7333167b9674aa8ae1d4008fa4bc17a313cc490b2cca27838bbdcc6bb15b"}, + {file = "lxml-5.3.0-cp313-cp313-win32.whl", hash = "sha256:c802e1c2ed9f0c06a65bc4ed0189d000ada8049312cfeab6ca635e39c9608957"}, + {file = "lxml-5.3.0-cp313-cp313-win_amd64.whl", hash = "sha256:406246b96d552e0503e17a1006fd27edac678b3fcc9f1be71a2f94b4ff61528d"}, + {file = "lxml-5.3.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:8f0de2d390af441fe8b2c12626d103540b5d850d585b18fcada58d972b74a74e"}, + {file = "lxml-5.3.0-cp36-cp36m-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1afe0a8c353746e610bd9031a630a95bcfb1a720684c3f2b36c4710a0a96528f"}, + {file = "lxml-5.3.0-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:56b9861a71575f5795bde89256e7467ece3d339c9b43141dbdd54544566b3b94"}, + {file = "lxml-5.3.0-cp36-cp36m-manylinux_2_28_x86_64.whl", hash = "sha256:9fb81d2824dff4f2e297a276297e9031f46d2682cafc484f49de182aa5e5df99"}, + {file = "lxml-5.3.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:2c226a06ecb8cdef28845ae976da407917542c5e6e75dcac7cc33eb04aaeb237"}, + {file = "lxml-5.3.0-cp36-cp36m-musllinux_1_2_x86_64.whl", hash = "sha256:7d3d1ca42870cdb6d0d29939630dbe48fa511c203724820fc0fd507b2fb46577"}, + {file = "lxml-5.3.0-cp36-cp36m-win32.whl", hash = "sha256:094cb601ba9f55296774c2d57ad68730daa0b13dc260e1f941b4d13678239e70"}, + {file = "lxml-5.3.0-cp36-cp36m-win_amd64.whl", hash = "sha256:eafa2c8658f4e560b098fe9fc54539f86528651f61849b22111a9b107d18910c"}, + {file = "lxml-5.3.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:cb83f8a875b3d9b458cada4f880fa498646874ba4011dc974e071a0a84a1b033"}, + {file = "lxml-5.3.0-cp37-cp37m-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:25f1b69d41656b05885aa185f5fdf822cb01a586d1b32739633679699f220391"}, + {file = "lxml-5.3.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:23e0553b8055600b3bf4a00b255ec5c92e1e4aebf8c2c09334f8368e8bd174d6"}, + {file = "lxml-5.3.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9ada35dd21dc6c039259596b358caab6b13f4db4d4a7f8665764d616daf9cc1d"}, + {file = "lxml-5.3.0-cp37-cp37m-manylinux_2_28_aarch64.whl", hash = "sha256:81b4e48da4c69313192d8c8d4311e5d818b8be1afe68ee20f6385d0e96fc9512"}, + {file = "lxml-5.3.0-cp37-cp37m-manylinux_2_28_x86_64.whl", hash = "sha256:2bc9fd5ca4729af796f9f59cd8ff160fe06a474da40aca03fcc79655ddee1a8b"}, + {file = "lxml-5.3.0-cp37-cp37m-musllinux_1_2_aarch64.whl", hash = "sha256:07da23d7ee08577760f0a71d67a861019103e4812c87e2fab26b039054594cc5"}, + {file = "lxml-5.3.0-cp37-cp37m-musllinux_1_2_x86_64.whl", hash = "sha256:ea2e2f6f801696ad7de8aec061044d6c8c0dd4037608c7cab38a9a4d316bfb11"}, + {file = "lxml-5.3.0-cp37-cp37m-win32.whl", hash = "sha256:5c54afdcbb0182d06836cc3d1be921e540be3ebdf8b8a51ee3ef987537455f84"}, + {file = "lxml-5.3.0-cp37-cp37m-win_amd64.whl", hash = "sha256:f2901429da1e645ce548bf9171784c0f74f0718c3f6150ce166be39e4dd66c3e"}, + {file = "lxml-5.3.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c56a1d43b2f9ee4786e4658c7903f05da35b923fb53c11025712562d5cc02753"}, + {file = "lxml-5.3.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ee8c39582d2652dcd516d1b879451500f8db3fe3607ce45d7c5957ab2596040"}, + {file = "lxml-5.3.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0fdf3a3059611f7585a78ee10399a15566356116a4288380921a4b598d807a22"}, + {file = "lxml-5.3.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:146173654d79eb1fc97498b4280c1d3e1e5d58c398fa530905c9ea50ea849b22"}, + {file = "lxml-5.3.0-cp38-cp38-manylinux_2_28_aarch64.whl", hash = "sha256:0a7056921edbdd7560746f4221dca89bb7a3fe457d3d74267995253f46343f15"}, + {file = "lxml-5.3.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:9e4b47ac0f5e749cfc618efdf4726269441014ae1d5583e047b452a32e221920"}, + {file = "lxml-5.3.0-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:f914c03e6a31deb632e2daa881fe198461f4d06e57ac3d0e05bbcab8eae01945"}, + {file = "lxml-5.3.0-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:213261f168c5e1d9b7535a67e68b1f59f92398dd17a56d934550837143f79c42"}, + {file = "lxml-5.3.0-cp38-cp38-win32.whl", hash = "sha256:218c1b2e17a710e363855594230f44060e2025b05c80d1f0661258142b2add2e"}, + {file = "lxml-5.3.0-cp38-cp38-win_amd64.whl", hash = "sha256:315f9542011b2c4e1d280e4a20ddcca1761993dda3afc7a73b01235f8641e903"}, + {file = "lxml-5.3.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:1ffc23010330c2ab67fac02781df60998ca8fe759e8efde6f8b756a20599c5de"}, + {file = "lxml-5.3.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:2b3778cb38212f52fac9fe913017deea2fdf4eb1a4f8e4cfc6b009a13a6d3fcc"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4b0c7a688944891086ba192e21c5229dea54382f4836a209ff8d0a660fac06be"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:747a3d3e98e24597981ca0be0fd922aebd471fa99d0043a3842d00cdcad7ad6a"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:86a6b24b19eaebc448dc56b87c4865527855145d851f9fc3891673ff97950540"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b11a5d918a6216e521c715b02749240fb07ae5a1fefd4b7bf12f833bc8b4fe70"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68b87753c784d6acb8a25b05cb526c3406913c9d988d51f80adecc2b0775d6aa"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_28_aarch64.whl", hash = "sha256:109fa6fede314cc50eed29e6e56c540075e63d922455346f11e4d7a036d2b8cf"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_28_ppc64le.whl", hash = "sha256:02ced472497b8362c8e902ade23e3300479f4f43e45f4105c85ef43b8db85229"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_28_s390x.whl", hash = "sha256:6b038cc86b285e4f9fea2ba5ee76e89f21ed1ea898e287dc277a25884f3a7dfe"}, + {file = "lxml-5.3.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:7437237c6a66b7ca341e868cda48be24b8701862757426852c9b3186de1da8a2"}, + {file = "lxml-5.3.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:7f41026c1d64043a36fda21d64c5026762d53a77043e73e94b71f0521939cc71"}, + {file = "lxml-5.3.0-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:482c2f67761868f0108b1743098640fbb2a28a8e15bf3f47ada9fa59d9fe08c3"}, + {file = "lxml-5.3.0-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:1483fd3358963cc5c1c9b122c80606a3a79ee0875bcac0204149fa09d6ff2727"}, + {file = "lxml-5.3.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:2dec2d1130a9cda5b904696cec33b2cfb451304ba9081eeda7f90f724097300a"}, + {file = "lxml-5.3.0-cp39-cp39-win32.whl", hash = "sha256:a0eabd0a81625049c5df745209dc7fcef6e2aea7793e5f003ba363610aa0a3ff"}, + {file = "lxml-5.3.0-cp39-cp39-win_amd64.whl", hash = "sha256:89e043f1d9d341c52bf2af6d02e6adde62e0a46e6755d5eb60dc6e4f0b8aeca2"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:7b1cd427cb0d5f7393c31b7496419da594fe600e6fdc4b105a54f82405e6626c"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:51806cfe0279e06ed8500ce19479d757db42a30fd509940b1701be9c86a5ff9a"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ee70d08fd60c9565ba8190f41a46a54096afa0eeb8f76bd66f2c25d3b1b83005"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:8dc2c0395bea8254d8daebc76dcf8eb3a95ec2a46fa6fae5eaccee366bfe02ce"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:6ba0d3dcac281aad8a0e5b14c7ed6f9fa89c8612b47939fc94f80b16e2e9bc83"}, + {file = "lxml-5.3.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:6e91cf736959057f7aac7adfc83481e03615a8e8dd5758aa1d95ea69e8931dba"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-macosx_10_9_x86_64.whl", hash = "sha256:94d6c3782907b5e40e21cadf94b13b0842ac421192f26b84c45f13f3c9d5dc27"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c300306673aa0f3ed5ed9372b21867690a17dba38c68c44b287437c362ce486b"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:78d9b952e07aed35fe2e1a7ad26e929595412db48535921c5013edc8aa4a35ce"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:01220dca0d066d1349bd6a1726856a78f7929f3878f7e2ee83c296c69495309e"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:2d9b8d9177afaef80c53c0a9e30fa252ff3036fb1c6494d427c066a4ce6a282f"}, + {file = "lxml-5.3.0-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:20094fc3f21ea0a8669dc4c61ed7fa8263bd37d97d93b90f28fc613371e7a875"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ace2c2326a319a0bb8a8b0e5b570c764962e95818de9f259ce814ee666603f19"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:92e67a0be1639c251d21e35fe74df6bcc40cba445c2cda7c4a967656733249e2"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dd5350b55f9fecddc51385463a4f67a5da829bc741e38cf689f38ec9023f54ab"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:4c1fefd7e3d00921c44dc9ca80a775af49698bbfd92ea84498e56acffd4c5469"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:71a8dd38fbd2f2319136d4ae855a7078c69c9a38ae06e0c17c73fd70fc6caad8"}, + {file = "lxml-5.3.0-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:97acf1e1fd66ab53dacd2c35b319d7e548380c2e9e8c54525c6e76d21b1ae3b1"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:68934b242c51eb02907c5b81d138cb977b2129a0a75a8f8b60b01cb8586c7b21"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b710bc2b8292966b23a6a0121f7a6c51d45d2347edcc75f016ac123b8054d3f2"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:18feb4b93302091b1541221196a2155aa296c363fd233814fa11e181adebc52f"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:3eb44520c4724c2e1a57c0af33a379eee41792595023f367ba3952a2d96c2aab"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:609251a0ca4770e5a8768ff902aa02bf636339c5a93f9349b48eb1f606f7f3e9"}, + {file = "lxml-5.3.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:516f491c834eb320d6c843156440fe7fc0d50b33e44387fcec5b02f0bc118a4c"}, + {file = "lxml-5.3.0.tar.gz", hash = "sha256:4e109ca30d1edec1ac60cdbe341905dc3b8f55b16855e03a54aaf59e51ec8c6f"}, +] + +[package.extras] +cssselect = ["cssselect (>=0.7)"] +html-clean = ["lxml-html-clean"] +html5 = ["html5lib"] +htmlsoup = ["BeautifulSoup4"] +source = ["Cython (>=3.0.11)"] + +[[package]] +name = "markupsafe" +version = "2.1.5" +description = "Safely add untrusted strings to HTML/XML markup." +optional = false +python-versions = ">=3.7" +files = [ + {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-win32.whl", hash = "sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4"}, + {file = "MarkupSafe-2.1.5-cp310-cp310-win_amd64.whl", hash = "sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-win32.whl", hash = "sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906"}, + {file = "MarkupSafe-2.1.5-cp311-cp311-win_amd64.whl", hash = "sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-win32.whl", hash = "sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad"}, + {file = "MarkupSafe-2.1.5-cp312-cp312-win_amd64.whl", hash = "sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-win32.whl", hash = "sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371"}, + {file = "MarkupSafe-2.1.5-cp37-cp37m-win_amd64.whl", hash = "sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-win32.whl", hash = "sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff"}, + {file = "MarkupSafe-2.1.5-cp38-cp38-win_amd64.whl", hash = "sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-win32.whl", hash = "sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf"}, + {file = "MarkupSafe-2.1.5-cp39-cp39-win_amd64.whl", hash = "sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5"}, + {file = "MarkupSafe-2.1.5.tar.gz", hash = "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b"}, +] + +[[package]] +name = "nodeenv" +version = "1.9.1" +description = "Node.js virtual environment builder" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +files = [ + {file = "nodeenv-1.9.1-py2.py3-none-any.whl", hash = "sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9"}, + {file = "nodeenv-1.9.1.tar.gz", hash = "sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f"}, +] + +[[package]] +name = "packaging" +version = "24.1" +description = "Core utilities for Python packages" +optional = false +python-versions = ">=3.8" +files = [ + {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"}, + {file = "packaging-24.1.tar.gz", hash = "sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"}, +] + +[[package]] +name = "pillow" +version = "10.4.0" +description = "Python Imaging Library (Fork)" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pillow-10.4.0-cp310-cp310-macosx_10_10_x86_64.whl", hash = "sha256:4d9667937cfa347525b319ae34375c37b9ee6b525440f3ef48542fcf66f2731e"}, + {file = "pillow-10.4.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:543f3dc61c18dafb755773efc89aae60d06b6596a63914107f75459cf984164d"}, + {file = "pillow-10.4.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7928ecbf1ece13956b95d9cbcfc77137652b02763ba384d9ab508099a2eca856"}, + {file = "pillow-10.4.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e4d49b85c4348ea0b31ea63bc75a9f3857869174e2bf17e7aba02945cd218e6f"}, + {file = "pillow-10.4.0-cp310-cp310-manylinux_2_28_aarch64.whl", hash = "sha256:6c762a5b0997f5659a5ef2266abc1d8851ad7749ad9a6a5506eb23d314e4f46b"}, + {file = "pillow-10.4.0-cp310-cp310-manylinux_2_28_x86_64.whl", hash = "sha256:a985e028fc183bf12a77a8bbf36318db4238a3ded7fa9df1b9a133f1cb79f8fc"}, + {file = "pillow-10.4.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:812f7342b0eee081eaec84d91423d1b4650bb9828eb53d8511bcef8ce5aecf1e"}, + {file = "pillow-10.4.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ac1452d2fbe4978c2eec89fb5a23b8387aba707ac72810d9490118817d9c0b46"}, + {file = "pillow-10.4.0-cp310-cp310-win32.whl", hash = "sha256:bcd5e41a859bf2e84fdc42f4edb7d9aba0a13d29a2abadccafad99de3feff984"}, + {file = "pillow-10.4.0-cp310-cp310-win_amd64.whl", hash = "sha256:ecd85a8d3e79cd7158dec1c9e5808e821feea088e2f69a974db5edf84dc53141"}, + {file = "pillow-10.4.0-cp310-cp310-win_arm64.whl", hash = "sha256:ff337c552345e95702c5fde3158acb0625111017d0e5f24bf3acdb9cc16b90d1"}, + {file = "pillow-10.4.0-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:0a9ec697746f268507404647e531e92889890a087e03681a3606d9b920fbee3c"}, + {file = "pillow-10.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dfe91cb65544a1321e631e696759491ae04a2ea11d36715eca01ce07284738be"}, + {file = "pillow-10.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5dc6761a6efc781e6a1544206f22c80c3af4c8cf461206d46a1e6006e4429ff3"}, + {file = "pillow-10.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5e84b6cc6a4a3d76c153a6b19270b3526a5a8ed6b09501d3af891daa2a9de7d6"}, + {file = "pillow-10.4.0-cp311-cp311-manylinux_2_28_aarch64.whl", hash = "sha256:bbc527b519bd3aa9d7f429d152fea69f9ad37c95f0b02aebddff592688998abe"}, + {file = "pillow-10.4.0-cp311-cp311-manylinux_2_28_x86_64.whl", hash = "sha256:76a911dfe51a36041f2e756b00f96ed84677cdeb75d25c767f296c1c1eda1319"}, + {file = "pillow-10.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:59291fb29317122398786c2d44427bbd1a6d7ff54017075b22be9d21aa59bd8d"}, + {file = "pillow-10.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:416d3a5d0e8cfe4f27f574362435bc9bae57f679a7158e0096ad2beb427b8696"}, + {file = "pillow-10.4.0-cp311-cp311-win32.whl", hash = "sha256:7086cc1d5eebb91ad24ded9f58bec6c688e9f0ed7eb3dbbf1e4800280a896496"}, + {file = "pillow-10.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:cbed61494057c0f83b83eb3a310f0bf774b09513307c434d4366ed64f4128a91"}, + {file = "pillow-10.4.0-cp311-cp311-win_arm64.whl", hash = "sha256:f5f0c3e969c8f12dd2bb7e0b15d5c468b51e5017e01e2e867335c81903046a22"}, + {file = "pillow-10.4.0-cp312-cp312-macosx_10_10_x86_64.whl", hash = "sha256:673655af3eadf4df6b5457033f086e90299fdd7a47983a13827acf7459c15d94"}, + {file = "pillow-10.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:866b6942a92f56300012f5fbac71f2d610312ee65e22f1aa2609e491284e5597"}, + {file = "pillow-10.4.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:29dbdc4207642ea6aad70fbde1a9338753d33fb23ed6956e706936706f52dd80"}, + {file = "pillow-10.4.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf2342ac639c4cf38799a44950bbc2dfcb685f052b9e262f446482afaf4bffca"}, + {file = "pillow-10.4.0-cp312-cp312-manylinux_2_28_aarch64.whl", hash = "sha256:f5b92f4d70791b4a67157321c4e8225d60b119c5cc9aee8ecf153aace4aad4ef"}, + {file = "pillow-10.4.0-cp312-cp312-manylinux_2_28_x86_64.whl", hash = "sha256:86dcb5a1eb778d8b25659d5e4341269e8590ad6b4e8b44d9f4b07f8d136c414a"}, + {file = "pillow-10.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:780c072c2e11c9b2c7ca37f9a2ee8ba66f44367ac3e5c7832afcfe5104fd6d1b"}, + {file = "pillow-10.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:37fb69d905be665f68f28a8bba3c6d3223c8efe1edf14cc4cfa06c241f8c81d9"}, + {file = "pillow-10.4.0-cp312-cp312-win32.whl", hash = "sha256:7dfecdbad5c301d7b5bde160150b4db4c659cee2b69589705b6f8a0c509d9f42"}, + {file = "pillow-10.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:1d846aea995ad352d4bdcc847535bd56e0fd88d36829d2c90be880ef1ee4668a"}, + {file = "pillow-10.4.0-cp312-cp312-win_arm64.whl", hash = "sha256:e553cad5179a66ba15bb18b353a19020e73a7921296a7979c4a2b7f6a5cd57f9"}, + {file = "pillow-10.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8bc1a764ed8c957a2e9cacf97c8b2b053b70307cf2996aafd70e91a082e70df3"}, + {file = "pillow-10.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6209bb41dc692ddfee4942517c19ee81b86c864b626dbfca272ec0f7cff5d9fb"}, + {file = "pillow-10.4.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bee197b30783295d2eb680b311af15a20a8b24024a19c3a26431ff83eb8d1f70"}, + {file = "pillow-10.4.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1ef61f5dd14c300786318482456481463b9d6b91ebe5ef12f405afbba77ed0be"}, + {file = "pillow-10.4.0-cp313-cp313-manylinux_2_28_aarch64.whl", hash = "sha256:297e388da6e248c98bc4a02e018966af0c5f92dfacf5a5ca22fa01cb3179bca0"}, + {file = "pillow-10.4.0-cp313-cp313-manylinux_2_28_x86_64.whl", hash = "sha256:e4db64794ccdf6cb83a59d73405f63adbe2a1887012e308828596100a0b2f6cc"}, + {file = "pillow-10.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bd2880a07482090a3bcb01f4265f1936a903d70bc740bfcb1fd4e8a2ffe5cf5a"}, + {file = "pillow-10.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4b35b21b819ac1dbd1233317adeecd63495f6babf21b7b2512d244ff6c6ce309"}, + {file = "pillow-10.4.0-cp313-cp313-win32.whl", hash = "sha256:551d3fd6e9dc15e4c1eb6fc4ba2b39c0c7933fa113b220057a34f4bb3268a060"}, + {file = "pillow-10.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:030abdbe43ee02e0de642aee345efa443740aa4d828bfe8e2eb11922ea6a21ea"}, + {file = "pillow-10.4.0-cp313-cp313-win_arm64.whl", hash = "sha256:5b001114dd152cfd6b23befeb28d7aee43553e2402c9f159807bf55f33af8a8d"}, + {file = "pillow-10.4.0-cp38-cp38-macosx_10_10_x86_64.whl", hash = "sha256:8d4d5063501b6dd4024b8ac2f04962d661222d120381272deea52e3fc52d3736"}, + {file = "pillow-10.4.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:7c1ee6f42250df403c5f103cbd2768a28fe1a0ea1f0f03fe151c8741e1469c8b"}, + {file = "pillow-10.4.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b15e02e9bb4c21e39876698abf233c8c579127986f8207200bc8a8f6bb27acf2"}, + {file = "pillow-10.4.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7a8d4bade9952ea9a77d0c3e49cbd8b2890a399422258a77f357b9cc9be8d680"}, + {file = "pillow-10.4.0-cp38-cp38-manylinux_2_28_aarch64.whl", hash = "sha256:43efea75eb06b95d1631cb784aa40156177bf9dd5b4b03ff38979e048258bc6b"}, + {file = "pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl", hash = "sha256:950be4d8ba92aca4b2bb0741285a46bfae3ca699ef913ec8416c1b78eadd64cd"}, + {file = "pillow-10.4.0-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:d7480af14364494365e89d6fddc510a13e5a2c3584cb19ef65415ca57252fb84"}, + {file = "pillow-10.4.0-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:73664fe514b34c8f02452ffb73b7a92c6774e39a647087f83d67f010eb9a0cf0"}, + {file = "pillow-10.4.0-cp38-cp38-win32.whl", hash = "sha256:e88d5e6ad0d026fba7bdab8c3f225a69f063f116462c49892b0149e21b6c0a0e"}, + {file = "pillow-10.4.0-cp38-cp38-win_amd64.whl", hash = "sha256:5161eef006d335e46895297f642341111945e2c1c899eb406882a6c61a4357ab"}, + {file = "pillow-10.4.0-cp39-cp39-macosx_10_10_x86_64.whl", hash = "sha256:0ae24a547e8b711ccaaf99c9ae3cd975470e1a30caa80a6aaee9a2f19c05701d"}, + {file = "pillow-10.4.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:298478fe4f77a4408895605f3482b6cc6222c018b2ce565c2b6b9c354ac3229b"}, + {file = "pillow-10.4.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:134ace6dc392116566980ee7436477d844520a26a4b1bd4053f6f47d096997fd"}, + {file = "pillow-10.4.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:930044bb7679ab003b14023138b50181899da3f25de50e9dbee23b61b4de2126"}, + {file = "pillow-10.4.0-cp39-cp39-manylinux_2_28_aarch64.whl", hash = "sha256:c76e5786951e72ed3686e122d14c5d7012f16c8303a674d18cdcd6d89557fc5b"}, + {file = "pillow-10.4.0-cp39-cp39-manylinux_2_28_x86_64.whl", hash = "sha256:b2724fdb354a868ddf9a880cb84d102da914e99119211ef7ecbdc613b8c96b3c"}, + {file = "pillow-10.4.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:dbc6ae66518ab3c5847659e9988c3b60dc94ffb48ef9168656e0019a93dbf8a1"}, + {file = "pillow-10.4.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:06b2f7898047ae93fad74467ec3d28fe84f7831370e3c258afa533f81ef7f3df"}, + {file = "pillow-10.4.0-cp39-cp39-win32.whl", hash = "sha256:7970285ab628a3779aecc35823296a7869f889b8329c16ad5a71e4901a3dc4ef"}, + {file = "pillow-10.4.0-cp39-cp39-win_amd64.whl", hash = "sha256:961a7293b2457b405967af9c77dcaa43cc1a8cd50d23c532e62d48ab6cdd56f5"}, + {file = "pillow-10.4.0-cp39-cp39-win_arm64.whl", hash = "sha256:32cda9e3d601a52baccb2856b8ea1fc213c90b340c542dcef77140dfa3278a9e"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:5b4815f2e65b30f5fbae9dfffa8636d992d49705723fe86a3661806e069352d4"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:8f0aef4ef59694b12cadee839e2ba6afeab89c0f39a3adc02ed51d109117b8da"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9f4727572e2918acaa9077c919cbbeb73bd2b3ebcfe033b72f858fc9fbef0026"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ff25afb18123cea58a591ea0244b92eb1e61a1fd497bf6d6384f09bc3262ec3e"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:dc3e2db6ba09ffd7d02ae9141cfa0ae23393ee7687248d46a7507b75d610f4f5"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:02a2be69f9c9b8c1e97cf2713e789d4e398c751ecfd9967c18d0ce304efbf885"}, + {file = "pillow-10.4.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:0755ffd4a0c6f267cccbae2e9903d95477ca2f77c4fcf3a3a09570001856c8a5"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:a02364621fe369e06200d4a16558e056fe2805d3468350df3aef21e00d26214b"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:1b5dea9831a90e9d0721ec417a80d4cbd7022093ac38a568db2dd78363b00908"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9b885f89040bb8c4a1573566bbb2f44f5c505ef6e74cec7ab9068c900047f04b"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:87dd88ded2e6d74d31e1e0a99a726a6765cda32d00ba72dc37f0651f306daaa8"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:2db98790afc70118bd0255c2eeb465e9767ecf1f3c25f9a1abb8ffc8cfd1fe0a"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:f7baece4ce06bade126fb84b8af1c33439a76d8a6fd818970215e0560ca28c27"}, + {file = "pillow-10.4.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:cfdd747216947628af7b259d274771d84db2268ca062dd5faf373639d00113a3"}, + {file = "pillow-10.4.0.tar.gz", hash = "sha256:166c1cd4d24309b30d61f79f4a9114b7b2313d7450912277855ff5dfd7cd4a06"}, +] + +[package.extras] +docs = ["furo", "olefile", "sphinx (>=7.3)", "sphinx-copybutton", "sphinx-inline-tabs", "sphinxext-opengraph"] +fpx = ["olefile"] +mic = ["olefile"] +tests = ["check-manifest", "coverage", "defusedxml", "markdown2", "olefile", "packaging", "pyroma", "pytest", "pytest-cov", "pytest-timeout"] +typing = ["typing-extensions"] +xmp = ["defusedxml"] + +[[package]] +name = "platformdirs" +version = "4.2.2" +description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." +optional = false +python-versions = ">=3.8" +files = [ + {file = "platformdirs-4.2.2-py3-none-any.whl", hash = "sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee"}, + {file = "platformdirs-4.2.2.tar.gz", hash = "sha256:38b7b51f512eed9e84a22788b4bce1de17c0adb134d6becb09836e37d8654cd3"}, +] + +[package.extras] +docs = ["furo (>=2023.9.10)", "proselint (>=0.13)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] +test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)"] +type = ["mypy (>=1.8)"] + +[[package]] +name = "pluggy" +version = "1.5.0" +description = "plugin and hook calling mechanisms for python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, + {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, +] + +[package.extras] +dev = ["pre-commit", "tox"] +testing = ["pytest", "pytest-benchmark"] + +[[package]] +name = "pre-commit" +version = "3.7.1" +description = "A framework for managing and maintaining multi-language pre-commit hooks." +optional = false +python-versions = ">=3.9" +files = [ + {file = "pre_commit-3.7.1-py2.py3-none-any.whl", hash = "sha256:fae36fd1d7ad7d6a5a1c0b0d5adb2ed1a3bda5a21bf6c3e5372073d7a11cd4c5"}, + {file = "pre_commit-3.7.1.tar.gz", hash = "sha256:8ca3ad567bc78a4972a3f1a477e94a79d4597e8140a6e0b651c5e33899c3654a"}, +] + +[package.dependencies] +cfgv = ">=2.0.0" +identify = ">=1.0.0" +nodeenv = ">=0.11.1" +pyyaml = ">=5.1" +virtualenv = ">=20.10.0" + +[[package]] +name = "psycopg2-binary" +version = "2.9.9" +description = "psycopg2 - Python-PostgreSQL Database Adapter" +optional = false +python-versions = ">=3.7" +files = [ + {file = "psycopg2-binary-2.9.9.tar.gz", hash = "sha256:7f01846810177d829c7692f1f5ada8096762d9172af1b1a28d4ab5b77c923c1c"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c2470da5418b76232f02a2fcd2229537bb2d5a7096674ce61859c3229f2eb202"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c6af2a6d4b7ee9615cbb162b0738f6e1fd1f5c3eda7e5da17861eacf4c717ea7"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:75723c3c0fbbf34350b46a3199eb50638ab22a0228f93fb472ef4d9becc2382b"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:83791a65b51ad6ee6cf0845634859d69a038ea9b03d7b26e703f94c7e93dbcf9"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0ef4854e82c09e84cc63084a9e4ccd6d9b154f1dbdd283efb92ecd0b5e2b8c84"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ed1184ab8f113e8d660ce49a56390ca181f2981066acc27cf637d5c1e10ce46e"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:d2997c458c690ec2bc6b0b7ecbafd02b029b7b4283078d3b32a852a7ce3ddd98"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:b58b4710c7f4161b5e9dcbe73bb7c62d65670a87df7bcce9e1faaad43e715245"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:0c009475ee389757e6e34611d75f6e4f05f0cf5ebb76c6037508318e1a1e0d7e"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:8dbf6d1bc73f1d04ec1734bae3b4fb0ee3cb2a493d35ede9badbeb901fb40f6f"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-win32.whl", hash = "sha256:3f78fd71c4f43a13d342be74ebbc0666fe1f555b8837eb113cb7416856c79682"}, + {file = "psycopg2_binary-2.9.9-cp310-cp310-win_amd64.whl", hash = "sha256:876801744b0dee379e4e3c38b76fc89f88834bb15bf92ee07d94acd06ec890a0"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ee825e70b1a209475622f7f7b776785bd68f34af6e7a46e2e42f27b659b5bc26"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1ea665f8ce695bcc37a90ee52de7a7980be5161375d42a0b6c6abedbf0d81f0f"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:143072318f793f53819048fdfe30c321890af0c3ec7cb1dfc9cc87aa88241de2"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c332c8d69fb64979ebf76613c66b985414927a40f8defa16cf1bc028b7b0a7b0"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f7fc5a5acafb7d6ccca13bfa8c90f8c51f13d8fb87d95656d3950f0158d3ce53"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:977646e05232579d2e7b9c59e21dbe5261f403a88417f6a6512e70d3f8a046be"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:b6356793b84728d9d50ead16ab43c187673831e9d4019013f1402c41b1db9b27"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:bc7bb56d04601d443f24094e9e31ae6deec9ccb23581f75343feebaf30423359"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:77853062a2c45be16fd6b8d6de2a99278ee1d985a7bd8b103e97e41c034006d2"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:78151aa3ec21dccd5cdef6c74c3e73386dcdfaf19bced944169697d7ac7482fc"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-win32.whl", hash = "sha256:dc4926288b2a3e9fd7b50dc6a1909a13bbdadfc67d93f3374d984e56f885579d"}, + {file = "psycopg2_binary-2.9.9-cp311-cp311-win_amd64.whl", hash = "sha256:b76bedd166805480ab069612119ea636f5ab8f8771e640ae103e05a4aae3e417"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:8532fd6e6e2dc57bcb3bc90b079c60de896d2128c5d9d6f24a63875a95a088cf"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b0605eaed3eb239e87df0d5e3c6489daae3f7388d455d0c0b4df899519c6a38d"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8f8544b092a29a6ddd72f3556a9fcf249ec412e10ad28be6a0c0d948924f2212"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2d423c8d8a3c82d08fe8af900ad5b613ce3632a1249fd6a223941d0735fce493"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2e5afae772c00980525f6d6ecf7cbca55676296b580c0e6abb407f15f3706996"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e6f98446430fdf41bd36d4faa6cb409f5140c1c2cf58ce0bbdaf16af7d3f119"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c77e3d1862452565875eb31bdb45ac62502feabbd53429fdc39a1cc341d681ba"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:cb16c65dcb648d0a43a2521f2f0a2300f40639f6f8c1ecbc662141e4e3e1ee07"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:911dda9c487075abd54e644ccdf5e5c16773470a6a5d3826fda76699410066fb"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:57fede879f08d23c85140a360c6a77709113efd1c993923c59fde17aa27599fe"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-win32.whl", hash = "sha256:64cf30263844fa208851ebb13b0732ce674d8ec6a0c86a4e160495d299ba3c93"}, + {file = "psycopg2_binary-2.9.9-cp312-cp312-win_amd64.whl", hash = "sha256:81ff62668af011f9a48787564ab7eded4e9fb17a4a6a74af5ffa6a457400d2ab"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:2293b001e319ab0d869d660a704942c9e2cce19745262a8aba2115ef41a0a42a"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:03ef7df18daf2c4c07e2695e8cfd5ee7f748a1d54d802330985a78d2a5a6dca9"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0a602ea5aff39bb9fac6308e9c9d82b9a35c2bf288e184a816002c9fae930b77"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8359bf4791968c5a78c56103702000105501adb557f3cf772b2c207284273984"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:275ff571376626195ab95a746e6a04c7df8ea34638b99fc11160de91f2fef503"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:f9b5571d33660d5009a8b3c25dc1db560206e2d2f89d3df1cb32d72c0d117d52"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:420f9bbf47a02616e8554e825208cb947969451978dceb77f95ad09c37791dae"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:4154ad09dac630a0f13f37b583eae260c6aa885d67dfbccb5b02c33f31a6d420"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:a148c5d507bb9b4f2030a2025c545fccb0e1ef317393eaba42e7eabd28eb6041"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-win32.whl", hash = "sha256:68fc1f1ba168724771e38bee37d940d2865cb0f562380a1fb1ffb428b75cb692"}, + {file = "psycopg2_binary-2.9.9-cp37-cp37m-win_amd64.whl", hash = "sha256:281309265596e388ef483250db3640e5f414168c5a67e9c665cafce9492eda2f"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:60989127da422b74a04345096c10d416c2b41bd7bf2a380eb541059e4e999980"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:246b123cc54bb5361588acc54218c8c9fb73068bf227a4a531d8ed56fa3ca7d6"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:34eccd14566f8fe14b2b95bb13b11572f7c7d5c36da61caf414d23b91fcc5d94"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:18d0ef97766055fec15b5de2c06dd8e7654705ce3e5e5eed3b6651a1d2a9a152"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d3f82c171b4ccd83bbaf35aa05e44e690113bd4f3b7b6cc54d2219b132f3ae55"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ead20f7913a9c1e894aebe47cccf9dc834e1618b7aa96155d2091a626e59c972"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:ca49a8119c6cbd77375ae303b0cfd8c11f011abbbd64601167ecca18a87e7cdd"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:323ba25b92454adb36fa425dc5cf6f8f19f78948cbad2e7bc6cdf7b0d7982e59"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:1236ed0952fbd919c100bc839eaa4a39ebc397ed1c08a97fc45fee2a595aa1b3"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:729177eaf0aefca0994ce4cffe96ad3c75e377c7b6f4efa59ebf003b6d398716"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-win32.whl", hash = "sha256:804d99b24ad523a1fe18cc707bf741670332f7c7412e9d49cb5eab67e886b9b5"}, + {file = "psycopg2_binary-2.9.9-cp38-cp38-win_amd64.whl", hash = "sha256:a6cdcc3ede532f4a4b96000b6362099591ab4a3e913d70bcbac2b56c872446f7"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:72dffbd8b4194858d0941062a9766f8297e8868e1dd07a7b36212aaa90f49472"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:30dcc86377618a4c8f3b72418df92e77be4254d8f89f14b8e8f57d6d43603c0f"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:31a34c508c003a4347d389a9e6fcc2307cc2150eb516462a7a17512130de109e"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:15208be1c50b99203fe88d15695f22a5bed95ab3f84354c494bcb1d08557df67"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1873aade94b74715be2246321c8650cabf5a0d098a95bab81145ffffa4c13876"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a58c98a7e9c021f357348867f537017057c2ed7f77337fd914d0bedb35dace7"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:4686818798f9194d03c9129a4d9a702d9e113a89cb03bffe08c6cf799e053291"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:ebdc36bea43063116f0486869652cb2ed7032dbc59fbcb4445c4862b5c1ecf7f"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:ca08decd2697fdea0aea364b370b1249d47336aec935f87b8bbfd7da5b2ee9c1"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ac05fb791acf5e1a3e39402641827780fe44d27e72567a000412c648a85ba860"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-win32.whl", hash = "sha256:9dba73be7305b399924709b91682299794887cbbd88e38226ed9f6712eabee90"}, + {file = "psycopg2_binary-2.9.9-cp39-cp39-win_amd64.whl", hash = "sha256:f7ae5d65ccfbebdfa761585228eb4d0df3a8b15cfb53bd953e713e09fbb12957"}, +] + +[[package]] +name = "pycparser" +version = "2.22" +description = "C parser in Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, + {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, +] + +[[package]] +name = "pydyf" +version = "0.11.0" +description = "A low-level PDF generator." +optional = false +python-versions = ">=3.8" +files = [ + {file = "pydyf-0.11.0-py3-none-any.whl", hash = "sha256:0aaf9e2ebbe786ec7a78ec3fbffa4cdcecde53fd6f563221d53c6bc1328848a3"}, + {file = "pydyf-0.11.0.tar.gz", hash = "sha256:394dddf619cca9d0c55715e3c55ea121a9bf9cbc780cdc1201a2427917b86b64"}, +] + +[package.extras] +doc = ["sphinx", "sphinx_rtd_theme"] +test = ["pillow", "pytest", "ruff"] + +[[package]] +name = "pyphen" +version = "0.16.0" +description = "Pure Python module to hyphenate text" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pyphen-0.16.0-py3-none-any.whl", hash = "sha256:b4a4c6d7d5654b698b5fc68123148bb799b3debe0175d1d5dc3edfe93066fc4c"}, + {file = "pyphen-0.16.0.tar.gz", hash = "sha256:2c006b3ddf072c9571ab97606d9ab3c26a92eaced4c0d59fd1d26988f308f413"}, +] + +[package.extras] +doc = ["sphinx", "sphinx_rtd_theme"] +test = ["pytest", "ruff"] + +[[package]] +name = "pytest" +version = "8.3.2" +description = "pytest: simple powerful testing with Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest-8.3.2-py3-none-any.whl", hash = "sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5"}, + {file = "pytest-8.3.2.tar.gz", hash = "sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce"}, +] + +[package.dependencies] +colorama = {version = "*", markers = "sys_platform == \"win32\""} +iniconfig = "*" +packaging = "*" +pluggy = ">=1.5,<2" + +[package.extras] +dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] + +[[package]] +name = "pytest-django" +version = "4.8.0" +description = "A Django plugin for pytest." +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest-django-4.8.0.tar.gz", hash = "sha256:5d054fe011c56f3b10f978f41a8efb2e5adfc7e680ef36fb571ada1f24779d90"}, + {file = "pytest_django-4.8.0-py3-none-any.whl", hash = "sha256:ca1ddd1e0e4c227cf9e3e40a6afc6d106b3e70868fd2ac5798a22501271cd0c7"}, +] + +[package.dependencies] +pytest = ">=7.0.0" + +[package.extras] +docs = ["sphinx", "sphinx-rtd-theme"] +testing = ["Django", "django-configurations (>=2.0)"] + +[[package]] +name = "pytest-html" +version = "4.1.1" +description = "pytest plugin for generating HTML reports" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest_html-4.1.1-py3-none-any.whl", hash = "sha256:c8152cea03bd4e9bee6d525573b67bbc6622967b72b9628dda0ea3e2a0b5dd71"}, + {file = "pytest_html-4.1.1.tar.gz", hash = "sha256:70a01e8ae5800f4a074b56a4cb1025c8f4f9b038bba5fe31e3c98eb996686f07"}, +] + +[package.dependencies] +jinja2 = ">=3.0.0" +pytest = ">=7.0.0" +pytest-metadata = ">=2.0.0" + +[package.extras] +docs = ["pip-tools (>=6.13.0)"] +test = ["assertpy (>=1.1)", "beautifulsoup4 (>=4.11.1)", "black (>=22.1.0)", "flake8 (>=4.0.1)", "pre-commit (>=2.17.0)", "pytest-mock (>=3.7.0)", "pytest-rerunfailures (>=11.1.2)", "pytest-xdist (>=2.4.0)", "selenium (>=4.3.0)", "tox (>=3.24.5)"] + +[[package]] +name = "pytest-metadata" +version = "3.1.1" +description = "pytest plugin for test session metadata" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest_metadata-3.1.1-py3-none-any.whl", hash = "sha256:c8e0844db684ee1c798cfa38908d20d67d0463ecb6137c72e91f418558dd5f4b"}, + {file = "pytest_metadata-3.1.1.tar.gz", hash = "sha256:d2a29b0355fbc03f168aa96d41ff88b1a3b44a3b02acbe491801c98a048017c8"}, +] + +[package.dependencies] +pytest = ">=7.0.0" + +[package.extras] +test = ["black (>=22.1.0)", "flake8 (>=4.0.1)", "pre-commit (>=2.17.0)", "tox (>=3.24.5)"] + +[[package]] +name = "python-dotenv" +version = "1.0.1" +description = "Read key-value pairs from a .env file and set them as environment variables" +optional = false +python-versions = ">=3.8" +files = [ + {file = "python-dotenv-1.0.1.tar.gz", hash = "sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca"}, + {file = "python_dotenv-1.0.1-py3-none-any.whl", hash = "sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a"}, +] + +[package.extras] +cli = ["click (>=5.0)"] + +[[package]] +name = "python-ipware" +version = "3.0.0" +description = "A Python package to retrieve user's IP address" +optional = false +python-versions = ">=3.7" +files = [ + {file = "python_ipware-3.0.0-py3-none-any.whl", hash = "sha256:fc936e6e7ec9fcc107f9315df40658f468ac72f739482a707181742882e36b60"}, + {file = "python_ipware-3.0.0.tar.gz", hash = "sha256:9117b1c4dddcb5d5ca49e6a9617de2fc66aec2ef35394563ac4eecabdf58c062"}, +] + +[package.extras] +dev = ["coverage[toml]", "coveralls (>=3.3,<4.0)", "ruff", "twine"] + +[[package]] +name = "python3-saml" +version = "1.16.0" +description = "Saml Python Toolkit. Add SAML support to your Python software using this library" +optional = false +python-versions = "*" +files = [ + {file = "python3-saml-1.16.0.tar.gz", hash = "sha256:97c9669aecabc283c6e5fb4eb264f446b6e006f5267d01c9734f9d8bffdac133"}, + {file = "python3_saml-1.16.0-py2-none-any.whl", hash = "sha256:c49097863c278ff669a337a96c46dc1f25d16307b4bb2679d2d1733cc4f5176a"}, + {file = "python3_saml-1.16.0-py3-none-any.whl", hash = "sha256:20b97d11b04f01ee22e98f4a38242e2fea2e28fbc7fbc9bdd57cab5ac7fc2d0d"}, +] + +[package.dependencies] +isodate = ">=0.6.1" +lxml = ">=4.6.5,<4.7.0 || >4.7.0" +xmlsec = ">=1.3.9" + +[package.extras] +test = ["coverage (>=4.5.2)", "flake8 (>=3.6.0,<=5.0.0)", "freezegun (>=0.3.11,<=1.1.0)", "pytest (>=4.6)"] + +[[package]] +name = "pyyaml" +version = "6.0.1" +description = "YAML parser and emitter for Python" +optional = false +python-versions = ">=3.6" +files = [ + {file = "PyYAML-6.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d858aa552c999bc8a8d57426ed01e40bef403cd8ccdd0fc5f6f04a00414cac2a"}, + {file = "PyYAML-6.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:fd66fc5d0da6d9815ba2cebeb4205f95818ff4b79c3ebe268e75d961704af52f"}, + {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"}, + {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"}, + {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"}, + {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"}, + {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"}, + {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"}, + {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"}, + {file = "PyYAML-6.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f003ed9ad21d6a4713f0a9b5a7a0a79e08dd0f221aff4525a2be4c346ee60aab"}, + {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"}, + {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"}, + {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"}, + {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"}, + {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"}, + {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"}, + {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"}, + {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"}, + {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"}, + {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"}, + {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"}, + {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"}, + {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"}, + {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"}, + {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"}, + {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"}, + {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:afd7e57eddb1a54f0f1a974bc4391af8bcce0b444685d936840f125cf046d5bd"}, + {file = "PyYAML-6.0.1-cp36-cp36m-win32.whl", hash = "sha256:fca0e3a251908a499833aa292323f32437106001d436eca0e6e7833256674585"}, + {file = "PyYAML-6.0.1-cp36-cp36m-win_amd64.whl", hash = "sha256:f22ac1c3cac4dbc50079e965eba2c1058622631e526bd9afd45fedd49ba781fa"}, + {file = "PyYAML-6.0.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b1275ad35a5d18c62a7220633c913e1b42d44b46ee12554e5fd39c70a243d6a3"}, + {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:18aeb1bf9a78867dc38b259769503436b7c72f7a1f1f4c93ff9a17de54319b27"}, + {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:596106435fa6ad000c2991a98fa58eeb8656ef2325d7e158344fb33864ed87e3"}, + {file = "PyYAML-6.0.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:baa90d3f661d43131ca170712d903e6295d1f7a0f595074f151c0aed377c9b9c"}, + {file = "PyYAML-6.0.1-cp37-cp37m-win32.whl", hash = "sha256:9046c58c4395dff28dd494285c82ba00b546adfc7ef001486fbf0324bc174fba"}, + {file = "PyYAML-6.0.1-cp37-cp37m-win_amd64.whl", hash = "sha256:4fb147e7a67ef577a588a0e2c17b6db51dda102c71de36f8549b6816a96e1867"}, + {file = "PyYAML-6.0.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1d4c7e777c441b20e32f52bd377e0c409713e8bb1386e1099c2415f26e479595"}, + {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"}, + {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"}, + {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"}, + {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"}, + {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"}, + {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"}, + {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"}, + {file = "PyYAML-6.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c8098ddcc2a85b61647b2590f825f3db38891662cfc2fc776415143f599bb859"}, + {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"}, + {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"}, + {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"}, + {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"}, + {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"}, + {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"}, + {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"}, +] + +[[package]] +name = "referencing" +version = "0.35.1" +description = "JSON Referencing + Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "referencing-0.35.1-py3-none-any.whl", hash = "sha256:eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de"}, + {file = "referencing-0.35.1.tar.gz", hash = "sha256:25b42124a6c8b632a425174f24087783efb348a6f1e0008e63cd4466fedf703c"}, +] + +[package.dependencies] +attrs = ">=22.2.0" +rpds-py = ">=0.7.0" + +[[package]] +name = "requests" +version = "2.32.3" +description = "Python HTTP for Humans." +optional = false +python-versions = ">=3.8" +files = [ + {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, + {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, +] + +[package.dependencies] +certifi = ">=2017.4.17" +charset-normalizer = ">=2,<4" +idna = ">=2.5,<4" +urllib3 = ">=1.21.1,<3" + +[package.extras] +socks = ["PySocks (>=1.5.6,!=1.5.7)"] +use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] + +[[package]] +name = "rpds-py" +version = "0.20.0" +description = "Python bindings to Rust's persistent data structures (rpds)" +optional = false +python-versions = ">=3.8" +files = [ + {file = "rpds_py-0.20.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:3ad0fda1635f8439cde85c700f964b23ed5fc2d28016b32b9ee5fe30da5c84e2"}, + {file = "rpds_py-0.20.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9bb4a0d90fdb03437c109a17eade42dfbf6190408f29b2744114d11586611d6f"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c6377e647bbfd0a0b159fe557f2c6c602c159fc752fa316572f012fc0bf67150"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:eb851b7df9dda52dc1415ebee12362047ce771fc36914586b2e9fcbd7d293b3e"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1e0f80b739e5a8f54837be5d5c924483996b603d5502bfff79bf33da06164ee2"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5a8c94dad2e45324fc74dce25e1645d4d14df9a4e54a30fa0ae8bad9a63928e3"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f8e604fe73ba048c06085beaf51147eaec7df856824bfe7b98657cf436623daf"}, + {file = "rpds_py-0.20.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:df3de6b7726b52966edf29663e57306b23ef775faf0ac01a3e9f4012a24a4140"}, + {file = "rpds_py-0.20.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:cf258ede5bc22a45c8e726b29835b9303c285ab46fc7c3a4cc770736b5304c9f"}, + {file = "rpds_py-0.20.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:55fea87029cded5df854ca7e192ec7bdb7ecd1d9a3f63d5c4eb09148acf4a7ce"}, + {file = "rpds_py-0.20.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ae94bd0b2f02c28e199e9bc51485d0c5601f58780636185660f86bf80c89af94"}, + {file = "rpds_py-0.20.0-cp310-none-win32.whl", hash = "sha256:28527c685f237c05445efec62426d285e47a58fb05ba0090a4340b73ecda6dee"}, + {file = "rpds_py-0.20.0-cp310-none-win_amd64.whl", hash = "sha256:238a2d5b1cad28cdc6ed15faf93a998336eb041c4e440dd7f902528b8891b399"}, + {file = "rpds_py-0.20.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:ac2f4f7a98934c2ed6505aead07b979e6f999389f16b714448fb39bbaa86a489"}, + {file = "rpds_py-0.20.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:220002c1b846db9afd83371d08d239fdc865e8f8c5795bbaec20916a76db3318"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8d7919548df3f25374a1f5d01fbcd38dacab338ef5f33e044744b5c36729c8db"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:758406267907b3781beee0f0edfe4a179fbd97c0be2e9b1154d7f0a1279cf8e5"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3d61339e9f84a3f0767b1995adfb171a0d00a1185192718a17af6e124728e0f5"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1259c7b3705ac0a0bd38197565a5d603218591d3f6cee6e614e380b6ba61c6f6"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5c1dc0f53856b9cc9a0ccca0a7cc61d3d20a7088201c0937f3f4048c1718a209"}, + {file = "rpds_py-0.20.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:7e60cb630f674a31f0368ed32b2a6b4331b8350d67de53c0359992444b116dd3"}, + {file = "rpds_py-0.20.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:dbe982f38565bb50cb7fb061ebf762c2f254ca3d8c20d4006878766e84266272"}, + {file = "rpds_py-0.20.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:514b3293b64187172bc77c8fb0cdae26981618021053b30d8371c3a902d4d5ad"}, + {file = "rpds_py-0.20.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:d0a26ffe9d4dd35e4dfdd1e71f46401cff0181c75ac174711ccff0459135fa58"}, + {file = "rpds_py-0.20.0-cp311-none-win32.whl", hash = "sha256:89c19a494bf3ad08c1da49445cc5d13d8fefc265f48ee7e7556839acdacf69d0"}, + {file = "rpds_py-0.20.0-cp311-none-win_amd64.whl", hash = "sha256:c638144ce971df84650d3ed0096e2ae7af8e62ecbbb7b201c8935c370df00a2c"}, + {file = "rpds_py-0.20.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:a84ab91cbe7aab97f7446652d0ed37d35b68a465aeef8fc41932a9d7eee2c1a6"}, + {file = "rpds_py-0.20.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:56e27147a5a4c2c21633ff8475d185734c0e4befd1c989b5b95a5d0db699b21b"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2580b0c34583b85efec8c5c5ec9edf2dfe817330cc882ee972ae650e7b5ef739"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:b80d4a7900cf6b66bb9cee5c352b2d708e29e5a37fe9bf784fa97fc11504bf6c"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:50eccbf054e62a7b2209b28dc7a22d6254860209d6753e6b78cfaeb0075d7bee"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:49a8063ea4296b3a7e81a5dfb8f7b2d73f0b1c20c2af401fb0cdf22e14711a96"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ea438162a9fcbee3ecf36c23e6c68237479f89f962f82dae83dc15feeceb37e4"}, + {file = "rpds_py-0.20.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:18d7585c463087bddcfa74c2ba267339f14f2515158ac4db30b1f9cbdb62c8ef"}, + {file = "rpds_py-0.20.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:d4c7d1a051eeb39f5c9547e82ea27cbcc28338482242e3e0b7768033cb083821"}, + {file = "rpds_py-0.20.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:e4df1e3b3bec320790f699890d41c59d250f6beda159ea3c44c3f5bac1976940"}, + {file = "rpds_py-0.20.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:2cf126d33a91ee6eedc7f3197b53e87a2acdac63602c0f03a02dd69e4b138174"}, + {file = "rpds_py-0.20.0-cp312-none-win32.whl", hash = "sha256:8bc7690f7caee50b04a79bf017a8d020c1f48c2a1077ffe172abec59870f1139"}, + {file = "rpds_py-0.20.0-cp312-none-win_amd64.whl", hash = "sha256:0e13e6952ef264c40587d510ad676a988df19adea20444c2b295e536457bc585"}, + {file = "rpds_py-0.20.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:aa9a0521aeca7d4941499a73ad7d4f8ffa3d1affc50b9ea11d992cd7eff18a29"}, + {file = "rpds_py-0.20.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4a1f1d51eccb7e6c32ae89243cb352389228ea62f89cd80823ea7dd1b98e0b91"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8a86a9b96070674fc88b6f9f71a97d2c1d3e5165574615d1f9168ecba4cecb24"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:6c8ef2ebf76df43f5750b46851ed1cdf8f109d7787ca40035fe19fbdc1acc5a7"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b74b25f024b421d5859d156750ea9a65651793d51b76a2e9238c05c9d5f203a9"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:57eb94a8c16ab08fef6404301c38318e2c5a32216bf5de453e2714c964c125c8"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e1940dae14e715e2e02dfd5b0f64a52e8374a517a1e531ad9412319dc3ac7879"}, + {file = "rpds_py-0.20.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d20277fd62e1b992a50c43f13fbe13277a31f8c9f70d59759c88f644d66c619f"}, + {file = "rpds_py-0.20.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:06db23d43f26478303e954c34c75182356ca9aa7797d22c5345b16871ab9c45c"}, + {file = "rpds_py-0.20.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:b2a5db5397d82fa847e4c624b0c98fe59d2d9b7cf0ce6de09e4d2e80f8f5b3f2"}, + {file = "rpds_py-0.20.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:5a35df9f5548fd79cb2f52d27182108c3e6641a4feb0f39067911bf2adaa3e57"}, + {file = "rpds_py-0.20.0-cp313-none-win32.whl", hash = "sha256:fd2d84f40633bc475ef2d5490b9c19543fbf18596dcb1b291e3a12ea5d722f7a"}, + {file = "rpds_py-0.20.0-cp313-none-win_amd64.whl", hash = "sha256:9bc2d153989e3216b0559251b0c260cfd168ec78b1fac33dd485750a228db5a2"}, + {file = "rpds_py-0.20.0-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:f2fbf7db2012d4876fb0d66b5b9ba6591197b0f165db8d99371d976546472a24"}, + {file = "rpds_py-0.20.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:1e5f3cd7397c8f86c8cc72d5a791071431c108edd79872cdd96e00abd8497d29"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ce9845054c13696f7af7f2b353e6b4f676dab1b4b215d7fe5e05c6f8bb06f965"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c3e130fd0ec56cb76eb49ef52faead8ff09d13f4527e9b0c400307ff72b408e1"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4b16aa0107ecb512b568244ef461f27697164d9a68d8b35090e9b0c1c8b27752"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:aa7f429242aae2947246587d2964fad750b79e8c233a2367f71b554e9447949c"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:af0fc424a5842a11e28956e69395fbbeab2c97c42253169d87e90aac2886d751"}, + {file = "rpds_py-0.20.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b8c00a3b1e70c1d3891f0db1b05292747f0dbcfb49c43f9244d04c70fbc40eb8"}, + {file = "rpds_py-0.20.0-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:40ce74fc86ee4645d0a225498d091d8bc61f39b709ebef8204cb8b5a464d3c0e"}, + {file = "rpds_py-0.20.0-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:4fe84294c7019456e56d93e8ababdad5a329cd25975be749c3f5f558abb48253"}, + {file = "rpds_py-0.20.0-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:338ca4539aad4ce70a656e5187a3a31c5204f261aef9f6ab50e50bcdffaf050a"}, + {file = "rpds_py-0.20.0-cp38-none-win32.whl", hash = "sha256:54b43a2b07db18314669092bb2de584524d1ef414588780261e31e85846c26a5"}, + {file = "rpds_py-0.20.0-cp38-none-win_amd64.whl", hash = "sha256:a1862d2d7ce1674cffa6d186d53ca95c6e17ed2b06b3f4c476173565c862d232"}, + {file = "rpds_py-0.20.0-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:3fde368e9140312b6e8b6c09fb9f8c8c2f00999d1823403ae90cc00480221b22"}, + {file = "rpds_py-0.20.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9824fb430c9cf9af743cf7aaf6707bf14323fb51ee74425c380f4c846ea70789"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:11ef6ce74616342888b69878d45e9f779b95d4bd48b382a229fe624a409b72c5"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c52d3f2f82b763a24ef52f5d24358553e8403ce05f893b5347098014f2d9eff2"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9d35cef91e59ebbeaa45214861874bc6f19eb35de96db73e467a8358d701a96c"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d72278a30111e5b5525c1dd96120d9e958464316f55adb030433ea905866f4de"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b4c29cbbba378759ac5786730d1c3cb4ec6f8ababf5c42a9ce303dc4b3d08cda"}, + {file = "rpds_py-0.20.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:6632f2d04f15d1bd6fe0eedd3b86d9061b836ddca4c03d5cf5c7e9e6b7c14580"}, + {file = "rpds_py-0.20.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:d0b67d87bb45ed1cd020e8fbf2307d449b68abc45402fe1a4ac9e46c3c8b192b"}, + {file = "rpds_py-0.20.0-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:ec31a99ca63bf3cd7f1a5ac9fe95c5e2d060d3c768a09bc1d16e235840861420"}, + {file = "rpds_py-0.20.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:22e6c9976e38f4d8c4a63bd8a8edac5307dffd3ee7e6026d97f3cc3a2dc02a0b"}, + {file = "rpds_py-0.20.0-cp39-none-win32.whl", hash = "sha256:569b3ea770c2717b730b61998b6c54996adee3cef69fc28d444f3e7920313cf7"}, + {file = "rpds_py-0.20.0-cp39-none-win_amd64.whl", hash = "sha256:e6900ecdd50ce0facf703f7a00df12374b74bbc8ad9fe0f6559947fb20f82364"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:617c7357272c67696fd052811e352ac54ed1d9b49ab370261a80d3b6ce385045"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:9426133526f69fcaba6e42146b4e12d6bc6c839b8b555097020e2b78ce908dcc"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:deb62214c42a261cb3eb04d474f7155279c1a8a8c30ac89b7dcb1721d92c3c02"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fcaeb7b57f1a1e071ebd748984359fef83ecb026325b9d4ca847c95bc7311c92"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d454b8749b4bd70dd0a79f428731ee263fa6995f83ccb8bada706e8d1d3ff89d"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d807dc2051abe041b6649681dce568f8e10668e3c1c6543ebae58f2d7e617855"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c3c20f0ddeb6e29126d45f89206b8291352b8c5b44384e78a6499d68b52ae511"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b7f19250ceef892adf27f0399b9e5afad019288e9be756d6919cb58892129f51"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:4f1ed4749a08379555cebf4650453f14452eaa9c43d0a95c49db50c18b7da075"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-musllinux_1_2_i686.whl", hash = "sha256:dcedf0b42bcb4cfff4101d7771a10532415a6106062f005ab97d1d0ab5681c60"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:39ed0d010457a78f54090fafb5d108501b5aa5604cc22408fc1c0c77eac14344"}, + {file = "rpds_py-0.20.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:bb273176be34a746bdac0b0d7e4e2c467323d13640b736c4c477881a3220a989"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:f918a1a130a6dfe1d7fe0f105064141342e7dd1611f2e6a21cd2f5c8cb1cfb3e"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:f60012a73aa396be721558caa3a6fd49b3dd0033d1675c6d59c4502e870fcf0c"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3d2b1ad682a3dfda2a4e8ad8572f3100f95fad98cb99faf37ff0ddfe9cbf9d03"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:614fdafe9f5f19c63ea02817fa4861c606a59a604a77c8cdef5aa01d28b97921"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fa518bcd7600c584bf42e6617ee8132869e877db2f76bcdc281ec6a4113a53ab"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0475242f447cc6cb8a9dd486d68b2ef7fbee84427124c232bff5f63b1fe11e5"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f90a4cd061914a60bd51c68bcb4357086991bd0bb93d8aa66a6da7701370708f"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:def7400461c3a3f26e49078302e1c1b38f6752342c77e3cf72ce91ca69fb1bc1"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:65794e4048ee837494aea3c21a28ad5fc080994dfba5b036cf84de37f7ad5074"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-musllinux_1_2_i686.whl", hash = "sha256:faefcc78f53a88f3076b7f8be0a8f8d35133a3ecf7f3770895c25f8813460f08"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:5b4f105deeffa28bbcdff6c49b34e74903139afa690e35d2d9e3c2c2fba18cec"}, + {file = "rpds_py-0.20.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:fdfc3a892927458d98f3d55428ae46b921d1f7543b89382fdb483f5640daaec8"}, + {file = "rpds_py-0.20.0.tar.gz", hash = "sha256:d72a210824facfdaf8768cf2d7ca25a042c30320b3020de2fa04640920d4e121"}, +] + +[[package]] +name = "six" +version = "1.16.0" +description = "Python 2 and 3 compatibility utilities" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" +files = [ + {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"}, + {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, +] + +[[package]] +name = "sqlparse" +version = "0.5.1" +description = "A non-validating SQL parser." +optional = false +python-versions = ">=3.8" +files = [ + {file = "sqlparse-0.5.1-py3-none-any.whl", hash = "sha256:773dcbf9a5ab44a090f3441e2180efe2560220203dc2f8c0b0fa141e18b505e4"}, + {file = "sqlparse-0.5.1.tar.gz", hash = "sha256:bb6b4df465655ef332548e24f08e205afc81b9ab86cb1c45657a7ff173a3a00e"}, +] + +[package.extras] +dev = ["build", "hatch"] +doc = ["sphinx"] + +[[package]] +name = "structlog" +version = "24.2.0" +description = "Structured Logging for Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "structlog-24.2.0-py3-none-any.whl", hash = "sha256:983bd49f70725c5e1e3867096c0c09665918936b3db27341b41d294283d7a48a"}, + {file = "structlog-24.2.0.tar.gz", hash = "sha256:0e3fe74924a6d8857d3f612739efb94c72a7417d7c7c008d12276bca3b5bf13b"}, +] + +[package.extras] +dev = ["freezegun (>=0.2.8)", "mypy (>=1.4)", "pretend", "pytest (>=6.0)", "pytest-asyncio (>=0.17)", "rich", "simplejson", "twisted"] +docs = ["furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-mermaid", "sphinxext-opengraph", "twisted"] +tests = ["freezegun (>=0.2.8)", "pretend", "pytest (>=6.0)", "pytest-asyncio (>=0.17)", "simplejson"] +typing = ["mypy (>=1.4)", "rich", "twisted"] + +[[package]] +name = "tinycss2" +version = "1.3.0" +description = "A tiny CSS parser" +optional = false +python-versions = ">=3.8" +files = [ + {file = "tinycss2-1.3.0-py3-none-any.whl", hash = "sha256:54a8dbdffb334d536851be0226030e9505965bb2f30f21a4a82c55fb2a80fae7"}, + {file = "tinycss2-1.3.0.tar.gz", hash = "sha256:152f9acabd296a8375fbca5b84c961ff95971fcfc32e79550c8df8e29118c54d"}, +] + +[package.dependencies] +webencodings = ">=0.4" + +[package.extras] +doc = ["sphinx", "sphinx_rtd_theme"] +test = ["pytest", "ruff"] + +[[package]] +name = "types-pyyaml" +version = "6.0.12.20240808" +description = "Typing stubs for PyYAML" +optional = false +python-versions = ">=3.8" +files = [ + {file = "types-PyYAML-6.0.12.20240808.tar.gz", hash = "sha256:b8f76ddbd7f65440a8bda5526a9607e4c7a322dc2f8e1a8c405644f9a6f4b9af"}, + {file = "types_PyYAML-6.0.12.20240808-py3-none-any.whl", hash = "sha256:deda34c5c655265fc517b546c902aa6eed2ef8d3e921e4765fe606fe2afe8d35"}, +] + +[[package]] +name = "typing-extensions" +version = "4.12.2" +description = "Backported and Experimental Type Hints for Python 3.8+" +optional = false +python-versions = ">=3.8" +files = [ + {file = "typing_extensions-4.12.2-py3-none-any.whl", hash = "sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d"}, + {file = "typing_extensions-4.12.2.tar.gz", hash = "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8"}, +] + +[[package]] +name = "tzdata" +version = "2024.1" +description = "Provider of IANA time zone data" +optional = false +python-versions = ">=2" +files = [ + {file = "tzdata-2024.1-py2.py3-none-any.whl", hash = "sha256:9068bc196136463f5245e51efda838afa15aaeca9903f49050dfa2679db4d252"}, + {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"}, +] + +[[package]] +name = "uritemplate" +version = "4.1.1" +description = "Implementation of RFC 6570 URI Templates" +optional = false +python-versions = ">=3.6" +files = [ + {file = "uritemplate-4.1.1-py2.py3-none-any.whl", hash = "sha256:830c08b8d99bdd312ea4ead05994a38e8936266f84b9a7878232db50b044e02e"}, + {file = "uritemplate-4.1.1.tar.gz", hash = "sha256:4346edfc5c3b79f694bccd6d6099a322bbeb628dbf2cd86eea55a456ce5124f0"}, +] + +[[package]] +name = "urllib3" +version = "2.2.2" +description = "HTTP library with thread-safe connection pooling, file post, and more." +optional = false +python-versions = ">=3.8" +files = [ + {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"}, + {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"}, +] + +[package.extras] +brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"] +h2 = ["h2 (>=4,<5)"] +socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] +zstd = ["zstandard (>=0.18.0)"] + +[[package]] +name = "virtualenv" +version = "20.26.3" +description = "Virtual Python Environment builder" +optional = false +python-versions = ">=3.7" +files = [ + {file = "virtualenv-20.26.3-py3-none-any.whl", hash = "sha256:8cc4a31139e796e9a7de2cd5cf2489de1217193116a8fd42328f1bd65f434589"}, + {file = "virtualenv-20.26.3.tar.gz", hash = "sha256:4c43a2a236279d9ea36a0d76f98d84bd6ca94ac4e0f4a3b9d46d05e10fea542a"}, +] + +[package.dependencies] +distlib = ">=0.3.7,<1" +filelock = ">=3.12.2,<4" +platformdirs = ">=3.9.1,<5" + +[package.extras] +docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"] +test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"] + +[[package]] +name = "weasyprint" +version = "62.3" +description = "The Awesome Document Factory" +optional = false +python-versions = ">=3.9" +files = [ + {file = "weasyprint-62.3-py3-none-any.whl", hash = "sha256:d31048646ce15084e135b33e334a61f526aa68d2f679fcc109ed0e0f5edaed21"}, + {file = "weasyprint-62.3.tar.gz", hash = "sha256:8d8680d732f7fa0fcbc587692a5a5cb095c3525627066918d6e203cbf42b7fcd"}, +] + +[package.dependencies] +cffi = ">=0.6" +cssselect2 = ">=0.1" +fonttools = {version = ">=4.0.0", extras = ["woff"]} +html5lib = ">=1.1" +Pillow = ">=9.1.0" +pydyf = ">=0.10.0" +Pyphen = ">=0.9.1" +tinycss2 = ">=1.3.0" + +[package.extras] +doc = ["sphinx", "sphinx_rtd_theme"] +test = ["pytest", "ruff"] + +[[package]] +name = "webencodings" +version = "0.5.1" +description = "Character encoding aliases for legacy web content" +optional = false +python-versions = "*" +files = [ + {file = "webencodings-0.5.1-py2.py3-none-any.whl", hash = "sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78"}, + {file = "webencodings-0.5.1.tar.gz", hash = "sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923"}, +] + +[[package]] +name = "whitenoise" +version = "6.7.0" +description = "Radically simplified static file serving for WSGI applications" +optional = false +python-versions = ">=3.8" +files = [ + {file = "whitenoise-6.7.0-py3-none-any.whl", hash = "sha256:a1ae85e01fdc9815d12fa33f17765bc132ed2c54fa76daf9e39e879dd93566f6"}, + {file = "whitenoise-6.7.0.tar.gz", hash = "sha256:58c7a6cd811e275a6c91af22e96e87da0b1109e9a53bb7464116ef4c963bf636"}, +] + +[package.extras] +brotli = ["brotli"] + +[[package]] +name = "xmlsec" +version = "1.3.14" +description = "Python bindings for the XML Security Library" +optional = false +python-versions = ">=3.5" +files = [ + {file = "xmlsec-1.3.14-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:4dea6df3ffcb65d0b215678c3a0fe7bbc66785d6eae81291296e372498bad43a"}, + {file = "xmlsec-1.3.14-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:1fa1311f7489d050dde9028f5a2b5849c2927bb09c9a93491cb2f28fdc563912"}, + {file = "xmlsec-1.3.14-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:28cd9f513cf01dc0c5b9d9f0728714ecde2e7f46b3b6f63de91f4ae32f3008b3"}, + {file = "xmlsec-1.3.14-cp310-cp310-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:77749b338503fb6e151052c664064b34264f4168e2cb0cca1de78b7e5312a783"}, + {file = "xmlsec-1.3.14-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4af81ce8044862ec865782efd353d22abdcd95b92364eef3c934de57ae6d5852"}, + {file = "xmlsec-1.3.14-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:cf35a25be3eb6263b2e0544ba26294651113fab79064f994d347a2ca5973e8e2"}, + {file = "xmlsec-1.3.14-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:004e8a82e26728bf8a60f8ece1ef3ffafdac30ef538139dfe28870e8503ca64a"}, + {file = "xmlsec-1.3.14-cp310-cp310-win32.whl", hash = "sha256:e6cbc914d77678db0c8bc39e723d994174633d18f9d6be4665ec29cce978a96d"}, + {file = "xmlsec-1.3.14-cp310-cp310-win_amd64.whl", hash = "sha256:4922afa9234d1c5763950b26c328a5320019e55eb6000272a79dfe54fee8e704"}, + {file = "xmlsec-1.3.14-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:7799a9ff3593f9dd43464e18b1a621640bffc40456c47c23383727f937dca7fc"}, + {file = "xmlsec-1.3.14-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1fe23c2dd5f5dbcb24f40e2c1061e2672a32aabee7cf8ac5337036a485607d72"}, + {file = "xmlsec-1.3.14-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0be3b7a28e54a03b87faf07fb3c6dc3e50a2c79b686718c3ad08300b8bf6bb67"}, + {file = "xmlsec-1.3.14-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:48e894ad3e7de373f56efc09d6a56f7eae73a8dd4cec8943313134849e9c6607"}, + {file = "xmlsec-1.3.14-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:204d3c586b8bd6f02a5d4c59850a8157205569d40c32567f49576fa5795d897d"}, + {file = "xmlsec-1.3.14-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:6679cec780386d848e7351d4b0de92c4483289ea4f0a2187e216159f939a4c6b"}, + {file = "xmlsec-1.3.14-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c4d41c83c8a2b8d8030204391ebeb6174fbdb044f0331653c4b5a4ce4150bcc0"}, + {file = "xmlsec-1.3.14-cp311-cp311-win32.whl", hash = "sha256:df4aa0782a53032fd35e18dcd6d328d6126324bfcfdef0cb5c2856f25b4b6f94"}, + {file = "xmlsec-1.3.14-cp311-cp311-win_amd64.whl", hash = "sha256:1072878301cb9243a54679e0520e6a5be2266c07a28b0ecef9e029d05a90ffcd"}, + {file = "xmlsec-1.3.14-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:1eb3dcf244a52f796377112d8f238dbb522eb87facffb498425dc8582a84a6bf"}, + {file = "xmlsec-1.3.14-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:330147ce59fbe56a9be5b2085d739c55a569f112576b3f1b33681f87416eaf33"}, + {file = "xmlsec-1.3.14-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ed4034939d8566ccdcd3b4e4f23c63fd807fb8763ae5668d59a19e11640a8242"}, + {file = "xmlsec-1.3.14-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a98eadfcb0c3b23ccceb7a2f245811f8d784bd287640dcfe696a26b9db1e2fc0"}, + {file = "xmlsec-1.3.14-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:86ff7b2711557c1087b72b0a1a88d82eafbf2a6d38b97309a6f7101d4a7041c3"}, + {file = "xmlsec-1.3.14-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:774d5d1e45f07f953c1cc14fd055c1063f0725f7248b6b0e681f59fd8638934d"}, + {file = "xmlsec-1.3.14-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:bd10ca3201f164482775a7ce61bf7ee9aade2e7d032046044dd0f6f52c91d79d"}, + {file = "xmlsec-1.3.14-cp312-cp312-win32.whl", hash = "sha256:19c86bab1498e4c2e56d8e2c878f461ccb6e56b67fd7522b0c8fda46d8910781"}, + {file = "xmlsec-1.3.14-cp312-cp312-win_amd64.whl", hash = "sha256:d0762f4232bce2c7f6c0af329db8b821b4460bbe123a2528fb5677d03db7a4b5"}, + {file = "xmlsec-1.3.14-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:03ccba7dacf197850de954666af0221c740a5de631a80136362a1559223fab75"}, + {file = "xmlsec-1.3.14-cp36-cp36m-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c12900e1903e289deb84eb893dca88591d6884d3e3cda4fb711b8812118416e8"}, + {file = "xmlsec-1.3.14-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6566434e2e5c58e472362a6187f208601f1627a148683a6f92bd16479f1d9e20"}, + {file = "xmlsec-1.3.14-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:2401e162aaab7d9416c3405bac7a270e5f370988a0f1f46f0f29b735edba87e1"}, + {file = "xmlsec-1.3.14-cp36-cp36m-win32.whl", hash = "sha256:ba3b39c493e3b04354615068a3218f30897fcc2f42c6d8986d0c1d63aca87782"}, + {file = "xmlsec-1.3.14-cp36-cp36m-win_amd64.whl", hash = "sha256:4edd8db4df04bbac9c4a5ab4af855b74fe2bf2c248d07cac2e6d92a485f1a685"}, + {file = "xmlsec-1.3.14-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b6dd86f440fec9242515c64f0be93fec8b4289287db1f6de2651eee9995aaecb"}, + {file = "xmlsec-1.3.14-cp37-cp37m-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ad1634cabe0915fe2a12e142db0ed2daf5be80cbe3891a2cecbba0750195cc6b"}, + {file = "xmlsec-1.3.14-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dba457ff87c39cbae3c5020475a728d24bbd9d00376df9af9724cd3bb59ff07a"}, + {file = "xmlsec-1.3.14-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:12d90059308bb0c1b94bde065784e6852999d08b91bcb2048c17e62b954acb07"}, + {file = "xmlsec-1.3.14-cp37-cp37m-win32.whl", hash = "sha256:ce4e165a1436697e5e39587c4fba24db4545a5c9801e0d749f1afd09ad3ab901"}, + {file = "xmlsec-1.3.14-cp37-cp37m-win_amd64.whl", hash = "sha256:7e8e0171916026cbe8e2022c959558d02086655fd3c3466f2bc0451b09cf9ee8"}, + {file = "xmlsec-1.3.14-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c42735cc68fdb4c6065cf0a0701dfff3a12a1734c63a36376349af9a5481f27b"}, + {file = "xmlsec-1.3.14-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:38e035bf48300b7dbde2dd01d3b8569f8584fc9c73809be13886e6b6c77b74fb"}, + {file = "xmlsec-1.3.14-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:73eabf5ef58189d81655058cf328c1dfa9893d89f1bff5fc941481f08533f338"}, + {file = "xmlsec-1.3.14-cp38-cp38-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bddd2a2328b4e08c8a112e06cf2cd2b4d281f4ad94df15b4cef18f06cdc49d78"}, + {file = "xmlsec-1.3.14-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:57fed3bc7943681c9ed4d2221600ab440f060d8d1a8f92f346f2b41effe175b8"}, + {file = "xmlsec-1.3.14-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:147934bd39dfd840663fb6b920ea9201455fa886427975713f1b42d9f20b9b29"}, + {file = "xmlsec-1.3.14-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:e732a75fcb6b84872b168f972fbbf3749baf76308635f14015d1d35ed0c5719c"}, + {file = "xmlsec-1.3.14-cp38-cp38-win32.whl", hash = "sha256:b109cdf717257fd4daa77c1d3ec8a3fb2a81318a6d06a36c55a8a53ae381ae5e"}, + {file = "xmlsec-1.3.14-cp38-cp38-win_amd64.whl", hash = "sha256:b7ba2ea38e3d9efa520b14f3c0b7d99a7c055244ae5ba8bc9f4ca73b18f3a215"}, + {file = "xmlsec-1.3.14-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:1b9b5de6bc69fdec23147e5f712cb05dc86df105462f254f140d743cc680cc7b"}, + {file = "xmlsec-1.3.14-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:82ac81deb7d7bf5cc8a748148948e5df5386597ff43fb92ec651cc5c7addb0e7"}, + {file = "xmlsec-1.3.14-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0bae37b2920115cf00759ee9fb7841cbdebcef3a8a92734ab93ae8fa41ac581d"}, + {file = "xmlsec-1.3.14-cp39-cp39-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4fac2a787ae3b9fb761f9aec6b9f10f2d1c1b87abb574ebd8ff68435bdc97e3d"}, + {file = "xmlsec-1.3.14-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:34c61ec0c0e70fda710290ae74b9efe1928d9242ed82c4eecf97aa696cff68e6"}, + {file = "xmlsec-1.3.14-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:995e87acecc263a2f6f2aa3cc204268f651cac8f4d7a2047f11b2cd49979cc38"}, + {file = "xmlsec-1.3.14-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:2f84a1c509c52773365645a87949081ee9ea9c535cd452048cc8ca4ad3b45666"}, + {file = "xmlsec-1.3.14-cp39-cp39-win32.whl", hash = "sha256:7882963e9cb9c0bd0e8c2715a29159a366417ff4a30d8baf42b05bc5cf249446"}, + {file = "xmlsec-1.3.14-cp39-cp39-win_amd64.whl", hash = "sha256:a487c3d144f791c32f5e560aa27a705fba23171728b8a8511f36de053ff6bc93"}, + {file = "xmlsec-1.3.14.tar.gz", hash = "sha256:934f804f2f895bcdb86f1eaee236b661013560ee69ec108d29cdd6e5f292a2d9"}, +] + +[package.dependencies] +lxml = ">=3.8" + +[[package]] +name = "zopfli" +version = "0.2.3" +description = "Zopfli module for python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "zopfli-0.2.3-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:52438999888715a378fc6fe1477ab7813e9e9b58a27a38d2ad7be0e396b1ab2e"}, + {file = "zopfli-0.2.3-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:6020a3533c6c7be09db9e59c2a8f3f894bf5d8e95cc01890d82114c923317c57"}, + {file = "zopfli-0.2.3-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:72349c78da402e6784bd9c5f4aff5cc7017bd969016ec07b656722f7f29fc975"}, + {file = "zopfli-0.2.3-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:711d4fde9cb99e1a9158978e9d1624a37cdd170ff057f6340059514fcf38e808"}, + {file = "zopfli-0.2.3-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ae890df6e5f1e8fa0697cafd848826decce0ac53e54e5a018fd97775e3a354c0"}, + {file = "zopfli-0.2.3-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:40b830244e6458ef982b4a5ebb0f228986d481408bae557a95eeece2c5ede4e6"}, + {file = "zopfli-0.2.3-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:7bc89b71d1c4677f708cc162f40a4560f78f5f4c6aa6d884b423df7d38e8ba0b"}, + {file = "zopfli-0.2.3-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f07997453e7777e19ef0a2445cc1b90e1bb90c623dd77554325932dea6350fee"}, + {file = "zopfli-0.2.3-cp310-cp310-win32.whl", hash = "sha256:978395a4ce5cc46db29a36cdb80549b564dc7706237abaca5aac328dd5842f65"}, + {file = "zopfli-0.2.3-cp310-cp310-win_amd64.whl", hash = "sha256:61a2fcc624e8b038d4fca84ba927dc3f31df53a7284692d46aa44d16fb3f47b2"}, + {file = "zopfli-0.2.3-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:97d2f993142fed4f9c11c1766eb53409efe7298c755cf4599c171bfedcbaddae"}, + {file = "zopfli-0.2.3-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:92ca61eaa1df774908c173683e23c512189bf791a7ebb49fac61324658cff490"}, + {file = "zopfli-0.2.3-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:975d45745cf6c3e3b61127e0140dcf145fa515f2021f669bd82768937b7bb1fb"}, + {file = "zopfli-0.2.3-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0a8e556916088fadb098ddb6eed034d5c2df3b8fba7f2488e87e8c224002eca"}, + {file = "zopfli-0.2.3-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:61abe5f11400f9c6b22be578091e28dfb9f1a61efaaeaa2da66138b03ee93072"}, + {file = "zopfli-0.2.3-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:b30a922b9d73f22da2b589b35e594dcc6d144eb38ad890c542f2b92902ba9892"}, + {file = "zopfli-0.2.3-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:08d105a49576a9e629f53a710f0009c4bf0a1d8a3239a74e41d0944f26e28a61"}, + {file = "zopfli-0.2.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:ad2a98890045d13b0cdc93c1637990c211dc877493469afc61a097a00a70cf22"}, + {file = "zopfli-0.2.3-cp311-cp311-win32.whl", hash = "sha256:27f2b58050f84fa059db7a6ec17d98b388c18f9783551e5f97605f790f25e155"}, + {file = "zopfli-0.2.3-cp311-cp311-win_amd64.whl", hash = "sha256:ff86a2cd6b9864027861a129d6d73231b6d463f0d364ca0fdca4492390357cba"}, + {file = "zopfli-0.2.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:2073b07c3ec4fcbc895bb02565a90f9f31373233979f6be398e82eacbd1105f3"}, + {file = "zopfli-0.2.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:1f25f1bb6440ed90a1d458772fa6ce53632f5fb61e435b12ae6b9b39af98d758"}, + {file = "zopfli-0.2.3-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:39d8a73bee07cf7f2c73e08508bf788bfdf28a527da353b5d3e2a0ee4aaf770c"}, + {file = "zopfli-0.2.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d40373db61883f6fc8b7040c9196a16f737e3063632afd15e8b3f25e871a30e8"}, + {file = "zopfli-0.2.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:31c467a300ba46f55aa0ea958ea388e350eefd039cf15764bf4cd737d5eeb8a6"}, + {file = "zopfli-0.2.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c3c61787a90439cf68f751b2a1ab789b0805876c0cd9b58398adc212d1eeace5"}, + {file = "zopfli-0.2.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:3e4675ca4c7b1215b8a53cec1831cbdb6914f91ea2f183817a06fc7b38e27642"}, + {file = "zopfli-0.2.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f48de4818c10c539fdd01276512043ae4ae738e0301e9cace1dd38f4bcffad6a"}, + {file = "zopfli-0.2.3-cp312-cp312-win32.whl", hash = "sha256:7769f6ca73f37dff92159127bd25b0cc7d81d3feb819d355dc7ac01ad05c673d"}, + {file = "zopfli-0.2.3-cp312-cp312-win_amd64.whl", hash = "sha256:1c5fd29730024f5fb0e2623e3853ca422bd3cf57042389c8e0e771dc47f88084"}, + {file = "zopfli-0.2.3-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:c6555293e42e7a9154940bb18613de2abce21a855780baff8a6c372e395c59b3"}, + {file = "zopfli-0.2.3-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:40665bf0bacc8b82652a1af4016648dd69f896afa59fc481c1d19a222aa746ea"}, + {file = "zopfli-0.2.3-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7599ce108386d91a402969cba4f17247e33a594b21cbd662e008414ccb0b4cf7"}, + {file = "zopfli-0.2.3-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:dc59299eda2aaf57f0ee5c4b42ada0b80e3dc4c09c5bdda8ee9ae5cf93fafa9e"}, + {file = "zopfli-0.2.3-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:7ddcbc258bb5c07ebb7f6ee64c46d4e35c39c6abba2b3dfa72c0ea4daf9e65fc"}, + {file = "zopfli-0.2.3-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:eef08c02295bb99c7fdca380c52e5454fa1c08025fb0bea2c7ae6c0e1e9c034b"}, + {file = "zopfli-0.2.3-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:7ebb4e1b0f102d431830151041777c55700d12afd1e5adb5bcbce72037c1a10e"}, + {file = "zopfli-0.2.3-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:9dcf7af42c11b3cf5d3fbf665799e10f54f66caea2020fe304602df83b9a1a69"}, + {file = "zopfli-0.2.3-cp38-cp38-win32.whl", hash = "sha256:0fbb6e7fc0da56835167e3c83a45b28e99ba14b671ecb8e51100ad03dfffc3d0"}, + {file = "zopfli-0.2.3-cp38-cp38-win_amd64.whl", hash = "sha256:ca9a6df3d11c2f8f0356c141523c4914a2850dd39fc213d968c0272db635eea9"}, + {file = "zopfli-0.2.3-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:2770cf6b88e9985c79b90fd6d4c15d8dab0caa37c1c3b17773e61ce857eab586"}, + {file = "zopfli-0.2.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5e52aaab3a93470cf0ff2bb2135a8628dda7b70f675c46f35b6a1b30e8e482f4"}, + {file = "zopfli-0.2.3-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:082f030b2b7d6d4597ac517816e499c63b92130aa8f4f74a3788ebaa5770f974"}, + {file = "zopfli-0.2.3-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0574372283befa5af98fb31407e1fe6822f2f9c437ef69e7fa260e49022d8a65"}, + {file = "zopfli-0.2.3-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:8293062567917201609b28b865289d5ddee55030c779fa9264caae4cc2e00fb3"}, + {file = "zopfli-0.2.3-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:e4068d4d35b2e63898d22e1b7777d986b8f5d61fe83a77973730ce9cff1b4ba1"}, + {file = "zopfli-0.2.3-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:2da6f30632cefda8ebe032fdcb69cf062f5a6435af9d32de82ccef320e0261f5"}, + {file = "zopfli-0.2.3-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e5f62ca9a947f09f531c721e2a3f2e0094523436b8eb5df18d71245c1924f89a"}, + {file = "zopfli-0.2.3-cp39-cp39-win32.whl", hash = "sha256:7463b42a2cee33f0a018bf8f1304da2379d6cb8111aa4e04d8f8590d0f1099e1"}, + {file = "zopfli-0.2.3-cp39-cp39-win_amd64.whl", hash = "sha256:22b1cfc398a87754730f7e268693c8eb480cb688fd645648fda85614a8b1c08c"}, + {file = "zopfli-0.2.3-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:09ad5f8d7e0fe1975ca6d9fd5ad61c74233ae277982d3bc8814b599bbeb92f44"}, + {file = "zopfli-0.2.3-pp310-pypy310_pp73-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:78022777139ac973286219e9e085d9496fb6c935502d93a52bd1bed01dfc2002"}, + {file = "zopfli-0.2.3-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:13d151d5c83980f384439c87a5511853890182c05d93444f3cb05e5ceed37d82"}, + {file = "zopfli-0.2.3-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:c1afe5ba0d957e462afbd3da116ac1a2a6d23e8a94436a95b692c5c324694a16"}, + {file = "zopfli-0.2.3-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:81d61eba5a8e221b297a1dd27f1dae2785a14a5524cc1e144da53705cf90d5c4"}, + {file = "zopfli-0.2.3-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:f69b161b4d49e256ab285c6c6ee1cf217fda864a9b175d24fa0a0b8c2de9ff13"}, + {file = "zopfli-0.2.3-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:57f93802e5ddb20647747ee4039a2e18a26e91bac4c41d3d75a2b2c97f270549"}, + {file = "zopfli-0.2.3-pp39-pypy39_pp73-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6225bbc33c4f803cdc1e71e3028af96dd0e1ed3cf061780d1bf05648df616a05"}, + {file = "zopfli-0.2.3-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:deffa15253a43a597e8ebf82ca1908bd70b3bf899da163b017d49ddd5e12732a"}, + {file = "zopfli-0.2.3-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:84321886cf3e80e086e0f6f7b765975343aafa61165315bb8db514d0bec2d887"}, + {file = "zopfli-0.2.3.zip", hash = "sha256:dbc9841bedd736041eb5e6982cd92da93bee145745f5422f3795f6f258cdc6ef"}, +] + +[package.extras] +test = ["pytest"] + +[metadata] +lock-version = "2.0" +python-versions = "^3.11" +content-hash = "06e4089dd9b5f0f36e3f1947f69aa11fcb3dac8a26416dc14ba264fa93b00f4e" diff --git a/backend/pyproject.toml b/backend/pyproject.toml new file mode 100644 index 000000000..4f09b4d1e --- /dev/null +++ b/backend/pyproject.toml @@ -0,0 +1,39 @@ +[tool.poetry] +name = "ciso-assistant-community" +version = "0.1.0" +description = "" +authors = ["intuitem "] +readme = "README.md" +package-mode = false + +[tool.poetry.dependencies] +python = "^3.11" +django = "5.0.8" +weasyprint = "62.3" +psycopg2-binary = "2.9.9" +gunicorn = "22.0.0" +django-filter = "24.2" +whitenoise = "6.7.0" +argon2-cffi = "23.1.0" +djangorestframework = "3.15.2" +django-tailwind = "3.8.0" +pyyaml = "6.0.1" +django-structlog = "8.1.0" +structlog = "24.2.0" +python-dotenv = "1.0.1" +drf-spectacular = "0.27.2" +django-rest-knox = "4.2.0" +django-allauth = "0.63.5" +python3-saml = "^1.16" +requests = "^2.32" + +[tool.poetry.group.dev.dependencies] +pytest-django = "4.8.0" +pytest-html = "4.1.1" +django-stubs = "5.0.2" +coverage = "7.5.4" +pre-commit = "3.7.1" + +[build-system] +requires = ["poetry-core"] +build-backend = "poetry.core.masonry.api" diff --git a/backend/requirements.txt b/backend/requirements.txt index 5f20d49f5..d50e5eb9a 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -1,24 +1,24 @@ -django==5.0.8 +django==5.1.1 weasyprint==62.3 psycopg2-binary==2.9.9 -gunicorn==22.0.0 -pytest-django==4.8.0 +gunicorn==23.0.0 +pytest-django==4.9.0 pytest-html==4.1.1 -django-filter==24.2 +django-filter==24.3 whitenoise==6.7.0 argon2-cffi==23.1.0 typing-extensions==4.12.2 djangorestframework==3.15.2 -django-stubs==5.0.2 -coverage==7.5.4 +django-stubs==5.0.4 +coverage==7.6.1 django-tailwind==3.8.0 -pyyaml==6.0.1 +pyyaml==6.0.2 django-structlog==8.1.0 -structlog==24.2.0 +structlog==24.4.0 python-dotenv==1.0.1 drf-spectacular==0.27.2 -django-rest-knox==4.2.0 -django-allauth[socialaccount]==0.63.5 -pre-commit==3.7.1 -django-allauth[saml]==0.63.5 -django-allauth==0.63.5 +django-rest-knox==5.0.1 +django-allauth[socialaccount]==64.2.1 +pre-commit==3.8.0 +django-allauth[saml]==64.2.1 +django-allauth==64.2.1 diff --git a/backend/serdes/views.py b/backend/serdes/views.py index 926d5ebcc..b15e6d6e5 100644 --- a/backend/serdes/views.py +++ b/backend/serdes/views.py @@ -1,17 +1,18 @@ +import gzip import io import json import sys from datetime import datetime -from ciso_assistant.settings import VERSION from django.core import management from django.core.management.commands import dumpdata, loaddata from django.http import HttpResponse from rest_framework import status -from rest_framework.parsers import JSONParser +from rest_framework.parsers import FileUploadParser from rest_framework.response import Response from rest_framework.views import APIView +from ciso_assistant.settings import VERSION from serdes.serializers import LoadBackupSerializer @@ -25,7 +26,8 @@ def get(self, request, *args, **kwargs): f'attachment; filename="ciso-assistant-db-{timestamp}.json"' ) - response.write(f'[{{"meta": [{{"media_version": "{VERSION}"}}]}},\n') + buffer = io.StringIO() + buffer.write(f'[{{"meta": [{{"media_version": "{VERSION}"}}]}},\n') # Here we dump th data to stdout # NOTE: We will not be able to dump selected folders with this method. management.call_command( @@ -38,22 +40,34 @@ def get(self, request, *args, **kwargs): "knox.authtoken", ], indent=4, - stdout=response, + stdout=buffer, natural_foreign=True, ) - response.write("]") + buffer.write("]") + buffer.seek(0) + buffer_data = gzip.compress(buffer.getvalue().encode()) + response.write(buffer_data) return response class LoadBackupView(APIView): - parser_classes = (JSONParser,) + parser_classes = (FileUploadParser,) serializer_class = LoadBackupSerializer def post(self, request, *args, **kwargs): if not request.user.has_backup_permission: return Response(status=status.HTTP_403_FORBIDDEN) if request.data: - sys.stdin = io.StringIO(json.dumps(request.data[1])) + backup_file = request.data["file"] + is_json = backup_file.name.split(".")[-1].lower() == "json" + data = backup_file.read() + decompressed_data = data if is_json else gzip.decompress(data) + # Performances could be improved (by avoiding the json.loads + json.dumps calls with a direct raw manipulation on the JSON body) + # But performances of the backup loading is not that much important. + decompressed_data = json.loads(decompressed_data)[1] + decompressed_data = json.dumps(decompressed_data) + + sys.stdin = io.StringIO(decompressed_data) request.session.flush() management.call_command("flush", interactive=False) # Here we load the data from stdin @@ -66,6 +80,7 @@ def post(self, request, *args, **kwargs): "contenttypes", "auth.permission", "sessions.session", + "iam.ssosettings", "knox.authtoken", ], ) diff --git a/docker-compose-build.sh b/docker-compose-build.sh index ed5eed373..cee3087bb 100755 --- a/docker-compose-build.sh +++ b/docker-compose-build.sh @@ -14,7 +14,7 @@ prepare_meta_file() { # Check if the database already exists if [ -f db/ciso-assistant.sqlite3 ]; then echo "The database seems already created." - echo "You should launch 'docker compose up -d'." + echo "You should launch 'docker compose -f docker-compose-build.yml up -d'." else prepare_meta_file diff --git a/docker-compose-remote-api.sh b/docker-compose-remote-api.sh index 7e4c00402..10e04b9f7 100755 --- a/docker-compose-remote-api.sh +++ b/docker-compose-remote-api.sh @@ -2,7 +2,7 @@ if [ -f db/ciso-assistant.sqlite3 ] ; then echo "the database seems already created" - echo "you should launch docker compose up -d" + echo "you should launch docker compose -f docker-compose-remote-api.yml up -d" echo "for clean start, you can remove the database file, run docker compose down and then docker compose rm and start again" else echo "Cleaning up old images and pulling the new ones ..." diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md index 1acbe4a0e..48280e3ef 100644 --- a/documentation/architecture/data-model.md +++ b/documentation/architecture/data-model.md @@ -46,7 +46,6 @@ erDiagram DOMAIN ||--o{ RISK_ASSESSMENT_REVIEW : contains DOMAIN ||--o{ COMPLIANCE_ASSESSMENT_REVIEW: contains ROOT_FOLDER ||--o{ FRAMEWORK : contains - ROOT_FOLDER ||--o{ REFERENCE_CONTROL : contains ROOT_FOLDER ||--o{ STORED_LIBRARY : contains ROOT_FOLDER ||--o{ LOADED_LIBRARY : contains ROOT_FOLDER ||--o{ USER : contains @@ -54,10 +53,13 @@ erDiagram ROOT_FOLDER ||--o{ ROLE : contains ROOT_FOLDER ||--o{ ROLE_ASSIGNMENT : contains ROOT_FOLDER_OR_DOMAIN ||--o{ EVIDENCE : contains + ROOT_FOLDER_OR_DOMAIN ||--o{ REFERENCE_CONTROL : contains ROOT_FOLDER_OR_DOMAIN ||--o{ APPLIED_CONTROL : contains ROOT_FOLDER_OR_DOMAIN ||--o{ RISK_ACCEPTANCE : contains ROOT_FOLDER_OR_DOMAIN ||--o{ ASSET : contains ROOT_FOLDER_OR_DOMAIN ||--o{ THREAT : contains + ROOT_FOLDER_OR_DOMAIN ||--o{ COMPLIANCE_ASSESSMENT : contains + ROOT_FOLDER_OR_DOMAIN ||--o{ RISK_ASSESSMENT : contains DOMAIN { string name @@ -89,7 +91,7 @@ erDiagram COMPLIANCE_ASSESSMENT_REVIEW }o--|| COMPLIANCE_ASSESSMENT : reviews REQUIREMENT_NODE }o--o{ REFERENCE_CONTROL : leverages COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : is_based_on - PROJECT ||--o{ COMPLIANCE_ASSESSMENT : contains + PROJECT |o--o{ COMPLIANCE_ASSESSMENT : contains COMPLIANCE_ASSESSMENT ||--o{ REQUIREMENT_ASSESSMENT: contains REQUIREMENT_ASSESSMENT }o--|| REQUIREMENT_NODE : implements REQUIREMENT_ASSESSMENT }o--o{ APPLIED_CONTROL : is_answered_by @@ -99,7 +101,7 @@ erDiagram FRAMEWORK ||--o{ REQUIREMENT_NODE : contains APPLIED_CONTROL }o--o{ EVIDENCE : is_proved_by RISK_ASSESSMENT }o--|| RISK_MATRIX : applies - PROJECT ||--o{ RISK_ASSESSMENT : contains + PROJECT |o--o{ RISK_ASSESSMENT : contains RISK_ASSESSMENT ||--o{ RISK_SCENARIO : contains RISK_SCENARIO }o--o{ APPLIED_CONTROL : is_mitigated_by RISK_SCENARIO }o--o{ THREAT : derives_from @@ -143,6 +145,8 @@ erDiagram principal[] author principal[] reviewer string[] tags + string observation + string[] selected_implementation_groups int min_score int max_score @@ -160,6 +164,7 @@ erDiagram principal[] author principal[] reviewer string[] tags + string observation string risk_assessment_method } @@ -199,8 +204,7 @@ erDiagram int order_id json implementation_groups boolean assessable - string question - boolean no_result + json question } REFERENCE_CONTROL { @@ -228,6 +232,7 @@ erDiagram date expiration url link string effort + float cost string[] tags } @@ -242,6 +247,7 @@ erDiagram bool selected string review_conclusion string review_observation + json answer } EVIDENCE { @@ -288,6 +294,7 @@ erDiagram json target_risk_vector string strength_of_knowledge string justification + json qualifications principal[] owner } @@ -597,6 +604,7 @@ namespace DomainObjects { +DateField expiry_date +CharField link +CharField effort + +Decimal cost +RiskScenario[] risk_scenarios() +RiskAssessments[] risk_assessments() @@ -702,7 +710,10 @@ Projects are fundamental context objects defined by the entity using CISO Assist The domain is the fundamental perimeter for access control. All objects, in particular domains, within a domain, have consistent access rights. If this granularity is not sufficient, the entity shall define new domains. -Note: the IAM model is based on folders. A domain is a type of folder (the other one being the root folder). +Note: the IAM model is based on folders. A folder has a type among: +- ROOT: the root folder, which is also called "global domain". +- DOMAIN: a user-defined domain. +- ENCLAVE: a invisible folder used to confine the actions of a third party. Projects have the following fields: - Name @@ -776,11 +787,14 @@ A applied control has the following specific fields: - an Estimated Time of Arrival date - a validity date (expiration field) - an effort (--/S/M/L/XL) +- a cost (--/float value) - a url link - a list of user-defined tags When a applied control derives from a reference control, the same category and csf_function are proposed, but this can be changed. +Costs are measured in a global currency/multiple that is defined in global settings. + ## Compliance and risk assessments Both types of assessments have common fields: @@ -863,6 +877,8 @@ A risk scenario contains a treatment option with the values --/open/mitigate/acc A risk scenario also contains a "strength of knowledge", within the values --/0 (Low)/1 (Medium)/2 (High). This can be used to represent a third dimension of risk, as recommended by the Society for Risk Analysis. The field "justification" can be used to expose the knowledge. +A risk scenario also contains a "qualification" field, containing an array with the following possible values: Confidentiality, Integrity, Availability, Authenticity, Reputation, Operational, Legal, Financial. The qualification can cover none, one or several of the values. + The risk evaluation is automatically done based on the selected risk matrix. ## Risk matrices @@ -1063,15 +1079,15 @@ Currently, the folder organization is as follows: To simplify access control, we use a RBAC model. -Role | Permissions --------------------|------------ -Administrator | full access (except approval), and specifically management of domains, users and users rights -referential_manager| capacity to manage referentials in the root folder -Domain manager | full access to selected domains (except approval), in particular managing rights for these domains. Read access to global objects -Analyst | readwrite acces to selected projects/domains. Read access to global and domain objects -Reader | read access to selected projects/domains -Risk approver | like reader, but with additional capability to approve risk acceptances -Reviewer | like reader, but with additional capability to review assessments. +| Role | Permissions | +| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- | +| Administrator | full access (except approval), and specifically management of domains, users and users rights | +| referential_manager | capacity to manage referentials in the root folder | +| Domain manager | full access to selected domains (except approval), in particular managing rights for these domains. Read access to global objects | +| Analyst | readwrite acces to selected projects/domains. Read access to global and domain objects | +| Reader | read access to selected projects/domains | +| Risk approver | like reader, but with additional capability to approve risk acceptances | +| Reviewer | like reader, but with additional capability to review assessments. | Note: a DJANGO superuser is given administrator rights automatically on startup. @@ -1108,6 +1124,10 @@ SSO Settings are defined in a dedicated object SSO_SETTINGS. ## TPRM evolution +### Objective + +The goal of Third-Party Risk Management is to manage the risk incurred by a provider (vendor, partner, supplier, contractor, service provider). The point of view for the modeling is focusing on risk. + ### Retained approach The following approach has been retained: @@ -1118,31 +1138,31 @@ The following approach has been retained: - This compliance assessment is reviewed by the client, requirement by requirement. - An import/export functionality for compliance assessments shall be available to transmit a filled questionnaire from the third-party to the client. - Review features are added to compliance assessment to enable this workflow in a generic way. -- A requirement node can include a question (which is a generic improvement, as many frameworks have questions). -- A requirement node has a boolean named "no_result" to indicate that no result is waited for the assessment (e.g. "what is your annual turnover?") +- A requirement node can include a question (which is a generic improvement, as many frameworks have questions), as a JSON form. This will correspond to a JSON answer in the corresponding requirement assessment. ### Entity-relationship diagram ```mermaid erDiagram - ASSET }o--o{ SOLUTION : contains - ENTITY2 }o--o| DOMAIN : owns - VULNERABILITY }o--o{ SOLUTION : affects - SOLUTION }o--o| ENTITY : provided_by + ASSET }o--o{ SOLUTION : leverages + ENTITY |o--o{ DOMAIN : owns + SOLUTION }o--|| ENTITY : is_provided_to + SOLUTION }o--|| ENTITY : is_provided_by CONTRACT }o--o{ SOLUTION : formalizes CONTRACT }o--o{ EVIDENCE : has APPLIED_CONTROL }o--o| CONTRACT : leverages - ENTITY_EVALUATION }o--|| ENTITY : evaluates - ENTITY }o--o{ PERSON : employs - ENTITY_EVALUATION }o--|| COMPLIANCE_ASSESSMENT : leverages - ENTITY }o--o{ ENTITY2 : is_provider_of + ENTITY_ASSESSMENT }o--|| ENTITY : evaluates + ENTITY ||--o{ REPRESENTATIVE : mandates + ENTITY_ASSESSMENT }o--o| COMPLIANCE_ASSESSMENT : leverages + ENTITY_ASSESSMENT }o--o| EVIDENCE : leverages COMPLIANCE_ASSESSMENT }o--|| FRAMEWORK : uses + PROJECT |o--o{ ENTITY_ASSESSMENT : contains + ENTITY { string name string description string missions - entity parent_entity url reference_link } @@ -1158,11 +1178,11 @@ erDiagram SOLUTION { string name string description - string solution_type string ref_id - string version + int criticality } + CONTRACT { string name string description @@ -1170,55 +1190,115 @@ erDiagram date end_date } - ENTITY_EVALUATION { - string name - string description - date send_date - date due_date - int penetration - int dependency - int maturity - int trust + ENTITY_ASSESSMENT { + string name + string description + string version + date eta + date due_date + string status + principal[] author + principal[] reviewer + string[] tags + string observation + + string conclusion + int criticality + int penetration + int dependency + int maturity + int trust } - PERSON { - string email - string first_name - string last_name - string phone - string role - string description + REPRESENTATIVE { + string email + string first_name + string last_name + string phone + string role + string description } -``` + COMPLIANCE_ASSESSMENT { + string review_conclusion + string review_observation + json implementation_groups_selector + } -```mermaid -erDiagram - DOMAIN ||--o{ ENTITY_EVALUATION : contains - DOMAIN ||--o{ SOLUTION : contains ``` + ```mermaid erDiagram - GLOBAL_DOMAIN ||--o{ ENTITY : contains - GLOBAL_DOMAIN ||--o{ PERSON : contains + DOMAIN ||--o{ ENTITY_ASSESSMENT : contains + DOMAIN ||--o{ SOLUTION : contains + DOMAIN ||--o{ ENTITY : contains + DOMAIN ||--o{ ENCLAVE : contains + ENCLAVE ||--o{ COMPLIANCE_ASSESSMENT : contains + ENCLAVE ||--o{ EVIDENCE : contains ``` -- The solution_type of a solution is a string with the following possible values: --|product|maintenance|hosting. -- The ref_id for a solution can be null or use a formal id like CPE. - +### New models + +#### Entity + +An entity represents a legal entity, a corporate body, an administrative body, an association. An entity can be: +- the main subject for the current CISO Assistant instance ("main entity"). +- a subisdiary of another entity. +- a provider of another entity. +- a threat actor. +- ... + +An entity can own a domain. The entity that owns the global domain is the main subject for the current CISO Assistant instance. + +An entity can provides a solution to another entity (see solution model). TPRM is done mainly for providers of the main entity, but nothing prevents doing an entity evaluation for any entity. + +#### Entity assessment + +An entity assessment is similar to a risk assessment, but focused on the risk incurred by the provider of a solution. + +An entity assessment is based on a questionnaire/compliance assessment, and/or on an existing document, stored in an evidence (variable "external_questionnaire"). This allows beginning the assessment without questionnaire, adding an existing external questionnaire if available, and starting a new integrated questionnaire later. + +Typically, the main entity can use the requirement group selector to tailor the questionnaire before sending it to the third-party, then a self-assessment is done by the provider, then a review is done by the main entity. + +An entity assessment has the following specific fields: + - conclusion: --|blocker|warning|ok|N/A + - penetration: as defined by ebios RM + - dependency: as defined by ebios RM + - maturity: as defined by ebios RM + - trust: as defined by ebios RM + +#### Solution + +A solution represents what en entity provides to one another. + +The criticality of a solution is an integer representing the importance of the solution for the client of the solution in decreasing sensitivity (0: most critical). This can be determined grossly at the beginning, and revised after an entity or risk assessment. This number is used to prioritize entity assessments. + +#### Representative + +This represents a person that is linked to an entity (typically an employee), and that is relevant for the main entity, like a contact person for an assessment. + +There is no link between representatives (modeling of the ecosystem) and users of the solution (access control mechanism). + ### Evolution of existing models +## Assessments (risk/compliance/entity) + +- add field observation + #### Requirement assessment - add the following fields: - - review_conclusion: --|blocker|warning|ok|N/A - - review_observation + - answer: a json corresponding to the optional question of the requirement node. + +#### Compliance assessment + +- add the following fields: + - implementation_group_selector: a json describing a form that allows the selection of relevant implementation groups by answering simple questions. #### Requirement node - Add the following fields: - - no_result - - question + - question: a json field describing a form. #### Applied control @@ -1228,3 +1308,32 @@ erDiagram The foreign key contract shall be non-null only if the category is set to "contract". The UX shall reflect this constraint. Note: in the future, we will use the same approach for policies. + +### Question and answer format + +The format for question and answer json fields will evolve over time. The initial format is the following: + +- question: +```json +{ + "question": { + "version": 1 + "schema": {...} + } +} +``` + +The schema variable follows JSON Schema standard (WIP). + +### Enclave security approach + +The objects manipulated by the third party (compliance assessment and evidences) are put in a dedicated folder called an "enclave". This folder is a subfolder of the domain. Enclaves are not shown in the UI, they are only used for security implementation. + +### Simplifications for the MVP version + +- The main entity is automatically created and owns the global domain. The name is set to "Main", and can be changed. +- Other entities own no domain. +- Solutions are automatically provided to the main entity. +- The change in applied control is not retained. +- implementation_group_selector is not retained. +- ebios-RM parameters are not retained. diff --git a/enterprise/LICENSE.txt b/enterprise/LICENSE.txt new file mode 100644 index 000000000..20f50883d --- /dev/null +++ b/enterprise/LICENSE.txt @@ -0,0 +1,3 @@ +Usage of files in this directory and its subdirectories, and of CISO Assistant PRO and Enterprise features, is subject to the intuitem Commercial License (https://intuitem.com/license/commercial/), and conditional on having a valid license from intuitem. + +Access to files in this directory and its subdirectories does not constitute permission to use this code. diff --git a/enterprise/README.md b/enterprise/README.md new file mode 100644 index 000000000..e69de29bb diff --git a/enterprise/backend/.gitignore b/enterprise/backend/.gitignore new file mode 100644 index 000000000..c7570ae91 --- /dev/null +++ b/enterprise/backend/.gitignore @@ -0,0 +1,19 @@ +!__init__.py +*.pyc +__pycache__ +*.DS_Store +*~$* +staticfiles/* +static/ +.env +.vscode +*.sqlite3 +staticfiles/ +venv/ +temp/ +db/attachments/ +db/django_secret_key +db/pg_password.txt +./db/ +.coverage +pytest-report.html diff --git a/enterprise/backend/Dockerfile b/enterprise/backend/Dockerfile new file mode 100644 index 000000000..c21288639 --- /dev/null +++ b/enterprise/backend/Dockerfile @@ -0,0 +1,39 @@ +# syntax=docker/dockerfile:1 +# Based on https://docs.docker.com/samples/django/ + +FROM python:3.11-alpine +ENV PYTHONUNBUFFERED=1 +ENV PYTHONDONTWRITEBYTECODE=1 + +ENV POETRY_NO_INTERACTION=1 \ + POETRY_VIRTUALENVS_IN_PROJECT=1 \ + POETRY_VIRTUALENVS_CREATE=1 \ + POETRY_CACHE_DIR=/tmp/poetry_cache + +ENV DJANGO_SETTINGS_MODULE=enterprise_core.settings +ENV SQLITE_FILE=/code/db/ciso-assistant.sqlite3 + +WORKDIR /code + +# Configure locales +RUN apk update +RUN apk add --no-cache bash yaml-cpp +RUN apk add --no-cache py3-cffi libc-dev libffi-dev gcc python3-dev glib pango cairo +RUN apk add --no-cache musl musl-utils musl-locales tzdata lang +RUN apk add --no-cache gettext fontconfig ttf-freefont font-noto terminus-font + +COPY backend /code/ +COPY enterprise/backend /code/enterprise +COPY backend/startup.sh /code/ +COPY backend/pyproject.toml /code/ +COPY backend/poetry.lock /code/ + +RUN pip install --upgrade pip && \ + pip install poetry==1.8.3 + +RUN poetry install --without dev +RUN poetry add enterprise/ +RUN rm -rf $POETRY_CACHE_DIR + +ENTRYPOINT ["poetry", "run", "bash", "startup.sh"] +EXPOSE 8000 diff --git a/enterprise/backend/README.md b/enterprise/backend/README.md new file mode 100644 index 000000000..d6625615a --- /dev/null +++ b/enterprise/backend/README.md @@ -0,0 +1,23 @@ +# Quick start (development) + +1. Install the `enterprise_core` package + +```bash +cd enterprise/backend +poetry install +``` + +2. Start the development server with the enterprise settings file + +```bash +python manage.py runserver --settings=enterprise_core.settings +``` + +# Running a white label instance + +This can be done by running the development server with the `FF_WHITE_LABEL` environment variable set to `true`. + +```bash +export FF_WHITE_LABEL=true +python manage.py runserver --settings=enterprise_core.settings +``` diff --git a/enterprise/backend/__init__.py b/enterprise/backend/__init__.py new file mode 100644 index 000000000..7953c07e0 --- /dev/null +++ b/enterprise/backend/__init__.py @@ -0,0 +1 @@ +from .ciso_assistant import * diff --git a/enterprise/backend/enterprise_core/__init__.py b/enterprise/backend/enterprise_core/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/enterprise/backend/enterprise_core/apps.py b/enterprise/backend/enterprise_core/apps.py new file mode 100644 index 000000000..e91850776 --- /dev/null +++ b/enterprise/backend/enterprise_core/apps.py @@ -0,0 +1,33 @@ +from django.apps import AppConfig +from django.db.models.signals import post_migrate +import os + +ADMINISTRATOR_PERMISSIONS = [ + "view_clientsettings", + "change_clientsettings", +] + + +def startup(sender, **kwargs): + from .models import ClientSettings + from iam.models import Role + from django.contrib.auth.models import Permission + + ClientSettings.objects.get_or_create() + administrator_permissions = Permission.objects.filter( + codename__in=ADMINISTRATOR_PERMISSIONS + ) + administrator = Role.objects.get(name="BI-RL-ADM", builtin=True) + for p in administrator_permissions: + administrator.permissions.add(p) + + +class EnterpriseCoreConfig(AppConfig): + default_auto_field = "django.db.models.BigAutoField" + name = "enterprise_core" + label = "enterprise_core" + + def ready(self): + # avoid post_migrate handler if we are in the main, as it interferes with restore + if not os.environ.get("RUN_MAIN"): + post_migrate.connect(startup, sender=self) diff --git a/enterprise/backend/enterprise_core/migrations/0001_initial.py b/enterprise/backend/enterprise_core/migrations/0001_initial.py new file mode 100644 index 000000000..0146ce874 --- /dev/null +++ b/enterprise/backend/enterprise_core/migrations/0001_initial.py @@ -0,0 +1,34 @@ +# Generated by Django 5.1 on 2024-08-20 13:06 + +import django.db.models.deletion +import iam.models +import uuid +from django.db import migrations, models + + +class Migration(migrations.Migration): + + initial = True + + dependencies = [ + ('iam', '0005_alter_user_managers'), + ] + + operations = [ + migrations.CreateModel( + name='ClientSettings', + fields=[ + ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)), + ('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')), + ('updated_at', models.DateTimeField(auto_now=True, verbose_name='Updated at')), + ('is_published', models.BooleanField(default=False, verbose_name='published')), + ('name', models.CharField(blank=True, max_length=255)), + ('logo', models.ImageField(blank=True, null=True, upload_to='client_logos')), + ('favicon', models.ImageField(blank=True, null=True, upload_to='client_favicons')), + ('folder', models.ForeignKey(default=iam.models.Folder.get_root_folder, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_folder', to='iam.folder')), + ], + options={ + 'abstract': False, + }, + ), + ] diff --git a/enterprise/backend/enterprise_core/migrations/__init__.py b/enterprise/backend/enterprise_core/migrations/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/enterprise/backend/enterprise_core/models.py b/enterprise/backend/enterprise_core/models.py new file mode 100644 index 000000000..a3e21bb50 --- /dev/null +++ b/enterprise/backend/enterprise_core/models.py @@ -0,0 +1,21 @@ +from enum import Enum +import os +from django.db import models +from iam.models import FolderMixin +from core.base_models import AbstractBaseModel + + +class ClientSettings(AbstractBaseModel, FolderMixin): + class FileField(Enum): + LOGO = "logo" + FAVICON = "favicon" + + name = models.CharField(max_length=255, blank=True) + logo = models.ImageField(upload_to="client_logos", null=True, blank=True) + favicon = models.ImageField(upload_to="client_favicons", null=True, blank=True) + + def __str__(self): + return self.name + + def filename(self, field: FileField): + return os.path.basename(getattr(self, field.value).name) diff --git a/enterprise/backend/enterprise_core/serializers.py b/enterprise/backend/enterprise_core/serializers.py new file mode 100644 index 000000000..a7dcfd8ba --- /dev/null +++ b/enterprise/backend/enterprise_core/serializers.py @@ -0,0 +1,32 @@ +from core.serializers import BaseModelSerializer +from iam.models import Folder + +from .models import ClientSettings + + +class FolderWriteSerializer(BaseModelSerializer): + class Meta: + model = Folder + exclude = [ + "builtin", + "content_type", + ] + + +class ClientSettingsWriteSerializer(BaseModelSerializer): + class Meta: + model = ClientSettings + exclude = ["is_published", "folder"] + + +class ClientSettingsReadSerializer(BaseModelSerializer): + class Meta: + model = ClientSettings + exclude = ["is_published", "folder"] + + def update(self, instance, validated_data): + instance = self.instance + for key, value in validated_data.items(): + setattr(instance, key, value) + instance.save() + return instance diff --git a/enterprise/backend/enterprise_core/settings.py b/enterprise/backend/enterprise_core/settings.py new file mode 100644 index 000000000..057ed8e16 --- /dev/null +++ b/enterprise/backend/enterprise_core/settings.py @@ -0,0 +1,402 @@ +""" +Django settings for ciso_assistant project. + +CORS are not managed by backend, so CORS library is not used + +if "POSTGRES_NAME" environment variable defined, the database engine is posgresql +and the other env variables are POSTGRES_USER, POSTGRES_PASSWORD, DB_HOST, DB_PORT +else it is sqlite, and no env variable is required + +""" + +from pathlib import Path +import os +from dotenv import load_dotenv +from datetime import timedelta +import logging.config +import structlog +from django.core.management.utils import get_random_secret_key + +BASE_DIR_ENTERPRISE = Path(__file__).resolve().parent.parent +BASE_DIR = BASE_DIR_ENTERPRISE.parent.parent / "backend" + +load_dotenv(BASE_DIR / ".meta") + +VERSION = os.getenv("CISO_ASSISTANT_VERSION", "unset") +BUILD = os.getenv("CISO_ASSISTANT_BUILD", "unset") + +LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO") +LOG_FORMAT = os.environ.get("LOG_FORMAT", "plain") + +CISO_ASSISTANT_URL = os.environ.get("CISO_ASSISTANT_URL", "http://localhost:5173") + + +def set_ciso_assistant_url(_, __, event_dict): + event_dict["ciso_assistant_url"] = CISO_ASSISTANT_URL + return event_dict + + +LOGGING = { + "version": 1, + "disable_existing_loggers": False, + "formatters": { + "json": { + "()": structlog.stdlib.ProcessorFormatter, + "processor": structlog.processors.JSONRenderer(), + }, + "plain": { + "()": structlog.stdlib.ProcessorFormatter, + "processor": structlog.dev.ConsoleRenderer(), + }, + }, + "handlers": { + "console": { + "class": "logging.StreamHandler", + "formatter": LOG_FORMAT, + }, + }, + "loggers": { + "": {"handlers": ["console"], "level": LOG_LEVEL}, + }, +} + +structlog.configure( + processors=[ + structlog.contextvars.merge_contextvars, + set_ciso_assistant_url, + structlog.stdlib.filter_by_level, + structlog.processors.TimeStamper(fmt="iso"), # ISO 8601 timestamps + structlog.stdlib.add_logger_name, + structlog.stdlib.add_log_level, + structlog.stdlib.PositionalArgumentsFormatter(), + # Include stack information in log entries + structlog.processors.StackInfoRenderer(), + structlog.processors.format_exc_info, + structlog.processors.UnicodeDecoder(), + structlog.stdlib.ProcessorFormatter.wrap_for_formatter, + ], + logger_factory=structlog.stdlib.LoggerFactory(), + cache_logger_on_first_use=True, +) + +logging.config.dictConfig(LOGGING) +logger = structlog.getLogger(__name__) + +FEATURE_FLAGS = {} +MODULE_PATHS = {} +ROUTES = {} + +logger.info("Launchup CISO Assistant Enterprise") + +logger.info("BASE_DIR: %s", BASE_DIR) +logger.info("VERSION: %s", VERSION) +logger.info("BUILD: %s", BUILD) + +# TODO: multiple paths are explicit, it should use path join to be more generic + +# Quick-start development settings - unsuitable for production +# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/ + +# SECURITY WARNING: keep the secret key used in production secret! +SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", get_random_secret_key()) + +# SECURITY WARNING: don't run with debug turned on in production! +DEBUG = os.environ.get("DJANGO_DEBUG", "False") == "True" + +logger.info("DEBUG mode: %s", DEBUG) +logger.info("CISO_ASSISTANT_URL: %s", CISO_ASSISTANT_URL) +# ALLOWED_HOSTS should contain the backend address +ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "localhost,127.0.0.1").split(",") +logger.info("ALLOWED_HOSTS: %s", ALLOWED_HOSTS) +CSRF_TRUSTED_ORIGINS = [CISO_ASSISTANT_URL] +LOCAL_STORAGE_DIRECTORY = os.environ.get( + "LOCAL_STORAGE_DIRECTORY", BASE_DIR / "db/attachments" +) +ATTACHMENT_MAX_SIZE_MB = os.environ.get("ATTACHMENT_MAX_SIZE_MB", 10) +MEDIA_ROOT = LOCAL_STORAGE_DIRECTORY +MEDIA_URL = "" + +PAGINATE_BY = os.environ.get("PAGINATE_BY", default=500) + +# Application definition + +INSTALLED_APPS = [ + "django.contrib.auth", + "django.contrib.contenttypes", + "django.contrib.sessions", + "django.contrib.messages", + "django.forms", + "django_structlog", + "tailwind", + "iam", + "global_settings", + "core", + "cal", + "django_filters", + # "debug_toolbar", + "library", + "serdes", + "rest_framework", + "knox", + "drf_spectacular", + "allauth", + "allauth.account", + "allauth.headless", + "allauth.socialaccount", + "allauth.socialaccount.providers.saml", +] + +MIDDLEWARE = [ + "django.middleware.security.SecurityMiddleware", + "django.contrib.sessions.middleware.SessionMiddleware", + "django.middleware.locale.LocaleMiddleware", + "django.middleware.common.CommonMiddleware", + "django.middleware.csrf.CsrfViewMiddleware", + "django.contrib.auth.middleware.AuthenticationMiddleware", + "django.contrib.messages.middleware.MessageMiddleware", + "django.middleware.clickjacking.XFrameOptionsMiddleware", + "django_structlog.middlewares.RequestMiddleware", + "allauth.account.middleware.AccountMiddleware", +] + +ROOT_URLCONF = "ciso_assistant.urls" +# we leave these for the API UI tools - even if Django templates and Admin are not used anymore +LOGIN_REDIRECT_URL = "/api" +LOGOUT_REDIRECT_URL = "/api" + +AUTH_TOKEN_TTL = int( + os.environ.get("AUTH_TOKEN_TTL", default=60 * 60) +) # defaults to 60 minutes +AUTH_TOKEN_AUTO_REFRESH = ( + os.environ.get("AUTH_TOKEN_AUTO_REFRESH", default="True") == "True" +) # prevents token from expiring while user is active + +CISO_ASSISTANT_SUPERUSER_EMAIL = os.environ.get("CISO_ASSISTANT_SUPERUSER_EMAIL") +DEFAULT_FROM_EMAIL = os.environ.get("DEFAULT_FROM_EMAIL") + +EMAIL_HOST = os.environ.get("EMAIL_HOST") +EMAIL_PORT = os.environ.get("EMAIL_PORT") +EMAIL_HOST_USER = os.environ.get("EMAIL_HOST_USER") +EMAIL_HOST_PASSWORD = os.environ.get("EMAIL_HOST_PASSWORD") +EMAIL_USE_TLS = os.environ.get("EMAIL_USE_TLS") +# rescue mail +EMAIL_HOST_RESCUE = os.environ.get("EMAIL_HOST_RESCUE") +EMAIL_PORT_RESCUE = os.environ.get("EMAIL_PORT_RESCUE") +EMAIL_HOST_USER_RESCUE = os.environ.get("EMAIL_HOST_USER_RESCUE") +EMAIL_HOST_PASSWORD_RESCUE = os.environ.get("EMAIL_HOST_PASSWORD_RESCUE") +EMAIL_USE_TLS_RESCUE = os.environ.get("EMAIL_USE_TLS_RESCUE") + +EMAIL_TIMEOUT = int(os.environ.get("EMAIL_TIMEOUT", default="5")) # seconds + +REST_FRAMEWORK = { + "DEFAULT_RENDERER_CLASSES": [ + "rest_framework.renderers.JSONRenderer", + ], + "DEFAULT_AUTHENTICATION_CLASSES": [ + "knox.auth.TokenAuthentication", + ], + "DEFAULT_PERMISSION_CLASSES": [ + "rest_framework.permissions.IsAuthenticated", + "core.permissions.RBACPermissions", + ], + "DEFAULT_FILTER_CLASSES": ["django_filters.rest_framework.DjangoFilterBackend"], + "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination", + "PAGE_SIZE": PAGINATE_BY, + "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema", + "EXCEPTION_HANDLER": "core.helpers.handle", +} + +REST_KNOX = { + "SECURE_HASH_ALGORITHM": "cryptography.hazmat.primitives.hashes.SHA512", + "AUTH_TOKEN_CHARACTER_LENGTH": 64, + "TOKEN_TTL": timedelta(seconds=AUTH_TOKEN_TTL), + "TOKEN_LIMIT_PER_USER": None, + "AUTO_REFRESH": AUTH_TOKEN_AUTO_REFRESH, + "MIN_REFRESH_INTERVAL": 60, +} + +# Empty outside of debug mode so that allauth middleware does not raise an error +STATIC_URL = "" + +if DEBUG: + REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"].append( + "rest_framework.renderers.BrowsableAPIRenderer" + ) + # Add session authentication to allow using the browsable API + REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append( + "rest_framework.authentication.SessionAuthentication" + ) + + INSTALLED_APPS.append("django.contrib.staticfiles") + STATIC_URL = "/static/" + STATIC_ROOT = BASE_DIR / "static" + + INTERNAL_IPS = [ + "127.0.0.1", + ] + + DEBUG_TOOLBAR_CONFIG = { + "SHOW_TOOLBAR_CALLBACK": lambda request: True, + } + +TEMPLATES = [ + { + "BACKEND": "django.template.backends.django.DjangoTemplates", + "APP_DIRS": True, + "OPTIONS": { + "context_processors": [ + "django.template.context_processors.debug", + "django.template.context_processors.request", + "django.contrib.auth.context_processors.auth", + "django.contrib.messages.context_processors.messages", + ], + }, + }, +] +FORM_RENDERER = "django.forms.renderers.TemplatesSetting" + +WSGI_APPLICATION = "ciso_assistant.wsgi.application" + +AUTH_USER_MODEL = "iam.User" + +# Password validation +# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators + +AUTH_PASSWORD_VALIDATORS = [ + { + "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator", + }, + { + "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator", + }, + { + "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator", + }, + { + "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator", + }, +] + +# Internationalization +# https://docs.djangoproject.com/en/4.2/topics/i18n/ + +LANGUAGE_CODE = "en" + +TIME_ZONE = "UTC" + +USE_I18N = True + +USE_TZ = True + +LANGUAGES = [ + ("en", "English"), + ("fr", "French"), + ("es", "Spanish"), + ("de", "German"), + ("it", "Italian"), + ("nd", "Dutch"), + ("pl", "Polish"), + ("pt", "Portuguese"), +] + +PROJECT_PATH = os.path.dirname(os.path.abspath(__file__)) + +LOCALE_PATHS = (os.path.join(PROJECT_PATH, "../locale"),) + + +# Default primary key field type +# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field + +DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField" + +# Database +# https://docs.djangoproject.com/en/4.2/ref/settings/#databases + +# SQLIte file can be changed, useful for tests +SQLITE_FILE = os.environ.get("SQLITE_FILE", BASE_DIR / "db/ciso-assistant.sqlite3") +LIBRARIES_PATH = library_path = BASE_DIR / "library/libraries" + +if "POSTGRES_NAME" in os.environ: + DATABASES = { + "default": { + "ENGINE": "django.db.backends.postgresql_psycopg2", + "NAME": os.environ["POSTGRES_NAME"], + "USER": os.environ["POSTGRES_USER"], + "PASSWORD": os.environ["POSTGRES_PASSWORD"], + "HOST": os.environ["DB_HOST"], + "PORT": os.environ.get("DB_PORT", "5432"), + } + } +else: + DATABASES = { + "default": { + "ENGINE": "django.db.backends.sqlite3", + "NAME": SQLITE_FILE, + "OPTIONS": { + "timeout": 120, + }, + } + } + logger.info("SQLITE_FILE: %s", SQLITE_FILE) + +logger.info("DATABASE ENGINE: %s", DATABASES["default"]["ENGINE"]) + +PASSWORD_HASHERS = [ + "django.contrib.auth.hashers.Argon2PasswordHasher", + "django.contrib.auth.hashers.PBKDF2PasswordHasher", + "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher", + "django.contrib.auth.hashers.BCryptSHA256PasswordHasher", + "django.contrib.auth.hashers.ScryptPasswordHasher", +] + +SPECTACULAR_SETTINGS = { + "TITLE": "CISO Assistant API - Experimental", + "DESCRIPTION": "CISO Assistant - API Documentation for automating all your GRC needs", + "VERSION": "0.7.0", + "SERVE_INCLUDE_SCHEMA": False, + # OTHER SETTINGS +} + +# SSO with allauth + +ACCOUNT_USER_MODEL_USERNAME_FIELD = None +ACCOUNT_EMAIL_REQUIRED = True +ACCOUNT_USERNAME_REQUIRED = False +ACCOUNT_AUTHENTICATION_METHOD = "email" + +SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https") + +ACCOUNT_ADAPTER = "iam.adapter.AccountAdapter" +SOCIALACCOUNT_ADAPTER = "iam.adapter.SocialAccountAdapter" + +SOCIALACCOUNT_EMAIL_AUTHENTICATION = True +SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True + +HEADLESS_ONLY = True + +HEADLESS_FRONTEND_URLS = { + "socialaccount_login_error": CISO_ASSISTANT_URL + "/login", +} + +SOCIALACCOUNT_PROVIDERS = { + "saml": { + "EMAIL_AUTHENTICATION": True, + "VERIFIED_EMAIL": True, + }, +} + +MODULE_PATHS["serializers"] = ["enterprise_core.serializers"] + +FEATURE_FLAGS["whiteLabel"] = os.environ.get("FF_WHITE_LABEL", "false") == "true" + +if FEATURE_FLAGS["whiteLabel"]: + ROUTES["client-settings"] = { + "viewset": "enterprise_core.views.ClientSettingsViewSet", + "basename": "client-settings", + } + +logger.info( + "Enterprise startup info", feature_flags=FEATURE_FLAGS, module_paths=MODULE_PATHS +) + +INSTALLED_APPS.append("enterprise_core") diff --git a/enterprise/backend/enterprise_core/views.py b/enterprise/backend/enterprise_core/views.py new file mode 100644 index 000000000..af8e467f2 --- /dev/null +++ b/enterprise/backend/enterprise_core/views.py @@ -0,0 +1,119 @@ +import mimetypes + +import structlog +from core.views import BaseModelViewSet +from django.http import HttpResponse +from rest_framework import status +from rest_framework.permissions import AllowAny +from rest_framework.decorators import ( + action, + permission_classes, +) +from rest_framework.parsers import FileUploadParser +from rest_framework.response import Response + +from .models import ClientSettings +from .serializers import ClientSettingsReadSerializer + +logger = structlog.get_logger(__name__) + + +class ClientSettingsViewSet(BaseModelViewSet): + model = ClientSettings + + def create(self, request, *args, **kwargs): + return Response( + { + "detail": "Client settings object cannot be created outside of AppConfig." + }, + status=status.HTTP_405_METHOD_NOT_ALLOWED, + ) + + def delete(self, request, *args, **kwargs): + return Response( + {"detail": "Client settings object cannot be deleted."}, + status=status.HTTP_405_METHOD_NOT_ALLOWED, + ) + + def _get_file_response(self, request, pk, file_field): + client = ClientSettings.objects.get(pk=pk) + file = getattr(client, file_field) + + if not file: + return Response(status=status.HTTP_404_NOT_FOUND) + + if request.method != "GET": + return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED) + + filename = client.filename( + field=getattr(ClientSettings.FileField, file_field.upper()) + ) + content_type = mimetypes.guess_type(filename)[0] + + return HttpResponse( + file, + content_type=content_type, + headers={"Content-Disposition": f"attachment; filename={filename}"}, + status=status.HTTP_200_OK, + ) + + @action(methods=["get"], detail=False, permission_classes=[AllowAny]) + def info(self, request): + try: + client = ClientSettings.objects.get() + return Response( + ClientSettingsReadSerializer(client).data, status=status.HTTP_200_OK + ) + except ClientSettings.DoesNotExist: + return Response( + {"error": "Client settings not found"}, status=status.HTTP_404_NOT_FOUND + ) + + @action(methods=["get"], detail=True, permission_classes=[AllowAny]) + def logo(self, request, pk): + return self._get_file_response(request, pk, "logo") + + @permission_classes((AllowAny,)) + @action(methods=["get"], detail=True) + def favicon(self, request, pk): + return self._get_file_response(request, pk, "favicon") + + def handle_file_upload(self, request, pk, field_name): + if "file" not in request.FILES: + return Response( + {"error": "No file provided"}, status=status.HTTP_400_BAD_REQUEST + ) + + try: + settings = ClientSettings.objects.get(id=pk) + setattr(settings, field_name, request.FILES["file"]) + settings.save() + return Response(status=status.HTTP_200_OK) + except ClientSettings.DoesNotExist: + return Response( + {"error": "Client settings not found"}, status=status.HTTP_404_NOT_FOUND + ) + except Exception as e: + logger.error("Error uploading file", exc_info=e) + return Response( + {"error": "Error uploading file"}, + status=status.HTTP_400_BAD_REQUEST, + ) + + @action( + methods=["post"], + detail=True, + url_path="logo/upload", + parser_classes=(FileUploadParser,), + ) + def upload_logo(self, request, pk): + return self.handle_file_upload(request, pk, "logo") + + @action( + methods=["post"], + detail=True, + url_path="favicon/upload", + parser_classes=(FileUploadParser,), + ) + def upload_favicon(self, request, pk): + return self.handle_file_upload(request, pk, "favicon") diff --git a/enterprise/backend/poetry.lock b/enterprise/backend/poetry.lock new file mode 100644 index 000000000..7476db1d8 --- /dev/null +++ b/enterprise/backend/poetry.lock @@ -0,0 +1,134 @@ +# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. + +[[package]] +name = "asgiref" +version = "3.8.1" +description = "ASGI specs, helper code, and adapters" +optional = false +python-versions = ">=3.8" +files = [ + {file = "asgiref-3.8.1-py3-none-any.whl", hash = "sha256:3e1e3ecc849832fe52ccf2cb6686b7a55f82bb1d6aee72a58826471390335e47"}, + {file = "asgiref-3.8.1.tar.gz", hash = "sha256:c343bd80a0bec947a9860adb4c432ffa7db769836c64238fc34bdc3fec84d590"}, +] + +[package.extras] +tests = ["mypy (>=0.800)", "pytest", "pytest-asyncio"] + +[[package]] +name = "colorama" +version = "0.4.6" +description = "Cross-platform colored terminal text." +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" +files = [ + {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, + {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, +] + +[[package]] +name = "django" +version = "5.0.8" +description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design." +optional = false +python-versions = ">=3.10" +files = [ + {file = "Django-5.0.8-py3-none-any.whl", hash = "sha256:333a7988f7ca4bc14d360d3d8f6b793704517761ae3813b95432043daec22a45"}, + {file = "Django-5.0.8.tar.gz", hash = "sha256:ebe859c9da6fead9c9ee6dbfa4943b04f41342f4cea2c4d8c978ef0d10694f2b"}, +] + +[package.dependencies] +asgiref = ">=3.7.0,<4" +sqlparse = ">=0.3.1" +tzdata = {version = "*", markers = "sys_platform == \"win32\""} + +[package.extras] +argon2 = ["argon2-cffi (>=19.1.0)"] +bcrypt = ["bcrypt"] + +[[package]] +name = "iniconfig" +version = "2.0.0" +description = "brain-dead simple config-ini parsing" +optional = false +python-versions = ">=3.7" +files = [ + {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, + {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, +] + +[[package]] +name = "packaging" +version = "24.1" +description = "Core utilities for Python packages" +optional = false +python-versions = ">=3.8" +files = [ + {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"}, + {file = "packaging-24.1.tar.gz", hash = "sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"}, +] + +[[package]] +name = "pluggy" +version = "1.5.0" +description = "plugin and hook calling mechanisms for python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, + {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, +] + +[package.extras] +dev = ["pre-commit", "tox"] +testing = ["pytest", "pytest-benchmark"] + +[[package]] +name = "pytest" +version = "8.3.2" +description = "pytest: simple powerful testing with Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest-8.3.2-py3-none-any.whl", hash = "sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5"}, + {file = "pytest-8.3.2.tar.gz", hash = "sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce"}, +] + +[package.dependencies] +colorama = {version = "*", markers = "sys_platform == \"win32\""} +iniconfig = "*" +packaging = "*" +pluggy = ">=1.5,<2" + +[package.extras] +dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] + +[[package]] +name = "sqlparse" +version = "0.5.1" +description = "A non-validating SQL parser." +optional = false +python-versions = ">=3.8" +files = [ + {file = "sqlparse-0.5.1-py3-none-any.whl", hash = "sha256:773dcbf9a5ab44a090f3441e2180efe2560220203dc2f8c0b0fa141e18b505e4"}, + {file = "sqlparse-0.5.1.tar.gz", hash = "sha256:bb6b4df465655ef332548e24f08e205afc81b9ab86cb1c45657a7ff173a3a00e"}, +] + +[package.extras] +dev = ["build", "hatch"] +doc = ["sphinx"] + +[[package]] +name = "tzdata" +version = "2024.1" +description = "Provider of IANA time zone data" +optional = false +python-versions = ">=2" +files = [ + {file = "tzdata-2024.1-py2.py3-none-any.whl", hash = "sha256:9068bc196136463f5245e51efda838afa15aaeca9903f49050dfa2679db4d252"}, + {file = "tzdata-2024.1.tar.gz", hash = "sha256:2674120f8d891909751c38abcdfd386ac0a5a1127954fbc332af6b5ceae07efd"}, +] + +[metadata] +lock-version = "2.0" +python-versions = "^3.11" +content-hash = "cc7e46f673197f61548eaf89f87c904516e90d78ce6085f9e541d32a651bf6dd" diff --git a/enterprise/backend/pyproject.toml b/enterprise/backend/pyproject.toml new file mode 100644 index 000000000..09a5608cc --- /dev/null +++ b/enterprise/backend/pyproject.toml @@ -0,0 +1,17 @@ +[tool.poetry] +name = "enterprise_core" +version = "0.1.0" +description = "" +authors = ["intuitem "] +readme = "README.md" + +[tool.poetry.dependencies] +python = "^3.11" +Django = "5.0.8" + +[tool.poetry.group.dev.dependencies] +pytest = "^8.3.2" + +[build-system] +requires = ["poetry-core"] +build-backend = "poetry.core.masonry.api" diff --git a/enterprise/frontend/.gitignore b/enterprise/frontend/.gitignore new file mode 100644 index 000000000..8089601cf --- /dev/null +++ b/enterprise/frontend/.gitignore @@ -0,0 +1,26 @@ +.DS_Store +node_modules +dist +tests/results/ +tests/reports/ +yarn.lock +vite.config.js.timestamp-* +/packages/create-svelte/template/CHANGELOG.md +/packages/package/test/**/package +/documentation/types.js +/build +.env +.vercel_build_output +.svelte-kit +.cloudflare +.pnpm-debug.log +.netlify +.turbo +.vercel +.test-tmp +.testhistory +.testbackendoutput.out +symlink-from +coverage/** +.build +package.json diff --git a/enterprise/frontend/Dockerfile b/enterprise/frontend/Dockerfile new file mode 100644 index 000000000..3b4b4b120 --- /dev/null +++ b/enterprise/frontend/Dockerfile @@ -0,0 +1,25 @@ +FROM node:21-alpine AS builder +WORKDIR /app + +ENV PUBLIC_BACKEND_API_URL=foo + +COPY frontend/package*.json ./ +COPY frontend/project.inlang . +COPY frontend/ . +COPY enterprise/frontend . + +RUN npm install -g pnpm +RUN pnpm install --frozen-lockfile +RUN pnpm run build +RUN pnpm prune + +FROM node:21-alpine +WORKDIR /app +COPY --from=builder /app/build build/ +COPY --from=builder /app/server server/ +COPY --from=builder /app/node_modules node_modules/ +COPY frontend/package.json . +EXPOSE 3000 +ENV NODE_ENV=production +ENV BODY_SIZE_LIMIT=20000000 +CMD [ "node", "server" ] diff --git a/enterprise/frontend/Makefile b/enterprise/frontend/Makefile new file mode 100644 index 000000000..7c2d275b9 --- /dev/null +++ b/enterprise/frontend/Makefile @@ -0,0 +1,66 @@ +.PHONY: build-enterprise clean all watch dev + +SHELL := /usr/bin/env bash + +PM := pnpm +BUILD_DIR := .build +COMMUNITY_DIR := ../../frontend +ENTERPRISE_DIR := ../../enterprise/frontend +RM := rm -rf +ARTIFACTS := $(BUILD_DIR) node_modules package.json build +FRONTEND_DIR := $(BUILD_DIR)/frontend + +.DEFAULT_GOAL := build-enterprise + +pre-build: + @mkdir -p $(BUILD_DIR) + @rsync -av --exclude=build/ --exclude=node_modules/ $(COMMUNITY_DIR) $(BUILD_DIR) + @rsync -avI $(ENTERPRISE_DIR) $(BUILD_DIR) + @$(PM) install --frozen-lockfile -C $(FRONTEND_DIR) + +build-enterprise: pre-build + @$(PM) run -C $(FRONTEND_DIR) build + @mv $(FRONTEND_DIR)/build $(ENTERPRISE_DIR)/build + @mv $(FRONTEND_DIR)/node_modules $(ENTERPRISE_DIR)/node_modules + @mv $(FRONTEND_DIR)/package.json $(ENTERPRISE_DIR)/package.json + +CHANGED_FILES = + +# The rule to watch the filesystem for changes +watch: + @fswatch --batch-marker='EOF' -xn . ../../frontend | while read file event; do \ + if [ "$$file" = "EOF" ]; then \ + $(MAKE) copy_files CHANGED_FILES="$$list"; \ + list=(); \ + else \ + basename_file="$$(basename "$$file")"; \ + if [[ "$$file" != *~ ]] && [[ ! "$$basename_file" =~ ^[0-9]+$$ ]] && [[ ! "$$basename_file" =~ ^\. ]] && ! git check-ignore -q "$$file"; then \ + echo "Tracking: $$file $$event"; \ + list+=("$$file"); \ + fi; \ + fi; \ + done + +copy_files: + @for file in "$(CHANGED_FILES)"; do \ + if [ -n "$$file" ]; then \ + relative_path="$${file#*/frontend/}"; \ + target_dir="$(FRONTEND_DIR)/$$(dirname "$$relative_path")"; \ + mkdir -p "$$target_dir"; \ + rsync -av "$${file}" "$$target_dir"; \ + echo "Copied $$file to $$target_dir"; \ + fi; \ + done + +dev: + @if [ -z "$$(ls -A $(FRONTEND_DIR))" ]; then \ + echo "Please run make pre-build first."; \ + exit 1; \ + else \ + $(PM) -C ${FRONTEND_DIR} run dev & \ + $(MAKE) watch & \ + wait; \ + fi + +clean: + $(RM) $(ARTIFACTS) diff --git a/enterprise/frontend/README.md b/enterprise/frontend/README.md new file mode 100644 index 000000000..16382469d --- /dev/null +++ b/enterprise/frontend/README.md @@ -0,0 +1,43 @@ +# Quick start (development) + +1. Clone the repository +2. Create a `.env` file with environment variables or export them. + +```bash +echo "PUBLIC_BACKEND_API_URL=http://127.0.0.1:8000/api" > .env +``` + +OR + +```bash +export PUBLIC_BACKEND_API_URL=http://127.0.0.1:8000/api +``` + +3. Move community and enterprise code to a single directory and install dependencies + +```bash +make pre-build +``` + +4. Start a development server (ensure that the django app is running) + +```bash +make dev +``` + +## Building + +To create a production version of your app: + +```bash +make +``` + +# Running a white label instance + +This can be done by running the development server with the `FF_WHITE_LABEL` environment variable set to `true`. + +```bash +export FF_WHITE_LABEL=true +make dev +``` diff --git a/enterprise/frontend/pnpm-lock.yaml b/enterprise/frontend/pnpm-lock.yaml new file mode 100644 index 000000000..762874806 --- /dev/null +++ b/enterprise/frontend/pnpm-lock.yaml @@ -0,0 +1,10124 @@ +lockfileVersion: '9.0' + +settings: + autoInstallPeers: true + excludeLinksFromLockfile: false + +importers: + + .: + dependencies: + '@floating-ui/dom': + specifier: ^1.6.10 + version: 1.6.10 + '@fortawesome/fontawesome-free': + specifier: ^6.6.0 + version: 6.6.0 + '@inlang/paraglide-js-adapter-vite': + specifier: ^1.2.40 + version: 1.2.40 + dotenv: + specifier: ^16.4.5 + version: 16.4.5 + echarts: + specifier: ^5.5.1 + version: 5.5.1 + svelte-multiselect: + specifier: ^10.3.0 + version: 10.3.0 + svelte-persisted-store: + specifier: ^0.11.0 + version: 0.11.0(svelte@4.2.18) + devDependencies: + '@inlang/paraglide-js': + specifier: 1.11.1 + version: 1.11.1 + '@playwright/test': + specifier: ^1.46.0 + version: 1.46.0 + '@skeletonlabs/skeleton': + specifier: ^2.10.2 + version: 2.10.2(svelte@4.2.18) + '@skeletonlabs/tw-plugin': + specifier: ^0.4.0 + version: 0.4.0(tailwindcss@3.4.10) + '@storybook/addon-essentials': + specifier: ^8.2.9 + version: 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-interactions': + specifier: ^8.2.9 + version: 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + '@storybook/addon-links': + specifier: ^8.2.9 + version: 8.2.9(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/blocks': + specifier: ^8.2.9 + version: 8.2.9(react-dom@18.3.1(react@18.3.1))(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/svelte': + specifier: ^8.2.9 + version: 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18) + '@storybook/sveltekit': + specifier: ^8.2.9 + version: 8.2.9(@babel/core@7.25.2)(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18)(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15)) + '@storybook/test': + specifier: ^8.2.9 + version: 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + '@sveltejs/adapter-auto': + specifier: ^3.2.4 + version: 3.2.4(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))) + '@sveltejs/adapter-node': + specifier: ^5.2.2 + version: 5.2.2(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))) + '@sveltejs/kit': + specifier: ^2.5.22 + version: 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + '@sveltejs/vite-plugin-svelte': + specifier: ^3.1.1 + version: 3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + '@tailwindcss/forms': + specifier: ^0.5.7 + version: 0.5.7(tailwindcss@3.4.10) + '@tailwindcss/typography': + specifier: ^0.5.14 + version: 0.5.14(tailwindcss@3.4.10) + '@testing-library/dom': + specifier: ^10.4.0 + version: 10.4.0 + '@testing-library/jest-dom': + specifier: ^6.4.8 + version: 6.4.8 + '@testing-library/svelte': + specifier: ^5.2.1 + version: 5.2.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + '@types/node': + specifier: ^20.14.15 + version: 20.14.15 + '@typescript-eslint/eslint-plugin': + specifier: ^7.18.0 + version: 7.18.0(@typescript-eslint/parser@7.18.0(eslint@8.57.0)(typescript@5.5.4))(eslint@8.57.0)(typescript@5.5.4) + '@typescript-eslint/parser': + specifier: ^7.18.0 + version: 7.18.0(eslint@8.57.0)(typescript@5.5.4) + '@vincjo/datatables': + specifier: ^1.14.10 + version: 1.14.10(svelte@4.2.18) + '@vitest/coverage-v8': + specifier: ^1.6.0 + version: 1.6.0(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + '@vitest/ui': + specifier: ^1.6.0 + version: 1.6.0(vitest@1.6.0) + autoprefixer: + specifier: ^10.4.20 + version: 10.4.20(postcss@8.4.41) + eslint: + specifier: ^8.57.0 + version: 8.57.0 + eslint-config-prettier: + specifier: ^9.1.0 + version: 9.1.0(eslint@8.57.0) + eslint-plugin-storybook: + specifier: ^0.8.0 + version: 0.8.0(eslint@8.57.0)(typescript@5.5.4) + eslint-plugin-svelte: + specifier: ^2.43.0 + version: 2.43.0(eslint@8.57.0)(svelte@4.2.18) + jsdom: + specifier: ^24.1.1 + version: 24.1.1 + postcss: + specifier: ^8.4.41 + version: 8.4.41 + prettier: + specifier: ^3.3.3 + version: 3.3.3 + prettier-plugin-svelte: + specifier: ^3.2.6 + version: 3.2.6(prettier@3.3.3)(svelte@4.2.18) + react: + specifier: ^18.3.1 + version: 18.3.1 + react-dom: + specifier: ^18.3.1 + version: 18.3.1(react@18.3.1) + storybook: + specifier: ^8.2.9 + version: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + svelte: + specifier: ^4.2.18 + version: 4.2.18 + svelte-check: + specifier: ^3.8.5 + version: 3.8.5(@babel/core@7.25.2)(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(svelte@4.2.18) + svelte-typewriter: + specifier: ^3.2.3 + version: 3.2.3(svelte@4.2.18) + sveltekit-flash-message: + specifier: ^2.4.4 + version: 2.4.4(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18) + sveltekit-rate-limiter: + specifier: ^0.5.2 + version: 0.5.2(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))) + sveltekit-superforms: + specifier: ^2.17.0 + version: 2.17.0(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18) + tailwindcss: + specifier: ^3.4.10 + version: 3.4.10 + tslib: + specifier: ^2.6.3 + version: 2.6.3 + typescript: + specifier: ^5.5.4 + version: 5.5.4 + vite: + specifier: ^5.4.1 + version: 5.4.1(@types/node@20.14.15) + vite-plugin-tailwind-purgecss: + specifier: ^0.3.3 + version: 0.3.3(tailwindcss@3.4.10)(vite@5.4.1(@types/node@20.14.15)) + vitest: + specifier: ^1.6.0 + version: 1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1) + zod: + specifier: ^3.23.8 + version: 3.23.8 + +packages: + + '@adobe/css-tools@4.4.0': + resolution: {integrity: sha512-Ff9+ksdQQB3rMncgqDK78uLznstjyfIf2Arnh22pW8kBpLs6rpKDwgnZT46hin5Hl1WzazzK64DOrhSwYpS7bQ==} + + '@alloc/quick-lru@5.2.0': + resolution: {integrity: sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==} + engines: {node: '>=10'} + + '@ampproject/remapping@2.3.0': + resolution: {integrity: sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==} + engines: {node: '>=6.0.0'} + + '@ark/schema@0.2.0': + resolution: {integrity: sha512-IkNWCSHdjaoemMXpps4uFHEAQzwJPbTAS8K2vcQpk90sa+eNBuPSVyB/81/Qyl1VYW0iX3ceGC5NL/OznQv1jg==} + + '@ark/util@0.1.0': + resolution: {integrity: sha512-qCLYICQoCy3kEKDVwirQp8qvxhY7NJd8BhhoHaj1l3wCFAk9NUbcDsxAkPStZEMdPI/d7NcbGJe8SWZuRG2twQ==} + + '@babel/code-frame@7.24.7': + resolution: {integrity: sha512-BcYH1CVJBO9tvyIZ2jVeXgSIMvGZ2FDRvDdOIVQyuklNKSsx+eppDEBq/g47Ayw+RqNFE+URvOShmf+f/qwAlA==} + engines: {node: '>=6.9.0'} + + '@babel/compat-data@7.25.2': + resolution: {integrity: sha512-bYcppcpKBvX4znYaPEeFau03bp89ShqNMLs+rmdptMw+heSZh9+z84d2YG+K7cYLbWwzdjtDoW/uqZmPjulClQ==} + engines: {node: '>=6.9.0'} + + '@babel/core@7.25.2': + resolution: {integrity: sha512-BBt3opiCOxUr9euZ5/ro/Xv8/V7yJ5bjYMqG/C1YAo8MIKAnumZalCN+msbci3Pigy4lIQfPUpfMM27HMGaYEA==} + engines: {node: '>=6.9.0'} + + '@babel/generator@7.25.0': + resolution: {integrity: sha512-3LEEcj3PVW8pW2R1SR1M89g/qrYk/m/mB/tLqn7dn4sbBUQyTqnlod+II2U4dqiGtUmkcnAmkMDralTFZttRiw==} + engines: {node: '>=6.9.0'} + + '@babel/helper-annotate-as-pure@7.24.7': + resolution: {integrity: sha512-BaDeOonYvhdKw+JoMVkAixAAJzG2jVPIwWoKBPdYuY9b452e2rPuI9QPYh3KpofZ3pW2akOmwZLOiOsHMiqRAg==} + engines: {node: '>=6.9.0'} + + '@babel/helper-builder-binary-assignment-operator-visitor@7.24.7': + resolution: {integrity: sha512-xZeCVVdwb4MsDBkkyZ64tReWYrLRHlMN72vP7Bdm3OUOuyFZExhsHUUnuWnm2/XOlAJzR0LfPpB56WXZn0X/lA==} + engines: {node: '>=6.9.0'} + + '@babel/helper-compilation-targets@7.25.2': + resolution: {integrity: sha512-U2U5LsSaZ7TAt3cfaymQ8WHh0pxvdHoEk6HVpaexxixjyEquMh0L0YNJNM6CTGKMXV1iksi0iZkGw4AcFkPaaw==} + engines: {node: '>=6.9.0'} + + '@babel/helper-create-class-features-plugin@7.25.0': + resolution: {integrity: sha512-GYM6BxeQsETc9mnct+nIIpf63SAyzvyYN7UB/IlTyd+MBg06afFGp0mIeUqGyWgS2mxad6vqbMrHVlaL3m70sQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/helper-create-regexp-features-plugin@7.25.2': + resolution: {integrity: sha512-+wqVGP+DFmqwFD3EH6TMTfUNeqDehV3E/dl+Sd54eaXqm17tEUNbEIn4sVivVowbvUpOtIGxdo3GoXyDH9N/9g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/helper-define-polyfill-provider@0.6.2': + resolution: {integrity: sha512-LV76g+C502biUK6AyZ3LK10vDpDyCzZnhZFXkH1L75zHPj68+qc8Zfpx2th+gzwA2MzyK+1g/3EPl62yFnVttQ==} + peerDependencies: + '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0 + + '@babel/helper-member-expression-to-functions@7.24.8': + resolution: {integrity: sha512-LABppdt+Lp/RlBxqrh4qgf1oEH/WxdzQNDJIu5gC/W1GyvPVrOBiItmmM8wan2fm4oYqFuFfkXmlGpLQhPY8CA==} + engines: {node: '>=6.9.0'} + + '@babel/helper-module-imports@7.24.7': + resolution: {integrity: sha512-8AyH3C+74cgCVVXow/myrynrAGv+nTVg5vKu2nZph9x7RcRwzmh0VFallJuFTZ9mx6u4eSdXZfcOzSqTUm0HCA==} + engines: {node: '>=6.9.0'} + + '@babel/helper-module-transforms@7.25.2': + resolution: {integrity: sha512-BjyRAbix6j/wv83ftcVJmBt72QtHI56C7JXZoG2xATiLpmoC7dpd8WnkikExHDVPpi/3qCmO6WY1EaXOluiecQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/helper-optimise-call-expression@7.24.7': + resolution: {integrity: sha512-jKiTsW2xmWwxT1ixIdfXUZp+P5yURx2suzLZr5Hi64rURpDYdMW0pv+Uf17EYk2Rd428Lx4tLsnjGJzYKDM/6A==} + engines: {node: '>=6.9.0'} + + '@babel/helper-plugin-utils@7.24.8': + resolution: {integrity: sha512-FFWx5142D8h2Mgr/iPVGH5G7w6jDn4jUSpZTyDnQO0Yn7Ks2Kuz6Pci8H6MPCoUJegd/UZQ3tAvfLCxQSnWWwg==} + engines: {node: '>=6.9.0'} + + '@babel/helper-remap-async-to-generator@7.25.0': + resolution: {integrity: sha512-NhavI2eWEIz/H9dbrG0TuOicDhNexze43i5z7lEqwYm0WEZVTwnPpA0EafUTP7+6/W79HWIP2cTe3Z5NiSTVpw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/helper-replace-supers@7.25.0': + resolution: {integrity: sha512-q688zIvQVYtZu+i2PsdIu/uWGRpfxzr5WESsfpShfZECkO+d2o+WROWezCi/Q6kJ0tfPa5+pUGUlfx2HhrA3Bg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/helper-simple-access@7.24.7': + resolution: {integrity: sha512-zBAIvbCMh5Ts+b86r/CjU+4XGYIs+R1j951gxI3KmmxBMhCg4oQMsv6ZXQ64XOm/cvzfU1FmoCyt6+owc5QMYg==} + engines: {node: '>=6.9.0'} + + '@babel/helper-skip-transparent-expression-wrappers@7.24.7': + resolution: {integrity: sha512-IO+DLT3LQUElMbpzlatRASEyQtfhSE0+m465v++3jyyXeBTBUjtVZg28/gHeV5mrTJqvEKhKroBGAvhW+qPHiQ==} + engines: {node: '>=6.9.0'} + + '@babel/helper-string-parser@7.24.8': + resolution: {integrity: sha512-pO9KhhRcuUyGnJWwyEgnRJTSIZHiT+vMD0kPeD+so0l7mxkMT19g3pjY9GTnHySck/hDzq+dtW/4VgnMkippsQ==} + engines: {node: '>=6.9.0'} + + '@babel/helper-validator-identifier@7.24.7': + resolution: {integrity: sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==} + engines: {node: '>=6.9.0'} + + '@babel/helper-validator-option@7.24.8': + resolution: {integrity: sha512-xb8t9tD1MHLungh/AIoWYN+gVHaB9kwlu8gffXGSt3FFEIT7RjS+xWbc2vUD1UTZdIpKj/ab3rdqJ7ufngyi2Q==} + engines: {node: '>=6.9.0'} + + '@babel/helper-wrap-function@7.25.0': + resolution: {integrity: sha512-s6Q1ebqutSiZnEjaofc/UKDyC4SbzV5n5SrA2Gq8UawLycr3i04f1dX4OzoQVnexm6aOCh37SQNYlJ/8Ku+PMQ==} + engines: {node: '>=6.9.0'} + + '@babel/helpers@7.25.0': + resolution: {integrity: sha512-MjgLZ42aCm0oGjJj8CtSM3DB8NOOf8h2l7DCTePJs29u+v7yO/RBX9nShlKMgFnRks/Q4tBAe7Hxnov9VkGwLw==} + engines: {node: '>=6.9.0'} + + '@babel/highlight@7.24.7': + resolution: {integrity: sha512-EStJpq4OuY8xYfhGVXngigBJRWxftKX9ksiGDnmlY3o7B/V7KIAc9X4oiK87uPJSc/vs5L869bem5fhZa8caZw==} + engines: {node: '>=6.9.0'} + + '@babel/parser@7.25.3': + resolution: {integrity: sha512-iLTJKDbJ4hMvFPgQwwsVoxtHyWpKKPBrxkANrSYewDPaPpT5py5yeVkgPIJ7XYXhndxJpaA3PyALSXQ7u8e/Dw==} + engines: {node: '>=6.0.0'} + hasBin: true + + '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.25.3': + resolution: {integrity: sha512-wUrcsxZg6rqBXG05HG1FPYgsP6EvwF4WpBbxIpWIIYnH8wG0gzx3yZY3dtEHas4sTAOGkbTsc9EGPxwff8lRoA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.25.0': + resolution: {integrity: sha512-Bm4bH2qsX880b/3ziJ8KD711LT7z4u8CFudmjqle65AZj/HNUFhEf90dqYv6O86buWvSBmeQDjv0Tn2aF/bIBA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.25.0': + resolution: {integrity: sha512-lXwdNZtTmeVOOFtwM/WDe7yg1PL8sYhRk/XH0FzbR2HDQ0xC+EnQ/JHeoMYSavtU115tnUk0q9CDyq8si+LMAA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.24.7': + resolution: {integrity: sha512-+izXIbke1T33mY4MSNnrqhPXDz01WYhEf3yF5NbnUtkiNnm+XBZJl3kNfoK6NKmYlz/D07+l2GWVK/QfDkNCuQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.13.0 + + '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.25.0': + resolution: {integrity: sha512-tggFrk1AIShG/RUQbEwt2Tr/E+ObkfwrPjR6BjbRvsx24+PSjK8zrq0GWPNCjo8qpRx4DuJzlcvWJqlm+0h3kw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2': + resolution: {integrity: sha512-SOSkfJDddaM7mak6cPEpswyTRnuRltl429hMraQEglW+OkovnCzsiszTmsrlY//qLFjCpQDFRvjdm2wA5pPm9w==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-async-generators@7.8.4': + resolution: {integrity: sha512-tycmZxkGfZaxhMRbXlPXuVFpdWlXpir2W4AMhSJgRKzk/eDlIXOhb2LHWoLpDF7TEHylV5zNhykX6KAgHJmTNw==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-class-properties@7.12.13': + resolution: {integrity: sha512-fm4idjKla0YahUNgFNLCB0qySdsoPiZP3iQE3rky0mBUtMZ23yDJ9SJdg6dXTSDnulOVqiF3Hgr9nbXvXTQZYA==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-class-static-block@7.14.5': + resolution: {integrity: sha512-b+YyPmr6ldyNnM6sqYeMWE+bgJcJpO6yS4QD7ymxgH34GBPNDM/THBh8iunyvKIZztiwLH4CJZ0RxTk9emgpjw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-dynamic-import@7.8.3': + resolution: {integrity: sha512-5gdGbFon+PszYzqs83S3E5mpi7/y/8M9eC90MRTZfduQOYW76ig6SOSPNe41IG5LoP3FGBn2N0RjVDSQiS94kQ==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-export-namespace-from@7.8.3': + resolution: {integrity: sha512-MXf5laXo6c1IbEbegDmzGPwGNTsHZmEy6QGznu5Sh2UCWvueywb2ee+CCE4zQiZstxU9BMoQO9i6zUFSY0Kj0Q==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-flow@7.24.7': + resolution: {integrity: sha512-9G8GYT/dxn/D1IIKOUBmGX0mnmj46mGH9NnZyJLwtCpgh5f7D2VbuKodb+2s9m1Yavh1s7ASQN8lf0eqrb1LTw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-import-assertions@7.24.7': + resolution: {integrity: sha512-Ec3NRUMoi8gskrkBe3fNmEQfxDvY8bgfQpz6jlk/41kX9eUjvpyqWU7PBP/pLAvMaSQjbMNKJmvX57jP+M6bPg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-import-attributes@7.24.7': + resolution: {integrity: sha512-hbX+lKKeUMGihnK8nvKqmXBInriT3GVjzXKFriV3YC6APGxMbP8RZNFwy91+hocLXq90Mta+HshoB31802bb8A==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-import-meta@7.10.4': + resolution: {integrity: sha512-Yqfm+XDx0+Prh3VSeEQCPU81yC+JWZ2pDPFSS4ZdpfZhp4MkFMaDC1UqseovEKwSUpnIL7+vK+Clp7bfh0iD7g==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-json-strings@7.8.3': + resolution: {integrity: sha512-lY6kdGpWHvjoe2vk4WrAapEuBR69EMxZl+RoGRhrFGNYVK8mOPAW8VfbT/ZgrFbXlDNiiaxQnAtgVCZ6jv30EA==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-jsx@7.24.7': + resolution: {integrity: sha512-6ddciUPe/mpMnOKv/U+RSd2vvVy+Yw/JfBB0ZHYjEZt9NLHmCUylNYlsbqCCS1Bffjlb0fCwC9Vqz+sBz6PsiQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-logical-assignment-operators@7.10.4': + resolution: {integrity: sha512-d8waShlpFDinQ5MtvGU9xDAOzKH47+FFoney2baFIoMr952hKOLp1HR7VszoZvOsV/4+RRszNY7D17ba0te0ig==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-nullish-coalescing-operator@7.8.3': + resolution: {integrity: sha512-aSff4zPII1u2QD7y+F8oDsz19ew4IGEJg9SVW+bqwpwtfFleiQDMdzA/R+UlWDzfnHFCxxleFT0PMIrR36XLNQ==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-numeric-separator@7.10.4': + resolution: {integrity: sha512-9H6YdfkcK/uOnY/K7/aA2xpzaAgkQn37yzWUMRK7OaPOqOpGS1+n0H5hxT9AUw9EsSjPW8SVyMJwYRtWs3X3ug==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-object-rest-spread@7.8.3': + resolution: {integrity: sha512-XoqMijGZb9y3y2XskN+P1wUGiVwWZ5JmoDRwx5+3GmEplNyVM2s2Dg8ILFQm8rWM48orGy5YpI5Bl8U1y7ydlA==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-optional-catch-binding@7.8.3': + resolution: {integrity: sha512-6VPD0Pc1lpTqw0aKoeRTMiB+kWhAoT24PA+ksWSBrFtl5SIRVpZlwN3NNPQjehA2E/91FV3RjLWoVTglWcSV3Q==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-optional-chaining@7.8.3': + resolution: {integrity: sha512-KoK9ErH1MBlCPxV0VANkXW2/dw4vlbGDrFgz8bmUsBGYkFRcbRwMh6cIJubdPrkxRwuGdtCk0v/wPTKbQgBjkg==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-private-property-in-object@7.14.5': + resolution: {integrity: sha512-0wVnp9dxJ72ZUJDV27ZfbSj6iHLoytYZmh3rFcxNnvsJF3ktkzLDZPy/mA17HGsaQT3/DQsWYX1f1QGWkCoVUg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-top-level-await@7.14.5': + resolution: {integrity: sha512-hx++upLv5U1rgYfwe1xBQUhRmU41NEvpUvrp8jkrSCdvGSnM5/qdRMtylJ6PG5OFkBaHkbTAKTnd3/YyESRHFw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-typescript@7.24.7': + resolution: {integrity: sha512-c/+fVeJBB0FeKsFvwytYiUD+LBvhHjGSI0g446PRGdSVGZLRNArBUno2PETbAly3tpiNAQR5XaZ+JslxkotsbA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-syntax-unicode-sets-regex@7.18.6': + resolution: {integrity: sha512-727YkEAPwSIQTv5im8QHz3upqp92JTWhidIC81Tdx4VJYIte/VndKf1qKrfnnhPLiPghStWfvC/iFaMCQu7Nqg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-transform-arrow-functions@7.24.7': + resolution: {integrity: sha512-Dt9LQs6iEY++gXUwY03DNFat5C2NbO48jj+j/bSAz6b3HgPs39qcPiYt77fDObIcFwj3/C2ICX9YMwGflUoSHQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-async-generator-functions@7.25.0': + resolution: {integrity: sha512-uaIi2FdqzjpAMvVqvB51S42oC2JEVgh0LDsGfZVDysWE8LrJtQC2jvKmOqEYThKyB7bDEb7BP1GYWDm7tABA0Q==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-async-to-generator@7.24.7': + resolution: {integrity: sha512-SQY01PcJfmQ+4Ash7NE+rpbLFbmqA2GPIgqzxfFTL4t1FKRq4zTms/7htKpoCUI9OcFYgzqfmCdH53s6/jn5fA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-block-scoped-functions@7.24.7': + resolution: {integrity: sha512-yO7RAz6EsVQDaBH18IDJcMB1HnrUn2FJ/Jslc/WtPPWcjhpUJXU/rjbwmluzp7v/ZzWcEhTMXELnnsz8djWDwQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-block-scoping@7.25.0': + resolution: {integrity: sha512-yBQjYoOjXlFv9nlXb3f1casSHOZkWr29NX+zChVanLg5Nc157CrbEX9D7hxxtTpuFy7Q0YzmmWfJxzvps4kXrQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-class-properties@7.24.7': + resolution: {integrity: sha512-vKbfawVYayKcSeSR5YYzzyXvsDFWU2mD8U5TFeXtbCPLFUqe7GyCgvO6XDHzje862ODrOwy6WCPmKeWHbCFJ4w==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-class-static-block@7.24.7': + resolution: {integrity: sha512-HMXK3WbBPpZQufbMG4B46A90PkuuhN9vBCb5T8+VAHqvAqvcLi+2cKoukcpmUYkszLhScU3l1iudhrks3DggRQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.12.0 + + '@babel/plugin-transform-classes@7.25.0': + resolution: {integrity: sha512-xyi6qjr/fYU304fiRwFbekzkqVJZ6A7hOjWZd+89FVcBqPV3S9Wuozz82xdpLspckeaafntbzglaW4pqpzvtSw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-computed-properties@7.24.7': + resolution: {integrity: sha512-25cS7v+707Gu6Ds2oY6tCkUwsJ9YIDbggd9+cu9jzzDgiNq7hR/8dkzxWfKWnTic26vsI3EsCXNd4iEB6e8esQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-destructuring@7.24.8': + resolution: {integrity: sha512-36e87mfY8TnRxc7yc6M9g9gOB7rKgSahqkIKwLpz4Ppk2+zC2Cy1is0uwtuSG6AE4zlTOUa+7JGz9jCJGLqQFQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-dotall-regex@7.24.7': + resolution: {integrity: sha512-ZOA3W+1RRTSWvyqcMJDLqbchh7U4NRGqwRfFSVbOLS/ePIP4vHB5e8T8eXcuqyN1QkgKyj5wuW0lcS85v4CrSw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-duplicate-keys@7.24.7': + resolution: {integrity: sha512-JdYfXyCRihAe46jUIliuL2/s0x0wObgwwiGxw/UbgJBr20gQBThrokO4nYKgWkD7uBaqM7+9x5TU7NkExZJyzw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.25.0': + resolution: {integrity: sha512-YLpb4LlYSc3sCUa35un84poXoraOiQucUTTu8X1j18JV+gNa8E0nyUf/CjZ171IRGr4jEguF+vzJU66QZhn29g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-transform-dynamic-import@7.24.7': + resolution: {integrity: sha512-sc3X26PhZQDb3JhORmakcbvkeInvxz+A8oda99lj7J60QRuPZvNAk9wQlTBS1ZynelDrDmTU4pw1tyc5d5ZMUg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-exponentiation-operator@7.24.7': + resolution: {integrity: sha512-Rqe/vSc9OYgDajNIK35u7ot+KeCoetqQYFXM4Epf7M7ez3lWlOjrDjrwMei6caCVhfdw+mIKD4cgdGNy5JQotQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-export-namespace-from@7.24.7': + resolution: {integrity: sha512-v0K9uNYsPL3oXZ/7F9NNIbAj2jv1whUEtyA6aujhekLs56R++JDQuzRcP2/z4WX5Vg/c5lE9uWZA0/iUoFhLTA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-flow-strip-types@7.25.2': + resolution: {integrity: sha512-InBZ0O8tew5V0K6cHcQ+wgxlrjOw1W4wDXLkOTjLRD8GYhTSkxTVBtdy3MMtvYBrbAWa1Qm3hNoTc1620Yj+Mg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-for-of@7.24.7': + resolution: {integrity: sha512-wo9ogrDG1ITTTBsy46oGiN1dS9A7MROBTcYsfS8DtsImMkHk9JXJ3EWQM6X2SUw4x80uGPlwj0o00Uoc6nEE3g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-function-name@7.25.1': + resolution: {integrity: sha512-TVVJVdW9RKMNgJJlLtHsKDTydjZAbwIsn6ySBPQaEAUU5+gVvlJt/9nRmqVbsV/IBanRjzWoaAQKLoamWVOUuA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-json-strings@7.24.7': + resolution: {integrity: sha512-2yFnBGDvRuxAaE/f0vfBKvtnvvqU8tGpMHqMNpTN2oWMKIR3NqFkjaAgGwawhqK/pIN2T3XdjGPdaG0vDhOBGw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-literals@7.25.2': + resolution: {integrity: sha512-HQI+HcTbm9ur3Z2DkO+jgESMAMcYLuN/A7NRw9juzxAezN9AvqvUTnpKP/9kkYANz6u7dFlAyOu44ejuGySlfw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-logical-assignment-operators@7.24.7': + resolution: {integrity: sha512-4D2tpwlQ1odXmTEIFWy9ELJcZHqrStlzK/dAOWYyxX3zT0iXQB6banjgeOJQXzEc4S0E0a5A+hahxPaEFYftsw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-member-expression-literals@7.24.7': + resolution: {integrity: sha512-T/hRC1uqrzXMKLQ6UCwMT85S3EvqaBXDGf0FaMf4446Qx9vKwlghvee0+uuZcDUCZU5RuNi4781UQ7R308zzBw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-modules-amd@7.24.7': + resolution: {integrity: sha512-9+pB1qxV3vs/8Hdmz/CulFB8w2tuu6EB94JZFsjdqxQokwGa9Unap7Bo2gGBGIvPmDIVvQrom7r5m/TCDMURhg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-modules-commonjs@7.24.8': + resolution: {integrity: sha512-WHsk9H8XxRs3JXKWFiqtQebdh9b/pTk4EgueygFzYlTKAg0Ud985mSevdNjdXdFBATSKVJGQXP1tv6aGbssLKA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-modules-systemjs@7.25.0': + resolution: {integrity: sha512-YPJfjQPDXxyQWg/0+jHKj1llnY5f/R6a0p/vP4lPymxLu7Lvl4k2WMitqi08yxwQcCVUUdG9LCUj4TNEgAp3Jw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-modules-umd@7.24.7': + resolution: {integrity: sha512-3aytQvqJ/h9z4g8AsKPLvD4Zqi2qT+L3j7XoFFu1XBlZWEl2/1kWnhmAbxpLgPrHSY0M6UA02jyTiwUVtiKR6A==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-named-capturing-groups-regex@7.24.7': + resolution: {integrity: sha512-/jr7h/EWeJtk1U/uz2jlsCioHkZk1JJZVcc8oQsJ1dUlaJD83f4/6Zeh2aHt9BIFokHIsSeDfhUmju0+1GPd6g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/plugin-transform-new-target@7.24.7': + resolution: {integrity: sha512-RNKwfRIXg4Ls/8mMTza5oPF5RkOW8Wy/WgMAp1/F1yZ8mMbtwXW+HDoJiOsagWrAhI5f57Vncrmr9XeT4CVapA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-nullish-coalescing-operator@7.24.7': + resolution: {integrity: sha512-Ts7xQVk1OEocqzm8rHMXHlxvsfZ0cEF2yomUqpKENHWMF4zKk175Y4q8H5knJes6PgYad50uuRmt3UJuhBw8pQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-numeric-separator@7.24.7': + resolution: {integrity: sha512-e6q1TiVUzvH9KRvicuxdBTUj4AdKSRwzIyFFnfnezpCfP2/7Qmbb8qbU2j7GODbl4JMkblitCQjKYUaX/qkkwA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-object-rest-spread@7.24.7': + resolution: {integrity: sha512-4QrHAr0aXQCEFni2q4DqKLD31n2DL+RxcwnNjDFkSG0eNQ/xCavnRkfCUjsyqGC2OviNJvZOF/mQqZBw7i2C5Q==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-object-super@7.24.7': + resolution: {integrity: sha512-A/vVLwN6lBrMFmMDmPPz0jnE6ZGx7Jq7d6sT/Ev4H65RER6pZ+kczlf1DthF5N0qaPHBsI7UXiE8Zy66nmAovg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-optional-catch-binding@7.24.7': + resolution: {integrity: sha512-uLEndKqP5BfBbC/5jTwPxLh9kqPWWgzN/f8w6UwAIirAEqiIVJWWY312X72Eub09g5KF9+Zn7+hT7sDxmhRuKA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-optional-chaining@7.24.8': + resolution: {integrity: sha512-5cTOLSMs9eypEy8JUVvIKOu6NgvbJMnpG62VpIHrTmROdQ+L5mDAaI40g25k5vXti55JWNX5jCkq3HZxXBQANw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-parameters@7.24.7': + resolution: {integrity: sha512-yGWW5Rr+sQOhK0Ot8hjDJuxU3XLRQGflvT4lhlSY0DFvdb3TwKaY26CJzHtYllU0vT9j58hc37ndFPsqT1SrzA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-private-methods@7.24.7': + resolution: {integrity: sha512-COTCOkG2hn4JKGEKBADkA8WNb35TGkkRbI5iT845dB+NyqgO8Hn+ajPbSnIQznneJTa3d30scb6iz/DhH8GsJQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-private-property-in-object@7.24.7': + resolution: {integrity: sha512-9z76mxwnwFxMyxZWEgdgECQglF2Q7cFLm0kMf8pGwt+GSJsY0cONKj/UuO4bOH0w/uAel3ekS4ra5CEAyJRmDA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-property-literals@7.24.7': + resolution: {integrity: sha512-EMi4MLQSHfd2nrCqQEWxFdha2gBCqU4ZcCng4WBGZ5CJL4bBRW0ptdqqDdeirGZcpALazVVNJqRmsO8/+oNCBA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-regenerator@7.24.7': + resolution: {integrity: sha512-lq3fvXPdimDrlg6LWBoqj+r/DEWgONuwjuOuQCSYgRroXDH/IdM1C0IZf59fL5cHLpjEH/O6opIRBbqv7ELnuA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-reserved-words@7.24.7': + resolution: {integrity: sha512-0DUq0pHcPKbjFZCfTss/pGkYMfy3vFWydkUBd9r0GHpIyfs2eCDENvqadMycRS9wZCXR41wucAfJHJmwA0UmoQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-shorthand-properties@7.24.7': + resolution: {integrity: sha512-KsDsevZMDsigzbA09+vacnLpmPH4aWjcZjXdyFKGzpplxhbeB4wYtury3vglQkg6KM/xEPKt73eCjPPf1PgXBA==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-spread@7.24.7': + resolution: {integrity: sha512-x96oO0I09dgMDxJaANcRyD4ellXFLLiWhuwDxKZX5g2rWP1bTPkBSwCYv96VDXVT1bD9aPj8tppr5ITIh8hBng==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-sticky-regex@7.24.7': + resolution: {integrity: sha512-kHPSIJc9v24zEml5geKg9Mjx5ULpfncj0wRpYtxbvKyTtHCYDkVE3aHQ03FrpEo4gEe2vrJJS1Y9CJTaThA52g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-template-literals@7.24.7': + resolution: {integrity: sha512-AfDTQmClklHCOLxtGoP7HkeMw56k1/bTQjwsfhL6pppo/M4TOBSq+jjBUBLmV/4oeFg4GWMavIl44ZeCtmmZTw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-typeof-symbol@7.24.8': + resolution: {integrity: sha512-adNTUpDCVnmAE58VEqKlAA6ZBlNkMnWD0ZcW76lyNFN3MJniyGFZfNwERVk8Ap56MCnXztmDr19T4mPTztcuaw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-typescript@7.25.2': + resolution: {integrity: sha512-lBwRvjSmqiMYe/pS0+1gggjJleUJi7NzjvQ1Fkqtt69hBa/0t1YuW/MLQMAPixfwaQOHUXsd6jeU3Z+vdGv3+A==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-unicode-escapes@7.24.7': + resolution: {integrity: sha512-U3ap1gm5+4edc2Q/P+9VrBNhGkfnf+8ZqppY71Bo/pzZmXhhLdqgaUl6cuB07O1+AQJtCLfaOmswiNbSQ9ivhw==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-unicode-property-regex@7.24.7': + resolution: {integrity: sha512-uH2O4OV5M9FZYQrwc7NdVmMxQJOCCzFeYudlZSzUAHRFeOujQefa92E74TQDVskNHCzOXoigEuoyzHDhaEaK5w==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-unicode-regex@7.24.7': + resolution: {integrity: sha512-hlQ96MBZSAXUq7ltkjtu3FJCCSMx/j629ns3hA3pXnBXjanNP0LHi+JpPeA81zaWgVK1VGH95Xuy7u0RyQ8kMg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/plugin-transform-unicode-sets-regex@7.24.7': + resolution: {integrity: sha512-2G8aAvF4wy1w/AGZkemprdGMRg5o6zPNhbHVImRz3lss55TYCBd6xStN19rt8XJHq20sqV0JbyWjOWwQRwV/wg==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0 + + '@babel/preset-env@7.25.3': + resolution: {integrity: sha512-QsYW7UeAaXvLPX9tdVliMJE7MD7M6MLYVTovRTIwhoYQVFHR1rM4wO8wqAezYi3/BpSD+NzVCZ69R6smWiIi8g==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/preset-flow@7.24.7': + resolution: {integrity: sha512-NL3Lo0NorCU607zU3NwRyJbpaB6E3t0xtd3LfAQKDfkeX4/ggcDXvkmkW42QWT5owUeW/jAe4hn+2qvkV1IbfQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/preset-modules@0.1.6-no-external-plugins': + resolution: {integrity: sha512-HrcgcIESLm9aIR842yhJ5RWan/gebQUJ6E/E5+rf0y9o6oj7w0Br+sWuL6kEQ/o/AdfvR1Je9jG18/gnpwjEyA==} + peerDependencies: + '@babel/core': ^7.0.0-0 || ^8.0.0-0 <8.0.0 + + '@babel/preset-typescript@7.24.7': + resolution: {integrity: sha512-SyXRe3OdWwIwalxDg5UtJnJQO+YPcTfwiIY2B0Xlddh9o7jpWLvv8X1RthIeDOxQ+O1ML5BLPCONToObyVQVuQ==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/register@7.24.6': + resolution: {integrity: sha512-WSuFCc2wCqMeXkz/i3yfAAsxwWflEgbVkZzivgAmXl/MxrXeoYFZOOPllbC8R8WTF7u61wSRQtDVZ1879cdu6w==} + engines: {node: '>=6.9.0'} + peerDependencies: + '@babel/core': ^7.0.0-0 + + '@babel/regjsgen@0.8.0': + resolution: {integrity: sha512-x/rqGMdzj+fWZvCOYForTghzbtqPDZ5gPwaoNGHdgDfF2QA/XZbCBp4Moo5scrkAMPhB7z26XM/AaHuIJdgauA==} + + '@babel/runtime@7.25.0': + resolution: {integrity: sha512-7dRy4DwXwtzBrPbZflqxnvfxLF8kdZXPkhymtDeFoFqE6ldzjQFgYTtYIFARcLEYDrqfBfYcZt1WqFxRoyC9Rw==} + engines: {node: '>=6.9.0'} + + '@babel/template@7.25.0': + resolution: {integrity: sha512-aOOgh1/5XzKvg1jvVz7AVrx2piJ2XBi227DHmbY6y+bM9H2FlN+IfecYu4Xl0cNiiVejlsCri89LUsbj8vJD9Q==} + engines: {node: '>=6.9.0'} + + '@babel/traverse@7.25.3': + resolution: {integrity: sha512-HefgyP1x754oGCsKmV5reSmtV7IXj/kpaE1XYY+D9G5PvKKoFfSbiS4M77MdjuwlZKDIKFCffq9rPU+H/s3ZdQ==} + engines: {node: '>=6.9.0'} + + '@babel/types@7.25.2': + resolution: {integrity: sha512-YTnYtra7W9e6/oAZEHj0bJehPRUlLH9/fbpT5LfB0NhQXyALCRkRs3zH9v07IYhkgpqX6Z78FnuccZr/l4Fs4Q==} + engines: {node: '>=6.9.0'} + + '@bcoe/v8-coverage@0.2.3': + resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==} + + '@esbuild/aix-ppc64@0.21.5': + resolution: {integrity: sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==} + engines: {node: '>=12'} + cpu: [ppc64] + os: [aix] + + '@esbuild/aix-ppc64@0.23.0': + resolution: {integrity: sha512-3sG8Zwa5fMcA9bgqB8AfWPQ+HFke6uD3h1s3RIwUNK8EG7a4buxvuFTs3j1IMs2NXAk9F30C/FF4vxRgQCcmoQ==} + engines: {node: '>=18'} + cpu: [ppc64] + os: [aix] + + '@esbuild/android-arm64@0.21.5': + resolution: {integrity: sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==} + engines: {node: '>=12'} + cpu: [arm64] + os: [android] + + '@esbuild/android-arm64@0.23.0': + resolution: {integrity: sha512-EuHFUYkAVfU4qBdyivULuu03FhJO4IJN9PGuABGrFy4vUuzk91P2d+npxHcFdpUnfYKy0PuV+n6bKIpHOB3prQ==} + engines: {node: '>=18'} + cpu: [arm64] + os: [android] + + '@esbuild/android-arm@0.21.5': + resolution: {integrity: sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==} + engines: {node: '>=12'} + cpu: [arm] + os: [android] + + '@esbuild/android-arm@0.23.0': + resolution: {integrity: sha512-+KuOHTKKyIKgEEqKbGTK8W7mPp+hKinbMBeEnNzjJGyFcWsfrXjSTNluJHCY1RqhxFurdD8uNXQDei7qDlR6+g==} + engines: {node: '>=18'} + cpu: [arm] + os: [android] + + '@esbuild/android-x64@0.21.5': + resolution: {integrity: sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==} + engines: {node: '>=12'} + cpu: [x64] + os: [android] + + '@esbuild/android-x64@0.23.0': + resolution: {integrity: sha512-WRrmKidLoKDl56LsbBMhzTTBxrsVwTKdNbKDalbEZr0tcsBgCLbEtoNthOW6PX942YiYq8HzEnb4yWQMLQuipQ==} + engines: {node: '>=18'} + cpu: [x64] + os: [android] + + '@esbuild/darwin-arm64@0.21.5': + resolution: {integrity: sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==} + engines: {node: '>=12'} + cpu: [arm64] + os: [darwin] + + '@esbuild/darwin-arm64@0.23.0': + resolution: {integrity: sha512-YLntie/IdS31H54Ogdn+v50NuoWF5BDkEUFpiOChVa9UnKpftgwzZRrI4J132ETIi+D8n6xh9IviFV3eXdxfow==} + engines: {node: '>=18'} + cpu: [arm64] + os: [darwin] + + '@esbuild/darwin-x64@0.21.5': + resolution: {integrity: sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==} + engines: {node: '>=12'} + cpu: [x64] + os: [darwin] + + '@esbuild/darwin-x64@0.23.0': + resolution: {integrity: sha512-IMQ6eme4AfznElesHUPDZ+teuGwoRmVuuixu7sv92ZkdQcPbsNHzutd+rAfaBKo8YK3IrBEi9SLLKWJdEvJniQ==} + engines: {node: '>=18'} + cpu: [x64] + os: [darwin] + + '@esbuild/freebsd-arm64@0.21.5': + resolution: {integrity: sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==} + engines: {node: '>=12'} + cpu: [arm64] + os: [freebsd] + + '@esbuild/freebsd-arm64@0.23.0': + resolution: {integrity: sha512-0muYWCng5vqaxobq6LB3YNtevDFSAZGlgtLoAc81PjUfiFz36n4KMpwhtAd4he8ToSI3TGyuhyx5xmiWNYZFyw==} + engines: {node: '>=18'} + cpu: [arm64] + os: [freebsd] + + '@esbuild/freebsd-x64@0.21.5': + resolution: {integrity: sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==} + engines: {node: '>=12'} + cpu: [x64] + os: [freebsd] + + '@esbuild/freebsd-x64@0.23.0': + resolution: {integrity: sha512-XKDVu8IsD0/q3foBzsXGt/KjD/yTKBCIwOHE1XwiXmrRwrX6Hbnd5Eqn/WvDekddK21tfszBSrE/WMaZh+1buQ==} + engines: {node: '>=18'} + cpu: [x64] + os: [freebsd] + + '@esbuild/linux-arm64@0.21.5': + resolution: {integrity: sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==} + engines: {node: '>=12'} + cpu: [arm64] + os: [linux] + + '@esbuild/linux-arm64@0.23.0': + resolution: {integrity: sha512-j1t5iG8jE7BhonbsEg5d9qOYcVZv/Rv6tghaXM/Ug9xahM0nX/H2gfu6X6z11QRTMT6+aywOMA8TDkhPo8aCGw==} + engines: {node: '>=18'} + cpu: [arm64] + os: [linux] + + '@esbuild/linux-arm@0.21.5': + resolution: {integrity: sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==} + engines: {node: '>=12'} + cpu: [arm] + os: [linux] + + '@esbuild/linux-arm@0.23.0': + resolution: {integrity: sha512-SEELSTEtOFu5LPykzA395Mc+54RMg1EUgXP+iw2SJ72+ooMwVsgfuwXo5Fn0wXNgWZsTVHwY2cg4Vi/bOD88qw==} + engines: {node: '>=18'} + cpu: [arm] + os: [linux] + + '@esbuild/linux-ia32@0.21.5': + resolution: {integrity: sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==} + engines: {node: '>=12'} + cpu: [ia32] + os: [linux] + + '@esbuild/linux-ia32@0.23.0': + resolution: {integrity: sha512-P7O5Tkh2NbgIm2R6x1zGJJsnacDzTFcRWZyTTMgFdVit6E98LTxO+v8LCCLWRvPrjdzXHx9FEOA8oAZPyApWUA==} + engines: {node: '>=18'} + cpu: [ia32] + os: [linux] + + '@esbuild/linux-loong64@0.21.5': + resolution: {integrity: sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==} + engines: {node: '>=12'} + cpu: [loong64] + os: [linux] + + '@esbuild/linux-loong64@0.23.0': + resolution: {integrity: sha512-InQwepswq6urikQiIC/kkx412fqUZudBO4SYKu0N+tGhXRWUqAx+Q+341tFV6QdBifpjYgUndV1hhMq3WeJi7A==} + engines: {node: '>=18'} + cpu: [loong64] + os: [linux] + + '@esbuild/linux-mips64el@0.21.5': + resolution: {integrity: sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==} + engines: {node: '>=12'} + cpu: [mips64el] + os: [linux] + + '@esbuild/linux-mips64el@0.23.0': + resolution: {integrity: sha512-J9rflLtqdYrxHv2FqXE2i1ELgNjT+JFURt/uDMoPQLcjWQA5wDKgQA4t/dTqGa88ZVECKaD0TctwsUfHbVoi4w==} + engines: {node: '>=18'} + cpu: [mips64el] + os: [linux] + + '@esbuild/linux-ppc64@0.21.5': + resolution: {integrity: sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==} + engines: {node: '>=12'} + cpu: [ppc64] + os: [linux] + + '@esbuild/linux-ppc64@0.23.0': + resolution: {integrity: sha512-cShCXtEOVc5GxU0fM+dsFD10qZ5UpcQ8AM22bYj0u/yaAykWnqXJDpd77ublcX6vdDsWLuweeuSNZk4yUxZwtw==} + engines: {node: '>=18'} + cpu: [ppc64] + os: [linux] + + '@esbuild/linux-riscv64@0.21.5': + resolution: {integrity: sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==} + engines: {node: '>=12'} + cpu: [riscv64] + os: [linux] + + '@esbuild/linux-riscv64@0.23.0': + resolution: {integrity: sha512-HEtaN7Y5UB4tZPeQmgz/UhzoEyYftbMXrBCUjINGjh3uil+rB/QzzpMshz3cNUxqXN7Vr93zzVtpIDL99t9aRw==} + engines: {node: '>=18'} + cpu: [riscv64] + os: [linux] + + '@esbuild/linux-s390x@0.21.5': + resolution: {integrity: sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==} + engines: {node: '>=12'} + cpu: [s390x] + os: [linux] + + '@esbuild/linux-s390x@0.23.0': + resolution: {integrity: sha512-WDi3+NVAuyjg/Wxi+o5KPqRbZY0QhI9TjrEEm+8dmpY9Xir8+HE/HNx2JoLckhKbFopW0RdO2D72w8trZOV+Wg==} + engines: {node: '>=18'} + cpu: [s390x] + os: [linux] + + '@esbuild/linux-x64@0.21.5': + resolution: {integrity: sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==} + engines: {node: '>=12'} + cpu: [x64] + os: [linux] + + '@esbuild/linux-x64@0.23.0': + resolution: {integrity: sha512-a3pMQhUEJkITgAw6e0bWA+F+vFtCciMjW/LPtoj99MhVt+Mfb6bbL9hu2wmTZgNd994qTAEw+U/r6k3qHWWaOQ==} + engines: {node: '>=18'} + cpu: [x64] + os: [linux] + + '@esbuild/netbsd-x64@0.21.5': + resolution: {integrity: sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==} + engines: {node: '>=12'} + cpu: [x64] + os: [netbsd] + + '@esbuild/netbsd-x64@0.23.0': + resolution: {integrity: sha512-cRK+YDem7lFTs2Q5nEv/HHc4LnrfBCbH5+JHu6wm2eP+d8OZNoSMYgPZJq78vqQ9g+9+nMuIsAO7skzphRXHyw==} + engines: {node: '>=18'} + cpu: [x64] + os: [netbsd] + + '@esbuild/openbsd-arm64@0.23.0': + resolution: {integrity: sha512-suXjq53gERueVWu0OKxzWqk7NxiUWSUlrxoZK7usiF50C6ipColGR5qie2496iKGYNLhDZkPxBI3erbnYkU0rQ==} + engines: {node: '>=18'} + cpu: [arm64] + os: [openbsd] + + '@esbuild/openbsd-x64@0.21.5': + resolution: {integrity: sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==} + engines: {node: '>=12'} + cpu: [x64] + os: [openbsd] + + '@esbuild/openbsd-x64@0.23.0': + resolution: {integrity: sha512-6p3nHpby0DM/v15IFKMjAaayFhqnXV52aEmv1whZHX56pdkK+MEaLoQWj+H42ssFarP1PcomVhbsR4pkz09qBg==} + engines: {node: '>=18'} + cpu: [x64] + os: [openbsd] + + '@esbuild/sunos-x64@0.21.5': + resolution: {integrity: sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==} + engines: {node: '>=12'} + cpu: [x64] + os: [sunos] + + '@esbuild/sunos-x64@0.23.0': + resolution: {integrity: sha512-BFelBGfrBwk6LVrmFzCq1u1dZbG4zy/Kp93w2+y83Q5UGYF1d8sCzeLI9NXjKyujjBBniQa8R8PzLFAUrSM9OA==} + engines: {node: '>=18'} + cpu: [x64] + os: [sunos] + + '@esbuild/win32-arm64@0.21.5': + resolution: {integrity: sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==} + engines: {node: '>=12'} + cpu: [arm64] + os: [win32] + + '@esbuild/win32-arm64@0.23.0': + resolution: {integrity: sha512-lY6AC8p4Cnb7xYHuIxQ6iYPe6MfO2CC43XXKo9nBXDb35krYt7KGhQnOkRGar5psxYkircpCqfbNDB4uJbS2jQ==} + engines: {node: '>=18'} + cpu: [arm64] + os: [win32] + + '@esbuild/win32-ia32@0.21.5': + resolution: {integrity: sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==} + engines: {node: '>=12'} + cpu: [ia32] + os: [win32] + + '@esbuild/win32-ia32@0.23.0': + resolution: {integrity: sha512-7L1bHlOTcO4ByvI7OXVI5pNN6HSu6pUQq9yodga8izeuB1KcT2UkHaH6118QJwopExPn0rMHIseCTx1CRo/uNA==} + engines: {node: '>=18'} + cpu: [ia32] + os: [win32] + + '@esbuild/win32-x64@0.21.5': + resolution: {integrity: sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==} + engines: {node: '>=12'} + cpu: [x64] + os: [win32] + + '@esbuild/win32-x64@0.23.0': + resolution: {integrity: sha512-Arm+WgUFLUATuoxCJcahGuk6Yj9Pzxd6l11Zb/2aAuv5kWWvvfhLFo2fni4uSK5vzlUdCGZ/BdV5tH8klj8p8g==} + engines: {node: '>=18'} + cpu: [x64] + os: [win32] + + '@eslint-community/eslint-utils@4.4.0': + resolution: {integrity: sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + peerDependencies: + eslint: ^6.0.0 || ^7.0.0 || >=8.0.0 + + '@eslint-community/regexpp@4.11.0': + resolution: {integrity: sha512-G/M/tIiMrTAxEWRfLfQJMmGNX28IxBg4PBz8XqQhqUHLFI6TL2htpIB1iQCj144V5ee/JaKyT9/WZ0MGZWfA7A==} + engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0} + + '@eslint/eslintrc@1.4.1': + resolution: {integrity: sha512-XXrH9Uarn0stsyldqDYq8r++mROmWRI1xKMXa640Bb//SY1+ECYX6VzT6Lcx5frD0V30XieqJ0oX9I2Xj5aoMA==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@eslint/eslintrc@2.1.4': + resolution: {integrity: sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@eslint/js@8.57.0': + resolution: {integrity: sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@exodus/schemasafe@1.3.0': + resolution: {integrity: sha512-5Aap/GaRupgNx/feGBwLLTVv8OQFfv3pq2lPRzPg9R+IOBnDgghTGW7l7EuVXOvg5cc/xSAlRW8rBrjIC3Nvqw==} + + '@floating-ui/core@1.6.7': + resolution: {integrity: sha512-yDzVT/Lm101nQ5TCVeK65LtdN7Tj4Qpr9RTXJ2vPFLqtLxwOrpoxAHAJI8J3yYWUc40J0BDBheaitK5SJmno2g==} + + '@floating-ui/dom@1.6.10': + resolution: {integrity: sha512-fskgCFv8J8OamCmyun8MfjB1Olfn+uZKjOKZ0vhYF3gRmEUXcGOjxWL8bBr7i4kIuPZ2KD2S3EUIOxnjC8kl2A==} + + '@floating-ui/utils@0.2.7': + resolution: {integrity: sha512-X8R8Oj771YRl/w+c1HqAC1szL8zWQRwFvgDwT129k9ACdBoud/+/rX9V0qiMl6LWUdP9voC2nDVZYPMQQsb6eA==} + + '@formatjs/ecma402-abstract@2.0.0': + resolution: {integrity: sha512-rRqXOqdFmk7RYvj4khklyqzcfQl9vEL/usogncBHRZfZBDOwMGuSRNFl02fu5KGHXdbinju+YXyuR+Nk8xlr/g==} + + '@formatjs/intl-localematcher@0.5.4': + resolution: {integrity: sha512-zTwEpWOzZ2CiKcB93BLngUX59hQkuZjT2+SAQEscSm52peDW/getsawMcWF1rGRpMCX6D7nSJA3CzJ8gn13N/g==} + + '@formatjs/intl-segmenter@11.5.7': + resolution: {integrity: sha512-MPvUKOURPY1aHc/d3YtLKp4hamrJtdBRc/AZVt9zRitrNeRszSwpIIYDHka9chQJTRIJlIfS4S9FGMdA1PE3Xw==} + + '@fortawesome/fontawesome-free@6.6.0': + resolution: {integrity: sha512-60G28ke/sXdtS9KZCpZSHHkCbdsOGEhIUGlwq6yhY74UpTiToIh8np7A8yphhM4BWsvNFtIvLpi4co+h9Mr9Ow==} + engines: {node: '>=6'} + + '@gcornut/valibot-json-schema@0.31.0': + resolution: {integrity: sha512-3xGptCurm23e7nuPQkdrE5rEs1FeTPHhAUsBuwwqG4/YeZLwJOoYZv+fmsppUEfo5y9lzUwNQrNqLS/q7HMc7g==} + hasBin: true + + '@hapi/hoek@9.3.0': + resolution: {integrity: sha512-/c6rf4UJlmHlC9b5BaNvzAcFv7HZ2QHaV0D4/HNlBdvFnvQq8RI4kYdhyPCl7Xj+oWvTWQ8ujhqS53LIgAe6KQ==} + + '@hapi/topo@5.1.0': + resolution: {integrity: sha512-foQZKJig7Ob0BMAYBfcJk8d77QtOe7Wo4ox7ff1lQYoNNAb6jwcY1ncdoy2e9wQZzvNy7ODZCYJkK8kzmcAnAg==} + + '@humanwhocodes/config-array@0.11.14': + resolution: {integrity: sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==} + engines: {node: '>=10.10.0'} + deprecated: Use @eslint/config-array instead + + '@humanwhocodes/config-array@0.9.5': + resolution: {integrity: sha512-ObyMyWxZiCu/yTisA7uzx81s40xR2fD5Cg/2Kq7G02ajkNubJf6BopgDTmDyc3U7sXpNKM8cYOw7s7Tyr+DnCw==} + engines: {node: '>=10.10.0'} + deprecated: Use @eslint/config-array instead + + '@humanwhocodes/module-importer@1.0.1': + resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==} + engines: {node: '>=12.22'} + + '@humanwhocodes/object-schema@1.2.1': + resolution: {integrity: sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==} + deprecated: Use @eslint/object-schema instead + + '@humanwhocodes/object-schema@2.0.3': + resolution: {integrity: sha512-93zYdMES/c1D69yZiKDBj0V24vqNzB/koF26KPaagAfd3P/4gUlh3Dys5ogAK+Exi9QyzlD8x/08Zt7wIKcDcA==} + deprecated: Use @eslint/object-schema instead + + '@inlang/detect-json-formatting@1.0.0': + resolution: {integrity: sha512-o0jeI8U4TgNlsPwI0y92jld8/18Loh2KEgHCYCJ42rCOdxFrA8R60cydlEd2/6jkdHFn5DxKj8rOyiKv3z9uOw==} + + '@inlang/json-types@1.1.0': + resolution: {integrity: sha512-n6vS6AqETsCFbV4TdBvR/EH57waVXzKsMqeUQ+eH2Q6NUATfKhfLabgNms2A+QV3aedH/hLtb1pRmjl2ykBVZg==} + peerDependencies: + '@sinclair/typebox': ^0.31.0 + + '@inlang/language-tag@1.5.1': + resolution: {integrity: sha512-+NlYDxDvN5h/TKUmkuQv+Ct1flxaVRousCbek7oFEk3/afZPVLNTJhm+cX2xiOg3tmi2KKrBLfy/V9oUDHj6GQ==} + + '@inlang/message-lint-rule@1.4.5': + resolution: {integrity: sha512-pyLSUhcoOYaFlYrk8d/OSpev/IaxAv/LBhKIa/ZEaycwFOBtuxDnFXEwQf9cWuPMeiPVsU83X8rgEEfOzWwupw==} + peerDependencies: + '@sinclair/typebox': ^0.31.17 + + '@inlang/message@2.1.0': + resolution: {integrity: sha512-Gr3wiErI7fW4iW11xgZzsJEUTjlZuz02fB/EO+ENTBlSHGyI1kzbCCeNqLr1mnGdQYiOxfuZxY0S4G5C6Pju3Q==} + peerDependencies: + '@sinclair/typebox': ^0.31.17 + + '@inlang/module@1.2.9': + resolution: {integrity: sha512-+nGyReKCcqtzhkryEguN8ftL2gvr8vukGBKWzGx0hq3ul0i3JNVwlzFohU+TKpRyUE36DzffngVQX3khH0Gu8g==} + peerDependencies: + '@sinclair/typebox': ^0.31.17 + + '@inlang/paraglide-js-adapter-unplugin@1.4.29': + resolution: {integrity: sha512-CDhQ69M9Ej8wfY/8P2rdNzwq6ux69A4nlFJqPcWffEX21xMaWGlt8JNspjMjc158KpAYyBGB8bFgTZ5K6o1fwg==} + deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. + + '@inlang/paraglide-js-adapter-vite@1.2.40': + resolution: {integrity: sha512-2+mAYI4hDMTr7AAei5CNzjqpjzOvsnlGrVvHrohtYs+Jn+tayokDaO7iL5o9k9SYrlXBZ7tUshAw88UQ1+f82Q==} + deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. + + '@inlang/paraglide-js@1.11.1': + resolution: {integrity: sha512-WSAsGiSQ1lRWMB4sj/gIykrlRvyXWNde+Lv+/4DYxIc5122FBnWl3X2dGJeBCUHOFKmQbgJL1XKrjVDfWyRrXg==} + hasBin: true + + '@inlang/paraglide-js@1.7.0': + resolution: {integrity: sha512-FkyOqMAPd8iks66xZpIqzepzlnMPT/t7sHmZkwN9QzjFu6RUjdSbHSP6dZPdmD1puobhtDQcbbub6NA/OmpuzA==} + hasBin: true + + '@inlang/plugin@2.4.9': + resolution: {integrity: sha512-zWYUUlHsHvjAnwz7ep2eIBE+3PNQ6QKDSuF4HezJaBnJGC2fkijuPhuNqPfn+1tH8rxHQbfuNeWqwfco0dsf+A==} + peerDependencies: + '@sinclair/typebox': ^0.31.17 + + '@inlang/project-settings@2.4.0': + resolution: {integrity: sha512-hzrO07YiZM6rf6HwgdYofQa+rfcy13MV2u0pEPyfthnz/wB3Il4JOUKw0fIhQMj5Hz8097LWVi1mniJ6xWGyqA==} + peerDependencies: + '@sinclair/typebox': ^0.31.17 + + '@inlang/result@1.1.0': + resolution: {integrity: sha512-zLGroi9EUiHuOjUOaglUVTFO7EWdo2OARMJLBO1Q5Ga/xJmSQb6XS1lhqEXBFAjgFarfEMX5YEJWWALogYV3wA==} + + '@inlang/sdk@0.33.0': + resolution: {integrity: sha512-bwSGay4kg9RmqxqBVQuSxCl8ZFqOKDvvvxpb7oAQoMVbDL+dX0J5pc8Yh7AMzY9TYWXwt7yT2umeZtHz9UvfZw==} + engines: {node: '>=18.0.0'} + + '@inlang/translatable@1.3.1': + resolution: {integrity: sha512-VAtle21vRpIrB+axtHFrFB0d1HtDaaNj+lV77eZQTJyOWbTFYTVIQJ8WAbyw9eu4F6h6QC2FutLyxjMomxfpcQ==} + + '@isaacs/cliui@8.0.2': + resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} + engines: {node: '>=12'} + + '@isaacs/ttlcache@1.4.1': + resolution: {integrity: sha512-RQgQ4uQ+pLbqXfOmieB91ejmLwvSgv9nLx6sT6sD83s7umBypgg+OIBOBbEUiJXrfpnp9j0mRhYYdzp9uqq3lA==} + engines: {node: '>=12'} + + '@istanbuljs/schema@0.1.3': + resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==} + engines: {node: '>=8'} + + '@jest/schemas@29.6.3': + resolution: {integrity: sha512-mo5j5X+jIZmJQveBKeS/clAueipV7KgiX1vMgCxam1RNYiqE1w62n0/tJJnHtjW8ZHcQco5gY85jA3mi0L+nSA==} + engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} + + '@jridgewell/gen-mapping@0.3.5': + resolution: {integrity: sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==} + engines: {node: '>=6.0.0'} + + '@jridgewell/resolve-uri@3.1.2': + resolution: {integrity: sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==} + engines: {node: '>=6.0.0'} + + '@jridgewell/set-array@1.2.1': + resolution: {integrity: sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==} + engines: {node: '>=6.0.0'} + + '@jridgewell/sourcemap-codec@1.5.0': + resolution: {integrity: sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==} + + '@jridgewell/trace-mapping@0.3.25': + resolution: {integrity: sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==} + + '@lix-js/client@1.2.1': + resolution: {integrity: sha512-9EjzAWX2GAUk1LPdG8JZoAjQUYVSENQ7GesDMdvvkbE86cwpOfIf79aRcVCDF0zuBk5ferikGLSv5IJD/+i6Ig==} + + '@lix-js/fs@1.0.0': + resolution: {integrity: sha512-B3gnR0B7mOiYePnxh+XNU1OpVvvRYcLJ3MrdqkFVKiXz1fbKKCEMA53Vwhu3ehAMFFDB1Mo9+GVjiY2ssbA/ZQ==} + + '@mdx-js/react@3.0.1': + resolution: {integrity: sha512-9ZrPIU4MGf6et1m1ov3zKf+q9+deetI51zprKB1D/z3NOb+rUxxtEl3mCjW5wTGh6VhRdwPueh1oRzi6ezkA8A==} + peerDependencies: + '@types/react': '>=16' + react: '>=16' + + '@nodelib/fs.scandir@2.1.5': + resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==} + engines: {node: '>= 8'} + + '@nodelib/fs.stat@2.0.5': + resolution: {integrity: sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==} + engines: {node: '>= 8'} + + '@nodelib/fs.walk@1.2.8': + resolution: {integrity: sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==} + engines: {node: '>= 8'} + + '@octokit/app@14.1.0': + resolution: {integrity: sha512-g3uEsGOQCBl1+W1rgfwoRFUIR6PtvB2T1E4RpygeUU5LrLvlOqcxrt5lfykIeRpUPpupreGJUYl70fqMDXdTpw==} + engines: {node: '>= 18'} + + '@octokit/auth-app@6.1.1': + resolution: {integrity: sha512-VrTtzRpyuT5nYGUWeGWQqH//hqEZDV+/yb6+w5wmWpmmUA1Tx950XsAc2mBBfvusfcdF2E7w8jZ1r1WwvfZ9pA==} + engines: {node: '>= 18'} + + '@octokit/auth-oauth-app@7.1.0': + resolution: {integrity: sha512-w+SyJN/b0l/HEb4EOPRudo7uUOSW51jcK1jwLa+4r7PA8FPFpoxEnHBHMITqCsc/3Vo2qqFjgQfz/xUUvsSQnA==} + engines: {node: '>= 18'} + + '@octokit/auth-oauth-device@6.1.0': + resolution: {integrity: sha512-FNQ7cb8kASufd6Ej4gnJ3f1QB5vJitkoV1O0/g6e6lUsQ7+VsSNRHRmFScN2tV4IgKA12frrr/cegUs0t+0/Lw==} + engines: {node: '>= 18'} + + '@octokit/auth-oauth-user@4.1.0': + resolution: {integrity: sha512-FrEp8mtFuS/BrJyjpur+4GARteUCrPeR/tZJzD8YourzoVhRics7u7we/aDcKv+yywRNwNi/P4fRi631rG/OyQ==} + engines: {node: '>= 18'} + + '@octokit/auth-token@4.0.0': + resolution: {integrity: sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==} + engines: {node: '>= 18'} + + '@octokit/auth-unauthenticated@5.0.1': + resolution: {integrity: sha512-oxeWzmBFxWd+XolxKTc4zr+h3mt+yofn4r7OfoIkR/Cj/o70eEGmPsFbueyJE2iBAGpjgTnEOKM3pnuEGVmiqg==} + engines: {node: '>= 18'} + + '@octokit/core@5.2.0': + resolution: {integrity: sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==} + engines: {node: '>= 18'} + + '@octokit/endpoint@9.0.5': + resolution: {integrity: sha512-ekqR4/+PCLkEBF6qgj8WqJfvDq65RH85OAgrtnVp1mSxaXF03u2xW/hUdweGS5654IlC0wkNYC18Z50tSYTAFw==} + engines: {node: '>= 18'} + + '@octokit/graphql@7.1.0': + resolution: {integrity: sha512-r+oZUH7aMFui1ypZnAvZmn0KSqAUgE1/tUXIWaqUCa1758ts/Jio84GZuzsvUkme98kv0WFY8//n0J1Z+vsIsQ==} + engines: {node: '>= 18'} + + '@octokit/oauth-app@6.1.0': + resolution: {integrity: sha512-nIn/8eUJ/BKUVzxUXd5vpzl1rwaVxMyYbQkNZjHrF7Vk/yu98/YDF/N2KeWO7uZ0g3b5EyiFXFkZI8rJ+DH1/g==} + engines: {node: '>= 18'} + + '@octokit/oauth-authorization-url@6.0.2': + resolution: {integrity: sha512-CdoJukjXXxqLNK4y/VOiVzQVjibqoj/xHgInekviUJV73y/BSIcwvJ/4aNHPBPKcPWFnd4/lO9uqRV65jXhcLA==} + engines: {node: '>= 18'} + + '@octokit/oauth-methods@4.1.0': + resolution: {integrity: sha512-4tuKnCRecJ6CG6gr0XcEXdZtkTDbfbnD5oaHBmLERTjTMZNi2CbfEHZxPU41xXLDG4DfKf+sonu00zvKI9NSbw==} + engines: {node: '>= 18'} + + '@octokit/openapi-types@19.1.0': + resolution: {integrity: sha512-6G+ywGClliGQwRsjvqVYpklIfa7oRPA0vyhPQG/1Feh+B+wU0vGH1JiJ5T25d3g1JZYBHzR2qefLi9x8Gt+cpw==} + + '@octokit/openapi-types@20.0.0': + resolution: {integrity: sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA==} + + '@octokit/openapi-types@22.2.0': + resolution: {integrity: sha512-QBhVjcUa9W7Wwhm6DBFu6ZZ+1/t/oYxqc2tp81Pi41YNuJinbFRx8B133qVOrAaBbF7D/m0Et6f9/pZt9Rc+tg==} + + '@octokit/plugin-paginate-graphql@4.0.1': + resolution: {integrity: sha512-R8ZQNmrIKKpHWC6V2gum4x9LG2qF1RxRjo27gjQcG3j+vf2tLsEfE7I/wRWEPzYMaenr1M+qDAtNcwZve1ce1A==} + engines: {node: '>= 18'} + peerDependencies: + '@octokit/core': '>=5' + + '@octokit/plugin-paginate-rest@9.2.1': + resolution: {integrity: sha512-wfGhE/TAkXZRLjksFXuDZdmGnJQHvtU/joFQdweXUgzo1XwvBCD4o4+75NtFfjfLK5IwLf9vHTfSiU3sLRYpRw==} + engines: {node: '>= 18'} + peerDependencies: + '@octokit/core': '5' + + '@octokit/plugin-rest-endpoint-methods@10.4.1': + resolution: {integrity: sha512-xV1b+ceKV9KytQe3zCVqjg+8GTGfDYwaT1ATU5isiUyVtlVAO3HNdzpS4sr4GBx4hxQ46s7ITtZrAsxG22+rVg==} + engines: {node: '>= 18'} + peerDependencies: + '@octokit/core': '5' + + '@octokit/plugin-retry@6.0.1': + resolution: {integrity: sha512-SKs+Tz9oj0g4p28qkZwl/topGcb0k0qPNX/i7vBKmDsjoeqnVfFUquqrE/O9oJY7+oLzdCtkiWSXLpLjvl6uog==} + engines: {node: '>= 18'} + peerDependencies: + '@octokit/core': '>=5' + + '@octokit/plugin-throttling@8.2.0': + resolution: {integrity: sha512-nOpWtLayKFpgqmgD0y3GqXafMFuKcA4tRPZIfu7BArd2lEZeb1988nhWhwx4aZWmjDmUfdgVf7W+Tt4AmvRmMQ==} + engines: {node: '>= 18'} + peerDependencies: + '@octokit/core': ^5.0.0 + + '@octokit/request-error@5.1.0': + resolution: {integrity: sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==} + engines: {node: '>= 18'} + + '@octokit/request@8.4.0': + resolution: {integrity: sha512-9Bb014e+m2TgBeEJGEbdplMVWwPmL1FPtggHQRkV+WVsMggPtEkLKPlcVYm/o8xKLkpJ7B+6N8WfQMtDLX2Dpw==} + engines: {node: '>= 18'} + + '@octokit/types@12.4.0': + resolution: {integrity: sha512-FLWs/AvZllw/AGVs+nJ+ELCDZZJk+kY0zMen118xhL2zD0s1etIUHm1odgjP7epxYU1ln7SZxEUWYop5bhsdgQ==} + + '@octokit/types@12.6.0': + resolution: {integrity: sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==} + + '@octokit/types@13.5.0': + resolution: {integrity: sha512-HdqWTf5Z3qwDVlzCrP8UJquMwunpDiMPt5er+QjGzL4hqr/vBVY/MauQgS1xWxCDT1oMx1EULyqxncdCY/NVSQ==} + + '@octokit/webhooks-methods@4.1.0': + resolution: {integrity: sha512-zoQyKw8h9STNPqtm28UGOYFE7O6D4Il8VJwhAtMHFt2C4L0VQT1qGKLeefUOqHNs1mNRYSadVv7x0z8U2yyeWQ==} + engines: {node: '>= 18'} + + '@octokit/webhooks-types@7.4.0': + resolution: {integrity: sha512-FE2V+QZ2UYlh+9wWd5BPLNXG+J/XUD/PPq0ovS+nCcGX4+3qVbi3jYOmCTW48hg9SBBLtInx9+o7fFt4H5iP0Q==} + + '@octokit/webhooks@12.2.0': + resolution: {integrity: sha512-CyuLJ0/P7bKZ+kIYw+fnkeVdhUzNuDKgNSI7pU/m7Nod0T7kP+s4s2f0pNmG9HL8/RZN1S0ZWTDll3VTMrFLAw==} + engines: {node: '>= 18'} + + '@pkgjs/parseargs@0.11.0': + resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==} + engines: {node: '>=14'} + + '@playwright/test@1.46.0': + resolution: {integrity: sha512-/QYft5VArOrGRP5pgkrfKksqsKA6CEFyGQ/gjNe6q0y4tZ1aaPfq4gIjudr1s3D+pXyrPRdsy4opKDrjBabE5w==} + engines: {node: '>=18'} + hasBin: true + + '@polka/url@1.0.0-next.25': + resolution: {integrity: sha512-j7P6Rgr3mmtdkeDGTe0E/aYyWEWVtc5yFXtHCRHs28/jptDEWfaVOc5T7cblqy1XKPPfCxJc/8DwQ5YgLOZOVQ==} + + '@poppinss/macroable@1.0.2': + resolution: {integrity: sha512-xhhEcEvhQC8mP5oOr5hbE4CmUgmw/IPV1jhpGg2xSkzoFrt9i8YVqBQt9744EFesi5F7pBheWozg63RUBM/5JA==} + engines: {node: '>=18.16.0'} + + '@rollup/plugin-commonjs@26.0.1': + resolution: {integrity: sha512-UnsKoZK6/aGIH6AdkptXhNvhaqftcjq3zZdT+LY5Ftms6JR06nADcDsYp5hTU9E2lbJUEOhdlY5J4DNTneM+jQ==} + engines: {node: '>=16.0.0 || 14 >= 14.17'} + peerDependencies: + rollup: ^2.68.0||^3.0.0||^4.0.0 + peerDependenciesMeta: + rollup: + optional: true + + '@rollup/plugin-json@6.1.0': + resolution: {integrity: sha512-EGI2te5ENk1coGeADSIwZ7G2Q8CJS2sF120T7jLw4xFw9n7wIOXHo+kIYRAoVpJAN+kmqZSoO3Fp4JtoNF4ReA==} + engines: {node: '>=14.0.0'} + peerDependencies: + rollup: ^1.20.0||^2.0.0||^3.0.0||^4.0.0 + peerDependenciesMeta: + rollup: + optional: true + + '@rollup/plugin-node-resolve@15.2.3': + resolution: {integrity: sha512-j/lym8nf5E21LwBT4Df1VD6hRO2L2iwUeUmP7litikRsVp1H6NWx20NEp0Y7su+7XGc476GnXXc4kFeZNGmaSQ==} + engines: {node: '>=14.0.0'} + peerDependencies: + rollup: ^2.78.0||^3.0.0||^4.0.0 + peerDependenciesMeta: + rollup: + optional: true + + '@rollup/pluginutils@5.1.0': + resolution: {integrity: sha512-XTIWOPPcpvyKI6L1NHo0lFlCyznUEyPmPY1mc3KpPVDYulHSTvyeLNVW00QTLIAFNhR3kYnJTQHeGqU4M3n09g==} + engines: {node: '>=14.0.0'} + peerDependencies: + rollup: ^1.20.0||^2.0.0||^3.0.0||^4.0.0 + peerDependenciesMeta: + rollup: + optional: true + + '@rollup/rollup-android-arm-eabi@4.20.0': + resolution: {integrity: sha512-TSpWzflCc4VGAUJZlPpgAJE1+V60MePDQnBd7PPkpuEmOy8i87aL6tinFGKBFKuEDikYpig72QzdT3QPYIi+oA==} + cpu: [arm] + os: [android] + + '@rollup/rollup-android-arm64@4.20.0': + resolution: {integrity: sha512-u00Ro/nok7oGzVuh/FMYfNoGqxU5CPWz1mxV85S2w9LxHR8OoMQBuSk+3BKVIDYgkpeOET5yXkx90OYFc+ytpQ==} + cpu: [arm64] + os: [android] + + '@rollup/rollup-darwin-arm64@4.20.0': + resolution: {integrity: sha512-uFVfvzvsdGtlSLuL0ZlvPJvl6ZmrH4CBwLGEFPe7hUmf7htGAN+aXo43R/V6LATyxlKVC/m6UsLb7jbG+LG39Q==} + cpu: [arm64] + os: [darwin] + + '@rollup/rollup-darwin-x64@4.20.0': + resolution: {integrity: sha512-xbrMDdlev53vNXexEa6l0LffojxhqDTBeL+VUxuuIXys4x6xyvbKq5XqTXBCEUA8ty8iEJblHvFaWRJTk/icAQ==} + cpu: [x64] + os: [darwin] + + '@rollup/rollup-linux-arm-gnueabihf@4.20.0': + resolution: {integrity: sha512-jMYvxZwGmoHFBTbr12Xc6wOdc2xA5tF5F2q6t7Rcfab68TT0n+r7dgawD4qhPEvasDsVpQi+MgDzj2faOLsZjA==} + cpu: [arm] + os: [linux] + + '@rollup/rollup-linux-arm-musleabihf@4.20.0': + resolution: {integrity: sha512-1asSTl4HKuIHIB1GcdFHNNZhxAYEdqML/MW4QmPS4G0ivbEcBr1JKlFLKsIRqjSwOBkdItn3/ZDlyvZ/N6KPlw==} + cpu: [arm] + os: [linux] + + '@rollup/rollup-linux-arm64-gnu@4.20.0': + resolution: {integrity: sha512-COBb8Bkx56KldOYJfMf6wKeYJrtJ9vEgBRAOkfw6Ens0tnmzPqvlpjZiLgkhg6cA3DGzCmLmmd319pmHvKWWlQ==} + cpu: [arm64] + os: [linux] + + '@rollup/rollup-linux-arm64-musl@4.20.0': + resolution: {integrity: sha512-+it+mBSyMslVQa8wSPvBx53fYuZK/oLTu5RJoXogjk6x7Q7sz1GNRsXWjn6SwyJm8E/oMjNVwPhmNdIjwP135Q==} + cpu: [arm64] + os: [linux] + + '@rollup/rollup-linux-powerpc64le-gnu@4.20.0': + resolution: {integrity: sha512-yAMvqhPfGKsAxHN8I4+jE0CpLWD8cv4z7CK7BMmhjDuz606Q2tFKkWRY8bHR9JQXYcoLfopo5TTqzxgPUjUMfw==} + cpu: [ppc64] + os: [linux] + + '@rollup/rollup-linux-riscv64-gnu@4.20.0': + resolution: {integrity: sha512-qmuxFpfmi/2SUkAw95TtNq/w/I7Gpjurx609OOOV7U4vhvUhBcftcmXwl3rqAek+ADBwSjIC4IVNLiszoj3dPA==} + cpu: [riscv64] + os: [linux] + + '@rollup/rollup-linux-s390x-gnu@4.20.0': + resolution: {integrity: sha512-I0BtGXddHSHjV1mqTNkgUZLnS3WtsqebAXv11D5BZE/gfw5KoyXSAXVqyJximQXNvNzUo4GKlCK/dIwXlz+jlg==} + cpu: [s390x] + os: [linux] + + '@rollup/rollup-linux-x64-gnu@4.20.0': + resolution: {integrity: sha512-y+eoL2I3iphUg9tN9GB6ku1FA8kOfmF4oUEWhztDJ4KXJy1agk/9+pejOuZkNFhRwHAOxMsBPLbXPd6mJiCwew==} + cpu: [x64] + os: [linux] + + '@rollup/rollup-linux-x64-musl@4.20.0': + resolution: {integrity: sha512-hM3nhW40kBNYUkZb/r9k2FKK+/MnKglX7UYd4ZUy5DJs8/sMsIbqWK2piZtVGE3kcXVNj3B2IrUYROJMMCikNg==} + cpu: [x64] + os: [linux] + + '@rollup/rollup-win32-arm64-msvc@4.20.0': + resolution: {integrity: sha512-psegMvP+Ik/Bg7QRJbv8w8PAytPA7Uo8fpFjXyCRHWm6Nt42L+JtoqH8eDQ5hRP7/XW2UiIriy1Z46jf0Oa1kA==} + cpu: [arm64] + os: [win32] + + '@rollup/rollup-win32-ia32-msvc@4.20.0': + resolution: {integrity: sha512-GabekH3w4lgAJpVxkk7hUzUf2hICSQO0a/BLFA11/RMxQT92MabKAqyubzDZmMOC/hcJNlc+rrypzNzYl4Dx7A==} + cpu: [ia32] + os: [win32] + + '@rollup/rollup-win32-x64-msvc@4.20.0': + resolution: {integrity: sha512-aJ1EJSuTdGnM6qbVC4B5DSmozPTqIag9fSzXRNNo+humQLG89XpPgdt16Ia56ORD7s+H8Pmyx44uczDQ0yDzpg==} + cpu: [x64] + os: [win32] + + '@sideway/address@4.1.5': + resolution: {integrity: sha512-IqO/DUQHUkPeixNQ8n0JA6102hT9CmaljNTPmQ1u8MEhBo/R4Q8eKLN/vGZxuebwOroDB4cbpjheD4+/sKFK4Q==} + + '@sideway/formula@3.0.1': + resolution: {integrity: sha512-/poHZJJVjx3L+zVD6g9KgHfYnb443oi7wLu/XKojDviHy6HOEOA6z1Trk5aR1dGcmPenJEgb2sK2I80LeS3MIg==} + + '@sideway/pinpoint@2.0.0': + resolution: {integrity: sha512-RNiOoTPkptFtSVzQevY/yWtZwf/RxyVnPy/OcA9HBM3MlGDnBEYL5B41H0MTn0Uec8Hi+2qUtTfG2WWZBmMejQ==} + + '@sinclair/typebox@0.27.8': + resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==} + + '@sinclair/typebox@0.31.28': + resolution: {integrity: sha512-/s55Jujywdw/Jpan+vsy6JZs1z2ZTGxTmbZTPiuSL2wz9mfzA2gN1zzaqmvfi4pq+uOt7Du85fkiwv5ymW84aQ==} + + '@sinclair/typebox@0.32.35': + resolution: {integrity: sha512-Ul3YyOTU++to8cgNkttakC0dWvpERr6RYoHO2W47DLbFvrwBDJUY31B1sImH6JZSYc4Kt4PyHtoPNu+vL2r2dA==} + + '@sindresorhus/merge-streams@2.3.0': + resolution: {integrity: sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==} + engines: {node: '>=18'} + + '@skeletonlabs/skeleton@2.10.2': + resolution: {integrity: sha512-TV2yWjvHpmtaF1F5luB8n7UbjKZcsrJMMiiJQHbZvqXjBWvudAcL8zywhE/NFKW5rYU//MtgOODdMZPZxvKu6w==} + peerDependencies: + svelte: ^3.56.0 || ^4.0.0 + + '@skeletonlabs/tw-plugin@0.4.0': + resolution: {integrity: sha512-v6Y4deBq9ByRx3kTRGgekhhYkWEYgNNNu8UXOwJngCStB7w8SwmbNFSeHkluxMbgCgMnJyp220EMpw9nj/rEsQ==} + peerDependencies: + tailwindcss: '>=3.0.0' + + '@sodaru/yup-to-json-schema@2.0.1': + resolution: {integrity: sha512-lWb0Wiz8KZ9ip/dY1eUqt7fhTPmL24p6Hmv5Fd9pzlzAdw/YNcWZr+tiCT4oZ4Zyxzi9+1X4zv82o7jYvcFxYA==} + + '@storybook/addon-actions@8.2.9': + resolution: {integrity: sha512-eh2teOqjga7aoClDVV+/b1gHJqsPwjiU1t+Hg/l4i2CkaBUNdYMEL90nR6fgReOdvvL5YhcPwJ8w38f9TrQcoQ==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-backgrounds@8.2.9': + resolution: {integrity: sha512-eGmZAd742ORBbQ6JepzBCko/in62T4Xg9j9LVa+Cvz/7L1C/RQSuU6sUwbRAsXaz+PMVDksPDCUUNsXl3zUL7w==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-controls@8.2.9': + resolution: {integrity: sha512-vaSE78KOE7SO0GrW4e+mdQphSNpvCX/FGybIRxyaKX9h8smoyUwRNHVyCS3ROHTwH324QWu7GDzsOVrnyXOv0A==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-docs@8.2.9': + resolution: {integrity: sha512-flDOxFIGmXg+6lVdwTLMOKsGob1WrT7rG98mn1SNW0Nxhg3Wg+9pQuq1GLxEzKtAgSflmu+xcBRfYhsogyDXkw==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-essentials@8.2.9': + resolution: {integrity: sha512-B2d3eznGZvPIyCVtYX0UhrYcEfK+3Y2sACmEWpSwtk8KXomFEsZnD95m397BYDRw3/X6qeSLWxqgMfqDTEDeMA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-highlight@8.2.9': + resolution: {integrity: sha512-qdcazeNQoo9QKIq+LJJZZXvFZoLn+i4uhbt1Uf9WtW6oU/c1qxORGVD7jc3zsxbQN9nROVPbJ76sfthogxeqWA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-interactions@8.2.9': + resolution: {integrity: sha512-oSxBkqpmp1Vm9v/G8mZeFNXD8k6T1NMgzUWzAx7R5m31rfObhoi5Fo1bKQT5BAhSSsdjjd7owTAFKdhwSotSKg==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-links@8.2.9': + resolution: {integrity: sha512-RhJzUNdDb7lbliwXb64HMwieIeJ+OQ2Ditue1vmSox6NsSd+pshR+okHpAyoP1+fW+dahNENwAS2Kt2QiI78FA==} + peerDependencies: + react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0-beta + storybook: ^8.2.9 + peerDependenciesMeta: + react: + optional: true + + '@storybook/addon-measure@8.2.9': + resolution: {integrity: sha512-XUfQtYRKWB2dfbPRmHuos816wt1JrLbtRld5ZC8J8ljeqZ4hFBPTQcgI5GAzZqjQuclLC0KuhlA/0bKxdxMMGA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-outline@8.2.9': + resolution: {integrity: sha512-p22kI4W7MT0YJOCmg/FfhfH+NpZEDA5tgwstjazSg4ertyhaxziMwWZWiK2JCg0gOAfRJjoYjHz+6/u56iXwgQ==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-toolbars@8.2.9': + resolution: {integrity: sha512-9LMZZ2jRD86Jh6KXedDbAYs4eHj9HtJA9VhSEE2wiqMGwXozpySi7B1GWniNzmFfcgMQ4JHfmD/OrBVTK7Ca/w==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/addon-viewport@8.2.9': + resolution: {integrity: sha512-lyM24+DJEt8R0YZkJKee34NQWv0REACU6lYDalqJNdKS1sEwzLGWxg1hZXnw2JFdBID9NGVvyYU2w6LDozOB0g==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/blocks@8.2.9': + resolution: {integrity: sha512-5276q/s/UL8arwftuBXovUNHqYo/HPQFMGXEmjVVAMXUyFjzEAfKj3+xU897J6AuL+7XVZG32WnqA+X6LJMrcQ==} + peerDependencies: + react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0-beta + react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0-beta + storybook: ^8.2.9 + peerDependenciesMeta: + react: + optional: true + react-dom: + optional: true + + '@storybook/builder-vite@8.2.9': + resolution: {integrity: sha512-MHD3ezRjKkJkOl0u7CRQoQD/LKd28YMWIcaz4YrV6ygokc0c3RFTlOefICQFgboc+1RwIUowxN1CJ2kJ7p4SWw==} + peerDependencies: + '@preact/preset-vite': '*' + storybook: ^8.2.9 + typescript: '>= 4.3.x' + vite: ^4.0.0 || ^5.0.0 + vite-plugin-glimmerx: '*' + peerDependenciesMeta: + '@preact/preset-vite': + optional: true + typescript: + optional: true + vite-plugin-glimmerx: + optional: true + + '@storybook/codemod@8.2.9': + resolution: {integrity: sha512-3yRx1lFMm1FXWVv+CKDiYM4gOQPEfpcZAQrjfcumxSDUrB091pnU1PeI92Prj3vCdi4+0oPNuN4yDGNUYTMP/A==} + + '@storybook/components@8.2.9': + resolution: {integrity: sha512-OkkcZ/f/6o3GdFEEK9ZHKIGHWUHmavZUYs5xaSgU64bOrA2aqEFtfeWWitZYTv3Euhk8MVLWfyEMDfez0AlvDg==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/core@8.2.9': + resolution: {integrity: sha512-wSER8FpA6Il/jPyDfKm3yohxDtuhisNPTonMVzd3ulNWR4zERLddyO3HrHJJwdqYHLNk4SBFzwMGpQZVws1y0w==} + + '@storybook/csf-plugin@8.2.9': + resolution: {integrity: sha512-QQCFb3g12VQQEraDV1UfCmniGhQZKyT6oEt1Im6dzzPJj9NQk+6BjWoDep33CZhBHWoLryrMQd2fjuHxnFRNEA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/csf@0.0.1': + resolution: {integrity: sha512-USTLkZze5gkel8MYCujSRBVIrUQ3YPBrLOx7GNk/0wttvVtlzWXAq9eLbQ4p/NicGxP+3T7KPEMVV//g+yubpw==} + + '@storybook/csf@0.1.11': + resolution: {integrity: sha512-dHYFQH3mA+EtnCkHXzicbLgsvzYjcDJ1JWsogbItZogkPHgSJM/Wr71uMkcvw8v9mmCyP4NpXJuu6bPoVsOnzg==} + + '@storybook/global@5.0.0': + resolution: {integrity: sha512-FcOqPAXACP0I3oJ/ws6/rrPT9WGhu915Cg8D02a9YxLo0DE9zI+a9A5gRGvmQ09fiWPukqI8ZAEoQEdWUKMQdQ==} + + '@storybook/icons@1.2.10': + resolution: {integrity: sha512-310apKdDcjbbX2VSLWPwhEwAgjxTzVagrwucVZIdGPErwiAppX8KvBuWZgPo+rQLVrtH8S+pw1dbUwjcE6d7og==} + engines: {node: '>=14.0.0'} + peerDependencies: + react: ^16.8.0 || ^17.0.0 || ^18.0.0 + react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 + + '@storybook/instrumenter@8.2.9': + resolution: {integrity: sha512-+DNjTbsMzlDggsvkhRuOy7aGvQJ4oLCPgunP5Se/3yBjG+M2bYDa0EmC5jC2nwZ3ffpuvbzaVe7fWf7R8W9F2Q==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/manager-api@8.2.9': + resolution: {integrity: sha512-mkYvUlfqDw+0WbxIynh5TcrotmoXlumEsOA4+45zuNea8XpEgj5cNBUCnmfEO6yQ85swqkS8YYbMpg1cZyu/Vw==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/preview-api@8.2.9': + resolution: {integrity: sha512-D8/t+a78OJqQAcT/ABa1C4YM/OaLGQ9IvCsp3Q9ruUqDCwuZBj8bG3D4477dlY4owX2ycC0rWYu3VvuK0EmJjA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/react-dom-shim@8.2.9': + resolution: {integrity: sha512-uCAjSQEsNk8somVn1j/I1G9G/uUax5byHseIIV0Eq3gVXttGd7gaWcP+TDHtqIaenWHx4l+hCSuCesxiLWmx4Q==} + peerDependencies: + react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0-beta + react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0-beta + storybook: ^8.2.9 + + '@storybook/svelte-vite@8.2.9': + resolution: {integrity: sha512-rW/0TLjrXdJUvzH3YvUGeeBbR1iB5dPMad1YMsJUP9lZysteHq5iPxIDK4UBCvH2zfae95n7Aab3w2hHhJjNCA==} + engines: {node: '>=18.0.0'} + peerDependencies: + '@sveltejs/vite-plugin-svelte': ^2.0.0 || ^3.0.0 + storybook: ^8.2.9 + svelte: ^4.0.0 || ^5.0.0-next.65 + vite: ^4.0.0 || ^5.0.0 + + '@storybook/svelte@8.2.9': + resolution: {integrity: sha512-jq9gQ2wB7kolSbdLeDD1nsZURcuzPSIXObm3/DYeZlG9PVkxozaO9OczrbFkP+iQm4y4cGvA8+v94YBEe2U09A==} + engines: {node: '>=18.0.0'} + peerDependencies: + storybook: ^8.2.9 + svelte: ^4.0.0 || ^5.0.0-next.65 + + '@storybook/sveltekit@8.2.9': + resolution: {integrity: sha512-Ft4PebDbYeSemSmSgV387o9D7Xsx0V/DBybZFS/jv0rQp3zLTOaUc8/hCY/VcBWKtV9v9/oZ+Nq5tfrEzVaUqg==} + engines: {node: '>=18.0.0'} + peerDependencies: + storybook: ^8.2.9 + svelte: ^4.0.0 || ^5.0.0-next.65 + vite: ^4.0.0 || ^5.0.0 + + '@storybook/test@8.2.9': + resolution: {integrity: sha512-O5JZ5S8UVVR7V0ru5AiF/uRO+srAVwji0Iik7ihy8gw3V91WQNMmJh2KkdhG0R1enYeBsYZlipOm+AW7f/MmOA==} + peerDependencies: + storybook: ^8.2.9 + + '@storybook/theming@8.2.9': + resolution: {integrity: sha512-OL0NFvowPX85N5zIYdgeKKaFm7V4Vgtci093vL3cDZT13LGH6GuEzJKkUFGuUGNPFlJc+EgTj0o6PYKrOLyQ6w==} + peerDependencies: + storybook: ^8.2.9 + + '@sveltejs/adapter-auto@3.2.4': + resolution: {integrity: sha512-a64AKYbfTUrVwU0xslzv1Jf3M8bj0IwhptaXmhgIkjXspBXhD0od9JiItQHchijpLMGdEDcYBlvqySkEawv6mQ==} + peerDependencies: + '@sveltejs/kit': ^2.0.0 + + '@sveltejs/adapter-node@5.2.2': + resolution: {integrity: sha512-BCX4zP0cf86TXpmvLQTnnT/tp7P12UMezf+5LwljP1MJC1fFzn9XOXpAHQCyP+pyHGy2K7p5gY0LyLcZFAL02w==} + peerDependencies: + '@sveltejs/kit': ^2.4.0 + + '@sveltejs/kit@2.5.22': + resolution: {integrity: sha512-PQ98baF2WzvG5yiO4cZKJZJG60XjHTZD1jyho3u9Kmthx2ytdGYyVPPvKXgKXpKSq4wwctD9dl0d2blSbJMcOg==} + engines: {node: '>=18.13'} + hasBin: true + peerDependencies: + '@sveltejs/vite-plugin-svelte': ^3.0.0 + svelte: ^4.0.0 || ^5.0.0-next.0 + vite: ^5.0.3 + + '@sveltejs/vite-plugin-svelte-inspector@2.1.0': + resolution: {integrity: sha512-9QX28IymvBlSCqsCll5t0kQVxipsfhFFL+L2t3nTWfXnddYwxBuAEtTtlaVQpRz9c37BhJjltSeY4AJSC03SSg==} + engines: {node: ^18.0.0 || >=20} + peerDependencies: + '@sveltejs/vite-plugin-svelte': ^3.0.0 + svelte: ^4.0.0 || ^5.0.0-next.0 + vite: ^5.0.0 + + '@sveltejs/vite-plugin-svelte@3.1.1': + resolution: {integrity: sha512-rimpFEAboBBHIlzISibg94iP09k/KYdHgVhJlcsTfn7KMBhc70jFX/GRWkRdFCc2fdnk+4+Bdfej23cMDnJS6A==} + engines: {node: ^18.0.0 || >=20} + peerDependencies: + svelte: ^4.0.0 || ^5.0.0-next.0 + vite: ^5.0.0 + + '@tailwindcss/forms@0.5.7': + resolution: {integrity: sha512-QE7X69iQI+ZXwldE+rzasvbJiyV/ju1FGHH0Qn2W3FKbuYtqp8LKcy6iSw79fVUT5/Vvf+0XgLCeYVG+UV6hOw==} + peerDependencies: + tailwindcss: '>=3.0.0 || >= 3.0.0-alpha.1' + + '@tailwindcss/typography@0.5.14': + resolution: {integrity: sha512-ZvOCjUbsJBjL9CxQBn+VEnFpouzuKhxh2dH8xMIWHILL+HfOYtlAkWcyoon8LlzE53d2Yo6YO6pahKKNW3q1YQ==} + peerDependencies: + tailwindcss: '>=3.0.0 || insiders' + + '@testing-library/dom@10.1.0': + resolution: {integrity: sha512-wdsYKy5zupPyLCW2Je5DLHSxSfbIp6h80WoHOQc+RPtmPGA52O9x5MJEkv92Sjonpq+poOAtUKhh1kBGAXBrNA==} + engines: {node: '>=18'} + + '@testing-library/dom@10.4.0': + resolution: {integrity: sha512-pemlzrSESWbdAloYml3bAJMEfNh1Z7EduzqPKprCH5S341frlpYnUEW0H72dLxa6IsYr+mPno20GiSm+h9dEdQ==} + engines: {node: '>=18'} + + '@testing-library/jest-dom@6.4.5': + resolution: {integrity: sha512-AguB9yvTXmCnySBP1lWjfNNUwpbElsaQ567lt2VdGqAdHtpieLgjmcVyv1q7PMIvLbgpDdkWV5Ydv3FEejyp2A==} + engines: {node: '>=14', npm: '>=6', yarn: '>=1'} + peerDependencies: + '@jest/globals': '>= 28' + '@types/bun': latest + '@types/jest': '>= 28' + jest: '>= 28' + vitest: '>= 0.32' + peerDependenciesMeta: + '@jest/globals': + optional: true + '@types/bun': + optional: true + '@types/jest': + optional: true + jest: + optional: true + vitest: + optional: true + + '@testing-library/jest-dom@6.4.8': + resolution: {integrity: sha512-JD0G+Zc38f5MBHA4NgxQMR5XtO5Jx9g86jqturNTt2WUfRmLDIY7iKkWHDCCTiDuFMre6nxAD5wHw9W5kI4rGw==} + engines: {node: '>=14', npm: '>=6', yarn: '>=1'} + + '@testing-library/svelte@5.2.1': + resolution: {integrity: sha512-yXSqBsYaQAeP2xt7gqKu135Q67+NTsBDcpL1akv5MVAQ/amb7AQ0zW5nzrquTIE2lvrc6q58KZhQA61Vc05ZOg==} + engines: {node: '>= 10'} + peerDependencies: + svelte: ^3 || ^4 || ^5 || ^5.0.0-next.0 + vite: '*' + vitest: '*' + peerDependenciesMeta: + vite: + optional: true + vitest: + optional: true + + '@testing-library/user-event@14.5.2': + resolution: {integrity: sha512-YAh82Wh4TIrxYLmfGcixwD18oIjyC1pFQC2Y01F2lzV2HTMiYrI0nze0FD0ocB//CKS/7jIUgae+adPqxK5yCQ==} + engines: {node: '>=12', npm: '>=6'} + peerDependencies: + '@testing-library/dom': '>=7.21.4' + + '@types/aria-query@5.0.4': + resolution: {integrity: sha512-rfT93uj5s0PRL7EzccGMs3brplhcrghnDoV26NqKhCAS1hVo+WdNsPvE/yb6ilfr5hi2MEk6d5EWJTKdxg8jVw==} + + '@types/aws-lambda@8.10.143': + resolution: {integrity: sha512-u5vzlcR14ge/4pMTTMDQr3MF0wEe38B2F9o84uC4F43vN5DGTy63npRrB6jQhyt+C0lGv4ZfiRcRkqJoZuPnmg==} + + '@types/body-parser@1.19.5': + resolution: {integrity: sha512-fB3Zu92ucau0iQ0JMCFQE7b/dv8Ot07NI3KaZIkIUNXq82k4eBAqUaneXfleGY9JWskeS9y+u0nXMyspcuQrCg==} + + '@types/btoa-lite@1.0.2': + resolution: {integrity: sha512-ZYbcE2x7yrvNFJiU7xJGrpF/ihpkM7zKgw8bha3LNJSesvTtUNxbpzaT7WXBIryf6jovisrxTBvymxMeLLj1Mg==} + + '@types/connect@3.4.38': + resolution: {integrity: sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==} + + '@types/cookie@0.6.0': + resolution: {integrity: sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==} + + '@types/cross-spawn@6.0.6': + resolution: {integrity: sha512-fXRhhUkG4H3TQk5dBhQ7m/JDdSNHKwR2BBia62lhwEIq9xGiQKLxd6LymNhn47SjXhsUEPmxi+PKw2OkW4LLjA==} + + '@types/emscripten@1.39.13': + resolution: {integrity: sha512-cFq+fO/isvhvmuP/+Sl4K4jtU6E23DoivtbO4r50e3odaxAiVdbfSYRDdJ4gCdxx+3aRjhphS5ZMwIH4hFy/Cw==} + + '@types/estree@1.0.5': + resolution: {integrity: sha512-/kYRxGDLWzHOB7q+wtSUQlFrtcdUccpfy+X+9iMBpHK8QLLhx2wIPYuS5DYtR9Wa/YlZAbIovy7qVdB1Aq6Lyw==} + + '@types/express-serve-static-core@4.19.5': + resolution: {integrity: sha512-y6W03tvrACO72aijJ5uF02FRq5cgDR9lUxddQ8vyF+GvmjJQqbzDcJngEjURc+ZsG31VI3hODNZJ2URj86pzmg==} + + '@types/express@4.17.21': + resolution: {integrity: sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==} + + '@types/find-cache-dir@3.2.1': + resolution: {integrity: sha512-frsJrz2t/CeGifcu/6uRo4b+SzAwT4NYCVPu1GN8IB9XTzrpPkGuV0tmh9mN+/L0PklAlsC3u5Fxt0ju00LXIw==} + + '@types/hast@3.0.4': + resolution: {integrity: sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==} + + '@types/http-errors@2.0.4': + resolution: {integrity: sha512-D0CFMMtydbJAegzOyHjtiKPLlvnm3iTZyZRSZoLq2mRhDdmLfIWOCYPfQJ4cu2erKghU++QvjcUjp/5h7hESpA==} + + '@types/json-schema@7.0.15': + resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==} + + '@types/jsonwebtoken@9.0.6': + resolution: {integrity: sha512-/5hndP5dCjloafCXns6SZyESp3Ldq7YjH3zwzwczYnjxIT0Fqzk5ROSYVGfFyczIue7IUEj8hkvLbPoLQ18vQw==} + + '@types/lodash@4.17.7': + resolution: {integrity: sha512-8wTvZawATi/lsmNu10/j2hk1KEP0IvjubqPE3cu1Xz7xfXXt5oCq3SNUz4fMIP4XGF9Ky+Ue2tBA3hcS7LSBlA==} + + '@types/mdx@2.0.13': + resolution: {integrity: sha512-+OWZQfAYyio6YkJb3HLxDrvnx6SWWDbC0zVPfBRzUk0/nqoDyf6dNxQi3eArPe8rJ473nobTMQ/8Zk+LxJ+Yuw==} + + '@types/mime@1.3.5': + resolution: {integrity: sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==} + + '@types/node@18.19.44': + resolution: {integrity: sha512-ZsbGerYg72WMXUIE9fYxtvfzLEuq6q8mKERdWFnqTmOvudMxnz+CBNRoOwJ2kNpFOncrKjT1hZwxjlFgQ9qvQA==} + + '@types/node@20.14.15': + resolution: {integrity: sha512-Fz1xDMCF/B00/tYSVMlmK7hVeLh7jE5f3B7X1/hmV0MJBwE27KlS7EvD/Yp+z1lm8mVhwV5w+n8jOZG8AfTlKw==} + + '@types/prop-types@15.7.12': + resolution: {integrity: sha512-5zvhXYtRNRluoE/jAp4GVsSduVUzNWKkOZrCDBWYtE7biZywwdC2AcEzg+cSMLFRfVgeAFqpfNabiPjxFddV1Q==} + + '@types/pug@2.0.10': + resolution: {integrity: sha512-Sk/uYFOBAB7mb74XcpizmH0KOR2Pv3D2Hmrh1Dmy5BmK3MpdSa5kqZcg6EKBdklU0bFXX9gCfzvpnyUehrPIuA==} + + '@types/qs@6.9.15': + resolution: {integrity: sha512-uXHQKES6DQKKCLh441Xv/dwxOq1TVS3JPUMlEqoEglvlhR6Mxnlew/Xq/LRVHpLyk7iK3zODe1qYHIMltO7XGg==} + + '@types/range-parser@1.2.7': + resolution: {integrity: sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==} + + '@types/react@18.3.3': + resolution: {integrity: sha512-hti/R0pS0q1/xx+TsI73XIqk26eBsISZ2R0wUijXIngRK9R/e7Xw/cXVxQK7R5JjW+SV4zGcn5hXjudkN/pLIw==} + + '@types/resolve@1.20.2': + resolution: {integrity: sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==} + + '@types/semver@7.5.8': + resolution: {integrity: sha512-I8EUhyrgfLrcTkzV3TSsGyl1tSuPrEDzr0yd5m90UgNxQkyDXULk3b6MlQqTCpZpNtWe1K0hzclnZkTcLBe2UQ==} + + '@types/send@0.17.4': + resolution: {integrity: sha512-x2EM6TJOybec7c52BX0ZspPodMsQUd5L6PRwOunVyVUhXiBSKf3AezDL8Dgvgt5o0UfKNfuA0eMLr2wLT4AiBA==} + + '@types/serve-static@1.15.7': + resolution: {integrity: sha512-W8Ym+h8nhuRwaKPaDw34QUkwsGi6Rc4yYqvKFo5rm2FUEhCFbzVWrxXUxuKK8TASjWsysJY0nsmNCGhCOIsrOw==} + + '@types/unist@3.0.3': + resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==} + + '@types/uuid@9.0.8': + resolution: {integrity: sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==} + + '@types/validator@13.12.0': + resolution: {integrity: sha512-nH45Lk7oPIJ1RVOF6JgFI6Dy0QpHEzq4QecZhvguxYPDwT8c93prCMqAtiIttm39voZ+DDR+qkNnMpJmMBRqag==} + + '@typescript-eslint/eslint-plugin@7.18.0': + resolution: {integrity: sha512-94EQTWZ40mzBc42ATNIBimBEDltSJ9RQHCC8vc/PDbxi4k8dVwUAv4o98dk50M1zB+JGFxp43FP7f8+FP8R6Sw==} + engines: {node: ^18.18.0 || >=20.0.0} + peerDependencies: + '@typescript-eslint/parser': ^7.0.0 + eslint: ^8.56.0 + typescript: '*' + peerDependenciesMeta: + typescript: + optional: true + + '@typescript-eslint/parser@7.18.0': + resolution: {integrity: sha512-4Z+L8I2OqhZV8qA132M4wNL30ypZGYOQVBfMgxDH/K5UX0PNqTu1c6za9ST5r9+tavvHiTWmBnKzpCJ/GlVFtg==} + engines: {node: ^18.18.0 || >=20.0.0} + peerDependencies: + eslint: ^8.56.0 + typescript: '*' + peerDependenciesMeta: + typescript: + optional: true + + '@typescript-eslint/scope-manager@5.62.0': + resolution: {integrity: sha512-VXuvVvZeQCQb5Zgf4HAxc04q5j+WrNAtNh9OwCsCgpKqESMTu3tF/jhZ3xG6T4NZwWl65Bg8KuS2uEvhSfLl0w==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@typescript-eslint/scope-manager@7.18.0': + resolution: {integrity: sha512-jjhdIE/FPF2B7Z1uzc6i3oWKbGcHb87Qw7AWj6jmEqNOfDFbJWtjt/XfwCpvNkpGWlcJaog5vTR+VV8+w9JflA==} + engines: {node: ^18.18.0 || >=20.0.0} + + '@typescript-eslint/type-utils@7.18.0': + resolution: {integrity: sha512-XL0FJXuCLaDuX2sYqZUUSOJ2sG5/i1AAze+axqmLnSkNEVMVYLF+cbwlB2w8D1tinFuSikHmFta+P+HOofrLeA==} + engines: {node: ^18.18.0 || >=20.0.0} + peerDependencies: + eslint: ^8.56.0 + typescript: '*' + peerDependenciesMeta: + typescript: + optional: true + + '@typescript-eslint/types@5.62.0': + resolution: {integrity: sha512-87NVngcbVXUahrRTqIK27gD2t5Cu1yuCXxbLcFtCzZGlfyVWWh8mLHkoxzjsB6DDNnvdL+fW8MiwPEJyGJQDgQ==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@typescript-eslint/types@7.18.0': + resolution: {integrity: sha512-iZqi+Ds1y4EDYUtlOOC+aUmxnE9xS/yCigkjA7XpTKV6nCBd3Hp/PRGGmdwnfkV2ThMyYldP1wRpm/id99spTQ==} + engines: {node: ^18.18.0 || >=20.0.0} + + '@typescript-eslint/typescript-estree@5.62.0': + resolution: {integrity: sha512-CmcQ6uY7b9y694lKdRB8FEel7JbU/40iSAPomu++SjLMntB+2Leay2LO6i8VnJk58MtE9/nQSFIH6jpyRWyYzA==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + peerDependencies: + typescript: '*' + peerDependenciesMeta: + typescript: + optional: true + + '@typescript-eslint/typescript-estree@7.18.0': + resolution: {integrity: sha512-aP1v/BSPnnyhMHts8cf1qQ6Q1IFwwRvAQGRvBFkWlo3/lH29OXA3Pts+c10nxRxIBrDnoMqzhgdwVe5f2D6OzA==} + engines: {node: ^18.18.0 || >=20.0.0} + peerDependencies: + typescript: '*' + peerDependenciesMeta: + typescript: + optional: true + + '@typescript-eslint/utils@5.62.0': + resolution: {integrity: sha512-n8oxjeb5aIbPFEtmQxQYOLI0i9n5ySBEY/ZEHHZqKQSFnxio1rv6dthascc9dLuwrL0RC5mPCxB7vnAVGAYWAQ==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + peerDependencies: + eslint: ^6.0.0 || ^7.0.0 || ^8.0.0 + + '@typescript-eslint/utils@7.18.0': + resolution: {integrity: sha512-kK0/rNa2j74XuHVcoCZxdFBMF+aq/vH83CXAOHieC+2Gis4mF8jJXT5eAfyD3K0sAxtPuwxaIOIOvhwzVDt/kw==} + engines: {node: ^18.18.0 || >=20.0.0} + peerDependencies: + eslint: ^8.56.0 + + '@typescript-eslint/visitor-keys@5.62.0': + resolution: {integrity: sha512-07ny+LHRzQXepkGg6w0mFY41fVUNBrL2Roj/++7V1txKugfjm/Ci/qSND03r2RhlJhJYMcTn9AhhSSqQp0Ysyw==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + '@typescript-eslint/visitor-keys@7.18.0': + resolution: {integrity: sha512-cDF0/Gf81QpY3xYyJKDV14Zwdmid5+uuENhjH2EqFaF0ni+yAyq/LzMaIJdhNJXZI7uLzwIlA+V7oWoyn6Curg==} + engines: {node: ^18.18.0 || >=20.0.0} + + '@ungap/structured-clone@1.2.0': + resolution: {integrity: sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==} + + '@vincjo/datatables@1.14.10': + resolution: {integrity: sha512-gtojSC/LKDHbh2ZGZeaAQ+lLltcmcSDDLkecgb9WpG7lHmd4b/1HUTtFWAJt43TnaK8SrciGugh9VRRZN53bpw==} + peerDependencies: + svelte: ^3.56.0 || ^4.0.0 || ^5.0.0-next.120 + + '@vinejs/compiler@2.5.0': + resolution: {integrity: sha512-hg4ekaB5Y2zh+IWzBiC/WCDWrIfpVnKu/ubUvelKlidc/VbulsexoFRw5kJGHZenPVI5YzNnDeTdYSALkTV7jQ==} + engines: {node: '>=18.0.0'} + + '@vinejs/vine@1.8.0': + resolution: {integrity: sha512-Qq3XxbA26jzqS9ICifkqzT399lMQZ2fWtqeV3luI2as+UIK7qDifJFU2Q4W3q3IB5VXoWxgwAZSZEO0em9I/qQ==} + engines: {node: '>=18.16.0'} + + '@vitest/coverage-v8@1.6.0': + resolution: {integrity: sha512-KvapcbMY/8GYIG0rlwwOKCVNRc0OL20rrhFkg/CHNzncV03TE2XWvO5w9uZYoxNiMEBacAJt3unSOiZ7svePew==} + peerDependencies: + vitest: 1.6.0 + + '@vitest/expect@1.6.0': + resolution: {integrity: sha512-ixEvFVQjycy/oNgHjqsL6AZCDduC+tflRluaHIzKIsdbzkLn2U/iBnVeJwB6HsIjQBdfMR8Z0tRxKUsvFJEeWQ==} + + '@vitest/runner@1.6.0': + resolution: {integrity: sha512-P4xgwPjwesuBiHisAVz/LSSZtDjOTPYZVmNAnpHHSR6ONrf8eCJOFRvUwdHn30F5M1fxhqtl7QZQUk2dprIXAg==} + + '@vitest/snapshot@1.6.0': + resolution: {integrity: sha512-+Hx43f8Chus+DCmygqqfetcAZrDJwvTj0ymqjQq4CvmpKFSTVteEOBzCusu1x2tt4OJcvBflyHUE0DZSLgEMtQ==} + + '@vitest/spy@1.6.0': + resolution: {integrity: sha512-leUTap6B/cqi/bQkXUu6bQV5TZPx7pmMBKBQiI0rJA8c3pB56ZsaTbREnF7CJfmvAS4V2cXIBAh/3rVwrrCYgw==} + + '@vitest/ui@1.6.0': + resolution: {integrity: sha512-k3Lyo+ONLOgylctiGovRKy7V4+dIN2yxstX3eY5cWFXH6WP+ooVX79YSyi0GagdTQzLmT43BF27T0s6dOIPBXA==} + peerDependencies: + vitest: 1.6.0 + + '@vitest/utils@1.6.0': + resolution: {integrity: sha512-21cPiuGMoMZwiOHa2i4LXkMkMkCGzA+MVFV70jRwHo95dL4x/ts5GZhML1QWuy7yfp3WzK3lRvZi3JnXTYqrBw==} + + '@yarnpkg/fslib@2.10.3': + resolution: {integrity: sha512-41H+Ga78xT9sHvWLlFOZLIhtU6mTGZ20pZ29EiZa97vnxdohJD2AF42rCoAoWfqUz486xY6fhjMH+DYEM9r14A==} + engines: {node: '>=12 <14 || 14.2 - 14.9 || >14.10.0'} + + '@yarnpkg/libzip@2.3.0': + resolution: {integrity: sha512-6xm38yGVIa6mKm/DUCF2zFFJhERh/QWp1ufm4cNUvxsONBmfPg8uZ9pZBdOmF6qFGr/HlT6ABBkCSx/dlEtvWg==} + engines: {node: '>=12 <14 || 14.2 - 14.9 || >14.10.0'} + + accepts@1.3.8: + resolution: {integrity: sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==} + engines: {node: '>= 0.6'} + + acorn-jsx@5.3.2: + resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==} + peerDependencies: + acorn: ^6.0.0 || ^7.0.0 || ^8.0.0 + + acorn-walk@8.3.3: + resolution: {integrity: sha512-MxXdReSRhGO7VlFe1bRG/oI7/mdLV9B9JJT0N8vZOhF7gFRR5l3M8W9G8JxmKV+JC5mGqJ0QvqfSOLsCPa4nUw==} + engines: {node: '>=0.4.0'} + + acorn@8.12.1: + resolution: {integrity: sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==} + engines: {node: '>=0.4.0'} + hasBin: true + + agent-base@7.1.1: + resolution: {integrity: sha512-H0TSyFNDMomMNJQBn8wFV5YC/2eJ+VXECwOadZJT554xP6cODZHPX3H9QMQECxvrgiSOP1pHjy1sMWQVYJOUOA==} + engines: {node: '>= 14'} + + aggregate-error@3.1.0: + resolution: {integrity: sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==} + engines: {node: '>=8'} + + ajv@6.12.6: + resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==} + + ansi-colors@4.1.3: + resolution: {integrity: sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==} + engines: {node: '>=6'} + + ansi-regex@5.0.1: + resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==} + engines: {node: '>=8'} + + ansi-regex@6.0.1: + resolution: {integrity: sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==} + engines: {node: '>=12'} + + ansi-styles@3.2.1: + resolution: {integrity: sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==} + engines: {node: '>=4'} + + ansi-styles@4.3.0: + resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==} + engines: {node: '>=8'} + + ansi-styles@5.2.0: + resolution: {integrity: sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==} + engines: {node: '>=10'} + + ansi-styles@6.2.1: + resolution: {integrity: sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==} + engines: {node: '>=12'} + + any-promise@1.3.0: + resolution: {integrity: sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A==} + + anymatch@3.1.3: + resolution: {integrity: sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==} + engines: {node: '>= 8'} + + arg@5.0.2: + resolution: {integrity: sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==} + + argparse@2.0.1: + resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==} + + aria-query@5.3.0: + resolution: {integrity: sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==} + + arktype@2.0.0-beta.0: + resolution: {integrity: sha512-fE3ssMiXjr/bLqFPzlDhRlXngdyHQreu7p7i8+dtcY1CA+f8WrVUcue6JxywhnqEJXPG4HOcIwQcC+q4VfeUMQ==} + + array-flatten@1.1.1: + resolution: {integrity: sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==} + + array-union@2.1.0: + resolution: {integrity: sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==} + engines: {node: '>=8'} + + assertion-error@1.1.0: + resolution: {integrity: sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw==} + + ast-types@0.16.1: + resolution: {integrity: sha512-6t10qk83GOG8p0vKmaCr8eiilZwO171AvbROMtvvNiwrTly62t+7XkA8RdIIVbpMhCASAsxgAzdRSwh6nw/5Dg==} + engines: {node: '>=4'} + + async-lock@1.4.1: + resolution: {integrity: sha512-Az2ZTpuytrtqENulXwO3GGv1Bztugx6TT37NIo7imr/Qo0gsYiGtSdBa2B6fsXhTpVZDNfu1Qn3pk531e3q+nQ==} + + asynckit@0.4.0: + resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==} + + autoprefixer@10.4.20: + resolution: {integrity: sha512-XY25y5xSv/wEoqzDyXXME4AFfkZI0P23z6Fs3YgymDnKJkCGOnkL0iTxCa85UTqaSgfcqyf3UA6+c7wUvx/16g==} + engines: {node: ^10 || ^12 || >=14} + hasBin: true + peerDependencies: + postcss: ^8.1.0 + + available-typed-arrays@1.0.7: + resolution: {integrity: sha512-wvUjBtSGN7+7SjNpq/9M2Tg350UZD3q62IFZLbRAR1bSMlCo1ZaeW+BJ+D090e4hIIZLBcTDWe4Mh4jvUDajzQ==} + engines: {node: '>= 0.4'} + + axios@1.7.4: + resolution: {integrity: sha512-DukmaFRnY6AzAALSH4J2M3k6PkaC+MfaAGdEERRWcC9q3/TWQwLpHR8ZRLKTdQ3aBDL64EdluRDjJqKw+BPZEw==} + + axobject-query@4.1.0: + resolution: {integrity: sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==} + engines: {node: '>= 0.4'} + + babel-core@7.0.0-bridge.0: + resolution: {integrity: sha512-poPX9mZH/5CSanm50Q+1toVci6pv5KSRv/5TWCwtzQS5XEwn40BcCrgIeMFWP9CKKIniKXNxoIOnOq4VVlGXhg==} + peerDependencies: + '@babel/core': ^7.0.0-0 + + babel-plugin-polyfill-corejs2@0.4.11: + resolution: {integrity: sha512-sMEJ27L0gRHShOh5G54uAAPaiCOygY/5ratXuiyb2G46FmlSpc9eFCzYVyDiPxfNbwzA7mYahmjQc5q+CZQ09Q==} + peerDependencies: + '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0 + + babel-plugin-polyfill-corejs3@0.10.6: + resolution: {integrity: sha512-b37+KR2i/khY5sKmWNVQAnitvquQbNdWy6lJdsr0kmquCKEEUgMKK4SboVM3HtfnZilfjr4MMQ7vY58FVWDtIA==} + peerDependencies: + '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0 + + babel-plugin-polyfill-regenerator@0.6.2: + resolution: {integrity: sha512-2R25rQZWP63nGwaAswvDazbPXfrM3HwVoBXK6HcqeKrSrL/JqcC/rDcf95l4r7LXLyxDXc8uQDa064GubtCABg==} + peerDependencies: + '@babel/core': ^7.4.0 || ^8.0.0-0 <8.0.0 + + balanced-match@1.0.2: + resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} + + base64-js@1.5.1: + resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==} + + before-after-hook@2.2.3: + resolution: {integrity: sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==} + + binary-extensions@2.3.0: + resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==} + engines: {node: '>=8'} + + bl@4.1.0: + resolution: {integrity: sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==} + + body-parser@1.20.2: + resolution: {integrity: sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==} + engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} + + bottleneck@2.19.5: + resolution: {integrity: sha512-VHiNCbI1lKdl44tGrhNfU3lup0Tj/ZBMJB5/2ZbNXRCPuRCO7ed2mgcK4r17y+KB2EfuYuRaVlwNbAeaWGSpbw==} + + brace-expansion@1.1.11: + resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==} + + brace-expansion@2.0.1: + resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==} + + braces@3.0.3: + resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} + engines: {node: '>=8'} + + browser-assert@1.2.1: + resolution: {integrity: sha512-nfulgvOR6S4gt9UKCeGJOuSGBPGiFT6oQ/2UBnvTY/5aQ1PnksW72fhZkM30DzoRRv2WpwZf1vHHEr3mtuXIWQ==} + + browserslist@4.23.3: + resolution: {integrity: sha512-btwCFJVjI4YWDNfau8RhZ+B1Q/VLoUITrm3RlP6y1tYGWIOa+InuYiRGXUBXo8nA1qKmHMyLB/iVQg5TT4eFoA==} + engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7} + hasBin: true + + btoa-lite@1.0.0: + resolution: {integrity: sha512-gvW7InbIyF8AicrqWoptdW08pUxuhq8BEgowNajy9RhiE86fmGAGl+bLKo6oB8QP0CkqHLowfN0oJdKC/J6LbA==} + + buffer-crc32@1.0.0: + resolution: {integrity: sha512-Db1SbgBS/fg/392AblrMJk97KggmvYhr4pB5ZIMTWtaivCPMWLkmb7m21cJvpvgK+J3nsU2CmmixNBZx4vFj/w==} + engines: {node: '>=8.0.0'} + + buffer-equal-constant-time@1.0.1: + resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==} + + buffer-from@1.1.2: + resolution: {integrity: sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==} + + buffer@5.7.1: + resolution: {integrity: sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==} + + builtin-modules@3.3.0: + resolution: {integrity: sha512-zhaCDicdLuWN5UbN5IMnFqNMhNfo919sH85y2/ea+5Yg9TsTkeZxpL+JLbp6cgYFS4sRLp3YV4S6yDuqVWHYOw==} + engines: {node: '>=6'} + + bytes@3.1.2: + resolution: {integrity: sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==} + engines: {node: '>= 0.8'} + + cac@6.7.14: + resolution: {integrity: sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==} + engines: {node: '>=8'} + + call-bind@1.0.7: + resolution: {integrity: sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==} + engines: {node: '>= 0.4'} + + callsites@3.1.0: + resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==} + engines: {node: '>=6'} + + camelcase-css@2.0.1: + resolution: {integrity: sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==} + engines: {node: '>= 6'} + + camelcase@8.0.0: + resolution: {integrity: sha512-8WB3Jcas3swSvjIeA2yvCJ+Miyz5l1ZmB6HFb9R1317dt9LCQoswg/BGrmAmkWVEszSrrg4RwmO46qIm2OEnSA==} + engines: {node: '>=16'} + + caniuse-lite@1.0.30001651: + resolution: {integrity: sha512-9Cf+Xv1jJNe1xPZLGuUXLNkE1BoDkqRqYyFJ9TDYSqhduqA4hu4oR9HluGoWYQC/aj8WHjsGVV+bwkh0+tegRg==} + + chai@4.5.0: + resolution: {integrity: sha512-RITGBfijLkBddZvnn8jdqoTypxvqbOLYQkGGxXzeFjVHvudaPw0HNFD9x928/eUwYWd2dPCugVqspGALTZZQKw==} + engines: {node: '>=4'} + + chalk@2.4.2: + resolution: {integrity: sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==} + engines: {node: '>=4'} + + chalk@3.0.0: + resolution: {integrity: sha512-4D3B6Wf41KOYRFdszmDqMCGq5VV/uMAB273JILmO+3jAlh8X4qDtdtgCR3fxtbLEMzSx22QdhnDcJvu2u1fVwg==} + engines: {node: '>=8'} + + chalk@4.1.2: + resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==} + engines: {node: '>=10'} + + chalk@5.3.0: + resolution: {integrity: sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==} + engines: {node: ^12.17.0 || ^14.13 || >=16.0.0} + + check-error@1.0.3: + resolution: {integrity: sha512-iKEoDYaRmd1mxM90a2OEfWhjsjPpYPuQ+lMYsoxB126+t8fw7ySEO48nmDg5COTjxDI65/Y2OWpeEHk3ZOe8zg==} + + chokidar@3.6.0: + resolution: {integrity: sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==} + engines: {node: '>= 8.10.0'} + + chownr@2.0.0: + resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} + engines: {node: '>=10'} + + citty@0.1.6: + resolution: {integrity: sha512-tskPPKEs8D2KPafUypv2gxwJP8h/OaJmC82QQGGDQcHvXX43xF2VDACcJVmZ0EuSxkpO9Kc4MlrA3q0+FG58AQ==} + + clean-git-ref@2.0.1: + resolution: {integrity: sha512-bLSptAy2P0s6hU4PzuIMKmMJJSE6gLXGH1cntDu7bWJUksvuM+7ReOK61mozULErYvP6a15rnYl0zFDef+pyPw==} + + clean-stack@2.2.0: + resolution: {integrity: sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==} + engines: {node: '>=6'} + + cli-cursor@3.1.0: + resolution: {integrity: sha512-I/zHAwsKf9FqGoXM4WWRACob9+SNukZTd94DWF57E4toouRulbCxcUh6RKUEOQlYTHJnzkPMySvPNaaSLNfLZw==} + engines: {node: '>=8'} + + cli-spinners@2.9.2: + resolution: {integrity: sha512-ywqV+5MmyL4E7ybXgKys4DugZbX0FC6LnwrhjuykIjnK9k8OQacQ7axGKnjDXWNhns0xot3bZI5h55H8yo9cJg==} + engines: {node: '>=6'} + + clone-deep@4.0.1: + resolution: {integrity: sha512-neHB9xuzh/wk0dIHweyAXv2aPGZIVk3pLMe+/RNzINf17fe0OG96QroktYAUm7SM1PBnzTabaLboqqxDyMU+SQ==} + engines: {node: '>=6'} + + clone@1.0.4: + resolution: {integrity: sha512-JQHZ2QMW6l3aH/j6xCqQThY/9OH4D/9ls34cgkUBiEeocRTU04tHfKPBsUK1PqZCUQM7GiA0IIXJSuXHI64Kbg==} + engines: {node: '>=0.8'} + + code-red@1.0.4: + resolution: {integrity: sha512-7qJWqItLA8/VPVlKJlFXU+NBlo/qyfs39aJcuMT/2ere32ZqvF5OSxgdM5xOfJJ7O429gg2HM47y8v9P+9wrNw==} + + color-convert@1.9.3: + resolution: {integrity: sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==} + + color-convert@2.0.1: + resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==} + engines: {node: '>=7.0.0'} + + color-name@1.1.3: + resolution: {integrity: sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==} + + color-name@1.1.4: + resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==} + + combined-stream@1.0.8: + resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==} + engines: {node: '>= 0.8'} + + commander@11.1.0: + resolution: {integrity: sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==} + engines: {node: '>=16'} + + commander@12.1.0: + resolution: {integrity: sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==} + engines: {node: '>=18'} + + commander@4.1.1: + resolution: {integrity: sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==} + engines: {node: '>= 6'} + + commander@6.2.1: + resolution: {integrity: sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==} + engines: {node: '>= 6'} + + commondir@1.0.1: + resolution: {integrity: sha512-W9pAhw0ja1Edb5GVdIF1mjZw/ASI0AlShXM83UUGe2DVr5TdAPEA1OA8m/g8zWp9x6On7gqufY+FatDbC3MDQg==} + + concat-map@0.0.1: + resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} + + confbox@0.1.7: + resolution: {integrity: sha512-uJcB/FKZtBMCJpK8MQji6bJHgu1tixKPxRLeGkNzBoOZzpnZUJm0jm2/sBDWcuBx1dYgxV4JU+g5hmNxCyAmdA==} + + consola@3.2.3: + resolution: {integrity: sha512-I5qxpzLv+sJhTVEoLYNcTW+bThDCPsit0vLNKShZx6rLtpilNpmmeTPaeqJb9ZE9dV3DGaeby6Vuhrw38WjeyQ==} + engines: {node: ^14.18.0 || >=16.10.0} + + content-disposition@0.5.4: + resolution: {integrity: sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==} + engines: {node: '>= 0.6'} + + content-type@1.0.5: + resolution: {integrity: sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==} + engines: {node: '>= 0.6'} + + convert-source-map@2.0.0: + resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==} + + cookie-signature@1.0.6: + resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==} + + cookie@0.6.0: + resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==} + engines: {node: '>= 0.6'} + + core-js-compat@3.38.0: + resolution: {integrity: sha512-75LAicdLa4OJVwFxFbQR3NdnZjNgX6ILpVcVzcC4T2smerB5lELMrJQQQoWV6TiuC/vlaFqgU2tKQx9w5s0e0A==} + + crc-32@1.2.2: + resolution: {integrity: sha512-ROmzCKrTnOwybPcJApAA6WBWij23HVfGVNKqqrZpuyZOHqK2CwHSvpGuyt/UNNvaIjEd8X5IFGp4Mh+Ie1IHJQ==} + engines: {node: '>=0.8'} + hasBin: true + + cross-spawn@7.0.3: + resolution: {integrity: sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==} + engines: {node: '>= 8'} + + crypto-random-string@4.0.0: + resolution: {integrity: sha512-x8dy3RnvYdlUcPOjkEHqozhiwzKNSq7GcPuXFbnyMOCHxX8V3OgIg/pYuabl2sbUPfIJaeAQB7PMOK8DFIdoRA==} + engines: {node: '>=12'} + + css-tree@2.3.1: + resolution: {integrity: sha512-6Fv1DV/TYw//QF5IzQdqsNDjx/wc8TrMBZsqjL9eW01tWb7R7k/mq+/VXfJCl7SoD5emsJop9cOByJZfs8hYIw==} + engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0} + + css.escape@1.5.1: + resolution: {integrity: sha512-YUifsXXuknHlUsmlgyY0PKzgPOr7/FjCePfHNt0jxm83wHZi44VDMQ7/fGNkjY3/jV1MC+1CmZbaHzugyeRtpg==} + + cssesc@3.0.0: + resolution: {integrity: sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==} + engines: {node: '>=4'} + hasBin: true + + cssstyle@4.0.1: + resolution: {integrity: sha512-8ZYiJ3A/3OkDd093CBT/0UKDWry7ak4BdPTFP2+QEP7cmhouyq/Up709ASSj2cK02BbZiMgk7kYjZNS4QP5qrQ==} + engines: {node: '>=18'} + + csstype@3.1.3: + resolution: {integrity: sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw==} + + data-urls@5.0.0: + resolution: {integrity: sha512-ZYP5VBHshaDAiVZxjbRVcFJpc+4xGgT0bK3vzy1HLN8jTO975HEbuYzZJcHoQEY5K1a0z8YayJkyVETa08eNTg==} + engines: {node: '>=18'} + + dayjs@1.11.12: + resolution: {integrity: sha512-Rt2g+nTbLlDWZTwwrIXjy9MeiZmSDI375FvZs72ngxx8PDC6YXOeR3q5LAuPzjZQxhiWdRKac7RKV+YyQYfYIg==} + + debug@2.6.9: + resolution: {integrity: sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==} + peerDependencies: + supports-color: '*' + peerDependenciesMeta: + supports-color: + optional: true + + debug@4.3.6: + resolution: {integrity: sha512-O/09Bd4Z1fBrU4VzkhFqVgpPzaGbw6Sm9FEkBT1A/YBXQFGuuSxa1dN2nxgxS34JmKXqYx8CZAwEVoJFImUXIg==} + engines: {node: '>=6.0'} + peerDependencies: + supports-color: '*' + peerDependenciesMeta: + supports-color: + optional: true + + decimal.js@10.4.3: + resolution: {integrity: sha512-VBBaLc1MgL5XpzgIP7ny5Z6Nx3UrRkIViUkPUdtl9aya5amy3De1gsUUSB1g3+3sExYNjCAsAznmukyxCb1GRA==} + + dedent@1.5.1: + resolution: {integrity: sha512-+LxW+KLWxu3HW3M2w2ympwtqPrqYRzU8fqi6Fhd18fBALe15blJPI/I4+UHveMVG6lJqB4JNd4UG0S5cnVHwIg==} + peerDependencies: + babel-plugin-macros: ^3.1.0 + peerDependenciesMeta: + babel-plugin-macros: + optional: true + + deep-eql@4.1.4: + resolution: {integrity: sha512-SUwdGfqdKOwxCPeVYjwSyRpJ7Z+fhpwIAtmCUdZIWZ/YP5R9WAsyuSgpLVDi9bjWoN2LXHNss/dk3urXtdQxGg==} + engines: {node: '>=6'} + + deep-is@0.1.4: + resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==} + + deepmerge-ts@5.1.0: + resolution: {integrity: sha512-eS8dRJOckyo9maw9Tu5O5RUi/4inFLrnoLkBe3cPfDMx3WZioXtmOew4TXQaxq7Rhl4xjDtR7c6x8nNTxOvbFw==} + engines: {node: '>=16.0.0'} + + deepmerge@4.3.1: + resolution: {integrity: sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==} + engines: {node: '>=0.10.0'} + + defaults@1.0.4: + resolution: {integrity: sha512-eFuaLoy/Rxalv2kr+lqMlUnrDWV+3j4pljOIJgLIhI058IQfWJ7vXhyEIHu+HtC738klGALYxOKDO0bQP3tg8A==} + + define-data-property@1.1.4: + resolution: {integrity: sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A==} + engines: {node: '>= 0.4'} + + defu@6.1.4: + resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==} + + delayed-stream@1.0.0: + resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==} + engines: {node: '>=0.4.0'} + + depd@2.0.0: + resolution: {integrity: sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==} + engines: {node: '>= 0.8'} + + deprecation@2.3.1: + resolution: {integrity: sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==} + + dequal@2.0.3: + resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==} + engines: {node: '>=6'} + + destroy@1.2.0: + resolution: {integrity: sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==} + engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} + + detect-indent@6.1.0: + resolution: {integrity: sha512-reYkTUJAZb9gUuZ2RvVCNhVHdg62RHnJ7WJl8ftMi4diZ6NWlciOzQN88pUhSELEwflJht4oQDv0F0BMlwaYtA==} + engines: {node: '>=8'} + + devalue@5.0.0: + resolution: {integrity: sha512-gO+/OMXF7488D+u3ue+G7Y4AA3ZmUnB3eHJXmBTgNHvr4ZNzl36A0ZtG+XCRNYCkYx/bFmw4qtkoFLa+wSrwAA==} + + didyoumean@1.2.2: + resolution: {integrity: sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==} + + diff-sequences@29.6.3: + resolution: {integrity: sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==} + engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} + + diff3@0.0.4: + resolution: {integrity: sha512-f1rQ7jXDn/3i37hdwRk9ohqcvLRH3+gEIgmA6qEM280WUOh7cOr3GXV8Jm5sPwUs46Nzl48SE8YNLGJoaLuodg==} + + dir-glob@3.0.1: + resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==} + engines: {node: '>=8'} + + dlv@1.1.3: + resolution: {integrity: sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==} + + doctrine@3.0.0: + resolution: {integrity: sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==} + engines: {node: '>=6.0.0'} + + dom-accessibility-api@0.5.16: + resolution: {integrity: sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==} + + dom-accessibility-api@0.6.3: + resolution: {integrity: sha512-7ZgogeTnjuHbo+ct10G9Ffp0mif17idi0IyWNVA/wcwcm7NPOD/WEHVP3n7n3MhXqxoIYm8d6MuZohYWIZ4T3w==} + + dom-serializer@1.4.1: + resolution: {integrity: sha512-VHwB3KfrcOOkelEG2ZOfxqLZdfkil8PtJi4P8N2MMXucZq2yLp75ClViUlOVwyoHEDjYU433Aq+5zWP61+RGag==} + + domelementtype@2.3.0: + resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==} + + domhandler@3.3.0: + resolution: {integrity: sha512-J1C5rIANUbuYK+FuFL98650rihynUOEzRLxW+90bKZRWB6A1X1Tf82GxR1qAWLyfNPRvjqfip3Q5tdYlmAa9lA==} + engines: {node: '>= 4'} + + domhandler@4.3.1: + resolution: {integrity: sha512-GrwoxYN+uWlzO8uhUXRl0P+kHE4GtVPfYzVLcUxPL7KNdHKj66vvlhiweIHqYYXWlw+T8iLMp42Lm67ghw4WMQ==} + engines: {node: '>= 4'} + + domhandler@5.0.3: + resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==} + engines: {node: '>= 4'} + + domutils@2.8.0: + resolution: {integrity: sha512-w96Cjofp72M5IIhpjgobBimYEfoPjx1Vx0BSX9P30WBdZW2WIKU0T1Bd0kz2eNZ9ikjKgHbEyKx8BB6H1L3h3A==} + + dotenv@16.4.5: + resolution: {integrity: sha512-ZmdL2rui+eB2YwhsWzjInR8LldtZHGDoQ1ugH85ppHKwpUHL7j7rN0Ti9NCnGiQbhaZ11FpR+7ao1dNsmduNUg==} + engines: {node: '>=12'} + + eastasianwidth@0.2.0: + resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==} + + ecdsa-sig-formatter@1.0.11: + resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==} + + echarts@5.5.1: + resolution: {integrity: sha512-Fce8upazaAXUVUVsjgV6mBnGuqgO+JNDlcgF79Dksy4+wgGpQB2lmYoO4TSweFg/mZITdpGHomw/cNBJZj1icA==} + + ee-first@1.1.1: + resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==} + + electron-to-chromium@1.5.8: + resolution: {integrity: sha512-4Nx0gP2tPNBLTrFxBMHpkQbtn2hidPVr/+/FTtcCiBYTucqc70zRyVZiOLj17Ui3wTO7SQ1/N+hkHYzJjBzt6A==} + + emoji-regex@8.0.0: + resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==} + + emoji-regex@9.2.2: + resolution: {integrity: sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==} + + encodeurl@1.0.2: + resolution: {integrity: sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==} + engines: {node: '>= 0.8'} + + enquirer@2.4.1: + resolution: {integrity: sha512-rRqJg/6gd538VHvR3PSrdRBb/1Vy2YfzHqzvbhGIQpDRKIa4FgV/54b5Q1xYSxOOwKvjXweS26E0Q+nAMwp2pQ==} + engines: {node: '>=8.6'} + + entities@2.2.0: + resolution: {integrity: sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==} + + entities@4.5.0: + resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==} + engines: {node: '>=0.12'} + + envinfo@7.13.0: + resolution: {integrity: sha512-cvcaMr7KqXVh4nyzGTVqTum+gAiL265x5jUWQIDLq//zOGbW+gSW/C+OWLleY/rs9Qole6AZLMXPbtIFQbqu+Q==} + engines: {node: '>=4'} + hasBin: true + + es-define-property@1.0.0: + resolution: {integrity: sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==} + engines: {node: '>= 0.4'} + + es-errors@1.3.0: + resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==} + engines: {node: '>= 0.4'} + + es-module-lexer@1.5.4: + resolution: {integrity: sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==} + + es6-promise@3.3.1: + resolution: {integrity: sha512-SOp9Phqvqn7jtEUxPWdWfWoLmyt2VaJ6MpvP9Comy1MceMXqE6bxvaTu4iaxpYYPzhny28Lc+M87/c2cPK6lDg==} + + esbuild-register@3.6.0: + resolution: {integrity: sha512-H2/S7Pm8a9CL1uhp9OvjwrBh5Pvx0H8qVOxNu8Wed9Y7qv56MPtq+GGM8RJpq6glYJn9Wspr8uw7l55uyinNeg==} + peerDependencies: + esbuild: '>=0.12 <1' + + esbuild-runner@2.2.2: + resolution: {integrity: sha512-fRFVXcmYVmSmtYm2mL8RlUASt2TDkGh3uRcvHFOKNr/T58VrfVeKD9uT9nlgxk96u0LS0ehS/GY7Da/bXWKkhw==} + hasBin: true + peerDependencies: + esbuild: '*' + + esbuild@0.21.5: + resolution: {integrity: sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==} + engines: {node: '>=12'} + hasBin: true + + esbuild@0.23.0: + resolution: {integrity: sha512-1lvV17H2bMYda/WaFb2jLPeHU3zml2k4/yagNMG8Q/YtfMjCwEUZa2eXXMgZTVSL5q1n4H7sQ0X6CdJDqqeCFA==} + engines: {node: '>=18'} + hasBin: true + + escalade@3.1.2: + resolution: {integrity: sha512-ErCHMCae19vR8vQGe50xIsVomy19rg6gFu3+r3jkEO46suLMWBksvVyoGgQV+jOfl84ZSOSlmv6Gxa89PmTGmA==} + engines: {node: '>=6'} + + escape-html@1.0.3: + resolution: {integrity: sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==} + + escape-string-regexp@1.0.5: + resolution: {integrity: sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==} + engines: {node: '>=0.8.0'} + + escape-string-regexp@4.0.0: + resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==} + engines: {node: '>=10'} + + eslint-compat-utils@0.5.1: + resolution: {integrity: sha512-3z3vFexKIEnjHE3zCMRo6fn/e44U7T1khUjg+Hp0ZQMCigh28rALD0nPFBcGZuiLC5rLZa2ubQHDRln09JfU2Q==} + engines: {node: '>=12'} + peerDependencies: + eslint: '>=6.0.0' + + eslint-config-prettier@9.1.0: + resolution: {integrity: sha512-NSWl5BFQWEPi1j4TjVNItzYV7dZXZ+wP6I6ZhrBGpChQhZRUaElihE9uRRkcbRnNb76UMKDF3r+WTmNcGPKsqw==} + hasBin: true + peerDependencies: + eslint: '>=7.0.0' + + eslint-plugin-storybook@0.8.0: + resolution: {integrity: sha512-CZeVO5EzmPY7qghO2t64oaFM+8FTaD4uzOEjHKp516exyTKo+skKAL9GI3QALS2BXhyALJjNtwbmr1XinGE8bA==} + engines: {node: '>= 18'} + peerDependencies: + eslint: '>=6' + + eslint-plugin-svelte@2.43.0: + resolution: {integrity: sha512-REkxQWvg2pp7QVLxQNa+dJ97xUqRe7Y2JJbSWkHSuszu0VcblZtXkPBPckkivk99y5CdLw4slqfPylL2d/X4jQ==} + engines: {node: ^14.17.0 || >=16.0.0} + peerDependencies: + eslint: ^7.0.0 || ^8.0.0-0 || ^9.0.0-0 + svelte: ^3.37.0 || ^4.0.0 || ^5.0.0-next.191 + peerDependenciesMeta: + svelte: + optional: true + + eslint-scope@5.1.1: + resolution: {integrity: sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==} + engines: {node: '>=8.0.0'} + + eslint-scope@7.2.2: + resolution: {integrity: sha512-dOt21O7lTMhDM+X9mB4GX+DZrZtCUJPL/wlcTqxyrx5IvO0IYtILdtrQGQp+8n5S0gwSVmOf9NQrjMOgfQZlIg==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + eslint-utils@3.0.0: + resolution: {integrity: sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==} + engines: {node: ^10.0.0 || ^12.0.0 || >= 14.0.0} + peerDependencies: + eslint: '>=5' + + eslint-visitor-keys@2.1.0: + resolution: {integrity: sha512-0rSmRBzXgDzIsD6mGdJgevzgezI534Cer5L/vyMX0kHzT/jiB43jRhd9YUlMGYLQy2zprNmoT8qasCGtY+QaKw==} + engines: {node: '>=10'} + + eslint-visitor-keys@3.4.3: + resolution: {integrity: sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + eslint@8.4.1: + resolution: {integrity: sha512-TxU/p7LB1KxQ6+7aztTnO7K0i+h0tDi81YRY9VzB6Id71kNz+fFYnf5HD5UOQmxkzcoa0TlVZf9dpMtUv0GpWg==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + hasBin: true + + eslint@8.57.0: + resolution: {integrity: sha512-dZ6+mexnaTIbSBZWgou51U6OmzIhYM2VcNdtiTtI7qPNZm35Akpr0f6vtw3w1Kmn5PYo+tZVfh13WrhpS6oLqQ==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + hasBin: true + + esm-env@1.0.0: + resolution: {integrity: sha512-Cf6VksWPsTuW01vU9Mk/3vRue91Zevka5SjyNf3nEpokFRuqt/KjUQoGAwq9qMmhpLTHmXzSIrFRw8zxWzmFBA==} + + espree@9.2.0: + resolution: {integrity: sha512-oP3utRkynpZWF/F2x/HZJ+AGtnIclaR7z1pYPxy7NYM2fSO6LgK/Rkny8anRSPK/VwEA1eqm2squui0T7ZMOBg==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + espree@9.6.1: + resolution: {integrity: sha512-oruZaFkjorTpF32kDSI5/75ViwGeZginGGy2NoOSg3Q9bnwlnmDm4HLnkl0RE3n+njDXR037aY1+x58Z/zFdwQ==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + + esprima@4.0.1: + resolution: {integrity: sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==} + engines: {node: '>=4'} + hasBin: true + + esquery@1.6.0: + resolution: {integrity: sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==} + engines: {node: '>=0.10'} + + esrecurse@4.3.0: + resolution: {integrity: sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==} + engines: {node: '>=4.0'} + + estraverse@4.3.0: + resolution: {integrity: sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==} + engines: {node: '>=4.0'} + + estraverse@5.3.0: + resolution: {integrity: sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==} + engines: {node: '>=4.0'} + + estree-walker@2.0.2: + resolution: {integrity: sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==} + + estree-walker@3.0.3: + resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==} + + esutils@2.0.3: + resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==} + engines: {node: '>=0.10.0'} + + etag@1.8.1: + resolution: {integrity: sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==} + engines: {node: '>= 0.6'} + + execa@5.1.1: + resolution: {integrity: sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==} + engines: {node: '>=10'} + + execa@8.0.1: + resolution: {integrity: sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==} + engines: {node: '>=16.17'} + + express@4.19.2: + resolution: {integrity: sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==} + engines: {node: '>= 0.10.0'} + + fast-deep-equal@3.1.3: + resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==} + + fast-glob@3.3.2: + resolution: {integrity: sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==} + engines: {node: '>=8.6.0'} + + fast-json-stable-stringify@2.1.0: + resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==} + + fast-levenshtein@2.0.6: + resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==} + + fastq@1.17.1: + resolution: {integrity: sha512-sRVD3lWVIXWg6By68ZN7vho9a1pQcN/WBFaAAsDDFzlJjvoGx0P8z7V1t72grFJfJhu3YPZBuu25f7Kaw2jN1w==} + + fd-package-json@1.2.0: + resolution: {integrity: sha512-45LSPmWf+gC5tdCQMNH4s9Sr00bIkiD9aN7dc5hqkrEw1geRYyDQS1v1oMHAW3ysfxfndqGsrDREHHjNNbKUfA==} + + fflate@0.8.2: + resolution: {integrity: sha512-cPJU47OaAoCbg0pBvzsgpTPhmhqI5eJjh/JIu8tPj5q+T7iLvW/JAYUqmE7KOB4R1ZyEhzBaIQpQpardBF5z8A==} + + file-entry-cache@6.0.1: + resolution: {integrity: sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==} + engines: {node: ^10.12.0 || >=12.0.0} + + fill-range@7.1.1: + resolution: {integrity: sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==} + engines: {node: '>=8'} + + finalhandler@1.2.0: + resolution: {integrity: sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==} + engines: {node: '>= 0.8'} + + find-cache-dir@2.1.0: + resolution: {integrity: sha512-Tq6PixE0w/VMFfCgbONnkiQIVol/JJL7nRMi20fqzA4NRs9AfeqMGeRdPi3wIhYkxjeBaWh2rxwapn5Tu3IqOQ==} + engines: {node: '>=6'} + + find-cache-dir@3.3.2: + resolution: {integrity: sha512-wXZV5emFEjrridIgED11OoUKLxiYjAcqot/NJdAkOhlJ+vGzwhOAfcG5OX1jP+S0PcjEn8bdMJv+g2jwQ3Onig==} + engines: {node: '>=8'} + + find-up@3.0.0: + resolution: {integrity: sha512-1yD6RmLI1XBfxugvORwlck6f75tYL+iR0jqwsOrOxMZyGYqUuDhJ0l4AXdO1iX/FTs9cBAMEk1gWSEx1kSbylg==} + engines: {node: '>=6'} + + find-up@4.1.0: + resolution: {integrity: sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==} + engines: {node: '>=8'} + + find-up@5.0.0: + resolution: {integrity: sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==} + engines: {node: '>=10'} + + flat-cache@3.2.0: + resolution: {integrity: sha512-CYcENa+FtcUKLmhhqyctpclsq7QF38pKjZHsGNiSQF5r4FtoKDWabFDl3hzaEQMvT1LHEysw5twgLvpYYb4vbw==} + engines: {node: ^10.12.0 || >=12.0.0} + + flatted@3.3.1: + resolution: {integrity: sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==} + + flow-parser@0.243.0: + resolution: {integrity: sha512-HCDBfH+kZcY5etWYeAqatjW78gkIryzb9XixRsA8lGI1uyYc7aCpElkkO4H+KIpoyQMiY0VAZPI4cyac3wQe8w==} + engines: {node: '>=0.4.0'} + + follow-redirects@1.15.6: + resolution: {integrity: sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==} + engines: {node: '>=4.0'} + peerDependencies: + debug: '*' + peerDependenciesMeta: + debug: + optional: true + + for-each@0.3.3: + resolution: {integrity: sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==} + + foreground-child@3.3.0: + resolution: {integrity: sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==} + engines: {node: '>=14'} + + form-data@4.0.0: + resolution: {integrity: sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==} + engines: {node: '>= 6'} + + forwarded@0.2.0: + resolution: {integrity: sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==} + engines: {node: '>= 0.6'} + + fraction.js@4.3.7: + resolution: {integrity: sha512-ZsDfxO51wGAXREY55a7la9LScWpwv9RxIrYABrlvOFBlH/ShPnrtsXeuUIfXKKOVicNxQ+o8JTbJvjS4M89yew==} + + fresh@0.5.2: + resolution: {integrity: sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==} + engines: {node: '>= 0.6'} + + fs-extra@11.2.0: + resolution: {integrity: sha512-PmDi3uwK5nFuXh7XDTlVnS17xJS7vW36is2+w3xcv8SVxiB4NyATf4ctkVY5bkSjX0Y4nbvZCq1/EjtEyr9ktw==} + engines: {node: '>=14.14'} + + fs-minipass@2.1.0: + resolution: {integrity: sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==} + engines: {node: '>= 8'} + + fs.realpath@1.0.0: + resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==} + + fsevents@2.3.2: + resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==} + engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0} + os: [darwin] + + fsevents@2.3.3: + resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==} + engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0} + os: [darwin] + + function-bind@1.1.2: + resolution: {integrity: sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==} + + functional-red-black-tree@1.0.1: + resolution: {integrity: sha512-dsKNQNdj6xA3T+QlADDA7mOSlX0qiMINjn0cgr+eGHGsbSHzTabcIogz2+p/iqP1Xs6EP/sS2SbqH+brGTbq0g==} + + gensync@1.0.0-beta.2: + resolution: {integrity: sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==} + engines: {node: '>=6.9.0'} + + get-func-name@2.0.2: + resolution: {integrity: sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==} + + get-intrinsic@1.2.4: + resolution: {integrity: sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==} + engines: {node: '>= 0.4'} + + get-stream@6.0.1: + resolution: {integrity: sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg==} + engines: {node: '>=10'} + + get-stream@8.0.1: + resolution: {integrity: sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==} + engines: {node: '>=16'} + + giget@1.2.3: + resolution: {integrity: sha512-8EHPljDvs7qKykr6uw8b+lqLiUc/vUg+KVTI0uND4s63TdsZM2Xus3mflvF0DDG9SiM4RlCkFGL+7aAjRmV7KA==} + hasBin: true + + github-slugger@2.0.0: + resolution: {integrity: sha512-IaOQ9puYtjrkq7Y0Ygl9KDZnrf/aiUJYUpVf89y8kyaxbRG7Y1SrX/jaumrv81vc61+kiMempujsM3Yw7w5qcw==} + + glob-parent@5.1.2: + resolution: {integrity: sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==} + engines: {node: '>= 6'} + + glob-parent@6.0.2: + resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==} + engines: {node: '>=10.13.0'} + + glob@10.4.5: + resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==} + hasBin: true + + glob@7.2.3: + resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==} + deprecated: Glob versions prior to v9 are no longer supported + + globals@11.12.0: + resolution: {integrity: sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==} + engines: {node: '>=4'} + + globals@13.24.0: + resolution: {integrity: sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==} + engines: {node: '>=8'} + + globalyzer@0.1.0: + resolution: {integrity: sha512-40oNTM9UfG6aBmuKxk/giHn5nQ8RVz/SS4Ir6zgzOv9/qC3kKZ9v4etGTcJbEl/NyVQH7FGU7d+X1egr57Md2Q==} + + globby@11.1.0: + resolution: {integrity: sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==} + engines: {node: '>=10'} + + globby@14.0.2: + resolution: {integrity: sha512-s3Fq41ZVh7vbbe2PN3nrW7yC7U7MFVc5c98/iTl9c2GawNMKx/J648KQRW6WKkuU8GIbbh2IXfIRQjOZnXcTnw==} + engines: {node: '>=18'} + + globrex@0.1.2: + resolution: {integrity: sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==} + + gopd@1.0.1: + resolution: {integrity: sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==} + + graceful-fs@4.2.11: + resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==} + + graphemer@1.4.0: + resolution: {integrity: sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==} + + guess-json-indent@2.0.0: + resolution: {integrity: sha512-3Tm6R43KhtZWEVSHZnFmYMV9+gf3Vu0HXNNYtPVk2s7o8eGwYlJPHrjLtYw/7HBc10YxV+bfzKMuOf24z5qFng==} + engines: {node: '>=16.17.0'} + + has-flag@3.0.0: + resolution: {integrity: sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==} + engines: {node: '>=4'} + + has-flag@4.0.0: + resolution: {integrity: sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==} + engines: {node: '>=8'} + + has-property-descriptors@1.0.2: + resolution: {integrity: sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==} + + has-proto@1.0.3: + resolution: {integrity: sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q==} + engines: {node: '>= 0.4'} + + has-symbols@1.0.3: + resolution: {integrity: sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==} + engines: {node: '>= 0.4'} + + has-tostringtag@1.0.2: + resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==} + engines: {node: '>= 0.4'} + + hasown@2.0.2: + resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==} + engines: {node: '>= 0.4'} + + hast-util-heading-rank@3.0.0: + resolution: {integrity: sha512-EJKb8oMUXVHcWZTDepnr+WNbfnXKFNf9duMesmr4S8SXTJBJ9M4Yok08pu9vxdJwdlGRhVumk9mEhkEvKGifwA==} + + hast-util-is-element@3.0.0: + resolution: {integrity: sha512-Val9mnv2IWpLbNPqc/pUem+a7Ipj2aHacCwgNfTiK0vJKl0LF+4Ba4+v1oPHFpf3bLYmreq0/l3Gud9S5OH42g==} + + hast-util-to-string@3.0.0: + resolution: {integrity: sha512-OGkAxX1Ua3cbcW6EJ5pT/tslVb90uViVkcJ4ZZIMW/R33DX/AkcJcRrPebPwJkHYwlDHXz4aIwvAAaAdtrACFA==} + + html-encoding-sniffer@4.0.0: + resolution: {integrity: sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ==} + engines: {node: '>=18'} + + html-escaper@2.0.2: + resolution: {integrity: sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==} + + htmlparser2-svelte@4.1.0: + resolution: {integrity: sha512-+4f4RBFz7Rj2Hp0ZbFbXC+Kzbd6S9PgjiuFtdT76VMNgKogrEZy0pG2UrPycPbrZzVEIM5lAT3lAdkSTCHLPjg==} + + http-errors@2.0.0: + resolution: {integrity: sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==} + engines: {node: '>= 0.8'} + + http-proxy-agent@7.0.2: + resolution: {integrity: sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==} + engines: {node: '>= 14'} + + https-proxy-agent@7.0.5: + resolution: {integrity: sha512-1e4Wqeblerz+tMKPIq2EMGiiWW1dIjZOksyHWSUm1rmuvw/how9hBHZ38lAGj5ID4Ik6EdkOw7NmWPy6LAwalw==} + engines: {node: '>= 14'} + + human-signals@2.1.0: + resolution: {integrity: sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==} + engines: {node: '>=10.17.0'} + + human-signals@5.0.0: + resolution: {integrity: sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==} + engines: {node: '>=16.17.0'} + + iconv-lite@0.4.24: + resolution: {integrity: sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==} + engines: {node: '>=0.10.0'} + + iconv-lite@0.6.3: + resolution: {integrity: sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==} + engines: {node: '>=0.10.0'} + + ieee754@1.2.1: + resolution: {integrity: sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==} + + ignore@4.0.6: + resolution: {integrity: sha512-cyFDKrqc/YdcWFniJhzI42+AzS+gNwmUzOSFcRCQYwySuBBBy/KjuxWLZ/FHEH6Moq1NizMOBWyTcv8O4OZIMg==} + engines: {node: '>= 4'} + + ignore@5.3.2: + resolution: {integrity: sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==} + engines: {node: '>= 4'} + + import-fresh@3.3.0: + resolution: {integrity: sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==} + engines: {node: '>=6'} + + import-meta-resolve@4.1.0: + resolution: {integrity: sha512-I6fiaX09Xivtk+THaMfAwnA3MVA5Big1WHF1Dfx9hFuvNIWpXnorlkzhcQf6ehrqQiiZECRt1poOAkPmer3ruw==} + + imurmurhash@0.1.4: + resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==} + engines: {node: '>=0.8.19'} + + indent-string@4.0.0: + resolution: {integrity: sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==} + engines: {node: '>=8'} + + inflight@1.0.6: + resolution: {integrity: sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==} + deprecated: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. + + inherits@2.0.4: + resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==} + + ipaddr.js@1.9.1: + resolution: {integrity: sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==} + engines: {node: '>= 0.10'} + + is-absolute-url@4.0.1: + resolution: {integrity: sha512-/51/TKE88Lmm7Gc4/8btclNXWS+g50wXhYJq8HWIBAGUBnoAdRu1aXeh364t/O7wXDAcTJDP8PNuNKWUDWie+A==} + engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + + is-arguments@1.1.1: + resolution: {integrity: sha512-8Q7EARjzEnKpt/PCD7e1cgUS0a6X8u5tdSiMqXhojOdoV9TsMsiO+9VLC5vAmO8N7/GmXn7yjR8qnA6bVAEzfA==} + engines: {node: '>= 0.4'} + + is-binary-path@2.1.0: + resolution: {integrity: sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==} + engines: {node: '>=8'} + + is-builtin-module@3.2.1: + resolution: {integrity: sha512-BSLE3HnV2syZ0FK0iMA/yUGplUeMmNz4AW5fnTunbCIqZi4vG3WjJT9FHMy5D69xmAYBHXQhJdALdpwVxV501A==} + engines: {node: '>=6'} + + is-callable@1.2.7: + resolution: {integrity: sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==} + engines: {node: '>= 0.4'} + + is-core-module@2.15.0: + resolution: {integrity: sha512-Dd+Lb2/zvk9SKy1TGCt1wFJFo/MWBPMX5x7KcvLajWTGuomczdQX61PvY5yK6SVACwpoexWo81IfFyoKY2QnTA==} + engines: {node: '>= 0.4'} + + is-extglob@2.1.1: + resolution: {integrity: sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==} + engines: {node: '>=0.10.0'} + + is-fullwidth-code-point@3.0.0: + resolution: {integrity: sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==} + engines: {node: '>=8'} + + is-generator-function@1.0.10: + resolution: {integrity: sha512-jsEjy9l3yiXEQ+PsXdmBwEPcOxaXWLspKdplFUVI9vq1iZgIekeC0L167qeu86czQaxed3q/Uzuw0swL0irL8A==} + engines: {node: '>= 0.4'} + + is-glob@4.0.3: + resolution: {integrity: sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==} + engines: {node: '>=0.10.0'} + + is-interactive@1.0.0: + resolution: {integrity: sha512-2HvIEKRoqS62guEC+qBjpvRubdX910WCMuJTZ+I9yvqKU2/12eSL549HMwtabb4oupdj2sMP50k+XJfB/8JE6w==} + engines: {node: '>=8'} + + is-module@1.0.0: + resolution: {integrity: sha512-51ypPSPCoTEIN9dy5Oy+h4pShgJmPCygKfyRCISBI+JoWT/2oJvK8QPxmwv7b/p239jXrm9M1mlQbyKJ5A152g==} + + is-number@7.0.0: + resolution: {integrity: sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==} + engines: {node: '>=0.12.0'} + + is-path-inside@3.0.3: + resolution: {integrity: sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==} + engines: {node: '>=8'} + + is-plain-object@2.0.4: + resolution: {integrity: sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==} + engines: {node: '>=0.10.0'} + + is-potential-custom-element-name@1.0.1: + resolution: {integrity: sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==} + + is-reference@1.2.1: + resolution: {integrity: sha512-U82MsXXiFIrjCK4otLT+o2NA2Cd2g5MLoOVXUZjIOhLurrRxpEXzI8O0KZHr3IjLvlAH1kTPYSuqer5T9ZVBKQ==} + + is-reference@3.0.2: + resolution: {integrity: sha512-v3rht/LgVcsdZa3O2Nqs+NMowLOxeOm7Ay9+/ARQ2F+qEoANRcqrjAZKGN0v8ymUetZGgkp26LTnGT7H0Qo9Pg==} + + is-stream@2.0.1: + resolution: {integrity: sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==} + engines: {node: '>=8'} + + is-stream@3.0.0: + resolution: {integrity: sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==} + engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + + is-typed-array@1.1.13: + resolution: {integrity: sha512-uZ25/bUAlUY5fR4OKT4rZQEBrzQWYV9ZJYGGsUmEJ6thodVJ1HX64ePQ6Z0qPWP+m+Uq6e9UugrE38jeYsDSMw==} + engines: {node: '>= 0.4'} + + is-unicode-supported@0.1.0: + resolution: {integrity: sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw==} + engines: {node: '>=10'} + + isexe@2.0.0: + resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==} + + isobject@3.0.1: + resolution: {integrity: sha512-WhB9zCku7EGTj/HQQRz5aUQEUeoQZH2bWcltRErOpymJ4boYE6wL9Tbr23krRPSZ+C5zqNSrSw+Cc7sZZ4b7vg==} + engines: {node: '>=0.10.0'} + + istanbul-lib-coverage@3.2.2: + resolution: {integrity: sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==} + engines: {node: '>=8'} + + istanbul-lib-report@3.0.1: + resolution: {integrity: sha512-GCfE1mtsHGOELCU8e/Z7YWzpmybrx/+dSTfLrvY8qRmaY6zXTKWn6WQIjaAFw069icm6GVMNkgu0NzI4iPZUNw==} + engines: {node: '>=10'} + + istanbul-lib-source-maps@5.0.6: + resolution: {integrity: sha512-yg2d+Em4KizZC5niWhQaIomgf5WlL4vOOjZ5xGCmF8SnPE/mDWWXgvRExdcpCgh9lLRRa1/fSYp2ymmbJ1pI+A==} + engines: {node: '>=10'} + + istanbul-reports@3.1.7: + resolution: {integrity: sha512-BewmUXImeuRk2YY0PVbxgKAysvhRPUQE0h5QRM++nVWyubKGV0l8qQ5op8+B2DOmwSe63Jivj0BjkPQVf8fP5g==} + engines: {node: '>=8'} + + jackspeak@3.4.3: + resolution: {integrity: sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==} + + jiti@1.21.6: + resolution: {integrity: sha512-2yTgeWTWzMWkHu6Jp9NKgePDaYHbntiwvYuuJLbbN9vl7DC9DvXKOB2BC3ZZ92D3cvV/aflH0osDfwpHepQ53w==} + hasBin: true + + joi@17.13.3: + resolution: {integrity: sha512-otDA4ldcIx+ZXsKHWmp0YizCweVRZG96J10b0FevjfuncLO1oX59THoAmHkNubYJ+9gWsYsp5k8v4ib6oDv1fA==} + + js-tokens@4.0.0: + resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==} + + js-tokens@9.0.0: + resolution: {integrity: sha512-WriZw1luRMlmV3LGJaR6QOJjWwgLUTf89OwT2lUOyjX2dJGBwgmIkbcz+7WFZjrZM635JOIR517++e/67CP9dQ==} + + js-yaml@4.1.0: + resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==} + hasBin: true + + jscodeshift@0.15.2: + resolution: {integrity: sha512-FquR7Okgmc4Sd0aEDwqho3rEiKR3BdvuG9jfdHjLJ6JQoWSMpavug3AoIfnfWhxFlf+5pzQh8qjqz0DWFrNQzA==} + hasBin: true + peerDependencies: + '@babel/preset-env': ^7.1.6 + peerDependenciesMeta: + '@babel/preset-env': + optional: true + + jsdom@24.1.1: + resolution: {integrity: sha512-5O1wWV99Jhq4DV7rCLIoZ/UIhyQeDR7wHVyZAHAshbrvZsLs+Xzz7gtwnlJTJDjleiTKh54F4dXrX70vJQTyJQ==} + engines: {node: '>=18'} + peerDependencies: + canvas: ^2.11.2 + peerDependenciesMeta: + canvas: + optional: true + + jsesc@0.5.0: + resolution: {integrity: sha512-uZz5UnB7u4T9LvwmFqXii7pZSouaRPorGs5who1Ip7VO0wxanFvBL7GkM6dTHlgX+jhBApRetaWpnDabOeTcnA==} + hasBin: true + + jsesc@2.5.2: + resolution: {integrity: sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==} + engines: {node: '>=4'} + hasBin: true + + json-buffer@3.0.1: + resolution: {integrity: sha512-4bV5BfR2mqfQTJm+V5tPPdf+ZpuhiIvTuAB5g8kcrXOZpTT/QwwVRWBywX1ozr6lEuPdbHxwaJlm9G6mI2sfSQ==} + + json-schema-to-ts@3.1.0: + resolution: {integrity: sha512-UeVN/ery4/JeXI8h4rM8yZPxsH+KqPi/84qFxHfTGHZnWnK9D0UU9ZGYO+6XAaJLqCWMiks+ARuFOKAiSxJCHA==} + engines: {node: '>=16'} + + json-schema-traverse@0.4.1: + resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==} + + json-stable-stringify-without-jsonify@1.0.1: + resolution: {integrity: sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==} + + json5@2.2.3: + resolution: {integrity: sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==} + engines: {node: '>=6'} + hasBin: true + + jsonfile@6.1.0: + resolution: {integrity: sha512-5dgndWOriYSm5cnYaJNhalLNDKOqFwyDB/rr1E9ZsGciGvKPs8R2xYGCacuf3z6K1YKDz182fd+fY3cn3pMqXQ==} + + jsonwebtoken@9.0.2: + resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==} + engines: {node: '>=12', npm: '>=6'} + + just-clone@6.2.0: + resolution: {integrity: sha512-1IynUYEc/HAwxhi3WDpIpxJbZpMCvvrrmZVqvj9EhpvbH8lls7HhdhiByjL7DkAaWlLIzpC0Xc/VPvy/UxLNjA==} + + jwa@1.4.1: + resolution: {integrity: sha512-qiLX/xhEEFKUAJ6FiBMbes3w9ATzyk5W7Hvzpa/SLYdxNtng+gcurvrI7TbACjIXlsJyr05/S1oUhZrc63evQA==} + + jws@3.2.2: + resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==} + + keyv@4.5.4: + resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==} + + kind-of@6.0.3: + resolution: {integrity: sha512-dcS1ul+9tmeD95T+x28/ehLgd9mENa3LsvDTtzm3vyBEO7RPptvAD+t44WVXaUjTBRcrpFeFlC8WCruUR456hw==} + engines: {node: '>=0.10.0'} + + kleur@3.0.3: + resolution: {integrity: sha512-eTIzlVOSUR+JxdDFepEYcBMtZ9Qqdef+rnzWdRZuMbOywu5tO2w2N7rqjoANZ5k9vywhL6Br1VRjUIgTQx4E8w==} + engines: {node: '>=6'} + + kleur@4.1.5: + resolution: {integrity: sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==} + engines: {node: '>=6'} + + known-css-properties@0.34.0: + resolution: {integrity: sha512-tBECoUqNFbyAY4RrbqsBQqDFpGXAEbdD5QKr8kACx3+rnArmuuR22nKQWKazvp07N9yjTyDZaw/20UIH8tL9DQ==} + + leven@3.1.0: + resolution: {integrity: sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A==} + engines: {node: '>=6'} + + levn@0.4.1: + resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==} + engines: {node: '>= 0.8.0'} + + lilconfig@2.1.0: + resolution: {integrity: sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==} + engines: {node: '>=10'} + + lilconfig@3.1.2: + resolution: {integrity: sha512-eop+wDAvpItUys0FWkHIKeC9ybYrTGbU41U5K7+bttZZeohvnY7M9dZ5kB21GNWiFT2q1OoPTvncPCgSOVO5ow==} + engines: {node: '>=14'} + + lines-and-columns@1.2.4: + resolution: {integrity: sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==} + + local-pkg@0.5.0: + resolution: {integrity: sha512-ok6z3qlYyCDS4ZEU27HaU6x/xZa9Whf8jD4ptH5UZTQYZVYeb9bnZ3ojVhiJNLiXK1Hfc0GNbLXcmZ5plLDDBg==} + engines: {node: '>=14'} + + locate-character@3.0.0: + resolution: {integrity: sha512-SW13ws7BjaeJ6p7Q6CO2nchbYEc3X3J6WrmTTDto7yMPqVSZTUyY5Tjbid+Ab8gLnATtygYtiDIJGQRRn2ZOiA==} + + locate-path@3.0.0: + resolution: {integrity: sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==} + engines: {node: '>=6'} + + locate-path@5.0.0: + resolution: {integrity: sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==} + engines: {node: '>=8'} + + locate-path@6.0.0: + resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==} + engines: {node: '>=10'} + + lodash.castarray@4.4.0: + resolution: {integrity: sha512-aVx8ztPv7/2ULbArGJ2Y42bG1mEQ5mGjpdvrbJcJFU3TbYybe+QlLS4pst9zV52ymy2in1KpFPiZnAOATxD4+Q==} + + lodash.debounce@4.0.8: + resolution: {integrity: sha512-FT1yDzDYEoYWhnSGnpE/4Kj1fLZkDFyqRb7fNt6FdYOSxlUWAtp42Eh6Wb0rGIv/m9Bgo7x4GhQbm5Ys4SG5ow==} + + lodash.includes@4.3.0: + resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==} + + lodash.isboolean@3.0.3: + resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==} + + lodash.isinteger@4.0.4: + resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==} + + lodash.isnumber@3.0.3: + resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==} + + lodash.isplainobject@4.0.6: + resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==} + + lodash.isstring@4.0.1: + resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==} + + lodash.merge@4.6.2: + resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==} + + lodash.once@4.1.1: + resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==} + + lodash@4.17.21: + resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==} + + log-symbols@4.1.0: + resolution: {integrity: sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==} + engines: {node: '>=10'} + + loose-envify@1.4.0: + resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==} + hasBin: true + + loupe@2.3.7: + resolution: {integrity: sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA==} + + lru-cache@10.4.3: + resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==} + + lru-cache@5.1.1: + resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==} + + lz-string@1.5.0: + resolution: {integrity: sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==} + hasBin: true + + magic-string@0.30.11: + resolution: {integrity: sha512-+Wri9p0QHMy+545hKww7YAu5NyzF8iomPL/RQazugQ9+Ez4Ic3mERMd8ZTX5rfK944j+560ZJi8iAwgak1Ac7A==} + + magicast@0.3.4: + resolution: {integrity: sha512-TyDF/Pn36bBji9rWKHlZe+PZb6Mx5V8IHCSxk7X4aljM4e/vyDvZZYwHewdVaqiA0nb3ghfHU/6AUpDxWoER2Q==} + + make-dir@2.1.0: + resolution: {integrity: sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==} + engines: {node: '>=6'} + + make-dir@3.1.0: + resolution: {integrity: sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==} + engines: {node: '>=8'} + + make-dir@4.0.0: + resolution: {integrity: sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==} + engines: {node: '>=10'} + + map-or-similar@1.5.0: + resolution: {integrity: sha512-0aF7ZmVon1igznGI4VS30yugpduQW3y3GkcgGJOp7d8x8QrizhigUxjI/m2UojsXXto+jLAH3KSz+xOJTiORjg==} + + markdown-to-jsx@7.4.7: + resolution: {integrity: sha512-0+ls1IQZdU6cwM1yu0ZjjiVWYtkbExSyUIFU2ZeDIFuZM1W42Mh4OlJ4nb4apX4H8smxDHRdFaoIVJGwfv5hkg==} + engines: {node: '>= 10'} + peerDependencies: + react: '>= 0.14.0' + + mdn-data@2.0.30: + resolution: {integrity: sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==} + + media-typer@0.3.0: + resolution: {integrity: sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==} + engines: {node: '>= 0.6'} + + memoize-weak@1.0.2: + resolution: {integrity: sha512-gj39xkrjEw7nCn4nJ1M5ms6+MyMlyiGmttzsqAUsAKn6bYKwuTHh/AO3cKPF8IBrTIYTxb0wWXFs3E//Y8VoWQ==} + + memoizerific@1.11.3: + resolution: {integrity: sha512-/EuHYwAPdLtXwAwSZkh/Gutery6pD2KYd44oQLhAvQp/50mpyduZh8Q7PYHXTCJ+wuXxt7oij2LXyIJOOYFPog==} + + merge-descriptors@1.0.1: + resolution: {integrity: sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==} + + merge-stream@2.0.0: + resolution: {integrity: sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==} + + merge2@1.4.1: + resolution: {integrity: sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==} + engines: {node: '>= 8'} + + methods@1.1.2: + resolution: {integrity: sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==} + engines: {node: '>= 0.6'} + + micromatch@4.0.7: + resolution: {integrity: sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==} + engines: {node: '>=8.6'} + + mime-db@1.52.0: + resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==} + engines: {node: '>= 0.6'} + + mime-types@2.1.35: + resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==} + engines: {node: '>= 0.6'} + + mime@1.6.0: + resolution: {integrity: sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==} + engines: {node: '>=4'} + hasBin: true + + mimic-fn@2.1.0: + resolution: {integrity: sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==} + engines: {node: '>=6'} + + mimic-fn@4.0.0: + resolution: {integrity: sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==} + engines: {node: '>=12'} + + min-indent@1.0.1: + resolution: {integrity: sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==} + engines: {node: '>=4'} + + mini-svg-data-uri@1.4.4: + resolution: {integrity: sha512-r9deDe9p5FJUPZAk3A59wGH7Ii9YrjjWw0jmw/liSbHl2CHiyXj6FcDXDu2K3TjVAXqiJdaw3xxwlZZr9E6nHg==} + hasBin: true + + minimatch@3.1.2: + resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} + + minimatch@9.0.5: + resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==} + engines: {node: '>=16 || 14 >=14.17'} + + minimist@1.2.8: + resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==} + + minipass@3.3.6: + resolution: {integrity: sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==} + engines: {node: '>=8'} + + minipass@5.0.0: + resolution: {integrity: sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==} + engines: {node: '>=8'} + + minipass@7.1.2: + resolution: {integrity: sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==} + engines: {node: '>=16 || 14 >=14.17'} + + minizlib@2.1.2: + resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} + engines: {node: '>= 8'} + + mkdirp@0.5.6: + resolution: {integrity: sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==} + hasBin: true + + mkdirp@1.0.4: + resolution: {integrity: sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==} + engines: {node: '>=10'} + hasBin: true + + mlly@1.7.1: + resolution: {integrity: sha512-rrVRZRELyQzrIUAVMHxP97kv+G786pHmOKzuFII8zDYahFBS7qnHh2AlYSl1GAHhaMPCz6/oHjVMcfFYgFYHgA==} + + mri@1.2.0: + resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==} + engines: {node: '>=4'} + + mrmime@2.0.0: + resolution: {integrity: sha512-eu38+hdgojoyq63s+yTpN4XMBdt5l8HhMhc4VKLO9KM5caLIBvUm4thi7fFaxyTmCKeNnXZ5pAlBwCUnhA09uw==} + engines: {node: '>=10'} + + ms@2.0.0: + resolution: {integrity: sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==} + + ms@2.1.2: + resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==} + + ms@2.1.3: + resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==} + + murmurhash3js@3.0.1: + resolution: {integrity: sha512-KL8QYUaxq7kUbcl0Yto51rMcYt7E/4N4BG3/c96Iqw1PQrTRspu8Cpx4TZ4Nunib1d4bEkIH3gjCYlP2RLBdow==} + engines: {node: '>=0.10.0'} + + mz@2.7.0: + resolution: {integrity: sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q==} + + nanoid@3.3.7: + resolution: {integrity: sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g==} + engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} + hasBin: true + + natural-compare@1.4.0: + resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==} + + negotiator@0.6.3: + resolution: {integrity: sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==} + engines: {node: '>= 0.6'} + + neo-async@2.6.2: + resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==} + + node-dir@0.1.17: + resolution: {integrity: sha512-tmPX422rYgofd4epzrNoOXiE8XFZYOcCq1vD7MAXCDO+O+zndlA2ztdKKMa+EeuBG5tHETpr4ml4RGgpqDCCAg==} + engines: {node: '>= 0.10.5'} + + node-fetch-native@1.6.4: + resolution: {integrity: sha512-IhOigYzAKHd244OC0JIMIUrjzctirCmPkaIfhDeGcEETWof5zKYUW7e7MYvChGWh/4CJeXEgsRyGzuF334rOOQ==} + + node-releases@2.0.18: + resolution: {integrity: sha512-d9VeXT4SJ7ZeOqGX6R5EM022wpL+eWPooLI+5UpWn2jCT1aosUQEhQP214x33Wkwx3JQMvIm+tIoVOdodFS40g==} + + normalize-path@3.0.0: + resolution: {integrity: sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==} + engines: {node: '>=0.10.0'} + + normalize-range@0.1.2: + resolution: {integrity: sha512-bdok/XvKII3nUpklnV6P2hxtMNrCboOjAcyBuQnWEhO665FwrSNRxU+AqpsyvO6LgGYPspN+lu5CLtw4jPRKNA==} + engines: {node: '>=0.10.0'} + + normalize-url@8.0.1: + resolution: {integrity: sha512-IO9QvjUMWxPQQhs60oOu10CRkWCiZzSUkzbXGGV9pviYl1fXYcvkzQ5jV9z8Y6un8ARoVRl4EtC6v6jNqbaJ/w==} + engines: {node: '>=14.16'} + + npm-run-path@4.0.1: + resolution: {integrity: sha512-S48WzZW777zhNIrn7gxOlISNAqi9ZC/uQFnRdbeIHhZhCA6UqpkOT8T1G7BvfdgP4Er8gF4sUbaS0i7QvIfCWw==} + engines: {node: '>=8'} + + npm-run-path@5.3.0: + resolution: {integrity: sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==} + engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + + nwsapi@2.2.12: + resolution: {integrity: sha512-qXDmcVlZV4XRtKFzddidpfVP4oMSGhga+xdMc25mv8kaLUHtgzCDhUxkrN8exkGdTlLNaXj7CV3GtON7zuGZ+w==} + + nypm@0.3.9: + resolution: {integrity: sha512-BI2SdqqTHg2d4wJh8P9A1W+bslg33vOE9IZDY6eR2QC+Pu1iNBVZUqczrd43rJb+fMzHU7ltAYKsEFY/kHMFcw==} + engines: {node: ^14.16.0 || >=16.10.0} + hasBin: true + + object-assign@4.1.1: + resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==} + engines: {node: '>=0.10.0'} + + object-hash@3.0.0: + resolution: {integrity: sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==} + engines: {node: '>= 6'} + + object-inspect@1.13.2: + resolution: {integrity: sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g==} + engines: {node: '>= 0.4'} + + octokit@3.1.2: + resolution: {integrity: sha512-MG5qmrTL5y8KYwFgE1A4JWmgfQBaIETE/lOlfwNYx1QOtCQHGVxkRJmdUJltFc1HVn73d61TlMhMyNTOtMl+ng==} + engines: {node: '>= 18'} + + ohash@1.1.3: + resolution: {integrity: sha512-zuHHiGTYTA1sYJ/wZN+t5HKZaH23i4yI1HMwbuXm24Nid7Dv0KcuRlKoNKS9UNfAVSBlnGLcuQrnOKWOZoEGaw==} + + on-finished@2.4.1: + resolution: {integrity: sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==} + engines: {node: '>= 0.8'} + + once@1.4.0: + resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==} + + onetime@5.1.2: + resolution: {integrity: sha512-kbpaSSGJTWdAY5KPVeMOKXSrPtr8C8C7wodJbcsd51jRnmD+GZu8Y0VoU6Dm5Z4vWr0Ig/1NKuWRKf7j5aaYSg==} + engines: {node: '>=6'} + + onetime@6.0.0: + resolution: {integrity: sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==} + engines: {node: '>=12'} + + optionator@0.9.4: + resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==} + engines: {node: '>= 0.8.0'} + + ora@5.4.1: + resolution: {integrity: sha512-5b6Y85tPxZZ7QytO+BQzysW31HJku27cRIlkbAXaNx+BdcVi+LlRFmVXzeF6a7JCwJpyw5c4b+YSVImQIrBpuQ==} + engines: {node: '>=10'} + + p-limit@2.3.0: + resolution: {integrity: sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==} + engines: {node: '>=6'} + + p-limit@3.1.0: + resolution: {integrity: sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==} + engines: {node: '>=10'} + + p-limit@5.0.0: + resolution: {integrity: sha512-/Eaoq+QyLSiXQ4lyYV23f14mZRQcXnxfHrN0vCai+ak9G0pp9iEQukIIZq5NccEvwRB8PUnZT0KsOoDCINS1qQ==} + engines: {node: '>=18'} + + p-locate@3.0.0: + resolution: {integrity: sha512-x+12w/To+4GFfgJhBEpiDcLozRJGegY+Ei7/z0tSLkMmxGZNybVMSfWj9aJn8Z5Fc7dBUNJOOVgPv2H7IwulSQ==} + engines: {node: '>=6'} + + p-locate@4.1.0: + resolution: {integrity: sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==} + engines: {node: '>=8'} + + p-locate@5.0.0: + resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==} + engines: {node: '>=10'} + + p-try@2.2.0: + resolution: {integrity: sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==} + engines: {node: '>=6'} + + package-json-from-dist@1.0.0: + resolution: {integrity: sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==} + + pako@1.0.11: + resolution: {integrity: sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==} + + parent-module@1.0.1: + resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==} + engines: {node: '>=6'} + + parse5-htmlparser2-tree-adapter@7.0.0: + resolution: {integrity: sha512-B77tOZrqqfUfnVcOrUvfdLbz4pu4RopLD/4vmu3HUPswwTA8OH0EMW9BlWR2B0RCoiZRAHEUu7IxeP1Pd1UU+g==} + + parse5@7.1.2: + resolution: {integrity: sha512-Czj1WaSVpaoj0wbhMzLmWD69anp2WH7FXMB9n1Sy8/ZFF9jolSQVMu1Ij5WIyGmcBmhk7EOndpO4mIpihVqAXw==} + + parseurl@1.3.3: + resolution: {integrity: sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==} + engines: {node: '>= 0.8'} + + path-exists@3.0.0: + resolution: {integrity: sha512-bpC7GYwiDYQ4wYLe+FA8lhRjhQCMcQGuSgGGqDkg/QerRWw9CmGRT0iSOVRSZJ29NMLZgIzqaljJ63oaL4NIJQ==} + engines: {node: '>=4'} + + path-exists@4.0.0: + resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==} + engines: {node: '>=8'} + + path-is-absolute@1.0.1: + resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==} + engines: {node: '>=0.10.0'} + + path-key@3.1.1: + resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==} + engines: {node: '>=8'} + + path-key@4.0.0: + resolution: {integrity: sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==} + engines: {node: '>=12'} + + path-parse@1.0.7: + resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==} + + path-scurry@1.11.1: + resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==} + engines: {node: '>=16 || 14 >=14.18'} + + path-to-regexp@0.1.7: + resolution: {integrity: sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==} + + path-type@4.0.0: + resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==} + engines: {node: '>=8'} + + path-type@5.0.0: + resolution: {integrity: sha512-5HviZNaZcfqP95rwpv+1HDgUamezbqdSYTyzjTvwtJSnIH+3vnbmWsItli8OFEndS984VT55M3jduxZbX351gg==} + engines: {node: '>=12'} + + pathe@1.1.2: + resolution: {integrity: sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==} + + pathval@1.1.1: + resolution: {integrity: sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==} + + periscopic@3.1.0: + resolution: {integrity: sha512-vKiQ8RRtkl9P+r/+oefh25C3fhybptkHKCZSPlcXiJux2tJF55GnEj3BVn4A5gKfq9NWWXXrxkHBwVPUfH0opw==} + + picocolors@1.0.1: + resolution: {integrity: sha512-anP1Z8qwhkbmu7MFP5iTt+wQKXgwzf7zTyGlcdzabySa9vd0Xt392U0rVmz9poOaBj0uHJKyyo9/upk0HrEQew==} + + picomatch@2.3.1: + resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} + engines: {node: '>=8.6'} + + pify@2.3.0: + resolution: {integrity: sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==} + engines: {node: '>=0.10.0'} + + pify@4.0.1: + resolution: {integrity: sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==} + engines: {node: '>=6'} + + pify@5.0.0: + resolution: {integrity: sha512-eW/gHNMlxdSP6dmG6uJip6FXN0EQBwm2clYYd8Wul42Cwu/DK8HEftzsapcNdYe2MfLiIwZqsDk2RDEsTE79hA==} + engines: {node: '>=10'} + + pirates@4.0.6: + resolution: {integrity: sha512-saLsH7WeYYPiD25LDuLRRY/i+6HaPYr6G1OUlN39otzkSTxKnubR9RTxS3/Kk50s1g2JTgFwWQDQyplC5/SHZg==} + engines: {node: '>= 6'} + + pkg-dir@3.0.0: + resolution: {integrity: sha512-/E57AYkoeQ25qkxMj5PBOVgF8Kiu/h7cYS30Z5+R7WaiCCBfLq58ZI/dSeaEKb9WVJV5n/03QwrN3IeWIFllvw==} + engines: {node: '>=6'} + + pkg-dir@4.2.0: + resolution: {integrity: sha512-HRDzbaKjC+AOWVXxAU/x54COGeIv9eb+6CkDSQoNTt4XyWoIJvuPsXizxu/Fr23EiekbtZwmh1IcIG/l/a10GQ==} + engines: {node: '>=8'} + + pkg-types@1.1.3: + resolution: {integrity: sha512-+JrgthZG6m3ckicaOB74TwQ+tBWsFl3qVQg7mN8ulwSOElJ7gBhKzj2VkCPnZ4NlF6kEquYU+RIYNVAvzd54UA==} + + playwright-core@1.46.0: + resolution: {integrity: sha512-9Y/d5UIwuJk8t3+lhmMSAJyNP1BUC/DqP3cQJDQQL/oWqAiuPTLgy7Q5dzglmTLwcBRdetzgNM/gni7ckfTr6A==} + engines: {node: '>=18'} + hasBin: true + + playwright@1.46.0: + resolution: {integrity: sha512-XYJ5WvfefWONh1uPAUAi0H2xXV5S3vrtcnXe6uAOgdGi3aSpqOSXX08IAjXW34xitfuOJsvXU5anXZxPSEQiJw==} + engines: {node: '>=18'} + hasBin: true + + polished@4.3.1: + resolution: {integrity: sha512-OBatVyC/N7SCW/FaDHrSd+vn0o5cS855TOmYi4OkdWUMSJCET/xip//ch8xGUvtr3i44X9LVyWwQlRMTN3pwSA==} + engines: {node: '>=10'} + + possible-typed-array-names@1.0.0: + resolution: {integrity: sha512-d7Uw+eZoloe0EHDIYoe+bQ5WXnGMOpmiZFTuMWCwpjzzkL2nTjcKiAk4hh8TjnGye2TwWOk3UXucZ+3rbmBa8Q==} + engines: {node: '>= 0.4'} + + postcss-import@15.1.0: + resolution: {integrity: sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==} + engines: {node: '>=14.0.0'} + peerDependencies: + postcss: ^8.0.0 + + postcss-js@4.0.1: + resolution: {integrity: sha512-dDLF8pEO191hJMtlHFPRa8xsizHaM82MLfNkUHdUtVEV3tgTp5oj+8qbEqYM57SLfc74KSbw//4SeJma2LRVIw==} + engines: {node: ^12 || ^14 || >= 16} + peerDependencies: + postcss: ^8.4.21 + + postcss-load-config@3.1.4: + resolution: {integrity: sha512-6DiM4E7v4coTE4uzA8U//WhtPwyhiim3eyjEMFCnUpzbrkK9wJHgKDT2mR+HbtSrd/NubVaYTOpSpjUl8NQeRg==} + engines: {node: '>= 10'} + peerDependencies: + postcss: '>=8.0.9' + ts-node: '>=9.0.0' + peerDependenciesMeta: + postcss: + optional: true + ts-node: + optional: true + + postcss-load-config@4.0.2: + resolution: {integrity: sha512-bSVhyJGL00wMVoPUzAVAnbEoWyqRxkjv64tUl427SKnPrENtq6hJwUojroMz2VB+Q1edmi4IfrAPpami5VVgMQ==} + engines: {node: '>= 14'} + peerDependencies: + postcss: '>=8.0.9' + ts-node: '>=9.0.0' + peerDependenciesMeta: + postcss: + optional: true + ts-node: + optional: true + + postcss-nested@6.2.0: + resolution: {integrity: sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==} + engines: {node: '>=12.0'} + peerDependencies: + postcss: ^8.2.14 + + postcss-safe-parser@6.0.0: + resolution: {integrity: sha512-FARHN8pwH+WiS2OPCxJI8FuRJpTVnn6ZNFiqAM2aeW2LwTHWWmWgIyKC6cUo0L8aeKiF/14MNvnpls6R2PBeMQ==} + engines: {node: '>=12.0'} + peerDependencies: + postcss: ^8.3.3 + + postcss-scss@4.0.9: + resolution: {integrity: sha512-AjKOeiwAitL/MXxQW2DliT28EKukvvbEWx3LBmJIRN8KfBGZbRTxNYW0kSqi1COiTZ57nZ9NW06S6ux//N1c9A==} + engines: {node: '>=12.0'} + peerDependencies: + postcss: ^8.4.29 + + postcss-selector-parser@6.0.10: + resolution: {integrity: sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==} + engines: {node: '>=4'} + + postcss-selector-parser@6.1.2: + resolution: {integrity: sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==} + engines: {node: '>=4'} + + postcss-value-parser@4.2.0: + resolution: {integrity: sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==} + + postcss@8.4.41: + resolution: {integrity: sha512-TesUflQ0WKZqAvg52PWL6kHgLKP6xB6heTOdoYM0Wt2UHyxNa4K25EZZMgKns3BH1RLVbZCREPpLY0rhnNoHVQ==} + engines: {node: ^10 || ^12 || >=14} + + posthog-node@3.1.3: + resolution: {integrity: sha512-UaOOoWEUYTcaaDe1w0fgHW/sXvFr3RO0l7yI7RUDzkZNZCfwXNO9r3pc14d1EtNppF/SHBrV5hNiZZATpf/vUw==} + engines: {node: '>=15.0.0'} + + prelude-ls@1.2.1: + resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==} + engines: {node: '>= 0.8.0'} + + prettier-plugin-svelte@3.2.6: + resolution: {integrity: sha512-Y1XWLw7vXUQQZmgv1JAEiLcErqUniAF2wO7QJsw8BVMvpLET2dI5WpEIEJx1r11iHVdSMzQxivyfrH9On9t2IQ==} + peerDependencies: + prettier: ^3.0.0 + svelte: ^3.2.0 || ^4.0.0-next.0 || ^5.0.0-next.0 + + prettier@3.3.3: + resolution: {integrity: sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==} + engines: {node: '>=14'} + hasBin: true + + pretty-format@27.5.1: + resolution: {integrity: sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==} + engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} + + pretty-format@29.7.0: + resolution: {integrity: sha512-Pdlw/oPxN+aXdmM9R00JVC9WVFoCLTKJvDVLgmJ+qAffBMxsV85l/Lu7sNx4zSzPyoL2euImuEwHhOXdEgNFZQ==} + engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} + + process@0.11.10: + resolution: {integrity: sha512-cdGef/drWFoydD1JsMzuFf8100nZl+GT+yacc2bEced5f9Rjk4z+WtFUTBu9PhOi9j/jfmBPu0mMEY4wIdAF8A==} + engines: {node: '>= 0.6.0'} + + progress@2.0.3: + resolution: {integrity: sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==} + engines: {node: '>=0.4.0'} + + prompts@2.4.2: + resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==} + engines: {node: '>= 6'} + + property-expr@2.0.6: + resolution: {integrity: sha512-SVtmxhRE/CGkn3eZY1T6pC8Nln6Fr/lu1mKSgRud0eC73whjGfoAogbn78LkD8aFL0zz3bAFerKSnOl7NlErBA==} + + proxy-addr@2.0.7: + resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==} + engines: {node: '>= 0.10'} + + proxy-from-env@1.1.0: + resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==} + + psl@1.9.0: + resolution: {integrity: sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==} + + punycode@2.3.1: + resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==} + engines: {node: '>=6'} + + purgecss-from-html@6.0.0: + resolution: {integrity: sha512-GkgAUzgyC4kwcVY5+QOI2eqQghV1Lq7q2uIODAPIueiBn3mHpJOh9boSMjfUQg0/YU/ZEWq7SzjwetuqxTvD4g==} + + purgecss@6.0.0: + resolution: {integrity: sha512-s3EBxg5RSWmpqd0KGzNqPiaBbWDz1/As+2MzoYVGMqgDqRTLBhJW6sywfTBek7OwNfoS/6pS0xdtvChNhFj2cw==} + hasBin: true + + qs@6.11.0: + resolution: {integrity: sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==} + engines: {node: '>=0.6'} + + querystringify@2.2.0: + resolution: {integrity: sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==} + + queue-microtask@1.2.3: + resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==} + + range-parser@1.2.1: + resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==} + engines: {node: '>= 0.6'} + + raw-body@2.5.2: + resolution: {integrity: sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==} + engines: {node: '>= 0.8'} + + react-colorful@5.6.1: + resolution: {integrity: sha512-1exovf0uGTGyq5mXQT0zgQ80uvj2PCwvF8zY1RN9/vbJVSjSo3fsB/4L3ObbF7u70NduSiK4xu4Y6q1MHoUGEw==} + peerDependencies: + react: '>=16.8.0' + react-dom: '>=16.8.0' + + react-dom@18.3.1: + resolution: {integrity: sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==} + peerDependencies: + react: ^18.3.1 + + react-is@17.0.2: + resolution: {integrity: sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==} + + react-is@18.3.1: + resolution: {integrity: sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==} + + react@18.3.1: + resolution: {integrity: sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==} + engines: {node: '>=0.10.0'} + + read-cache@1.0.0: + resolution: {integrity: sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==} + + readable-stream@3.6.2: + resolution: {integrity: sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==} + engines: {node: '>= 6'} + + readdirp@3.6.0: + resolution: {integrity: sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==} + engines: {node: '>=8.10.0'} + + recast@0.23.9: + resolution: {integrity: sha512-Hx/BGIbwj+Des3+xy5uAtAbdCyqK9y9wbBcDFDYanLS9JnMqf7OeF87HQwUimE87OEc72mr6tkKUKMBBL+hF9Q==} + engines: {node: '>= 4'} + + redent@3.0.0: + resolution: {integrity: sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==} + engines: {node: '>=8'} + + regenerate-unicode-properties@10.1.1: + resolution: {integrity: sha512-X007RyZLsCJVVrjgEFVpLUTZwyOZk3oiL75ZcuYjlIWd6rNJtOjkBwQc5AsRrpbKVkxN6sklw/k/9m2jJYOf8Q==} + engines: {node: '>=4'} + + regenerate@1.4.2: + resolution: {integrity: sha512-zrceR/XhGYU/d/opr2EKO7aRHUeiBI8qjtfHqADTwZd6Szfy16la6kqD0MIUs5z5hx6AaKa+PixpPrR289+I0A==} + + regenerator-runtime@0.14.1: + resolution: {integrity: sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw==} + + regenerator-transform@0.15.2: + resolution: {integrity: sha512-hfMp2BoF0qOk3uc5V20ALGDS2ddjQaLrdl7xrGXvAIow7qeWRM2VA2HuCHkUKk9slq3VwEwLNK3DFBqDfPGYtg==} + + regexpp@3.2.0: + resolution: {integrity: sha512-pq2bWo9mVD43nbts2wGv17XLiNLya+GklZ8kaDLV2Z08gDCsGpnKn9BFMepvWuHCbyVvY7J5o5+BVvoQbmlJLg==} + engines: {node: '>=8'} + + regexpu-core@5.3.2: + resolution: {integrity: sha512-RAM5FlZz+Lhmo7db9L298p2vHP5ZywrVXmVXpmAD9GuL5MPH6t9ROw1iA/wfHkQ76Qe7AaPF0nGuim96/IrQMQ==} + engines: {node: '>=4'} + + regjsparser@0.9.1: + resolution: {integrity: sha512-dQUtn90WanSNl+7mQKcXAgZxvUe7Z0SqXlgzv0za4LwiUhyzBC58yQO3liFoUgu8GiJVInAhJjkj1N0EtQ5nkQ==} + hasBin: true + + rehype-external-links@3.0.0: + resolution: {integrity: sha512-yp+e5N9V3C6bwBeAC4n796kc86M4gJCdlVhiMTxIrJG5UHDMh+PJANf9heqORJbt1nrCbDwIlAZKjANIaVBbvw==} + + rehype-slug@6.0.0: + resolution: {integrity: sha512-lWyvf/jwu+oS5+hL5eClVd3hNdmwM1kAC0BUvEGD19pajQMIzcNUd/k9GsfQ+FfECvX+JE+e9/btsKH0EjJT6A==} + + requireindex@1.2.0: + resolution: {integrity: sha512-L9jEkOi3ASd9PYit2cwRfyppc9NoABujTP8/5gFcbERmo5jUoAKovIC3fsF17pkTnGsrByysqX+Kxd2OTNI1ww==} + engines: {node: '>=0.10.5'} + + requires-port@1.0.0: + resolution: {integrity: sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==} + + resolve-from@4.0.0: + resolution: {integrity: sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==} + engines: {node: '>=4'} + + resolve@1.22.8: + resolution: {integrity: sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==} + hasBin: true + + restore-cursor@3.1.0: + resolution: {integrity: sha512-l+sSefzHpj5qimhFSE5a8nufZYAM3sBSVMAPtYkmC+4EH2anSGaEMXSD0izRQbu9nfyQ9y5JrVmp7E8oZrUjvA==} + engines: {node: '>=8'} + + reusify@1.0.4: + resolution: {integrity: sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==} + engines: {iojs: '>=1.0.0', node: '>=0.10.0'} + + rimraf@2.6.3: + resolution: {integrity: sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==} + deprecated: Rimraf versions prior to v4 are no longer supported + hasBin: true + + rimraf@2.7.1: + resolution: {integrity: sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==} + deprecated: Rimraf versions prior to v4 are no longer supported + hasBin: true + + rimraf@3.0.2: + resolution: {integrity: sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==} + deprecated: Rimraf versions prior to v4 are no longer supported + hasBin: true + + rollup@4.20.0: + resolution: {integrity: sha512-6rbWBChcnSGzIlXeIdNIZTopKYad8ZG8ajhl78lGRLsI2rX8IkaotQhVas2Ma+GPxJav19wrSzvRvuiv0YKzWw==} + engines: {node: '>=18.0.0', npm: '>=8.0.0'} + hasBin: true + + rrweb-cssom@0.6.0: + resolution: {integrity: sha512-APM0Gt1KoXBz0iIkkdB/kfvGOwC4UuJFeG/c+yV7wSc7q96cG/kJ0HiYCnzivD9SB53cLV1MlHFNfOuPaadYSw==} + + rrweb-cssom@0.7.1: + resolution: {integrity: sha512-TrEMa7JGdVm0UThDJSx7ddw5nVm3UJS9o9CCIZ72B1vSyEZoziDqBYP3XIoi/12lKrJR8rE3jeFHMok2F/Mnsg==} + + run-parallel@1.2.0: + resolution: {integrity: sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==} + + rusha@0.8.14: + resolution: {integrity: sha512-cLgakCUf6PedEu15t8kbsjnwIFFR2D4RfL+W3iWFJ4iac7z4B0ZI8fxy4R3J956kAI68HclCFGL8MPoUVC3qVA==} + + sade@1.8.1: + resolution: {integrity: sha512-xal3CZX1Xlo/k4ApwCFrHVACi9fBqJ7V+mwhBsuf/1IOKbBy098Fex+Wa/5QMubw09pSZ/u8EY8PWgevJsXp1A==} + engines: {node: '>=6'} + + safe-buffer@5.2.1: + resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==} + + safer-buffer@2.1.2: + resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==} + + sander@0.5.1: + resolution: {integrity: sha512-3lVqBir7WuKDHGrKRDn/1Ye3kwpXaDOMsiRP1wd6wpZW56gJhsbp5RqQpA6JG/P+pkXizygnr1dKR8vzWaVsfA==} + + saxes@6.0.0: + resolution: {integrity: sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==} + engines: {node: '>=v12.22.7'} + + scheduler@0.23.2: + resolution: {integrity: sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==} + + semver@5.7.2: + resolution: {integrity: sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==} + hasBin: true + + semver@6.3.1: + resolution: {integrity: sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==} + hasBin: true + + semver@7.6.3: + resolution: {integrity: sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==} + engines: {node: '>=10'} + hasBin: true + + send@0.18.0: + resolution: {integrity: sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==} + engines: {node: '>= 0.8.0'} + + seroval@0.5.1: + resolution: {integrity: sha512-ZfhQVB59hmIauJG5Ydynupy8KHyr5imGNtdDhbZG68Ufh1Ynkv9KOYOAABf71oVbQxJ8VkWnMHAjEHE7fWkH5g==} + engines: {node: '>=10'} + + serve-static@1.15.0: + resolution: {integrity: sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==} + engines: {node: '>= 0.8.0'} + + set-cookie-parser@2.7.0: + resolution: {integrity: sha512-lXLOiqpkUumhRdFF3k1osNXCy9akgx/dyPZ5p8qAg9seJzXr5ZrlqZuWIMuY6ejOsVLE6flJ5/h3lsn57fQ/PQ==} + + set-function-length@1.2.2: + resolution: {integrity: sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==} + engines: {node: '>= 0.4'} + + setprototypeof@1.2.0: + resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==} + + sha.js@2.4.11: + resolution: {integrity: sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==} + hasBin: true + + shallow-clone@3.0.1: + resolution: {integrity: sha512-/6KqX+GVUdqPuPPd2LxDDxzX6CAbjJehAAOKlNpqqUpAqPM6HeL8f+o3a+JsyGjn2lv0WY8UsTgUJjU9Ok55NA==} + engines: {node: '>=8'} + + shebang-command@2.0.0: + resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==} + engines: {node: '>=8'} + + shebang-regex@3.0.0: + resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==} + engines: {node: '>=8'} + + side-channel@1.0.6: + resolution: {integrity: sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==} + engines: {node: '>= 0.4'} + + siginfo@2.0.0: + resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==} + + signal-exit@3.0.7: + resolution: {integrity: sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==} + + signal-exit@4.1.0: + resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==} + engines: {node: '>=14'} + + sirv@2.0.4: + resolution: {integrity: sha512-94Bdh3cC2PKrbgSOUqTiGPWVZeSiXfKOVZNJniWoqrWrRkB1CJzBU3NEbiTsPcYy1lDsANA/THzS+9WBiy5nfQ==} + engines: {node: '>= 10'} + + sisteransi@1.0.5: + resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==} + + slash@3.0.0: + resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==} + engines: {node: '>=8'} + + slash@5.1.0: + resolution: {integrity: sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==} + engines: {node: '>=14.16'} + + solid-js@1.6.12: + resolution: {integrity: sha512-JFqRobfG3q5r1l4RYVOAukk6+FWtHpXGIjgh/GEsHKweN/kK+iHOtzUALE6+P5t/jIcSNeGiVitX8gmJg+cYvQ==} + + solid-js@1.7.11: + resolution: {integrity: sha512-JkuvsHt8jqy7USsy9xJtT18aF9r2pFO+GB8JQ2XGTvtF49rGTObB46iebD25sE3qVNvIbwglXOXdALnJq9IHtQ==} + + sorcery@0.11.1: + resolution: {integrity: sha512-o7npfeJE6wi6J9l0/5LKshFzZ2rMatRiCDwYeDQaOzqdzRJwALhX7mk/A/ecg6wjMu7wdZbmXfD2S/vpOg0bdQ==} + hasBin: true + + source-map-js@1.2.0: + resolution: {integrity: sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==} + engines: {node: '>=0.10.0'} + + source-map-support@0.5.21: + resolution: {integrity: sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==} + + source-map@0.6.1: + resolution: {integrity: sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==} + engines: {node: '>=0.10.0'} + + space-separated-tokens@2.0.2: + resolution: {integrity: sha512-PEGlAwrG8yXGXRjW32fGbg66JAlOAwbObuqVoJpv/mRgoWDQfgH1wDPvtzWyUSNAXBGSk8h755YDbbcEy3SH2Q==} + + stackback@0.0.2: + resolution: {integrity: sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==} + + statuses@2.0.1: + resolution: {integrity: sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==} + engines: {node: '>= 0.8'} + + std-env@3.7.0: + resolution: {integrity: sha512-JPbdCEQLj1w5GilpiHAx3qJvFndqybBysA3qUOnznweH4QbNYUsW/ea8QzSrnh0vNsezMMw5bcVool8lM0gwzg==} + + storybook@8.2.9: + resolution: {integrity: sha512-S7Q/Yt4A+nu1O23rg39lQvBqL2Vg+PKXbserDWUR4LFJtfmoZ2xGO8oFIhJmvvhjUBvolw1q7QDeswPq2i0sGw==} + hasBin: true + + string-width@4.2.3: + resolution: {integrity: sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==} + engines: {node: '>=8'} + + string-width@5.1.2: + resolution: {integrity: sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==} + engines: {node: '>=12'} + + string_decoder@1.3.0: + resolution: {integrity: sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==} + + strip-ansi@6.0.1: + resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==} + engines: {node: '>=8'} + + strip-ansi@7.1.0: + resolution: {integrity: sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==} + engines: {node: '>=12'} + + strip-final-newline@2.0.0: + resolution: {integrity: sha512-BrpvfNAE3dcvq7ll3xVumzjKjZQ5tI1sEUIKr3Uoks0XUl45St3FlatVqef9prk4jRDzhW6WZg+3bk93y6pLjA==} + engines: {node: '>=6'} + + strip-final-newline@3.0.0: + resolution: {integrity: sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==} + engines: {node: '>=12'} + + strip-indent@3.0.0: + resolution: {integrity: sha512-laJTa3Jb+VQpaC6DseHhF7dXVqHTfJPCRDaEbid/drOhgitgYku/letMUqOXFoWV0zIIUbjpdH2t+tYj4bQMRQ==} + engines: {node: '>=8'} + + strip-json-comments@3.1.1: + resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==} + engines: {node: '>=8'} + + strip-literal@2.1.0: + resolution: {integrity: sha512-Op+UycaUt/8FbN/Z2TWPBLge3jWrP3xj10f3fnYxf052bKuS3EKs1ZQcVGjnEMdsNVAM+plXRdmjrZ/KgG3Skw==} + + sucrase@3.35.0: + resolution: {integrity: sha512-8EbVDiu9iN/nESwxeSxDKe0dunta1GOlHufmSSXxMD2z2/tMZpDMpvXQGsc+ajGo8y2uYUmixaSRUc/QPoQ0GA==} + engines: {node: '>=16 || 14 >=14.17'} + hasBin: true + + superstruct@2.0.2: + resolution: {integrity: sha512-uV+TFRZdXsqXTL2pRvujROjdZQ4RAlBUS5BTh9IGm+jTqQntYThciG/qu57Gs69yjnVUSqdxF9YLmSnpupBW9A==} + engines: {node: '>=14.0.0'} + + supports-color@5.5.0: + resolution: {integrity: sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==} + engines: {node: '>=4'} + + supports-color@7.2.0: + resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==} + engines: {node: '>=8'} + + supports-preserve-symlinks-flag@1.0.0: + resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==} + engines: {node: '>= 0.4'} + + svelte-check@3.8.5: + resolution: {integrity: sha512-3OGGgr9+bJ/+1nbPgsvulkLC48xBsqsgtc8Wam281H4G9F5v3mYGa2bHRsPuwHC5brKl4AxJH95QF73kmfihGQ==} + hasBin: true + peerDependencies: + svelte: ^3.55.0 || ^4.0.0-next.0 || ^4.0.0 || ^5.0.0-next.0 + + svelte-eslint-parser@0.41.0: + resolution: {integrity: sha512-L6f4hOL+AbgfBIB52Z310pg1d2QjRqm7wy3kI1W6hhdhX5bvu7+f0R6w4ykp5HoDdzq+vGhIJmsisaiJDGmVfA==} + engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} + peerDependencies: + svelte: ^3.37.0 || ^4.0.0 || ^5.0.0-next.191 + peerDependenciesMeta: + svelte: + optional: true + + svelte-hmr@0.16.0: + resolution: {integrity: sha512-Gyc7cOS3VJzLlfj7wKS0ZnzDVdv3Pn2IuVeJPk9m2skfhcu5bq3wtIZyQGggr7/Iim5rH5cncyQft/kRLupcnA==} + engines: {node: ^12.20 || ^14.13.1 || >= 16} + peerDependencies: + svelte: ^3.19.0 || ^4.0.0 + + svelte-multiselect@10.3.0: + resolution: {integrity: sha512-Pyvlcn4TK3dB2WWo6hDEeNH+x2O/DP82UuUf61PQFX8KMB3cm1Cam+zTKrcrOoRRVI2SwH/8dPF8hSTfJFaMmA==} + + svelte-persisted-store@0.11.0: + resolution: {integrity: sha512-9RgJ5DrawGyyfK22A80cfu8Jose3CV8YjEZKz9Tn94rQ0tWyEmYr+XI+wrVF6wjRbW99JMDSVcFRiM3XzVJj/w==} + engines: {node: '>=0.14'} + peerDependencies: + svelte: ^3.48.0 || ^4.0.0 || ^5.0.0-next.0 + + svelte-preprocess@5.1.4: + resolution: {integrity: sha512-IvnbQ6D6Ao3Gg6ftiM5tdbR6aAETwjhHV+UKGf5bHGYR69RQvF1ho0JKPcbUON4vy4R7zom13jPjgdOWCQ5hDA==} + engines: {node: '>= 16.0.0'} + peerDependencies: + '@babel/core': ^7.10.2 + coffeescript: ^2.5.1 + less: ^3.11.3 || ^4.0.0 + postcss: ^7 || ^8 + postcss-load-config: ^2.1.0 || ^3.0.0 || ^4.0.0 || ^5.0.0 + pug: ^3.0.0 + sass: ^1.26.8 + stylus: ^0.55.0 + sugarss: ^2.0.0 || ^3.0.0 || ^4.0.0 + svelte: ^3.23.0 || ^4.0.0-next.0 || ^4.0.0 || ^5.0.0-next.0 + typescript: '>=3.9.5 || ^4.0.0 || ^5.0.0' + peerDependenciesMeta: + '@babel/core': + optional: true + coffeescript: + optional: true + less: + optional: true + postcss: + optional: true + postcss-load-config: + optional: true + pug: + optional: true + sass: + optional: true + stylus: + optional: true + sugarss: + optional: true + typescript: + optional: true + + svelte-typewriter@3.2.3: + resolution: {integrity: sha512-762k01kIU+IyXfe5f2MEYQ1yIfJZfueAEmJNbO36cxJG56/vciHiWacPQLnSECK/4cvlH/Ll1Mv6B45InMJ1zg==} + peerDependencies: + svelte: '>=3.47.x' + + svelte@4.2.12: + resolution: {integrity: sha512-d8+wsh5TfPwqVzbm4/HCXC783/KPHV60NvwitJnyTA5lWn1elhXMNWhXGCJ7PwPa8qFUnyJNIyuIRt2mT0WMug==} + engines: {node: '>=16'} + + svelte@4.2.18: + resolution: {integrity: sha512-d0FdzYIiAePqRJEb90WlJDkjUEx42xhivxN8muUBmfZnP+tzUgz12DJ2hRJi8sIHCME7jeK1PTMgKPSfTd8JrA==} + engines: {node: '>=16'} + + sveltedoc-parser@4.2.1: + resolution: {integrity: sha512-sWJRa4qOfRdSORSVw9GhfDEwsbsYsegnDzBevUCF6k/Eis/QqCu9lJ6I0+d/E2wOWCjOhlcJ3+jl/Iur+5mmCw==} + engines: {node: '>=10.0.0'} + + sveltekit-flash-message@2.4.4: + resolution: {integrity: sha512-CFN03chH/FMEJcBZ/8zKm7RqGee/pwb57Spbbx8QCQPhe7N9ofZHd9iYV2vVy4E9glBo/oQ1IG7VQje6L092wg==} + peerDependencies: + '@sveltejs/kit': 1.x || 2.x + svelte: 3.x || 4.x || >=5.0.0-next.51 + + sveltekit-rate-limiter@0.5.2: + resolution: {integrity: sha512-7CELKmTffNjj0i/RUxT9SKYFA9IO/tQabjgT39clOlkKvlcGozNy8nqoIx+24amWfqEqC/WXYMEIek04PiFdyA==} + peerDependencies: + '@sveltejs/kit': 1.x || 2.x + + sveltekit-superforms@2.17.0: + resolution: {integrity: sha512-QrX8pkcmE0XoeVU42zMhsah4FoDrgtPc/4cZEr38rDlgU+DE0xNc5J0E7z1456sUJNbFjaB0+HZwwAkX0vYqaA==} + peerDependencies: + '@sveltejs/kit': 1.x || 2.x + svelte: 3.x || 4.x || >=5.0.0-next.51 + + symbol-tree@3.2.4: + resolution: {integrity: sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==} + + tailwindcss@3.4.10: + resolution: {integrity: sha512-KWZkVPm7yJRhdu4SRSl9d4AK2wM3a50UsvgHZO7xY77NQr2V+fIrEuoDGQcbvswWvFGbS2f6e+jC/6WJm1Dl0w==} + engines: {node: '>=14.0.0'} + hasBin: true + + tar@6.2.1: + resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} + engines: {node: '>=10'} + + telejson@7.2.0: + resolution: {integrity: sha512-1QTEcJkJEhc8OnStBx/ILRu5J2p0GjvWsBx56bmZRqnrkdBMUe+nX92jxV+p3dB4CP6PZCdJMQJwCggkNBMzkQ==} + + temp-dir@3.0.0: + resolution: {integrity: sha512-nHc6S/bwIilKHNRgK/3jlhDoIHcp45YgyiwcAk46Tr0LfEqGBVpmiAyuiuxeVE44m3mXnEeVhaipLOEWmH+Njw==} + engines: {node: '>=14.16'} + + temp@0.8.4: + resolution: {integrity: sha512-s0ZZzd0BzYv5tLSptZooSjK8oj6C+c19p7Vqta9+6NPOf7r+fxq0cJe6/oN4LTC79sy5NY8ucOJNgwsKCSbfqg==} + engines: {node: '>=6.0.0'} + + tempy@3.1.0: + resolution: {integrity: sha512-7jDLIdD2Zp0bDe5r3D2qtkd1QOCacylBuL7oa4udvN6v2pqr4+LcCr67C8DR1zkpaZ8XosF5m1yQSabKAW6f2g==} + engines: {node: '>=14.16'} + + test-exclude@6.0.0: + resolution: {integrity: sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==} + engines: {node: '>=8'} + + text-table@0.2.0: + resolution: {integrity: sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==} + + thenify-all@1.6.0: + resolution: {integrity: sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA==} + engines: {node: '>=0.8'} + + thenify@3.3.1: + resolution: {integrity: sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==} + + throttle-debounce@5.0.2: + resolution: {integrity: sha512-B71/4oyj61iNH0KeCamLuE2rmKuTO5byTOSVwECM5FA7TiAiAW+UqTKZ9ERueC4qvgSttUhdmq1mXC3kJqGX7A==} + engines: {node: '>=12.22'} + + tiny-case@1.0.3: + resolution: {integrity: sha512-Eet/eeMhkO6TX8mnUteS9zgPbUMQa4I6Kkp5ORiBD5476/m+PIRiumP5tmh5ioJpH7k51Kehawy2UDfsnxxY8Q==} + + tiny-glob@0.2.9: + resolution: {integrity: sha512-g/55ssRPUjShh+xkfx9UPDXqhckHEsHr4Vd9zX55oSdGZc/MD0m3sferOkwWtp98bv+kcVfEHtRJgBVJzelrzg==} + + tiny-invariant@1.3.3: + resolution: {integrity: sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==} + + tinybench@2.9.0: + resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==} + + tinypool@0.8.4: + resolution: {integrity: sha512-i11VH5gS6IFeLY3gMBQ00/MmLncVP7JLXOw1vlgkytLmJK7QnEr7NXf0LBdxfmNPAeyetukOk0bOYrJrFGjYJQ==} + engines: {node: '>=14.0.0'} + + tinyspy@2.2.1: + resolution: {integrity: sha512-KYad6Vy5VDWV4GH3fjpseMQ/XU2BhIYP7Vzd0LG44qRWm/Yt2WCOTicFdvmgo6gWaqooMQCawTtILVQJupKu7A==} + engines: {node: '>=14.0.0'} + + to-fast-properties@2.0.0: + resolution: {integrity: sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==} + engines: {node: '>=4'} + + to-regex-range@5.0.1: + resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==} + engines: {node: '>=8.0'} + + toidentifier@1.0.1: + resolution: {integrity: sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==} + engines: {node: '>=0.6'} + + toposort@2.0.2: + resolution: {integrity: sha512-0a5EOkAUp8D4moMi2W8ZF8jcga7BgZd91O/yabJCFY8az+XSzeGyTKs0Aoo897iV1Nj6guFq8orWDS96z91oGg==} + + totalist@3.0.1: + resolution: {integrity: sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==} + engines: {node: '>=6'} + + tough-cookie@4.1.4: + resolution: {integrity: sha512-Loo5UUvLD9ScZ6jh8beX1T6sO1w2/MpCRpEP7V280GKMVUQ0Jzar2U3UJPsrdbziLEMMhu3Ujnq//rhiFuIeag==} + engines: {node: '>=6'} + + tr46@5.0.0: + resolution: {integrity: sha512-tk2G5R2KRwBd+ZN0zaEXpmzdKyOYksXwywulIX95MBODjSzMIuQnQ3m8JxgbhnL1LeVo7lqQKsYa1O3Htl7K5g==} + engines: {node: '>=18'} + + ts-algebra@2.0.0: + resolution: {integrity: sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw==} + + ts-api-utils@1.3.0: + resolution: {integrity: sha512-UQMIo7pb8WRomKR1/+MFVLTroIvDVtMX3K6OUir8ynLyzB8Jeriont2bTAtmNPa1ekAgN7YPDyf6V+ygrdU+eQ==} + engines: {node: '>=16'} + peerDependencies: + typescript: '>=4.2.0' + + ts-dedent@2.2.0: + resolution: {integrity: sha512-q5W7tVM71e2xjHZTlgfTDoPF/SmqKG5hddq9SzR49CH2hayqRKJtQ4mtRlSxKaJlR/+9rEM+mnBHf7I2/BQcpQ==} + engines: {node: '>=6.10'} + + ts-deepmerge@7.0.1: + resolution: {integrity: sha512-JBFCmNenZdUCc+TRNCtXVM6N8y/nDQHAcpj5BlwXG/gnogjam1NunulB9ia68mnqYI446giMfpqeBFFkOleh+g==} + engines: {node: '>=14.13.1'} + + ts-interface-checker@0.1.13: + resolution: {integrity: sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA==} + + tslib@1.14.1: + resolution: {integrity: sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==} + + tslib@2.3.0: + resolution: {integrity: sha512-N82ooyxVNm6h1riLCoyS9e3fuJ3AMG2zIZs2Gd1ATcSFjSA23Q0fzjjZeh0jbJvWVDZ0cJT8yaNNaaXHzueNjg==} + + tslib@2.4.0: + resolution: {integrity: sha512-d6xOpEDfsi2CZVlPQzGeux8XMwLT9hssAsaPYExaQMuYskwb+x1x7J371tWlbBdWHroy99KnVB6qIkUbs5X3UQ==} + + tslib@2.6.3: + resolution: {integrity: sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ==} + + tsutils@3.21.0: + resolution: {integrity: sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==} + engines: {node: '>= 6'} + peerDependencies: + typescript: '>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta' + + type-check@0.4.0: + resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==} + engines: {node: '>= 0.8.0'} + + type-detect@4.1.0: + resolution: {integrity: sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==} + engines: {node: '>=4'} + + type-fest@0.20.2: + resolution: {integrity: sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==} + engines: {node: '>=10'} + + type-fest@1.4.0: + resolution: {integrity: sha512-yGSza74xk0UG8k+pLh5oeoYirvIiWo5t0/o3zHHAO2tRDiZcxWP7fywNlXhqb6/r6sWvwi+RsyQMWhVLe4BVuA==} + engines: {node: '>=10'} + + type-fest@2.19.0: + resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==} + engines: {node: '>=12.20'} + + type-is@1.6.18: + resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==} + engines: {node: '>= 0.6'} + + typescript@5.5.4: + resolution: {integrity: sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==} + engines: {node: '>=14.17'} + hasBin: true + + ufo@1.5.4: + resolution: {integrity: sha512-UsUk3byDzKd04EyoZ7U4DOlxQaD14JUKQl6/P7wiX4FNvUfm3XL246n9W5AmqwW5RSFJ27NAuM0iLscAOYUiGQ==} + + undici-types@5.26.5: + resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==} + + unicode-canonical-property-names-ecmascript@2.0.0: + resolution: {integrity: sha512-yY5PpDlfVIU5+y/BSCxAJRBIS1Zc2dDG3Ujq+sR0U+JjUevW2JhocOF+soROYDSaAezOzOKuyyixhD6mBknSmQ==} + engines: {node: '>=4'} + + unicode-match-property-ecmascript@2.0.0: + resolution: {integrity: sha512-5kaZCrbp5mmbz5ulBkDkbY0SsPOjKqVS35VpL9ulMPfSl0J0Xsm+9Evphv9CoIZFwre7aJoa94AY6seMKGVN5Q==} + engines: {node: '>=4'} + + unicode-match-property-value-ecmascript@2.1.0: + resolution: {integrity: sha512-qxkjQt6qjg/mYscYMC0XKRn3Rh0wFPlfxB0xkt9CfyTvpX1Ra0+rAmdX2QyAobptSEvuy4RtpPRui6XkV+8wjA==} + engines: {node: '>=4'} + + unicode-property-aliases-ecmascript@2.1.0: + resolution: {integrity: sha512-6t3foTQI9qne+OZoVQB/8x8rk2k1eVy1gRXhV3oFQ5T6R1dqQ1xtin3XqSlx3+ATBkliTaR/hHyJBm+LVPNM8w==} + engines: {node: '>=4'} + + unicorn-magic@0.1.0: + resolution: {integrity: sha512-lRfVq8fE8gz6QMBuDM6a+LO3IAzTi05H6gCVaUpir2E1Rwpo4ZUog45KpNXKC/Mn3Yb9UDuHumeFTo9iV/D9FQ==} + engines: {node: '>=18'} + + unique-string@3.0.0: + resolution: {integrity: sha512-VGXBUVwxKMBUznyffQweQABPRRW1vHZAbadFZud4pLFAqRGvv/96vafgjWFqzourzr8YonlQiPgH0YCJfawoGQ==} + engines: {node: '>=12'} + + unist-util-is@6.0.0: + resolution: {integrity: sha512-2qCTHimwdxLfz+YzdGfkqNlH0tLi9xjTnHddPmJwtIG9MGsdbutfTc4P+haPD7l7Cjxf/WZj+we5qfVPvvxfYw==} + + unist-util-visit-parents@6.0.1: + resolution: {integrity: sha512-L/PqWzfTP9lzzEa6CKs0k2nARxTdZduw3zyh8d2NVBnsyvHjSX4TWse388YrrQKbvI8w20fGjGlhgT96WwKykw==} + + unist-util-visit@5.0.0: + resolution: {integrity: sha512-MR04uvD+07cwl/yhVuVWAtw+3GOR/knlL55Nd/wAdblk27GCVt3lqpTivy/tkJcZoNPzTwS1Y+KMojlLDhoTzg==} + + universal-github-app-jwt@1.1.2: + resolution: {integrity: sha512-t1iB2FmLFE+yyJY9+3wMx0ejB+MQpEVkH0gQv7dR6FZyltyq+ZZO0uDpbopxhrZ3SLEO4dCEkIujOMldEQ2iOA==} + + universal-user-agent@6.0.1: + resolution: {integrity: sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ==} + + universalify@0.2.0: + resolution: {integrity: sha512-CJ1QgKmNg3CwvAv/kOFmtnEN05f0D/cn9QntgNOQlQF9dgvVTHj3t+8JPdjqawCHk7V/KA+fbUqzZ9XWhcqPUg==} + engines: {node: '>= 4.0.0'} + + universalify@2.0.1: + resolution: {integrity: sha512-gptHNQghINnc/vTGIk0SOFGFNXw7JVrlRUtConJRlvaw6DuX0wO5Jeko9sWrMBhh+PsYAZ7oXAiOnf/UKogyiw==} + engines: {node: '>= 10.0.0'} + + unpipe@1.0.0: + resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} + engines: {node: '>= 0.8'} + + unplugin@1.12.2: + resolution: {integrity: sha512-bEqQxeC7rxtxPZ3M5V4Djcc4lQqKPgGe3mAWZvxcSmX5jhGxll19NliaRzQSQPrk4xJZSGniK3puLWpRuZN7VQ==} + engines: {node: '>=14.0.0'} + + unplugin@1.5.1: + resolution: {integrity: sha512-0QkvG13z6RD+1L1FoibQqnvTwVBXvS4XSPwAyinVgoOCl2jAgwzdUKmEj05o4Lt8xwQI85Hb6mSyYkcAGwZPew==} + + update-browserslist-db@1.1.0: + resolution: {integrity: sha512-EdRAaAyk2cUE1wOf2DkEhzxqOQvFOoRJFNS6NeyJ01Gp2beMRpBAINjM2iDXE3KCuKhwnvHIQCJm6ThL2Z+HzQ==} + hasBin: true + peerDependencies: + browserslist: '>= 4.21.0' + + uri-js@4.4.1: + resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==} + + url-parse@1.5.10: + resolution: {integrity: sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==} + + util-deprecate@1.0.2: + resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==} + + util@0.12.5: + resolution: {integrity: sha512-kZf/K6hEIrWHI6XqOFUiiMa+79wE/D8Q+NCNAWclkyg3b4d2k7s0QGepNjiABc+aR3N1PAyHL7p6UcLY6LmrnA==} + + utils-merge@1.0.1: + resolution: {integrity: sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==} + engines: {node: '>= 0.4.0'} + + uuid@9.0.1: + resolution: {integrity: sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==} + hasBin: true + + v8-compile-cache@2.4.0: + resolution: {integrity: sha512-ocyWc3bAHBB/guyqJQVI5o4BZkPhznPYUG2ea80Gond/BgNWpap8TOmLSeeQG7bnh2KMISxskdADG59j7zruhw==} + + valibot@0.31.1: + resolution: {integrity: sha512-2YYIhPrnVSz/gfT2/iXVTrSj92HwchCt9Cga/6hX4B26iCz9zkIsGTS0HjDYTZfTi1Un0X6aRvhBi1cfqs/i0Q==} + + valibot@0.35.0: + resolution: {integrity: sha512-+i2aCRkReTrd5KBN/dW2BrPOvFnU5LXTV2xjZnjnqUIO8YUx6P2+MgRrkwF2FhkexgyKq/NIZdPdknhHf5A/Ww==} + + validator@13.12.0: + resolution: {integrity: sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==} + engines: {node: '>= 0.10'} + + vary@1.1.2: + resolution: {integrity: sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==} + engines: {node: '>= 0.8'} + + vite-node@1.6.0: + resolution: {integrity: sha512-de6HJgzC+TFzOu0NTC4RAIsyf/DY/ibWDYQUcuEA84EMHhcefTUGkjFHKKEJhQN4A+6I0u++kr3l36ZF2d7XRw==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + + vite-plugin-tailwind-purgecss@0.3.3: + resolution: {integrity: sha512-fsTAzcSdFKrhLxX8zTq3zaTFjk+APmJWOAy+1ujsmxkh9y8hIvM81dWEgdXK1k7suQjns+b7JsoIUkHpxLf5UA==} + peerDependencies: + tailwindcss: ^3.3.0 + vite: ^4.1.1 || ^5.0.0 + + vite@5.4.1: + resolution: {integrity: sha512-1oE6yuNXssjrZdblI9AfBbHCC41nnyoVoEZxQnID6yvQZAFBzxxkqoFLtHUMkYunL8hwOLEjgTuxpkRxvba3kA==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + peerDependencies: + '@types/node': ^18.0.0 || >=20.0.0 + less: '*' + lightningcss: ^1.21.0 + sass: '*' + sass-embedded: '*' + stylus: '*' + sugarss: '*' + terser: ^5.4.0 + peerDependenciesMeta: + '@types/node': + optional: true + less: + optional: true + lightningcss: + optional: true + sass: + optional: true + sass-embedded: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + + vitefu@0.2.5: + resolution: {integrity: sha512-SgHtMLoqaeeGnd2evZ849ZbACbnwQCIwRH57t18FxcXoZop0uQu0uzlIhJBlF/eWVzuce0sHeqPcDo+evVcg8Q==} + peerDependencies: + vite: ^3.0.0 || ^4.0.0 || ^5.0.0 + peerDependenciesMeta: + vite: + optional: true + + vitest@1.6.0: + resolution: {integrity: sha512-H5r/dN06swuFnzNFhq/dnz37bPXnq8xB2xB5JOVk8K09rUtoeNN+LHWkoQ0A/i3hvbUKKcCei9KpbxqHMLhLLA==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + peerDependencies: + '@edge-runtime/vm': '*' + '@types/node': ^18.0.0 || >=20.0.0 + '@vitest/browser': 1.6.0 + '@vitest/ui': 1.6.0 + happy-dom: '*' + jsdom: '*' + peerDependenciesMeta: + '@edge-runtime/vm': + optional: true + '@types/node': + optional: true + '@vitest/browser': + optional: true + '@vitest/ui': + optional: true + happy-dom: + optional: true + jsdom: + optional: true + + w3c-xmlserializer@5.0.0: + resolution: {integrity: sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==} + engines: {node: '>=18'} + + walk-up-path@3.0.1: + resolution: {integrity: sha512-9YlCL/ynK3CTlrSRrDxZvUauLzAswPCrsaCgilqFevUYpeEW0/3ScEjaa3kbW/T0ghhkEr7mv+fpjqn1Y1YuTA==} + + wcwidth@1.0.1: + resolution: {integrity: sha512-XHPEwS0q6TaxcvG85+8EYkbiCux2XtWG2mkc47Ng2A77BQu9+DqIOJldST4HgPkuea7dvKSj5VgX3P1d4rW8Tg==} + + webidl-conversions@7.0.0: + resolution: {integrity: sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==} + engines: {node: '>=12'} + + webpack-sources@3.2.3: + resolution: {integrity: sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==} + engines: {node: '>=10.13.0'} + + webpack-virtual-modules@0.6.2: + resolution: {integrity: sha512-66/V2i5hQanC51vBQKPH4aI8NMAcBW59FVBs+rC7eGHupMyfn34q7rZIE+ETlJ+XTevqfUhVVBgSUNSW2flEUQ==} + + whatwg-encoding@3.1.1: + resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==} + engines: {node: '>=18'} + + whatwg-mimetype@4.0.0: + resolution: {integrity: sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==} + engines: {node: '>=18'} + + whatwg-url@14.0.0: + resolution: {integrity: sha512-1lfMEm2IEr7RIV+f4lUNPOqfFL+pO+Xw3fJSqmjX9AbXcXcYOkCe1P6+9VBZB6n94af16NfZf+sSk0JCBZC9aw==} + engines: {node: '>=18'} + + which-typed-array@1.1.15: + resolution: {integrity: sha512-oV0jmFtUky6CXfkqehVvBP/LSWJ2sy4vWMioiENyJLePrBO/yKyV9OyJySfAKosh+RYkIl5zJCNZ8/4JncrpdA==} + engines: {node: '>= 0.4'} + + which@2.0.2: + resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==} + engines: {node: '>= 8'} + hasBin: true + + why-is-node-running@2.3.0: + resolution: {integrity: sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==} + engines: {node: '>=8'} + hasBin: true + + word-wrap@1.2.5: + resolution: {integrity: sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==} + engines: {node: '>=0.10.0'} + + wrap-ansi@7.0.0: + resolution: {integrity: sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==} + engines: {node: '>=10'} + + wrap-ansi@8.1.0: + resolution: {integrity: sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==} + engines: {node: '>=12'} + + wrappy@1.0.2: + resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==} + + write-file-atomic@2.4.3: + resolution: {integrity: sha512-GaETH5wwsX+GcnzhPgKcKjJ6M2Cq3/iZp1WyY/X1CSqrW+jVNM9Y7D8EC2sM4ZG/V8wZlSniJnCKWPmBYAucRQ==} + + ws@8.18.0: + resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==} + engines: {node: '>=10.0.0'} + peerDependencies: + bufferutil: ^4.0.1 + utf-8-validate: '>=5.0.2' + peerDependenciesMeta: + bufferutil: + optional: true + utf-8-validate: + optional: true + + xml-name-validator@5.0.0: + resolution: {integrity: sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==} + engines: {node: '>=18'} + + xmlchars@2.2.0: + resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==} + + yallist@3.1.1: + resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==} + + yallist@4.0.0: + resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + + yaml@1.10.2: + resolution: {integrity: sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==} + engines: {node: '>= 6'} + + yaml@2.5.0: + resolution: {integrity: sha512-2wWLbGbYDiSqqIKoPjar3MPgB94ErzCtrNE1FdqGuaO0pi2JGjmE8aW8TDZwzU7vuxcGRdL/4gPQwQ7hD5AMSw==} + engines: {node: '>= 14'} + hasBin: true + + yocto-queue@0.1.0: + resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==} + engines: {node: '>=10'} + + yocto-queue@1.1.1: + resolution: {integrity: sha512-b4JR1PFR10y1mKjhHY9LaGo6tmrgjit7hxVIeAmyMw3jegXR4dhYqLaQF5zMXZxY7tLpMyJeLjr1C4rLmkVe8g==} + engines: {node: '>=12.20'} + + yup@1.4.0: + resolution: {integrity: sha512-wPbgkJRCqIf+OHyiTBQoJiP5PFuAXaWiJK6AmYkzQAh5/c2K9hzSApBZG5wV9KoKSePF7sAxmNSvh/13YHkFDg==} + + zod-to-json-schema@3.23.2: + resolution: {integrity: sha512-uSt90Gzc/tUfyNqxnjlfBs8W6WSGpNBv0rVsNxP/BVSMHMKGdthPYff4xtCHYloJGM0CFxFsb3NbC0eqPhfImw==} + peerDependencies: + zod: ^3.23.3 + + zod@3.23.8: + resolution: {integrity: sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==} + + zrender@5.6.0: + resolution: {integrity: sha512-uzgraf4njmmHAbEUxMJ8Oxg+P3fT04O+9p7gY+wJRVxo8Ge+KmYv0WJev945EH4wFuc4OY2NLXz46FZrWS9xJg==} + +snapshots: + + '@adobe/css-tools@4.4.0': {} + + '@alloc/quick-lru@5.2.0': {} + + '@ampproject/remapping@2.3.0': + dependencies: + '@jridgewell/gen-mapping': 0.3.5 + '@jridgewell/trace-mapping': 0.3.25 + + '@ark/schema@0.2.0': + dependencies: + '@ark/util': 0.1.0 + optional: true + + '@ark/util@0.1.0': + optional: true + + '@babel/code-frame@7.24.7': + dependencies: + '@babel/highlight': 7.24.7 + picocolors: 1.0.1 + + '@babel/compat-data@7.25.2': {} + + '@babel/core@7.25.2': + dependencies: + '@ampproject/remapping': 2.3.0 + '@babel/code-frame': 7.24.7 + '@babel/generator': 7.25.0 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-module-transforms': 7.25.2(@babel/core@7.25.2) + '@babel/helpers': 7.25.0 + '@babel/parser': 7.25.3 + '@babel/template': 7.25.0 + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + convert-source-map: 2.0.0 + debug: 4.3.6 + gensync: 1.0.0-beta.2 + json5: 2.2.3 + semver: 6.3.1 + transitivePeerDependencies: + - supports-color + + '@babel/generator@7.25.0': + dependencies: + '@babel/types': 7.25.2 + '@jridgewell/gen-mapping': 0.3.5 + '@jridgewell/trace-mapping': 0.3.25 + jsesc: 2.5.2 + + '@babel/helper-annotate-as-pure@7.24.7': + dependencies: + '@babel/types': 7.25.2 + + '@babel/helper-builder-binary-assignment-operator-visitor@7.24.7': + dependencies: + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helper-compilation-targets@7.25.2': + dependencies: + '@babel/compat-data': 7.25.2 + '@babel/helper-validator-option': 7.24.8 + browserslist: 4.23.3 + lru-cache: 5.1.1 + semver: 6.3.1 + + '@babel/helper-create-class-features-plugin@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + '@babel/helper-member-expression-to-functions': 7.24.8 + '@babel/helper-optimise-call-expression': 7.24.7 + '@babel/helper-replace-supers': 7.25.0(@babel/core@7.25.2) + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + '@babel/traverse': 7.25.3 + semver: 6.3.1 + transitivePeerDependencies: + - supports-color + + '@babel/helper-create-regexp-features-plugin@7.25.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + regexpu-core: 5.3.2 + semver: 6.3.1 + + '@babel/helper-define-polyfill-provider@0.6.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + debug: 4.3.6 + lodash.debounce: 4.0.8 + resolve: 1.22.8 + transitivePeerDependencies: + - supports-color + + '@babel/helper-member-expression-to-functions@7.24.8': + dependencies: + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helper-module-imports@7.24.7': + dependencies: + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helper-module-transforms@7.25.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-imports': 7.24.7 + '@babel/helper-simple-access': 7.24.7 + '@babel/helper-validator-identifier': 7.24.7 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/helper-optimise-call-expression@7.24.7': + dependencies: + '@babel/types': 7.25.2 + + '@babel/helper-plugin-utils@7.24.8': {} + + '@babel/helper-remap-async-to-generator@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + '@babel/helper-wrap-function': 7.25.0 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/helper-replace-supers@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-member-expression-to-functions': 7.24.8 + '@babel/helper-optimise-call-expression': 7.24.7 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/helper-simple-access@7.24.7': + dependencies: + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helper-skip-transparent-expression-wrappers@7.24.7': + dependencies: + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helper-string-parser@7.24.8': {} + + '@babel/helper-validator-identifier@7.24.7': {} + + '@babel/helper-validator-option@7.24.8': {} + + '@babel/helper-wrap-function@7.25.0': + dependencies: + '@babel/template': 7.25.0 + '@babel/traverse': 7.25.3 + '@babel/types': 7.25.2 + transitivePeerDependencies: + - supports-color + + '@babel/helpers@7.25.0': + dependencies: + '@babel/template': 7.25.0 + '@babel/types': 7.25.2 + + '@babel/highlight@7.24.7': + dependencies: + '@babel/helper-validator-identifier': 7.24.7 + chalk: 2.4.2 + js-tokens: 4.0.0 + picocolors: 1.0.1 + + '@babel/parser@7.25.3': + dependencies: + '@babel/types': 7.25.2 + + '@babel/plugin-bugfix-firefox-class-in-computed-class-key@7.25.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-bugfix-safari-class-field-initializer-scope@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + '@babel/plugin-transform-optional-chaining': 7.24.8(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + + '@babel/plugin-syntax-async-generators@7.8.4(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-class-properties@7.12.13(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-class-static-block@7.14.5(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-dynamic-import@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-export-namespace-from@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-flow@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-import-assertions@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-import-attributes@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-import-meta@7.10.4(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-json-strings@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-jsx@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-logical-assignment-operators@7.10.4(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-nullish-coalescing-operator@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-numeric-separator@7.10.4(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-object-rest-spread@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-optional-catch-binding@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-optional-chaining@7.8.3(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-private-property-in-object@7.14.5(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-top-level-await@7.14.5(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-typescript@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-syntax-unicode-sets-regex@7.18.6(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-arrow-functions@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-async-generator-functions@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-remap-async-to-generator': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-syntax-async-generators': 7.8.4(@babel/core@7.25.2) + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-async-to-generator@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-imports': 7.24.7 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-remap-async-to-generator': 7.25.0(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-block-scoped-functions@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-block-scoping@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-class-properties@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-class-features-plugin': 7.25.0(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-class-static-block@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-class-features-plugin': 7.25.0(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-class-static-block': 7.14.5(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-classes@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-replace-supers': 7.25.0(@babel/core@7.25.2) + '@babel/traverse': 7.25.3 + globals: 11.12.0 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-computed-properties@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/template': 7.25.0 + + '@babel/plugin-transform-destructuring@7.24.8(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-dotall-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-duplicate-keys@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-duplicate-named-capturing-groups-regex@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-dynamic-import@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-dynamic-import': 7.8.3(@babel/core@7.25.2) + + '@babel/plugin-transform-exponentiation-operator@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-builder-binary-assignment-operator-visitor': 7.24.7 + '@babel/helper-plugin-utils': 7.24.8 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-export-namespace-from@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-export-namespace-from': 7.8.3(@babel/core@7.25.2) + + '@babel/plugin-transform-flow-strip-types@7.25.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-flow': 7.24.7(@babel/core@7.25.2) + + '@babel/plugin-transform-for-of@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-function-name@7.25.1(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-json-strings@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-json-strings': 7.8.3(@babel/core@7.25.2) + + '@babel/plugin-transform-literals@7.25.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-logical-assignment-operators@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-logical-assignment-operators': 7.10.4(@babel/core@7.25.2) + + '@babel/plugin-transform-member-expression-literals@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-modules-amd@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-transforms': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-modules-commonjs@7.24.8(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-transforms': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-simple-access': 7.24.7 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-modules-systemjs@7.25.0(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-transforms': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-validator-identifier': 7.24.7 + '@babel/traverse': 7.25.3 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-modules-umd@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-module-transforms': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-named-capturing-groups-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-new-target@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-nullish-coalescing-operator@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-nullish-coalescing-operator': 7.8.3(@babel/core@7.25.2) + + '@babel/plugin-transform-numeric-separator@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-numeric-separator': 7.10.4(@babel/core@7.25.2) + + '@babel/plugin-transform-object-rest-spread@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-object-rest-spread': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-transform-parameters': 7.24.7(@babel/core@7.25.2) + + '@babel/plugin-transform-object-super@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-replace-supers': 7.25.0(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-optional-catch-binding@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-optional-catch-binding': 7.8.3(@babel/core@7.25.2) + + '@babel/plugin-transform-optional-chaining@7.24.8(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + '@babel/plugin-syntax-optional-chaining': 7.8.3(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-parameters@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-private-methods@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-class-features-plugin': 7.25.0(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-private-property-in-object@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + '@babel/helper-create-class-features-plugin': 7.25.0(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + '@babel/plugin-syntax-private-property-in-object': 7.14.5(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-property-literals@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-regenerator@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + regenerator-transform: 0.15.2 + + '@babel/plugin-transform-reserved-words@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-shorthand-properties@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-spread@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-sticky-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-template-literals@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-typeof-symbol@7.24.8(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-typescript@7.25.2(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-annotate-as-pure': 7.24.7 + '@babel/helper-create-class-features-plugin': 7.25.0(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-skip-transparent-expression-wrappers': 7.24.7 + '@babel/plugin-syntax-typescript': 7.24.7(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/plugin-transform-unicode-escapes@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-unicode-property-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-unicode-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/plugin-transform-unicode-sets-regex@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-create-regexp-features-plugin': 7.25.2(@babel/core@7.25.2) + '@babel/helper-plugin-utils': 7.24.8 + + '@babel/preset-env@7.25.3(@babel/core@7.25.2)': + dependencies: + '@babel/compat-data': 7.25.2 + '@babel/core': 7.25.2 + '@babel/helper-compilation-targets': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-validator-option': 7.24.8 + '@babel/plugin-bugfix-firefox-class-in-computed-class-key': 7.25.3(@babel/core@7.25.2) + '@babel/plugin-bugfix-safari-class-field-initializer-scope': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-proposal-private-property-in-object': 7.21.0-placeholder-for-preset-env.2(@babel/core@7.25.2) + '@babel/plugin-syntax-async-generators': 7.8.4(@babel/core@7.25.2) + '@babel/plugin-syntax-class-properties': 7.12.13(@babel/core@7.25.2) + '@babel/plugin-syntax-class-static-block': 7.14.5(@babel/core@7.25.2) + '@babel/plugin-syntax-dynamic-import': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-export-namespace-from': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-import-assertions': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-syntax-import-attributes': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-syntax-import-meta': 7.10.4(@babel/core@7.25.2) + '@babel/plugin-syntax-json-strings': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-logical-assignment-operators': 7.10.4(@babel/core@7.25.2) + '@babel/plugin-syntax-nullish-coalescing-operator': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-numeric-separator': 7.10.4(@babel/core@7.25.2) + '@babel/plugin-syntax-object-rest-spread': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-optional-catch-binding': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-optional-chaining': 7.8.3(@babel/core@7.25.2) + '@babel/plugin-syntax-private-property-in-object': 7.14.5(@babel/core@7.25.2) + '@babel/plugin-syntax-top-level-await': 7.14.5(@babel/core@7.25.2) + '@babel/plugin-syntax-unicode-sets-regex': 7.18.6(@babel/core@7.25.2) + '@babel/plugin-transform-arrow-functions': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-async-generator-functions': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-transform-async-to-generator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-block-scoped-functions': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-block-scoping': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-transform-class-properties': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-class-static-block': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-classes': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-transform-computed-properties': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-destructuring': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-dotall-regex': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-duplicate-keys': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-duplicate-named-capturing-groups-regex': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-transform-dynamic-import': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-exponentiation-operator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-export-namespace-from': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-for-of': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-function-name': 7.25.1(@babel/core@7.25.2) + '@babel/plugin-transform-json-strings': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-literals': 7.25.2(@babel/core@7.25.2) + '@babel/plugin-transform-logical-assignment-operators': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-member-expression-literals': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-modules-amd': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-modules-commonjs': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-modules-systemjs': 7.25.0(@babel/core@7.25.2) + '@babel/plugin-transform-modules-umd': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-named-capturing-groups-regex': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-new-target': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-nullish-coalescing-operator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-numeric-separator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-object-rest-spread': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-object-super': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-optional-catch-binding': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-optional-chaining': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-parameters': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-private-methods': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-private-property-in-object': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-property-literals': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-regenerator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-reserved-words': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-shorthand-properties': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-spread': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-sticky-regex': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-template-literals': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-typeof-symbol': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-unicode-escapes': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-unicode-property-regex': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-unicode-regex': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-unicode-sets-regex': 7.24.7(@babel/core@7.25.2) + '@babel/preset-modules': 0.1.6-no-external-plugins(@babel/core@7.25.2) + babel-plugin-polyfill-corejs2: 0.4.11(@babel/core@7.25.2) + babel-plugin-polyfill-corejs3: 0.10.6(@babel/core@7.25.2) + babel-plugin-polyfill-regenerator: 0.6.2(@babel/core@7.25.2) + core-js-compat: 3.38.0 + semver: 6.3.1 + transitivePeerDependencies: + - supports-color + + '@babel/preset-flow@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-validator-option': 7.24.8 + '@babel/plugin-transform-flow-strip-types': 7.25.2(@babel/core@7.25.2) + + '@babel/preset-modules@0.1.6-no-external-plugins(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/types': 7.25.2 + esutils: 2.0.3 + + '@babel/preset-typescript@7.24.7(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-plugin-utils': 7.24.8 + '@babel/helper-validator-option': 7.24.8 + '@babel/plugin-syntax-jsx': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-modules-commonjs': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-typescript': 7.25.2(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + '@babel/register@7.24.6(@babel/core@7.25.2)': + dependencies: + '@babel/core': 7.25.2 + clone-deep: 4.0.1 + find-cache-dir: 2.1.0 + make-dir: 2.1.0 + pirates: 4.0.6 + source-map-support: 0.5.21 + + '@babel/regjsgen@0.8.0': {} + + '@babel/runtime@7.25.0': + dependencies: + regenerator-runtime: 0.14.1 + + '@babel/template@7.25.0': + dependencies: + '@babel/code-frame': 7.24.7 + '@babel/parser': 7.25.3 + '@babel/types': 7.25.2 + + '@babel/traverse@7.25.3': + dependencies: + '@babel/code-frame': 7.24.7 + '@babel/generator': 7.25.0 + '@babel/parser': 7.25.3 + '@babel/template': 7.25.0 + '@babel/types': 7.25.2 + debug: 4.3.6 + globals: 11.12.0 + transitivePeerDependencies: + - supports-color + + '@babel/types@7.25.2': + dependencies: + '@babel/helper-string-parser': 7.24.8 + '@babel/helper-validator-identifier': 7.24.7 + to-fast-properties: 2.0.0 + + '@bcoe/v8-coverage@0.2.3': {} + + '@esbuild/aix-ppc64@0.21.5': + optional: true + + '@esbuild/aix-ppc64@0.23.0': + optional: true + + '@esbuild/android-arm64@0.21.5': + optional: true + + '@esbuild/android-arm64@0.23.0': + optional: true + + '@esbuild/android-arm@0.21.5': + optional: true + + '@esbuild/android-arm@0.23.0': + optional: true + + '@esbuild/android-x64@0.21.5': + optional: true + + '@esbuild/android-x64@0.23.0': + optional: true + + '@esbuild/darwin-arm64@0.21.5': + optional: true + + '@esbuild/darwin-arm64@0.23.0': + optional: true + + '@esbuild/darwin-x64@0.21.5': + optional: true + + '@esbuild/darwin-x64@0.23.0': + optional: true + + '@esbuild/freebsd-arm64@0.21.5': + optional: true + + '@esbuild/freebsd-arm64@0.23.0': + optional: true + + '@esbuild/freebsd-x64@0.21.5': + optional: true + + '@esbuild/freebsd-x64@0.23.0': + optional: true + + '@esbuild/linux-arm64@0.21.5': + optional: true + + '@esbuild/linux-arm64@0.23.0': + optional: true + + '@esbuild/linux-arm@0.21.5': + optional: true + + '@esbuild/linux-arm@0.23.0': + optional: true + + '@esbuild/linux-ia32@0.21.5': + optional: true + + '@esbuild/linux-ia32@0.23.0': + optional: true + + '@esbuild/linux-loong64@0.21.5': + optional: true + + '@esbuild/linux-loong64@0.23.0': + optional: true + + '@esbuild/linux-mips64el@0.21.5': + optional: true + + '@esbuild/linux-mips64el@0.23.0': + optional: true + + '@esbuild/linux-ppc64@0.21.5': + optional: true + + '@esbuild/linux-ppc64@0.23.0': + optional: true + + '@esbuild/linux-riscv64@0.21.5': + optional: true + + '@esbuild/linux-riscv64@0.23.0': + optional: true + + '@esbuild/linux-s390x@0.21.5': + optional: true + + '@esbuild/linux-s390x@0.23.0': + optional: true + + '@esbuild/linux-x64@0.21.5': + optional: true + + '@esbuild/linux-x64@0.23.0': + optional: true + + '@esbuild/netbsd-x64@0.21.5': + optional: true + + '@esbuild/netbsd-x64@0.23.0': + optional: true + + '@esbuild/openbsd-arm64@0.23.0': + optional: true + + '@esbuild/openbsd-x64@0.21.5': + optional: true + + '@esbuild/openbsd-x64@0.23.0': + optional: true + + '@esbuild/sunos-x64@0.21.5': + optional: true + + '@esbuild/sunos-x64@0.23.0': + optional: true + + '@esbuild/win32-arm64@0.21.5': + optional: true + + '@esbuild/win32-arm64@0.23.0': + optional: true + + '@esbuild/win32-ia32@0.21.5': + optional: true + + '@esbuild/win32-ia32@0.23.0': + optional: true + + '@esbuild/win32-x64@0.21.5': + optional: true + + '@esbuild/win32-x64@0.23.0': + optional: true + + '@eslint-community/eslint-utils@4.4.0(eslint@8.57.0)': + dependencies: + eslint: 8.57.0 + eslint-visitor-keys: 3.4.3 + + '@eslint-community/regexpp@4.11.0': {} + + '@eslint/eslintrc@1.4.1': + dependencies: + ajv: 6.12.6 + debug: 4.3.6 + espree: 9.6.1 + globals: 13.24.0 + ignore: 5.3.2 + import-fresh: 3.3.0 + js-yaml: 4.1.0 + minimatch: 3.1.2 + strip-json-comments: 3.1.1 + transitivePeerDependencies: + - supports-color + + '@eslint/eslintrc@2.1.4': + dependencies: + ajv: 6.12.6 + debug: 4.3.6 + espree: 9.6.1 + globals: 13.24.0 + ignore: 5.3.2 + import-fresh: 3.3.0 + js-yaml: 4.1.0 + minimatch: 3.1.2 + strip-json-comments: 3.1.1 + transitivePeerDependencies: + - supports-color + + '@eslint/js@8.57.0': {} + + '@exodus/schemasafe@1.3.0': + optional: true + + '@floating-ui/core@1.6.7': + dependencies: + '@floating-ui/utils': 0.2.7 + + '@floating-ui/dom@1.6.10': + dependencies: + '@floating-ui/core': 1.6.7 + '@floating-ui/utils': 0.2.7 + + '@floating-ui/utils@0.2.7': {} + + '@formatjs/ecma402-abstract@2.0.0': + dependencies: + '@formatjs/intl-localematcher': 0.5.4 + tslib: 2.6.3 + + '@formatjs/intl-localematcher@0.5.4': + dependencies: + tslib: 2.6.3 + + '@formatjs/intl-segmenter@11.5.7': + dependencies: + '@formatjs/ecma402-abstract': 2.0.0 + '@formatjs/intl-localematcher': 0.5.4 + tslib: 2.6.3 + + '@fortawesome/fontawesome-free@6.6.0': {} + + '@gcornut/valibot-json-schema@0.31.0': + dependencies: + valibot: 0.31.1 + optionalDependencies: + '@types/json-schema': 7.0.15 + esbuild: 0.23.0 + esbuild-runner: 2.2.2(esbuild@0.23.0) + optional: true + + '@hapi/hoek@9.3.0': + optional: true + + '@hapi/topo@5.1.0': + dependencies: + '@hapi/hoek': 9.3.0 + optional: true + + '@humanwhocodes/config-array@0.11.14': + dependencies: + '@humanwhocodes/object-schema': 2.0.3 + debug: 4.3.6 + minimatch: 3.1.2 + transitivePeerDependencies: + - supports-color + + '@humanwhocodes/config-array@0.9.5': + dependencies: + '@humanwhocodes/object-schema': 1.2.1 + debug: 4.3.6 + minimatch: 3.1.2 + transitivePeerDependencies: + - supports-color + + '@humanwhocodes/module-importer@1.0.1': {} + + '@humanwhocodes/object-schema@1.2.1': {} + + '@humanwhocodes/object-schema@2.0.3': {} + + '@inlang/detect-json-formatting@1.0.0': + dependencies: + guess-json-indent: 2.0.0 + + '@inlang/json-types@1.1.0(@sinclair/typebox@0.31.28)': + dependencies: + '@sinclair/typebox': 0.31.28 + + '@inlang/language-tag@1.5.1': + dependencies: + '@sinclair/typebox': 0.31.28 + + '@inlang/message-lint-rule@1.4.5(@sinclair/typebox@0.31.28)': + dependencies: + '@inlang/json-types': 1.1.0(@sinclair/typebox@0.31.28) + '@inlang/language-tag': 1.5.1 + '@inlang/message': 2.1.0(@sinclair/typebox@0.31.28) + '@inlang/project-settings': 2.4.0(@sinclair/typebox@0.31.28) + '@inlang/translatable': 1.3.1 + '@sinclair/typebox': 0.31.28 + + '@inlang/message@2.1.0(@sinclair/typebox@0.31.28)': + dependencies: + '@inlang/language-tag': 1.5.1 + '@sinclair/typebox': 0.31.28 + + '@inlang/module@1.2.9(@sinclair/typebox@0.31.28)': + dependencies: + '@inlang/message-lint-rule': 1.4.5(@sinclair/typebox@0.31.28) + '@inlang/plugin': 2.4.9(@sinclair/typebox@0.31.28) + '@sinclair/typebox': 0.31.28 + + '@inlang/paraglide-js-adapter-unplugin@1.4.29': + dependencies: + '@inlang/paraglide-js': 1.7.0 + '@inlang/sdk': 0.33.0 + '@lix-js/client': 1.2.1 + unplugin: 1.5.1 + transitivePeerDependencies: + - babel-plugin-macros + - debug + - supports-color + + '@inlang/paraglide-js-adapter-vite@1.2.40': + dependencies: + '@inlang/paraglide-js-adapter-unplugin': 1.4.29 + transitivePeerDependencies: + - babel-plugin-macros + - debug + - supports-color + + '@inlang/paraglide-js@1.11.1': + dependencies: + '@inlang/detect-json-formatting': 1.0.0 + commander: 11.1.0 + consola: 3.2.3 + dedent: 1.5.1 + json5: 2.2.3 + posthog-node: 3.1.3 + transitivePeerDependencies: + - babel-plugin-macros + - debug + + '@inlang/paraglide-js@1.7.0': + dependencies: + '@inlang/detect-json-formatting': 1.0.0 + commander: 11.1.0 + consola: 3.2.3 + dedent: 1.5.1 + json5: 2.2.3 + posthog-node: 3.1.3 + transitivePeerDependencies: + - babel-plugin-macros + - debug + + '@inlang/plugin@2.4.9(@sinclair/typebox@0.31.28)': + dependencies: + '@inlang/json-types': 1.1.0(@sinclair/typebox@0.31.28) + '@inlang/language-tag': 1.5.1 + '@inlang/message': 2.1.0(@sinclair/typebox@0.31.28) + '@inlang/project-settings': 2.4.0(@sinclair/typebox@0.31.28) + '@inlang/translatable': 1.3.1 + '@lix-js/fs': 1.0.0 + '@sinclair/typebox': 0.31.28 + + '@inlang/project-settings@2.4.0(@sinclair/typebox@0.31.28)': + dependencies: + '@inlang/json-types': 1.1.0(@sinclair/typebox@0.31.28) + '@inlang/language-tag': 1.5.1 + '@sinclair/typebox': 0.31.28 + + '@inlang/result@1.1.0': {} + + '@inlang/sdk@0.33.0': + dependencies: + '@inlang/json-types': 1.1.0(@sinclair/typebox@0.31.28) + '@inlang/language-tag': 1.5.1 + '@inlang/message': 2.1.0(@sinclair/typebox@0.31.28) + '@inlang/message-lint-rule': 1.4.5(@sinclair/typebox@0.31.28) + '@inlang/module': 1.2.9(@sinclair/typebox@0.31.28) + '@inlang/plugin': 2.4.9(@sinclair/typebox@0.31.28) + '@inlang/project-settings': 2.4.0(@sinclair/typebox@0.31.28) + '@inlang/result': 1.1.0 + '@inlang/translatable': 1.3.1 + '@lix-js/client': 1.2.1 + '@lix-js/fs': 1.0.0 + '@sinclair/typebox': 0.31.28 + debug: 4.3.6 + dedent: 1.5.1 + deepmerge-ts: 5.1.0 + murmurhash3js: 3.0.1 + solid-js: 1.6.12 + throttle-debounce: 5.0.2 + transitivePeerDependencies: + - babel-plugin-macros + - supports-color + + '@inlang/translatable@1.3.1': + dependencies: + '@inlang/language-tag': 1.5.1 + + '@isaacs/cliui@8.0.2': + dependencies: + string-width: 5.1.2 + string-width-cjs: string-width@4.2.3 + strip-ansi: 7.1.0 + strip-ansi-cjs: strip-ansi@6.0.1 + wrap-ansi: 8.1.0 + wrap-ansi-cjs: wrap-ansi@7.0.0 + + '@isaacs/ttlcache@1.4.1': {} + + '@istanbuljs/schema@0.1.3': {} + + '@jest/schemas@29.6.3': + dependencies: + '@sinclair/typebox': 0.27.8 + + '@jridgewell/gen-mapping@0.3.5': + dependencies: + '@jridgewell/set-array': 1.2.1 + '@jridgewell/sourcemap-codec': 1.5.0 + '@jridgewell/trace-mapping': 0.3.25 + + '@jridgewell/resolve-uri@3.1.2': {} + + '@jridgewell/set-array@1.2.1': {} + + '@jridgewell/sourcemap-codec@1.5.0': {} + + '@jridgewell/trace-mapping@0.3.25': + dependencies: + '@jridgewell/resolve-uri': 3.1.2 + '@jridgewell/sourcemap-codec': 1.5.0 + + '@lix-js/client@1.2.1': + dependencies: + '@lix-js/fs': 1.0.0 + '@octokit/types': 12.4.0 + async-lock: 1.4.1 + clean-git-ref: 2.0.1 + crc-32: 1.2.2 + diff3: 0.0.4 + ignore: 5.3.2 + octokit: 3.1.2 + pako: 1.0.11 + pify: 5.0.0 + sha.js: 2.4.11 + solid-js: 1.7.11 + + '@lix-js/fs@1.0.0': {} + + '@mdx-js/react@3.0.1(@types/react@18.3.3)(react@18.3.1)': + dependencies: + '@types/mdx': 2.0.13 + '@types/react': 18.3.3 + react: 18.3.1 + + '@nodelib/fs.scandir@2.1.5': + dependencies: + '@nodelib/fs.stat': 2.0.5 + run-parallel: 1.2.0 + + '@nodelib/fs.stat@2.0.5': {} + + '@nodelib/fs.walk@1.2.8': + dependencies: + '@nodelib/fs.scandir': 2.1.5 + fastq: 1.17.1 + + '@octokit/app@14.1.0': + dependencies: + '@octokit/auth-app': 6.1.1 + '@octokit/auth-unauthenticated': 5.0.1 + '@octokit/core': 5.2.0 + '@octokit/oauth-app': 6.1.0 + '@octokit/plugin-paginate-rest': 9.2.1(@octokit/core@5.2.0) + '@octokit/types': 12.4.0 + '@octokit/webhooks': 12.2.0 + + '@octokit/auth-app@6.1.1': + dependencies: + '@octokit/auth-oauth-app': 7.1.0 + '@octokit/auth-oauth-user': 4.1.0 + '@octokit/request': 8.4.0 + '@octokit/request-error': 5.1.0 + '@octokit/types': 13.5.0 + deprecation: 2.3.1 + lru-cache: 10.4.3 + universal-github-app-jwt: 1.1.2 + universal-user-agent: 6.0.1 + + '@octokit/auth-oauth-app@7.1.0': + dependencies: + '@octokit/auth-oauth-device': 6.1.0 + '@octokit/auth-oauth-user': 4.1.0 + '@octokit/request': 8.4.0 + '@octokit/types': 13.5.0 + '@types/btoa-lite': 1.0.2 + btoa-lite: 1.0.0 + universal-user-agent: 6.0.1 + + '@octokit/auth-oauth-device@6.1.0': + dependencies: + '@octokit/oauth-methods': 4.1.0 + '@octokit/request': 8.4.0 + '@octokit/types': 13.5.0 + universal-user-agent: 6.0.1 + + '@octokit/auth-oauth-user@4.1.0': + dependencies: + '@octokit/auth-oauth-device': 6.1.0 + '@octokit/oauth-methods': 4.1.0 + '@octokit/request': 8.4.0 + '@octokit/types': 13.5.0 + btoa-lite: 1.0.0 + universal-user-agent: 6.0.1 + + '@octokit/auth-token@4.0.0': {} + + '@octokit/auth-unauthenticated@5.0.1': + dependencies: + '@octokit/request-error': 5.1.0 + '@octokit/types': 12.4.0 + + '@octokit/core@5.2.0': + dependencies: + '@octokit/auth-token': 4.0.0 + '@octokit/graphql': 7.1.0 + '@octokit/request': 8.4.0 + '@octokit/request-error': 5.1.0 + '@octokit/types': 13.5.0 + before-after-hook: 2.2.3 + universal-user-agent: 6.0.1 + + '@octokit/endpoint@9.0.5': + dependencies: + '@octokit/types': 13.5.0 + universal-user-agent: 6.0.1 + + '@octokit/graphql@7.1.0': + dependencies: + '@octokit/request': 8.4.0 + '@octokit/types': 13.5.0 + universal-user-agent: 6.0.1 + + '@octokit/oauth-app@6.1.0': + dependencies: + '@octokit/auth-oauth-app': 7.1.0 + '@octokit/auth-oauth-user': 4.1.0 + '@octokit/auth-unauthenticated': 5.0.1 + '@octokit/core': 5.2.0 + '@octokit/oauth-authorization-url': 6.0.2 + '@octokit/oauth-methods': 4.1.0 + '@types/aws-lambda': 8.10.143 + universal-user-agent: 6.0.1 + + '@octokit/oauth-authorization-url@6.0.2': {} + + '@octokit/oauth-methods@4.1.0': + dependencies: + '@octokit/oauth-authorization-url': 6.0.2 + '@octokit/request': 8.4.0 + '@octokit/request-error': 5.1.0 + '@octokit/types': 13.5.0 + btoa-lite: 1.0.0 + + '@octokit/openapi-types@19.1.0': {} + + '@octokit/openapi-types@20.0.0': {} + + '@octokit/openapi-types@22.2.0': {} + + '@octokit/plugin-paginate-graphql@4.0.1(@octokit/core@5.2.0)': + dependencies: + '@octokit/core': 5.2.0 + + '@octokit/plugin-paginate-rest@9.2.1(@octokit/core@5.2.0)': + dependencies: + '@octokit/core': 5.2.0 + '@octokit/types': 12.6.0 + + '@octokit/plugin-rest-endpoint-methods@10.4.1(@octokit/core@5.2.0)': + dependencies: + '@octokit/core': 5.2.0 + '@octokit/types': 12.6.0 + + '@octokit/plugin-retry@6.0.1(@octokit/core@5.2.0)': + dependencies: + '@octokit/core': 5.2.0 + '@octokit/request-error': 5.1.0 + '@octokit/types': 12.4.0 + bottleneck: 2.19.5 + + '@octokit/plugin-throttling@8.2.0(@octokit/core@5.2.0)': + dependencies: + '@octokit/core': 5.2.0 + '@octokit/types': 12.4.0 + bottleneck: 2.19.5 + + '@octokit/request-error@5.1.0': + dependencies: + '@octokit/types': 13.5.0 + deprecation: 2.3.1 + once: 1.4.0 + + '@octokit/request@8.4.0': + dependencies: + '@octokit/endpoint': 9.0.5 + '@octokit/request-error': 5.1.0 + '@octokit/types': 13.5.0 + universal-user-agent: 6.0.1 + + '@octokit/types@12.4.0': + dependencies: + '@octokit/openapi-types': 19.1.0 + + '@octokit/types@12.6.0': + dependencies: + '@octokit/openapi-types': 20.0.0 + + '@octokit/types@13.5.0': + dependencies: + '@octokit/openapi-types': 22.2.0 + + '@octokit/webhooks-methods@4.1.0': {} + + '@octokit/webhooks-types@7.4.0': {} + + '@octokit/webhooks@12.2.0': + dependencies: + '@octokit/request-error': 5.1.0 + '@octokit/webhooks-methods': 4.1.0 + '@octokit/webhooks-types': 7.4.0 + aggregate-error: 3.1.0 + + '@pkgjs/parseargs@0.11.0': + optional: true + + '@playwright/test@1.46.0': + dependencies: + playwright: 1.46.0 + + '@polka/url@1.0.0-next.25': {} + + '@poppinss/macroable@1.0.2': + optional: true + + '@rollup/plugin-commonjs@26.0.1(rollup@4.20.0)': + dependencies: + '@rollup/pluginutils': 5.1.0(rollup@4.20.0) + commondir: 1.0.1 + estree-walker: 2.0.2 + glob: 10.4.5 + is-reference: 1.2.1 + magic-string: 0.30.11 + optionalDependencies: + rollup: 4.20.0 + + '@rollup/plugin-json@6.1.0(rollup@4.20.0)': + dependencies: + '@rollup/pluginutils': 5.1.0(rollup@4.20.0) + optionalDependencies: + rollup: 4.20.0 + + '@rollup/plugin-node-resolve@15.2.3(rollup@4.20.0)': + dependencies: + '@rollup/pluginutils': 5.1.0(rollup@4.20.0) + '@types/resolve': 1.20.2 + deepmerge: 4.3.1 + is-builtin-module: 3.2.1 + is-module: 1.0.0 + resolve: 1.22.8 + optionalDependencies: + rollup: 4.20.0 + + '@rollup/pluginutils@5.1.0(rollup@4.20.0)': + dependencies: + '@types/estree': 1.0.5 + estree-walker: 2.0.2 + picomatch: 2.3.1 + optionalDependencies: + rollup: 4.20.0 + + '@rollup/rollup-android-arm-eabi@4.20.0': + optional: true + + '@rollup/rollup-android-arm64@4.20.0': + optional: true + + '@rollup/rollup-darwin-arm64@4.20.0': + optional: true + + '@rollup/rollup-darwin-x64@4.20.0': + optional: true + + '@rollup/rollup-linux-arm-gnueabihf@4.20.0': + optional: true + + '@rollup/rollup-linux-arm-musleabihf@4.20.0': + optional: true + + '@rollup/rollup-linux-arm64-gnu@4.20.0': + optional: true + + '@rollup/rollup-linux-arm64-musl@4.20.0': + optional: true + + '@rollup/rollup-linux-powerpc64le-gnu@4.20.0': + optional: true + + '@rollup/rollup-linux-riscv64-gnu@4.20.0': + optional: true + + '@rollup/rollup-linux-s390x-gnu@4.20.0': + optional: true + + '@rollup/rollup-linux-x64-gnu@4.20.0': + optional: true + + '@rollup/rollup-linux-x64-musl@4.20.0': + optional: true + + '@rollup/rollup-win32-arm64-msvc@4.20.0': + optional: true + + '@rollup/rollup-win32-ia32-msvc@4.20.0': + optional: true + + '@rollup/rollup-win32-x64-msvc@4.20.0': + optional: true + + '@sideway/address@4.1.5': + dependencies: + '@hapi/hoek': 9.3.0 + optional: true + + '@sideway/formula@3.0.1': + optional: true + + '@sideway/pinpoint@2.0.0': + optional: true + + '@sinclair/typebox@0.27.8': {} + + '@sinclair/typebox@0.31.28': {} + + '@sinclair/typebox@0.32.35': + optional: true + + '@sindresorhus/merge-streams@2.3.0': {} + + '@skeletonlabs/skeleton@2.10.2(svelte@4.2.18)': + dependencies: + esm-env: 1.0.0 + svelte: 4.2.18 + + '@skeletonlabs/tw-plugin@0.4.0(tailwindcss@3.4.10)': + dependencies: + tailwindcss: 3.4.10 + + '@sodaru/yup-to-json-schema@2.0.1': + optional: true + + '@storybook/addon-actions@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + '@types/uuid': 9.0.8 + dequal: 2.0.3 + polished: 4.3.1 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + uuid: 9.0.1 + + '@storybook/addon-backgrounds@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + memoizerific: 1.11.3 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + + '@storybook/addon-controls@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + dequal: 2.0.3 + lodash: 4.17.21 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + + '@storybook/addon-docs@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@babel/core': 7.25.2 + '@mdx-js/react': 3.0.1(@types/react@18.3.3)(react@18.3.1) + '@storybook/blocks': 8.2.9(react-dom@18.3.1(react@18.3.1))(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/csf-plugin': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/global': 5.0.0 + '@storybook/react-dom-shim': 8.2.9(react-dom@18.3.1(react@18.3.1))(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@types/react': 18.3.3 + fs-extra: 11.2.0 + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + rehype-external-links: 3.0.0 + rehype-slug: 6.0.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + transitivePeerDependencies: + - supports-color + + '@storybook/addon-essentials@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/addon-actions': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-backgrounds': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-controls': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-docs': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-highlight': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-measure': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-outline': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-toolbars': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/addon-viewport': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + transitivePeerDependencies: + - supports-color + + '@storybook/addon-highlight@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/addon-interactions@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1))': + dependencies: + '@storybook/global': 5.0.0 + '@storybook/instrumenter': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/test': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + polished: 4.3.1 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + transitivePeerDependencies: + - '@jest/globals' + - '@types/bun' + - '@types/jest' + - jest + - vitest + + '@storybook/addon-links@8.2.9(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/csf': 0.1.11 + '@storybook/global': 5.0.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + optionalDependencies: + react: 18.3.1 + + '@storybook/addon-measure@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + tiny-invariant: 1.3.3 + + '@storybook/addon-outline@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + + '@storybook/addon-toolbars@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/addon-viewport@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + memoizerific: 1.11.3 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/blocks@8.2.9(react-dom@18.3.1(react@18.3.1))(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/csf': 0.1.11 + '@storybook/global': 5.0.0 + '@storybook/icons': 1.2.10(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + '@types/lodash': 4.17.7 + color-convert: 2.0.1 + dequal: 2.0.3 + lodash: 4.17.21 + markdown-to-jsx: 7.4.7(react@18.3.1) + memoizerific: 1.11.3 + polished: 4.3.1 + react-colorful: 5.6.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1) + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + telejson: 7.2.0 + ts-dedent: 2.2.0 + util-deprecate: 1.0.2 + optionalDependencies: + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + + '@storybook/builder-vite@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@storybook/csf-plugin': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@types/find-cache-dir': 3.2.1 + browser-assert: 1.2.1 + es-module-lexer: 1.5.4 + express: 4.19.2 + find-cache-dir: 3.3.2 + fs-extra: 11.2.0 + magic-string: 0.30.11 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + ts-dedent: 2.2.0 + vite: 5.4.1(@types/node@20.14.15) + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@storybook/codemod@8.2.9': + dependencies: + '@babel/core': 7.25.2 + '@babel/preset-env': 7.25.3(@babel/core@7.25.2) + '@babel/types': 7.25.2 + '@storybook/core': 8.2.9 + '@storybook/csf': 0.1.11 + '@types/cross-spawn': 6.0.6 + cross-spawn: 7.0.3 + globby: 14.0.2 + jscodeshift: 0.15.2(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + lodash: 4.17.21 + prettier: 3.3.3 + recast: 0.23.9 + tiny-invariant: 1.3.3 + transitivePeerDependencies: + - bufferutil + - supports-color + - utf-8-validate + + '@storybook/components@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/core@8.2.9': + dependencies: + '@storybook/csf': 0.1.11 + '@types/express': 4.17.21 + '@types/node': 18.19.44 + browser-assert: 1.2.1 + esbuild: 0.21.5 + esbuild-register: 3.6.0(esbuild@0.21.5) + express: 4.19.2 + process: 0.11.10 + recast: 0.23.9 + util: 0.12.5 + ws: 8.18.0 + transitivePeerDependencies: + - bufferutil + - supports-color + - utf-8-validate + + '@storybook/csf-plugin@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + unplugin: 1.12.2 + + '@storybook/csf@0.0.1': + dependencies: + lodash: 4.17.21 + + '@storybook/csf@0.1.11': + dependencies: + type-fest: 2.19.0 + + '@storybook/global@5.0.0': {} + + '@storybook/icons@1.2.10(react-dom@18.3.1(react@18.3.1))(react@18.3.1)': + dependencies: + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + + '@storybook/instrumenter@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + '@storybook/global': 5.0.0 + '@vitest/utils': 1.6.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + util: 0.12.5 + + '@storybook/manager-api@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/preview-api@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/react-dom-shim@8.2.9(react-dom@18.3.1(react@18.3.1))(react@18.3.1)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@storybook/svelte-vite@8.2.9(@babel/core@7.25.2)(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18)(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@storybook/builder-vite': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15)) + '@storybook/svelte': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18) + '@sveltejs/vite-plugin-svelte': 3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + magic-string: 0.30.11 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + svelte: 4.2.18 + svelte-preprocess: 5.1.4(@babel/core@7.25.2)(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(svelte@4.2.18)(typescript@5.5.4) + sveltedoc-parser: 4.2.1 + ts-dedent: 2.2.0 + vite: 5.4.1(@types/node@20.14.15) + transitivePeerDependencies: + - '@babel/core' + - '@preact/preset-vite' + - coffeescript + - less + - postcss + - postcss-load-config + - pug + - sass + - stylus + - sugarss + - supports-color + - typescript + - vite-plugin-glimmerx + + '@storybook/svelte@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18)': + dependencies: + '@storybook/components': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/global': 5.0.0 + '@storybook/manager-api': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/preview-api': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/theming': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + svelte: 4.2.18 + sveltedoc-parser: 4.2.1 + ts-dedent: 2.2.0 + type-fest: 2.19.0 + transitivePeerDependencies: + - supports-color + + '@storybook/sveltekit@8.2.9(@babel/core@7.25.2)(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18)(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@storybook/addon-actions': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@storybook/builder-vite': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15)) + '@storybook/svelte': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18) + '@storybook/svelte-vite': 8.2.9(@babel/core@7.25.2)(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(svelte@4.2.18)(typescript@5.5.4)(vite@5.4.1(@types/node@20.14.15)) + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + svelte: 4.2.18 + vite: 5.4.1(@types/node@20.14.15) + transitivePeerDependencies: + - '@babel/core' + - '@preact/preset-vite' + - '@sveltejs/vite-plugin-svelte' + - coffeescript + - less + - postcss + - postcss-load-config + - pug + - sass + - stylus + - sugarss + - supports-color + - typescript + - vite-plugin-glimmerx + + '@storybook/test@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1))': + dependencies: + '@storybook/csf': 0.1.11 + '@storybook/instrumenter': 8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2))) + '@testing-library/dom': 10.1.0 + '@testing-library/jest-dom': 6.4.5(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1)) + '@testing-library/user-event': 14.5.2(@testing-library/dom@10.1.0) + '@vitest/expect': 1.6.0 + '@vitest/spy': 1.6.0 + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + util: 0.12.5 + transitivePeerDependencies: + - '@jest/globals' + - '@types/bun' + - '@types/jest' + - jest + - vitest + + '@storybook/theming@8.2.9(storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)))': + dependencies: + storybook: 8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + + '@sveltejs/adapter-auto@3.2.4(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))': + dependencies: + '@sveltejs/kit': 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + import-meta-resolve: 4.1.0 + + '@sveltejs/adapter-node@5.2.2(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))': + dependencies: + '@rollup/plugin-commonjs': 26.0.1(rollup@4.20.0) + '@rollup/plugin-json': 6.1.0(rollup@4.20.0) + '@rollup/plugin-node-resolve': 15.2.3(rollup@4.20.0) + '@sveltejs/kit': 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + rollup: 4.20.0 + + '@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@sveltejs/vite-plugin-svelte': 3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + '@types/cookie': 0.6.0 + cookie: 0.6.0 + devalue: 5.0.0 + esm-env: 1.0.0 + import-meta-resolve: 4.1.0 + kleur: 4.1.5 + magic-string: 0.30.11 + mrmime: 2.0.0 + sade: 1.8.1 + set-cookie-parser: 2.7.0 + sirv: 2.0.4 + svelte: 4.2.18 + tiny-glob: 0.2.9 + vite: 5.4.1(@types/node@20.14.15) + + '@sveltejs/vite-plugin-svelte-inspector@2.1.0(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@sveltejs/vite-plugin-svelte': 3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + debug: 4.3.6 + svelte: 4.2.18 + vite: 5.4.1(@types/node@20.14.15) + transitivePeerDependencies: + - supports-color + + '@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))': + dependencies: + '@sveltejs/vite-plugin-svelte-inspector': 2.1.0(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + debug: 4.3.6 + deepmerge: 4.3.1 + kleur: 4.1.5 + magic-string: 0.30.11 + svelte: 4.2.18 + svelte-hmr: 0.16.0(svelte@4.2.18) + vite: 5.4.1(@types/node@20.14.15) + vitefu: 0.2.5(vite@5.4.1(@types/node@20.14.15)) + transitivePeerDependencies: + - supports-color + + '@tailwindcss/forms@0.5.7(tailwindcss@3.4.10)': + dependencies: + mini-svg-data-uri: 1.4.4 + tailwindcss: 3.4.10 + + '@tailwindcss/typography@0.5.14(tailwindcss@3.4.10)': + dependencies: + lodash.castarray: 4.4.0 + lodash.isplainobject: 4.0.6 + lodash.merge: 4.6.2 + postcss-selector-parser: 6.0.10 + tailwindcss: 3.4.10 + + '@testing-library/dom@10.1.0': + dependencies: + '@babel/code-frame': 7.24.7 + '@babel/runtime': 7.25.0 + '@types/aria-query': 5.0.4 + aria-query: 5.3.0 + chalk: 4.1.2 + dom-accessibility-api: 0.5.16 + lz-string: 1.5.0 + pretty-format: 27.5.1 + + '@testing-library/dom@10.4.0': + dependencies: + '@babel/code-frame': 7.24.7 + '@babel/runtime': 7.25.0 + '@types/aria-query': 5.0.4 + aria-query: 5.3.0 + chalk: 4.1.2 + dom-accessibility-api: 0.5.16 + lz-string: 1.5.0 + pretty-format: 27.5.1 + + '@testing-library/jest-dom@6.4.5(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1))': + dependencies: + '@adobe/css-tools': 4.4.0 + '@babel/runtime': 7.25.0 + aria-query: 5.3.0 + chalk: 3.0.0 + css.escape: 1.5.1 + dom-accessibility-api: 0.6.3 + lodash: 4.17.21 + redent: 3.0.0 + optionalDependencies: + vitest: 1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1) + + '@testing-library/jest-dom@6.4.8': + dependencies: + '@adobe/css-tools': 4.4.0 + '@babel/runtime': 7.25.0 + aria-query: 5.3.0 + chalk: 3.0.0 + css.escape: 1.5.1 + dom-accessibility-api: 0.6.3 + lodash: 4.17.21 + redent: 3.0.0 + + '@testing-library/svelte@5.2.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1))': + dependencies: + '@testing-library/dom': 10.4.0 + svelte: 4.2.18 + optionalDependencies: + vite: 5.4.1(@types/node@20.14.15) + vitest: 1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1) + + '@testing-library/user-event@14.5.2(@testing-library/dom@10.1.0)': + dependencies: + '@testing-library/dom': 10.1.0 + + '@types/aria-query@5.0.4': {} + + '@types/aws-lambda@8.10.143': {} + + '@types/body-parser@1.19.5': + dependencies: + '@types/connect': 3.4.38 + '@types/node': 20.14.15 + + '@types/btoa-lite@1.0.2': {} + + '@types/connect@3.4.38': + dependencies: + '@types/node': 20.14.15 + + '@types/cookie@0.6.0': {} + + '@types/cross-spawn@6.0.6': + dependencies: + '@types/node': 20.14.15 + + '@types/emscripten@1.39.13': {} + + '@types/estree@1.0.5': {} + + '@types/express-serve-static-core@4.19.5': + dependencies: + '@types/node': 20.14.15 + '@types/qs': 6.9.15 + '@types/range-parser': 1.2.7 + '@types/send': 0.17.4 + + '@types/express@4.17.21': + dependencies: + '@types/body-parser': 1.19.5 + '@types/express-serve-static-core': 4.19.5 + '@types/qs': 6.9.15 + '@types/serve-static': 1.15.7 + + '@types/find-cache-dir@3.2.1': {} + + '@types/hast@3.0.4': + dependencies: + '@types/unist': 3.0.3 + + '@types/http-errors@2.0.4': {} + + '@types/json-schema@7.0.15': {} + + '@types/jsonwebtoken@9.0.6': + dependencies: + '@types/node': 20.14.15 + + '@types/lodash@4.17.7': {} + + '@types/mdx@2.0.13': {} + + '@types/mime@1.3.5': {} + + '@types/node@18.19.44': + dependencies: + undici-types: 5.26.5 + + '@types/node@20.14.15': + dependencies: + undici-types: 5.26.5 + + '@types/prop-types@15.7.12': {} + + '@types/pug@2.0.10': {} + + '@types/qs@6.9.15': {} + + '@types/range-parser@1.2.7': {} + + '@types/react@18.3.3': + dependencies: + '@types/prop-types': 15.7.12 + csstype: 3.1.3 + + '@types/resolve@1.20.2': {} + + '@types/semver@7.5.8': {} + + '@types/send@0.17.4': + dependencies: + '@types/mime': 1.3.5 + '@types/node': 20.14.15 + + '@types/serve-static@1.15.7': + dependencies: + '@types/http-errors': 2.0.4 + '@types/node': 20.14.15 + '@types/send': 0.17.4 + + '@types/unist@3.0.3': {} + + '@types/uuid@9.0.8': {} + + '@types/validator@13.12.0': + optional: true + + '@typescript-eslint/eslint-plugin@7.18.0(@typescript-eslint/parser@7.18.0(eslint@8.57.0)(typescript@5.5.4))(eslint@8.57.0)(typescript@5.5.4)': + dependencies: + '@eslint-community/regexpp': 4.11.0 + '@typescript-eslint/parser': 7.18.0(eslint@8.57.0)(typescript@5.5.4) + '@typescript-eslint/scope-manager': 7.18.0 + '@typescript-eslint/type-utils': 7.18.0(eslint@8.57.0)(typescript@5.5.4) + '@typescript-eslint/utils': 7.18.0(eslint@8.57.0)(typescript@5.5.4) + '@typescript-eslint/visitor-keys': 7.18.0 + eslint: 8.57.0 + graphemer: 1.4.0 + ignore: 5.3.2 + natural-compare: 1.4.0 + ts-api-utils: 1.3.0(typescript@5.5.4) + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@typescript-eslint/parser@7.18.0(eslint@8.57.0)(typescript@5.5.4)': + dependencies: + '@typescript-eslint/scope-manager': 7.18.0 + '@typescript-eslint/types': 7.18.0 + '@typescript-eslint/typescript-estree': 7.18.0(typescript@5.5.4) + '@typescript-eslint/visitor-keys': 7.18.0 + debug: 4.3.6 + eslint: 8.57.0 + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@typescript-eslint/scope-manager@5.62.0': + dependencies: + '@typescript-eslint/types': 5.62.0 + '@typescript-eslint/visitor-keys': 5.62.0 + + '@typescript-eslint/scope-manager@7.18.0': + dependencies: + '@typescript-eslint/types': 7.18.0 + '@typescript-eslint/visitor-keys': 7.18.0 + + '@typescript-eslint/type-utils@7.18.0(eslint@8.57.0)(typescript@5.5.4)': + dependencies: + '@typescript-eslint/typescript-estree': 7.18.0(typescript@5.5.4) + '@typescript-eslint/utils': 7.18.0(eslint@8.57.0)(typescript@5.5.4) + debug: 4.3.6 + eslint: 8.57.0 + ts-api-utils: 1.3.0(typescript@5.5.4) + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@typescript-eslint/types@5.62.0': {} + + '@typescript-eslint/types@7.18.0': {} + + '@typescript-eslint/typescript-estree@5.62.0(typescript@5.5.4)': + dependencies: + '@typescript-eslint/types': 5.62.0 + '@typescript-eslint/visitor-keys': 5.62.0 + debug: 4.3.6 + globby: 11.1.0 + is-glob: 4.0.3 + semver: 7.6.3 + tsutils: 3.21.0(typescript@5.5.4) + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@typescript-eslint/typescript-estree@7.18.0(typescript@5.5.4)': + dependencies: + '@typescript-eslint/types': 7.18.0 + '@typescript-eslint/visitor-keys': 7.18.0 + debug: 4.3.6 + globby: 11.1.0 + is-glob: 4.0.3 + minimatch: 9.0.5 + semver: 7.6.3 + ts-api-utils: 1.3.0(typescript@5.5.4) + optionalDependencies: + typescript: 5.5.4 + transitivePeerDependencies: + - supports-color + + '@typescript-eslint/utils@5.62.0(eslint@8.57.0)(typescript@5.5.4)': + dependencies: + '@eslint-community/eslint-utils': 4.4.0(eslint@8.57.0) + '@types/json-schema': 7.0.15 + '@types/semver': 7.5.8 + '@typescript-eslint/scope-manager': 5.62.0 + '@typescript-eslint/types': 5.62.0 + '@typescript-eslint/typescript-estree': 5.62.0(typescript@5.5.4) + eslint: 8.57.0 + eslint-scope: 5.1.1 + semver: 7.6.3 + transitivePeerDependencies: + - supports-color + - typescript + + '@typescript-eslint/utils@7.18.0(eslint@8.57.0)(typescript@5.5.4)': + dependencies: + '@eslint-community/eslint-utils': 4.4.0(eslint@8.57.0) + '@typescript-eslint/scope-manager': 7.18.0 + '@typescript-eslint/types': 7.18.0 + '@typescript-eslint/typescript-estree': 7.18.0(typescript@5.5.4) + eslint: 8.57.0 + transitivePeerDependencies: + - supports-color + - typescript + + '@typescript-eslint/visitor-keys@5.62.0': + dependencies: + '@typescript-eslint/types': 5.62.0 + eslint-visitor-keys: 3.4.3 + + '@typescript-eslint/visitor-keys@7.18.0': + dependencies: + '@typescript-eslint/types': 7.18.0 + eslint-visitor-keys: 3.4.3 + + '@ungap/structured-clone@1.2.0': {} + + '@vincjo/datatables@1.14.10(svelte@4.2.18)': + dependencies: + svelte: 4.2.18 + + '@vinejs/compiler@2.5.0': + optional: true + + '@vinejs/vine@1.8.0': + dependencies: + '@poppinss/macroable': 1.0.2 + '@types/validator': 13.12.0 + '@vinejs/compiler': 2.5.0 + camelcase: 8.0.0 + dayjs: 1.11.12 + dlv: 1.1.3 + normalize-url: 8.0.1 + validator: 13.12.0 + optional: true + + '@vitest/coverage-v8@1.6.0(vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1))': + dependencies: + '@ampproject/remapping': 2.3.0 + '@bcoe/v8-coverage': 0.2.3 + debug: 4.3.6 + istanbul-lib-coverage: 3.2.2 + istanbul-lib-report: 3.0.1 + istanbul-lib-source-maps: 5.0.6 + istanbul-reports: 3.1.7 + magic-string: 0.30.11 + magicast: 0.3.4 + picocolors: 1.0.1 + std-env: 3.7.0 + strip-literal: 2.1.0 + test-exclude: 6.0.0 + vitest: 1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1) + transitivePeerDependencies: + - supports-color + + '@vitest/expect@1.6.0': + dependencies: + '@vitest/spy': 1.6.0 + '@vitest/utils': 1.6.0 + chai: 4.5.0 + + '@vitest/runner@1.6.0': + dependencies: + '@vitest/utils': 1.6.0 + p-limit: 5.0.0 + pathe: 1.1.2 + + '@vitest/snapshot@1.6.0': + dependencies: + magic-string: 0.30.11 + pathe: 1.1.2 + pretty-format: 29.7.0 + + '@vitest/spy@1.6.0': + dependencies: + tinyspy: 2.2.1 + + '@vitest/ui@1.6.0(vitest@1.6.0)': + dependencies: + '@vitest/utils': 1.6.0 + fast-glob: 3.3.2 + fflate: 0.8.2 + flatted: 3.3.1 + pathe: 1.1.2 + picocolors: 1.0.1 + sirv: 2.0.4 + vitest: 1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1) + + '@vitest/utils@1.6.0': + dependencies: + diff-sequences: 29.6.3 + estree-walker: 3.0.3 + loupe: 2.3.7 + pretty-format: 29.7.0 + + '@yarnpkg/fslib@2.10.3': + dependencies: + '@yarnpkg/libzip': 2.3.0 + tslib: 1.14.1 + + '@yarnpkg/libzip@2.3.0': + dependencies: + '@types/emscripten': 1.39.13 + tslib: 1.14.1 + + accepts@1.3.8: + dependencies: + mime-types: 2.1.35 + negotiator: 0.6.3 + + acorn-jsx@5.3.2(acorn@8.12.1): + dependencies: + acorn: 8.12.1 + + acorn-walk@8.3.3: + dependencies: + acorn: 8.12.1 + + acorn@8.12.1: {} + + agent-base@7.1.1: + dependencies: + debug: 4.3.6 + transitivePeerDependencies: + - supports-color + + aggregate-error@3.1.0: + dependencies: + clean-stack: 2.2.0 + indent-string: 4.0.0 + + ajv@6.12.6: + dependencies: + fast-deep-equal: 3.1.3 + fast-json-stable-stringify: 2.1.0 + json-schema-traverse: 0.4.1 + uri-js: 4.4.1 + + ansi-colors@4.1.3: {} + + ansi-regex@5.0.1: {} + + ansi-regex@6.0.1: {} + + ansi-styles@3.2.1: + dependencies: + color-convert: 1.9.3 + + ansi-styles@4.3.0: + dependencies: + color-convert: 2.0.1 + + ansi-styles@5.2.0: {} + + ansi-styles@6.2.1: {} + + any-promise@1.3.0: {} + + anymatch@3.1.3: + dependencies: + normalize-path: 3.0.0 + picomatch: 2.3.1 + + arg@5.0.2: {} + + argparse@2.0.1: {} + + aria-query@5.3.0: + dependencies: + dequal: 2.0.3 + + arktype@2.0.0-beta.0: + dependencies: + '@ark/schema': 0.2.0 + '@ark/util': 0.1.0 + optional: true + + array-flatten@1.1.1: {} + + array-union@2.1.0: {} + + assertion-error@1.1.0: {} + + ast-types@0.16.1: + dependencies: + tslib: 2.6.3 + + async-lock@1.4.1: {} + + asynckit@0.4.0: {} + + autoprefixer@10.4.20(postcss@8.4.41): + dependencies: + browserslist: 4.23.3 + caniuse-lite: 1.0.30001651 + fraction.js: 4.3.7 + normalize-range: 0.1.2 + picocolors: 1.0.1 + postcss: 8.4.41 + postcss-value-parser: 4.2.0 + + available-typed-arrays@1.0.7: + dependencies: + possible-typed-array-names: 1.0.0 + + axios@1.7.4: + dependencies: + follow-redirects: 1.15.6 + form-data: 4.0.0 + proxy-from-env: 1.1.0 + transitivePeerDependencies: + - debug + + axobject-query@4.1.0: {} + + babel-core@7.0.0-bridge.0(@babel/core@7.25.2): + dependencies: + '@babel/core': 7.25.2 + + babel-plugin-polyfill-corejs2@0.4.11(@babel/core@7.25.2): + dependencies: + '@babel/compat-data': 7.25.2 + '@babel/core': 7.25.2 + '@babel/helper-define-polyfill-provider': 0.6.2(@babel/core@7.25.2) + semver: 6.3.1 + transitivePeerDependencies: + - supports-color + + babel-plugin-polyfill-corejs3@0.10.6(@babel/core@7.25.2): + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-define-polyfill-provider': 0.6.2(@babel/core@7.25.2) + core-js-compat: 3.38.0 + transitivePeerDependencies: + - supports-color + + babel-plugin-polyfill-regenerator@0.6.2(@babel/core@7.25.2): + dependencies: + '@babel/core': 7.25.2 + '@babel/helper-define-polyfill-provider': 0.6.2(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + balanced-match@1.0.2: {} + + base64-js@1.5.1: {} + + before-after-hook@2.2.3: {} + + binary-extensions@2.3.0: {} + + bl@4.1.0: + dependencies: + buffer: 5.7.1 + inherits: 2.0.4 + readable-stream: 3.6.2 + + body-parser@1.20.2: + dependencies: + bytes: 3.1.2 + content-type: 1.0.5 + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + http-errors: 2.0.0 + iconv-lite: 0.4.24 + on-finished: 2.4.1 + qs: 6.11.0 + raw-body: 2.5.2 + type-is: 1.6.18 + unpipe: 1.0.0 + transitivePeerDependencies: + - supports-color + + bottleneck@2.19.5: {} + + brace-expansion@1.1.11: + dependencies: + balanced-match: 1.0.2 + concat-map: 0.0.1 + + brace-expansion@2.0.1: + dependencies: + balanced-match: 1.0.2 + + braces@3.0.3: + dependencies: + fill-range: 7.1.1 + + browser-assert@1.2.1: {} + + browserslist@4.23.3: + dependencies: + caniuse-lite: 1.0.30001651 + electron-to-chromium: 1.5.8 + node-releases: 2.0.18 + update-browserslist-db: 1.1.0(browserslist@4.23.3) + + btoa-lite@1.0.0: {} + + buffer-crc32@1.0.0: {} + + buffer-equal-constant-time@1.0.1: {} + + buffer-from@1.1.2: {} + + buffer@5.7.1: + dependencies: + base64-js: 1.5.1 + ieee754: 1.2.1 + + builtin-modules@3.3.0: {} + + bytes@3.1.2: {} + + cac@6.7.14: {} + + call-bind@1.0.7: + dependencies: + es-define-property: 1.0.0 + es-errors: 1.3.0 + function-bind: 1.1.2 + get-intrinsic: 1.2.4 + set-function-length: 1.2.2 + + callsites@3.1.0: {} + + camelcase-css@2.0.1: {} + + camelcase@8.0.0: + optional: true + + caniuse-lite@1.0.30001651: {} + + chai@4.5.0: + dependencies: + assertion-error: 1.1.0 + check-error: 1.0.3 + deep-eql: 4.1.4 + get-func-name: 2.0.2 + loupe: 2.3.7 + pathval: 1.1.1 + type-detect: 4.1.0 + + chalk@2.4.2: + dependencies: + ansi-styles: 3.2.1 + escape-string-regexp: 1.0.5 + supports-color: 5.5.0 + + chalk@3.0.0: + dependencies: + ansi-styles: 4.3.0 + supports-color: 7.2.0 + + chalk@4.1.2: + dependencies: + ansi-styles: 4.3.0 + supports-color: 7.2.0 + + chalk@5.3.0: {} + + check-error@1.0.3: + dependencies: + get-func-name: 2.0.2 + + chokidar@3.6.0: + dependencies: + anymatch: 3.1.3 + braces: 3.0.3 + glob-parent: 5.1.2 + is-binary-path: 2.1.0 + is-glob: 4.0.3 + normalize-path: 3.0.0 + readdirp: 3.6.0 + optionalDependencies: + fsevents: 2.3.3 + + chownr@2.0.0: {} + + citty@0.1.6: + dependencies: + consola: 3.2.3 + + clean-git-ref@2.0.1: {} + + clean-stack@2.2.0: {} + + cli-cursor@3.1.0: + dependencies: + restore-cursor: 3.1.0 + + cli-spinners@2.9.2: {} + + clone-deep@4.0.1: + dependencies: + is-plain-object: 2.0.4 + kind-of: 6.0.3 + shallow-clone: 3.0.1 + + clone@1.0.4: {} + + code-red@1.0.4: + dependencies: + '@jridgewell/sourcemap-codec': 1.5.0 + '@types/estree': 1.0.5 + acorn: 8.12.1 + estree-walker: 3.0.3 + periscopic: 3.1.0 + + color-convert@1.9.3: + dependencies: + color-name: 1.1.3 + + color-convert@2.0.1: + dependencies: + color-name: 1.1.4 + + color-name@1.1.3: {} + + color-name@1.1.4: {} + + combined-stream@1.0.8: + dependencies: + delayed-stream: 1.0.0 + + commander@11.1.0: {} + + commander@12.1.0: {} + + commander@4.1.1: {} + + commander@6.2.1: {} + + commondir@1.0.1: {} + + concat-map@0.0.1: {} + + confbox@0.1.7: {} + + consola@3.2.3: {} + + content-disposition@0.5.4: + dependencies: + safe-buffer: 5.2.1 + + content-type@1.0.5: {} + + convert-source-map@2.0.0: {} + + cookie-signature@1.0.6: {} + + cookie@0.6.0: {} + + core-js-compat@3.38.0: + dependencies: + browserslist: 4.23.3 + + crc-32@1.2.2: {} + + cross-spawn@7.0.3: + dependencies: + path-key: 3.1.1 + shebang-command: 2.0.0 + which: 2.0.2 + + crypto-random-string@4.0.0: + dependencies: + type-fest: 1.4.0 + + css-tree@2.3.1: + dependencies: + mdn-data: 2.0.30 + source-map-js: 1.2.0 + + css.escape@1.5.1: {} + + cssesc@3.0.0: {} + + cssstyle@4.0.1: + dependencies: + rrweb-cssom: 0.6.0 + + csstype@3.1.3: {} + + data-urls@5.0.0: + dependencies: + whatwg-mimetype: 4.0.0 + whatwg-url: 14.0.0 + + dayjs@1.11.12: + optional: true + + debug@2.6.9: + dependencies: + ms: 2.0.0 + + debug@4.3.6: + dependencies: + ms: 2.1.2 + + decimal.js@10.4.3: {} + + dedent@1.5.1: {} + + deep-eql@4.1.4: + dependencies: + type-detect: 4.1.0 + + deep-is@0.1.4: {} + + deepmerge-ts@5.1.0: {} + + deepmerge@4.3.1: {} + + defaults@1.0.4: + dependencies: + clone: 1.0.4 + + define-data-property@1.1.4: + dependencies: + es-define-property: 1.0.0 + es-errors: 1.3.0 + gopd: 1.0.1 + + defu@6.1.4: {} + + delayed-stream@1.0.0: {} + + depd@2.0.0: {} + + deprecation@2.3.1: {} + + dequal@2.0.3: {} + + destroy@1.2.0: {} + + detect-indent@6.1.0: {} + + devalue@5.0.0: {} + + didyoumean@1.2.2: {} + + diff-sequences@29.6.3: {} + + diff3@0.0.4: {} + + dir-glob@3.0.1: + dependencies: + path-type: 4.0.0 + + dlv@1.1.3: {} + + doctrine@3.0.0: + dependencies: + esutils: 2.0.3 + + dom-accessibility-api@0.5.16: {} + + dom-accessibility-api@0.6.3: {} + + dom-serializer@1.4.1: + dependencies: + domelementtype: 2.3.0 + domhandler: 4.3.1 + entities: 2.2.0 + + domelementtype@2.3.0: {} + + domhandler@3.3.0: + dependencies: + domelementtype: 2.3.0 + + domhandler@4.3.1: + dependencies: + domelementtype: 2.3.0 + + domhandler@5.0.3: + dependencies: + domelementtype: 2.3.0 + + domutils@2.8.0: + dependencies: + dom-serializer: 1.4.1 + domelementtype: 2.3.0 + domhandler: 4.3.1 + + dotenv@16.4.5: {} + + eastasianwidth@0.2.0: {} + + ecdsa-sig-formatter@1.0.11: + dependencies: + safe-buffer: 5.2.1 + + echarts@5.5.1: + dependencies: + tslib: 2.3.0 + zrender: 5.6.0 + + ee-first@1.1.1: {} + + electron-to-chromium@1.5.8: {} + + emoji-regex@8.0.0: {} + + emoji-regex@9.2.2: {} + + encodeurl@1.0.2: {} + + enquirer@2.4.1: + dependencies: + ansi-colors: 4.1.3 + strip-ansi: 6.0.1 + + entities@2.2.0: {} + + entities@4.5.0: {} + + envinfo@7.13.0: {} + + es-define-property@1.0.0: + dependencies: + get-intrinsic: 1.2.4 + + es-errors@1.3.0: {} + + es-module-lexer@1.5.4: {} + + es6-promise@3.3.1: {} + + esbuild-register@3.6.0(esbuild@0.21.5): + dependencies: + debug: 4.3.6 + esbuild: 0.21.5 + transitivePeerDependencies: + - supports-color + + esbuild-runner@2.2.2(esbuild@0.23.0): + dependencies: + esbuild: 0.23.0 + source-map-support: 0.5.21 + tslib: 2.4.0 + optional: true + + esbuild@0.21.5: + optionalDependencies: + '@esbuild/aix-ppc64': 0.21.5 + '@esbuild/android-arm': 0.21.5 + '@esbuild/android-arm64': 0.21.5 + '@esbuild/android-x64': 0.21.5 + '@esbuild/darwin-arm64': 0.21.5 + '@esbuild/darwin-x64': 0.21.5 + '@esbuild/freebsd-arm64': 0.21.5 + '@esbuild/freebsd-x64': 0.21.5 + '@esbuild/linux-arm': 0.21.5 + '@esbuild/linux-arm64': 0.21.5 + '@esbuild/linux-ia32': 0.21.5 + '@esbuild/linux-loong64': 0.21.5 + '@esbuild/linux-mips64el': 0.21.5 + '@esbuild/linux-ppc64': 0.21.5 + '@esbuild/linux-riscv64': 0.21.5 + '@esbuild/linux-s390x': 0.21.5 + '@esbuild/linux-x64': 0.21.5 + '@esbuild/netbsd-x64': 0.21.5 + '@esbuild/openbsd-x64': 0.21.5 + '@esbuild/sunos-x64': 0.21.5 + '@esbuild/win32-arm64': 0.21.5 + '@esbuild/win32-ia32': 0.21.5 + '@esbuild/win32-x64': 0.21.5 + + esbuild@0.23.0: + optionalDependencies: + '@esbuild/aix-ppc64': 0.23.0 + '@esbuild/android-arm': 0.23.0 + '@esbuild/android-arm64': 0.23.0 + '@esbuild/android-x64': 0.23.0 + '@esbuild/darwin-arm64': 0.23.0 + '@esbuild/darwin-x64': 0.23.0 + '@esbuild/freebsd-arm64': 0.23.0 + '@esbuild/freebsd-x64': 0.23.0 + '@esbuild/linux-arm': 0.23.0 + '@esbuild/linux-arm64': 0.23.0 + '@esbuild/linux-ia32': 0.23.0 + '@esbuild/linux-loong64': 0.23.0 + '@esbuild/linux-mips64el': 0.23.0 + '@esbuild/linux-ppc64': 0.23.0 + '@esbuild/linux-riscv64': 0.23.0 + '@esbuild/linux-s390x': 0.23.0 + '@esbuild/linux-x64': 0.23.0 + '@esbuild/netbsd-x64': 0.23.0 + '@esbuild/openbsd-arm64': 0.23.0 + '@esbuild/openbsd-x64': 0.23.0 + '@esbuild/sunos-x64': 0.23.0 + '@esbuild/win32-arm64': 0.23.0 + '@esbuild/win32-ia32': 0.23.0 + '@esbuild/win32-x64': 0.23.0 + optional: true + + escalade@3.1.2: {} + + escape-html@1.0.3: {} + + escape-string-regexp@1.0.5: {} + + escape-string-regexp@4.0.0: {} + + eslint-compat-utils@0.5.1(eslint@8.57.0): + dependencies: + eslint: 8.57.0 + semver: 7.6.3 + + eslint-config-prettier@9.1.0(eslint@8.57.0): + dependencies: + eslint: 8.57.0 + + eslint-plugin-storybook@0.8.0(eslint@8.57.0)(typescript@5.5.4): + dependencies: + '@storybook/csf': 0.0.1 + '@typescript-eslint/utils': 5.62.0(eslint@8.57.0)(typescript@5.5.4) + eslint: 8.57.0 + requireindex: 1.2.0 + ts-dedent: 2.2.0 + transitivePeerDependencies: + - supports-color + - typescript + + eslint-plugin-svelte@2.43.0(eslint@8.57.0)(svelte@4.2.18): + dependencies: + '@eslint-community/eslint-utils': 4.4.0(eslint@8.57.0) + '@jridgewell/sourcemap-codec': 1.5.0 + eslint: 8.57.0 + eslint-compat-utils: 0.5.1(eslint@8.57.0) + esutils: 2.0.3 + known-css-properties: 0.34.0 + postcss: 8.4.41 + postcss-load-config: 3.1.4(postcss@8.4.41) + postcss-safe-parser: 6.0.0(postcss@8.4.41) + postcss-selector-parser: 6.1.2 + semver: 7.6.3 + svelte-eslint-parser: 0.41.0(svelte@4.2.18) + optionalDependencies: + svelte: 4.2.18 + transitivePeerDependencies: + - ts-node + + eslint-scope@5.1.1: + dependencies: + esrecurse: 4.3.0 + estraverse: 4.3.0 + + eslint-scope@7.2.2: + dependencies: + esrecurse: 4.3.0 + estraverse: 5.3.0 + + eslint-utils@3.0.0(eslint@8.4.1): + dependencies: + eslint: 8.4.1 + eslint-visitor-keys: 2.1.0 + + eslint-visitor-keys@2.1.0: {} + + eslint-visitor-keys@3.4.3: {} + + eslint@8.4.1: + dependencies: + '@eslint/eslintrc': 1.4.1 + '@humanwhocodes/config-array': 0.9.5 + ajv: 6.12.6 + chalk: 4.1.2 + cross-spawn: 7.0.3 + debug: 4.3.6 + doctrine: 3.0.0 + enquirer: 2.4.1 + escape-string-regexp: 4.0.0 + eslint-scope: 7.2.2 + eslint-utils: 3.0.0(eslint@8.4.1) + eslint-visitor-keys: 3.4.3 + espree: 9.2.0 + esquery: 1.6.0 + esutils: 2.0.3 + fast-deep-equal: 3.1.3 + file-entry-cache: 6.0.1 + functional-red-black-tree: 1.0.1 + glob-parent: 6.0.2 + globals: 13.24.0 + ignore: 4.0.6 + import-fresh: 3.3.0 + imurmurhash: 0.1.4 + is-glob: 4.0.3 + js-yaml: 4.1.0 + json-stable-stringify-without-jsonify: 1.0.1 + levn: 0.4.1 + lodash.merge: 4.6.2 + minimatch: 3.1.2 + natural-compare: 1.4.0 + optionator: 0.9.4 + progress: 2.0.3 + regexpp: 3.2.0 + semver: 7.6.3 + strip-ansi: 6.0.1 + strip-json-comments: 3.1.1 + text-table: 0.2.0 + v8-compile-cache: 2.4.0 + transitivePeerDependencies: + - supports-color + + eslint@8.57.0: + dependencies: + '@eslint-community/eslint-utils': 4.4.0(eslint@8.57.0) + '@eslint-community/regexpp': 4.11.0 + '@eslint/eslintrc': 2.1.4 + '@eslint/js': 8.57.0 + '@humanwhocodes/config-array': 0.11.14 + '@humanwhocodes/module-importer': 1.0.1 + '@nodelib/fs.walk': 1.2.8 + '@ungap/structured-clone': 1.2.0 + ajv: 6.12.6 + chalk: 4.1.2 + cross-spawn: 7.0.3 + debug: 4.3.6 + doctrine: 3.0.0 + escape-string-regexp: 4.0.0 + eslint-scope: 7.2.2 + eslint-visitor-keys: 3.4.3 + espree: 9.6.1 + esquery: 1.6.0 + esutils: 2.0.3 + fast-deep-equal: 3.1.3 + file-entry-cache: 6.0.1 + find-up: 5.0.0 + glob-parent: 6.0.2 + globals: 13.24.0 + graphemer: 1.4.0 + ignore: 5.3.2 + imurmurhash: 0.1.4 + is-glob: 4.0.3 + is-path-inside: 3.0.3 + js-yaml: 4.1.0 + json-stable-stringify-without-jsonify: 1.0.1 + levn: 0.4.1 + lodash.merge: 4.6.2 + minimatch: 3.1.2 + natural-compare: 1.4.0 + optionator: 0.9.4 + strip-ansi: 6.0.1 + text-table: 0.2.0 + transitivePeerDependencies: + - supports-color + + esm-env@1.0.0: {} + + espree@9.2.0: + dependencies: + acorn: 8.12.1 + acorn-jsx: 5.3.2(acorn@8.12.1) + eslint-visitor-keys: 3.4.3 + + espree@9.6.1: + dependencies: + acorn: 8.12.1 + acorn-jsx: 5.3.2(acorn@8.12.1) + eslint-visitor-keys: 3.4.3 + + esprima@4.0.1: {} + + esquery@1.6.0: + dependencies: + estraverse: 5.3.0 + + esrecurse@4.3.0: + dependencies: + estraverse: 5.3.0 + + estraverse@4.3.0: {} + + estraverse@5.3.0: {} + + estree-walker@2.0.2: {} + + estree-walker@3.0.3: + dependencies: + '@types/estree': 1.0.5 + + esutils@2.0.3: {} + + etag@1.8.1: {} + + execa@5.1.1: + dependencies: + cross-spawn: 7.0.3 + get-stream: 6.0.1 + human-signals: 2.1.0 + is-stream: 2.0.1 + merge-stream: 2.0.0 + npm-run-path: 4.0.1 + onetime: 5.1.2 + signal-exit: 3.0.7 + strip-final-newline: 2.0.0 + + execa@8.0.1: + dependencies: + cross-spawn: 7.0.3 + get-stream: 8.0.1 + human-signals: 5.0.0 + is-stream: 3.0.0 + merge-stream: 2.0.0 + npm-run-path: 5.3.0 + onetime: 6.0.0 + signal-exit: 4.1.0 + strip-final-newline: 3.0.0 + + express@4.19.2: + dependencies: + accepts: 1.3.8 + array-flatten: 1.1.1 + body-parser: 1.20.2 + content-disposition: 0.5.4 + content-type: 1.0.5 + cookie: 0.6.0 + cookie-signature: 1.0.6 + debug: 2.6.9 + depd: 2.0.0 + encodeurl: 1.0.2 + escape-html: 1.0.3 + etag: 1.8.1 + finalhandler: 1.2.0 + fresh: 0.5.2 + http-errors: 2.0.0 + merge-descriptors: 1.0.1 + methods: 1.1.2 + on-finished: 2.4.1 + parseurl: 1.3.3 + path-to-regexp: 0.1.7 + proxy-addr: 2.0.7 + qs: 6.11.0 + range-parser: 1.2.1 + safe-buffer: 5.2.1 + send: 0.18.0 + serve-static: 1.15.0 + setprototypeof: 1.2.0 + statuses: 2.0.1 + type-is: 1.6.18 + utils-merge: 1.0.1 + vary: 1.1.2 + transitivePeerDependencies: + - supports-color + + fast-deep-equal@3.1.3: {} + + fast-glob@3.3.2: + dependencies: + '@nodelib/fs.stat': 2.0.5 + '@nodelib/fs.walk': 1.2.8 + glob-parent: 5.1.2 + merge2: 1.4.1 + micromatch: 4.0.7 + + fast-json-stable-stringify@2.1.0: {} + + fast-levenshtein@2.0.6: {} + + fastq@1.17.1: + dependencies: + reusify: 1.0.4 + + fd-package-json@1.2.0: + dependencies: + walk-up-path: 3.0.1 + + fflate@0.8.2: {} + + file-entry-cache@6.0.1: + dependencies: + flat-cache: 3.2.0 + + fill-range@7.1.1: + dependencies: + to-regex-range: 5.0.1 + + finalhandler@1.2.0: + dependencies: + debug: 2.6.9 + encodeurl: 1.0.2 + escape-html: 1.0.3 + on-finished: 2.4.1 + parseurl: 1.3.3 + statuses: 2.0.1 + unpipe: 1.0.0 + transitivePeerDependencies: + - supports-color + + find-cache-dir@2.1.0: + dependencies: + commondir: 1.0.1 + make-dir: 2.1.0 + pkg-dir: 3.0.0 + + find-cache-dir@3.3.2: + dependencies: + commondir: 1.0.1 + make-dir: 3.1.0 + pkg-dir: 4.2.0 + + find-up@3.0.0: + dependencies: + locate-path: 3.0.0 + + find-up@4.1.0: + dependencies: + locate-path: 5.0.0 + path-exists: 4.0.0 + + find-up@5.0.0: + dependencies: + locate-path: 6.0.0 + path-exists: 4.0.0 + + flat-cache@3.2.0: + dependencies: + flatted: 3.3.1 + keyv: 4.5.4 + rimraf: 3.0.2 + + flatted@3.3.1: {} + + flow-parser@0.243.0: {} + + follow-redirects@1.15.6: {} + + for-each@0.3.3: + dependencies: + is-callable: 1.2.7 + + foreground-child@3.3.0: + dependencies: + cross-spawn: 7.0.3 + signal-exit: 4.1.0 + + form-data@4.0.0: + dependencies: + asynckit: 0.4.0 + combined-stream: 1.0.8 + mime-types: 2.1.35 + + forwarded@0.2.0: {} + + fraction.js@4.3.7: {} + + fresh@0.5.2: {} + + fs-extra@11.2.0: + dependencies: + graceful-fs: 4.2.11 + jsonfile: 6.1.0 + universalify: 2.0.1 + + fs-minipass@2.1.0: + dependencies: + minipass: 3.3.6 + + fs.realpath@1.0.0: {} + + fsevents@2.3.2: + optional: true + + fsevents@2.3.3: + optional: true + + function-bind@1.1.2: {} + + functional-red-black-tree@1.0.1: {} + + gensync@1.0.0-beta.2: {} + + get-func-name@2.0.2: {} + + get-intrinsic@1.2.4: + dependencies: + es-errors: 1.3.0 + function-bind: 1.1.2 + has-proto: 1.0.3 + has-symbols: 1.0.3 + hasown: 2.0.2 + + get-stream@6.0.1: {} + + get-stream@8.0.1: {} + + giget@1.2.3: + dependencies: + citty: 0.1.6 + consola: 3.2.3 + defu: 6.1.4 + node-fetch-native: 1.6.4 + nypm: 0.3.9 + ohash: 1.1.3 + pathe: 1.1.2 + tar: 6.2.1 + + github-slugger@2.0.0: {} + + glob-parent@5.1.2: + dependencies: + is-glob: 4.0.3 + + glob-parent@6.0.2: + dependencies: + is-glob: 4.0.3 + + glob@10.4.5: + dependencies: + foreground-child: 3.3.0 + jackspeak: 3.4.3 + minimatch: 9.0.5 + minipass: 7.1.2 + package-json-from-dist: 1.0.0 + path-scurry: 1.11.1 + + glob@7.2.3: + dependencies: + fs.realpath: 1.0.0 + inflight: 1.0.6 + inherits: 2.0.4 + minimatch: 3.1.2 + once: 1.4.0 + path-is-absolute: 1.0.1 + + globals@11.12.0: {} + + globals@13.24.0: + dependencies: + type-fest: 0.20.2 + + globalyzer@0.1.0: {} + + globby@11.1.0: + dependencies: + array-union: 2.1.0 + dir-glob: 3.0.1 + fast-glob: 3.3.2 + ignore: 5.3.2 + merge2: 1.4.1 + slash: 3.0.0 + + globby@14.0.2: + dependencies: + '@sindresorhus/merge-streams': 2.3.0 + fast-glob: 3.3.2 + ignore: 5.3.2 + path-type: 5.0.0 + slash: 5.1.0 + unicorn-magic: 0.1.0 + + globrex@0.1.2: {} + + gopd@1.0.1: + dependencies: + get-intrinsic: 1.2.4 + + graceful-fs@4.2.11: {} + + graphemer@1.4.0: {} + + guess-json-indent@2.0.0: {} + + has-flag@3.0.0: {} + + has-flag@4.0.0: {} + + has-property-descriptors@1.0.2: + dependencies: + es-define-property: 1.0.0 + + has-proto@1.0.3: {} + + has-symbols@1.0.3: {} + + has-tostringtag@1.0.2: + dependencies: + has-symbols: 1.0.3 + + hasown@2.0.2: + dependencies: + function-bind: 1.1.2 + + hast-util-heading-rank@3.0.0: + dependencies: + '@types/hast': 3.0.4 + + hast-util-is-element@3.0.0: + dependencies: + '@types/hast': 3.0.4 + + hast-util-to-string@3.0.0: + dependencies: + '@types/hast': 3.0.4 + + html-encoding-sniffer@4.0.0: + dependencies: + whatwg-encoding: 3.1.1 + + html-escaper@2.0.2: {} + + htmlparser2-svelte@4.1.0: + dependencies: + domelementtype: 2.3.0 + domhandler: 3.3.0 + domutils: 2.8.0 + entities: 2.2.0 + + http-errors@2.0.0: + dependencies: + depd: 2.0.0 + inherits: 2.0.4 + setprototypeof: 1.2.0 + statuses: 2.0.1 + toidentifier: 1.0.1 + + http-proxy-agent@7.0.2: + dependencies: + agent-base: 7.1.1 + debug: 4.3.6 + transitivePeerDependencies: + - supports-color + + https-proxy-agent@7.0.5: + dependencies: + agent-base: 7.1.1 + debug: 4.3.6 + transitivePeerDependencies: + - supports-color + + human-signals@2.1.0: {} + + human-signals@5.0.0: {} + + iconv-lite@0.4.24: + dependencies: + safer-buffer: 2.1.2 + + iconv-lite@0.6.3: + dependencies: + safer-buffer: 2.1.2 + + ieee754@1.2.1: {} + + ignore@4.0.6: {} + + ignore@5.3.2: {} + + import-fresh@3.3.0: + dependencies: + parent-module: 1.0.1 + resolve-from: 4.0.0 + + import-meta-resolve@4.1.0: {} + + imurmurhash@0.1.4: {} + + indent-string@4.0.0: {} + + inflight@1.0.6: + dependencies: + once: 1.4.0 + wrappy: 1.0.2 + + inherits@2.0.4: {} + + ipaddr.js@1.9.1: {} + + is-absolute-url@4.0.1: {} + + is-arguments@1.1.1: + dependencies: + call-bind: 1.0.7 + has-tostringtag: 1.0.2 + + is-binary-path@2.1.0: + dependencies: + binary-extensions: 2.3.0 + + is-builtin-module@3.2.1: + dependencies: + builtin-modules: 3.3.0 + + is-callable@1.2.7: {} + + is-core-module@2.15.0: + dependencies: + hasown: 2.0.2 + + is-extglob@2.1.1: {} + + is-fullwidth-code-point@3.0.0: {} + + is-generator-function@1.0.10: + dependencies: + has-tostringtag: 1.0.2 + + is-glob@4.0.3: + dependencies: + is-extglob: 2.1.1 + + is-interactive@1.0.0: {} + + is-module@1.0.0: {} + + is-number@7.0.0: {} + + is-path-inside@3.0.3: {} + + is-plain-object@2.0.4: + dependencies: + isobject: 3.0.1 + + is-potential-custom-element-name@1.0.1: {} + + is-reference@1.2.1: + dependencies: + '@types/estree': 1.0.5 + + is-reference@3.0.2: + dependencies: + '@types/estree': 1.0.5 + + is-stream@2.0.1: {} + + is-stream@3.0.0: {} + + is-typed-array@1.1.13: + dependencies: + which-typed-array: 1.1.15 + + is-unicode-supported@0.1.0: {} + + isexe@2.0.0: {} + + isobject@3.0.1: {} + + istanbul-lib-coverage@3.2.2: {} + + istanbul-lib-report@3.0.1: + dependencies: + istanbul-lib-coverage: 3.2.2 + make-dir: 4.0.0 + supports-color: 7.2.0 + + istanbul-lib-source-maps@5.0.6: + dependencies: + '@jridgewell/trace-mapping': 0.3.25 + debug: 4.3.6 + istanbul-lib-coverage: 3.2.2 + transitivePeerDependencies: + - supports-color + + istanbul-reports@3.1.7: + dependencies: + html-escaper: 2.0.2 + istanbul-lib-report: 3.0.1 + + jackspeak@3.4.3: + dependencies: + '@isaacs/cliui': 8.0.2 + optionalDependencies: + '@pkgjs/parseargs': 0.11.0 + + jiti@1.21.6: {} + + joi@17.13.3: + dependencies: + '@hapi/hoek': 9.3.0 + '@hapi/topo': 5.1.0 + '@sideway/address': 4.1.5 + '@sideway/formula': 3.0.1 + '@sideway/pinpoint': 2.0.0 + optional: true + + js-tokens@4.0.0: {} + + js-tokens@9.0.0: {} + + js-yaml@4.1.0: + dependencies: + argparse: 2.0.1 + + jscodeshift@0.15.2(@babel/preset-env@7.25.3(@babel/core@7.25.2)): + dependencies: + '@babel/core': 7.25.2 + '@babel/parser': 7.25.3 + '@babel/plugin-transform-class-properties': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-modules-commonjs': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-nullish-coalescing-operator': 7.24.7(@babel/core@7.25.2) + '@babel/plugin-transform-optional-chaining': 7.24.8(@babel/core@7.25.2) + '@babel/plugin-transform-private-methods': 7.24.7(@babel/core@7.25.2) + '@babel/preset-flow': 7.24.7(@babel/core@7.25.2) + '@babel/preset-typescript': 7.24.7(@babel/core@7.25.2) + '@babel/register': 7.24.6(@babel/core@7.25.2) + babel-core: 7.0.0-bridge.0(@babel/core@7.25.2) + chalk: 4.1.2 + flow-parser: 0.243.0 + graceful-fs: 4.2.11 + micromatch: 4.0.7 + neo-async: 2.6.2 + node-dir: 0.1.17 + recast: 0.23.9 + temp: 0.8.4 + write-file-atomic: 2.4.3 + optionalDependencies: + '@babel/preset-env': 7.25.3(@babel/core@7.25.2) + transitivePeerDependencies: + - supports-color + + jsdom@24.1.1: + dependencies: + cssstyle: 4.0.1 + data-urls: 5.0.0 + decimal.js: 10.4.3 + form-data: 4.0.0 + html-encoding-sniffer: 4.0.0 + http-proxy-agent: 7.0.2 + https-proxy-agent: 7.0.5 + is-potential-custom-element-name: 1.0.1 + nwsapi: 2.2.12 + parse5: 7.1.2 + rrweb-cssom: 0.7.1 + saxes: 6.0.0 + symbol-tree: 3.2.4 + tough-cookie: 4.1.4 + w3c-xmlserializer: 5.0.0 + webidl-conversions: 7.0.0 + whatwg-encoding: 3.1.1 + whatwg-mimetype: 4.0.0 + whatwg-url: 14.0.0 + ws: 8.18.0 + xml-name-validator: 5.0.0 + transitivePeerDependencies: + - bufferutil + - supports-color + - utf-8-validate + + jsesc@0.5.0: {} + + jsesc@2.5.2: {} + + json-buffer@3.0.1: {} + + json-schema-to-ts@3.1.0: + dependencies: + '@babel/runtime': 7.25.0 + ts-algebra: 2.0.0 + optional: true + + json-schema-traverse@0.4.1: {} + + json-stable-stringify-without-jsonify@1.0.1: {} + + json5@2.2.3: {} + + jsonfile@6.1.0: + dependencies: + universalify: 2.0.1 + optionalDependencies: + graceful-fs: 4.2.11 + + jsonwebtoken@9.0.2: + dependencies: + jws: 3.2.2 + lodash.includes: 4.3.0 + lodash.isboolean: 3.0.3 + lodash.isinteger: 4.0.4 + lodash.isnumber: 3.0.3 + lodash.isplainobject: 4.0.6 + lodash.isstring: 4.0.1 + lodash.once: 4.1.1 + ms: 2.1.3 + semver: 7.6.3 + + just-clone@6.2.0: {} + + jwa@1.4.1: + dependencies: + buffer-equal-constant-time: 1.0.1 + ecdsa-sig-formatter: 1.0.11 + safe-buffer: 5.2.1 + + jws@3.2.2: + dependencies: + jwa: 1.4.1 + safe-buffer: 5.2.1 + + keyv@4.5.4: + dependencies: + json-buffer: 3.0.1 + + kind-of@6.0.3: {} + + kleur@3.0.3: {} + + kleur@4.1.5: {} + + known-css-properties@0.34.0: {} + + leven@3.1.0: {} + + levn@0.4.1: + dependencies: + prelude-ls: 1.2.1 + type-check: 0.4.0 + + lilconfig@2.1.0: {} + + lilconfig@3.1.2: {} + + lines-and-columns@1.2.4: {} + + local-pkg@0.5.0: + dependencies: + mlly: 1.7.1 + pkg-types: 1.1.3 + + locate-character@3.0.0: {} + + locate-path@3.0.0: + dependencies: + p-locate: 3.0.0 + path-exists: 3.0.0 + + locate-path@5.0.0: + dependencies: + p-locate: 4.1.0 + + locate-path@6.0.0: + dependencies: + p-locate: 5.0.0 + + lodash.castarray@4.4.0: {} + + lodash.debounce@4.0.8: {} + + lodash.includes@4.3.0: {} + + lodash.isboolean@3.0.3: {} + + lodash.isinteger@4.0.4: {} + + lodash.isnumber@3.0.3: {} + + lodash.isplainobject@4.0.6: {} + + lodash.isstring@4.0.1: {} + + lodash.merge@4.6.2: {} + + lodash.once@4.1.1: {} + + lodash@4.17.21: {} + + log-symbols@4.1.0: + dependencies: + chalk: 4.1.2 + is-unicode-supported: 0.1.0 + + loose-envify@1.4.0: + dependencies: + js-tokens: 4.0.0 + + loupe@2.3.7: + dependencies: + get-func-name: 2.0.2 + + lru-cache@10.4.3: {} + + lru-cache@5.1.1: + dependencies: + yallist: 3.1.1 + + lz-string@1.5.0: {} + + magic-string@0.30.11: + dependencies: + '@jridgewell/sourcemap-codec': 1.5.0 + + magicast@0.3.4: + dependencies: + '@babel/parser': 7.25.3 + '@babel/types': 7.25.2 + source-map-js: 1.2.0 + + make-dir@2.1.0: + dependencies: + pify: 4.0.1 + semver: 5.7.2 + + make-dir@3.1.0: + dependencies: + semver: 6.3.1 + + make-dir@4.0.0: + dependencies: + semver: 7.6.3 + + map-or-similar@1.5.0: {} + + markdown-to-jsx@7.4.7(react@18.3.1): + dependencies: + react: 18.3.1 + + mdn-data@2.0.30: {} + + media-typer@0.3.0: {} + + memoize-weak@1.0.2: {} + + memoizerific@1.11.3: + dependencies: + map-or-similar: 1.5.0 + + merge-descriptors@1.0.1: {} + + merge-stream@2.0.0: {} + + merge2@1.4.1: {} + + methods@1.1.2: {} + + micromatch@4.0.7: + dependencies: + braces: 3.0.3 + picomatch: 2.3.1 + + mime-db@1.52.0: {} + + mime-types@2.1.35: + dependencies: + mime-db: 1.52.0 + + mime@1.6.0: {} + + mimic-fn@2.1.0: {} + + mimic-fn@4.0.0: {} + + min-indent@1.0.1: {} + + mini-svg-data-uri@1.4.4: {} + + minimatch@3.1.2: + dependencies: + brace-expansion: 1.1.11 + + minimatch@9.0.5: + dependencies: + brace-expansion: 2.0.1 + + minimist@1.2.8: {} + + minipass@3.3.6: + dependencies: + yallist: 4.0.0 + + minipass@5.0.0: {} + + minipass@7.1.2: {} + + minizlib@2.1.2: + dependencies: + minipass: 3.3.6 + yallist: 4.0.0 + + mkdirp@0.5.6: + dependencies: + minimist: 1.2.8 + + mkdirp@1.0.4: {} + + mlly@1.7.1: + dependencies: + acorn: 8.12.1 + pathe: 1.1.2 + pkg-types: 1.1.3 + ufo: 1.5.4 + + mri@1.2.0: {} + + mrmime@2.0.0: {} + + ms@2.0.0: {} + + ms@2.1.2: {} + + ms@2.1.3: {} + + murmurhash3js@3.0.1: {} + + mz@2.7.0: + dependencies: + any-promise: 1.3.0 + object-assign: 4.1.1 + thenify-all: 1.6.0 + + nanoid@3.3.7: {} + + natural-compare@1.4.0: {} + + negotiator@0.6.3: {} + + neo-async@2.6.2: {} + + node-dir@0.1.17: + dependencies: + minimatch: 3.1.2 + + node-fetch-native@1.6.4: {} + + node-releases@2.0.18: {} + + normalize-path@3.0.0: {} + + normalize-range@0.1.2: {} + + normalize-url@8.0.1: + optional: true + + npm-run-path@4.0.1: + dependencies: + path-key: 3.1.1 + + npm-run-path@5.3.0: + dependencies: + path-key: 4.0.0 + + nwsapi@2.2.12: {} + + nypm@0.3.9: + dependencies: + citty: 0.1.6 + consola: 3.2.3 + execa: 8.0.1 + pathe: 1.1.2 + pkg-types: 1.1.3 + ufo: 1.5.4 + + object-assign@4.1.1: {} + + object-hash@3.0.0: {} + + object-inspect@1.13.2: {} + + octokit@3.1.2: + dependencies: + '@octokit/app': 14.1.0 + '@octokit/core': 5.2.0 + '@octokit/oauth-app': 6.1.0 + '@octokit/plugin-paginate-graphql': 4.0.1(@octokit/core@5.2.0) + '@octokit/plugin-paginate-rest': 9.2.1(@octokit/core@5.2.0) + '@octokit/plugin-rest-endpoint-methods': 10.4.1(@octokit/core@5.2.0) + '@octokit/plugin-retry': 6.0.1(@octokit/core@5.2.0) + '@octokit/plugin-throttling': 8.2.0(@octokit/core@5.2.0) + '@octokit/request-error': 5.1.0 + '@octokit/types': 12.4.0 + + ohash@1.1.3: {} + + on-finished@2.4.1: + dependencies: + ee-first: 1.1.1 + + once@1.4.0: + dependencies: + wrappy: 1.0.2 + + onetime@5.1.2: + dependencies: + mimic-fn: 2.1.0 + + onetime@6.0.0: + dependencies: + mimic-fn: 4.0.0 + + optionator@0.9.4: + dependencies: + deep-is: 0.1.4 + fast-levenshtein: 2.0.6 + levn: 0.4.1 + prelude-ls: 1.2.1 + type-check: 0.4.0 + word-wrap: 1.2.5 + + ora@5.4.1: + dependencies: + bl: 4.1.0 + chalk: 4.1.2 + cli-cursor: 3.1.0 + cli-spinners: 2.9.2 + is-interactive: 1.0.0 + is-unicode-supported: 0.1.0 + log-symbols: 4.1.0 + strip-ansi: 6.0.1 + wcwidth: 1.0.1 + + p-limit@2.3.0: + dependencies: + p-try: 2.2.0 + + p-limit@3.1.0: + dependencies: + yocto-queue: 0.1.0 + + p-limit@5.0.0: + dependencies: + yocto-queue: 1.1.1 + + p-locate@3.0.0: + dependencies: + p-limit: 2.3.0 + + p-locate@4.1.0: + dependencies: + p-limit: 2.3.0 + + p-locate@5.0.0: + dependencies: + p-limit: 3.1.0 + + p-try@2.2.0: {} + + package-json-from-dist@1.0.0: {} + + pako@1.0.11: {} + + parent-module@1.0.1: + dependencies: + callsites: 3.1.0 + + parse5-htmlparser2-tree-adapter@7.0.0: + dependencies: + domhandler: 5.0.3 + parse5: 7.1.2 + + parse5@7.1.2: + dependencies: + entities: 4.5.0 + + parseurl@1.3.3: {} + + path-exists@3.0.0: {} + + path-exists@4.0.0: {} + + path-is-absolute@1.0.1: {} + + path-key@3.1.1: {} + + path-key@4.0.0: {} + + path-parse@1.0.7: {} + + path-scurry@1.11.1: + dependencies: + lru-cache: 10.4.3 + minipass: 7.1.2 + + path-to-regexp@0.1.7: {} + + path-type@4.0.0: {} + + path-type@5.0.0: {} + + pathe@1.1.2: {} + + pathval@1.1.1: {} + + periscopic@3.1.0: + dependencies: + '@types/estree': 1.0.5 + estree-walker: 3.0.3 + is-reference: 3.0.2 + + picocolors@1.0.1: {} + + picomatch@2.3.1: {} + + pify@2.3.0: {} + + pify@4.0.1: {} + + pify@5.0.0: {} + + pirates@4.0.6: {} + + pkg-dir@3.0.0: + dependencies: + find-up: 3.0.0 + + pkg-dir@4.2.0: + dependencies: + find-up: 4.1.0 + + pkg-types@1.1.3: + dependencies: + confbox: 0.1.7 + mlly: 1.7.1 + pathe: 1.1.2 + + playwright-core@1.46.0: {} + + playwright@1.46.0: + dependencies: + playwright-core: 1.46.0 + optionalDependencies: + fsevents: 2.3.2 + + polished@4.3.1: + dependencies: + '@babel/runtime': 7.25.0 + + possible-typed-array-names@1.0.0: {} + + postcss-import@15.1.0(postcss@8.4.41): + dependencies: + postcss: 8.4.41 + postcss-value-parser: 4.2.0 + read-cache: 1.0.0 + resolve: 1.22.8 + + postcss-js@4.0.1(postcss@8.4.41): + dependencies: + camelcase-css: 2.0.1 + postcss: 8.4.41 + + postcss-load-config@3.1.4(postcss@8.4.41): + dependencies: + lilconfig: 2.1.0 + yaml: 1.10.2 + optionalDependencies: + postcss: 8.4.41 + + postcss-load-config@4.0.2(postcss@8.4.41): + dependencies: + lilconfig: 3.1.2 + yaml: 2.5.0 + optionalDependencies: + postcss: 8.4.41 + + postcss-nested@6.2.0(postcss@8.4.41): + dependencies: + postcss: 8.4.41 + postcss-selector-parser: 6.1.2 + + postcss-safe-parser@6.0.0(postcss@8.4.41): + dependencies: + postcss: 8.4.41 + + postcss-scss@4.0.9(postcss@8.4.41): + dependencies: + postcss: 8.4.41 + + postcss-selector-parser@6.0.10: + dependencies: + cssesc: 3.0.0 + util-deprecate: 1.0.2 + + postcss-selector-parser@6.1.2: + dependencies: + cssesc: 3.0.0 + util-deprecate: 1.0.2 + + postcss-value-parser@4.2.0: {} + + postcss@8.4.41: + dependencies: + nanoid: 3.3.7 + picocolors: 1.0.1 + source-map-js: 1.2.0 + + posthog-node@3.1.3: + dependencies: + axios: 1.7.4 + rusha: 0.8.14 + transitivePeerDependencies: + - debug + + prelude-ls@1.2.1: {} + + prettier-plugin-svelte@3.2.6(prettier@3.3.3)(svelte@4.2.18): + dependencies: + prettier: 3.3.3 + svelte: 4.2.18 + + prettier@3.3.3: {} + + pretty-format@27.5.1: + dependencies: + ansi-regex: 5.0.1 + ansi-styles: 5.2.0 + react-is: 17.0.2 + + pretty-format@29.7.0: + dependencies: + '@jest/schemas': 29.6.3 + ansi-styles: 5.2.0 + react-is: 18.3.1 + + process@0.11.10: {} + + progress@2.0.3: {} + + prompts@2.4.2: + dependencies: + kleur: 3.0.3 + sisteransi: 1.0.5 + + property-expr@2.0.6: + optional: true + + proxy-addr@2.0.7: + dependencies: + forwarded: 0.2.0 + ipaddr.js: 1.9.1 + + proxy-from-env@1.1.0: {} + + psl@1.9.0: {} + + punycode@2.3.1: {} + + purgecss-from-html@6.0.0: + dependencies: + parse5: 7.1.2 + parse5-htmlparser2-tree-adapter: 7.0.0 + + purgecss@6.0.0: + dependencies: + commander: 12.1.0 + glob: 10.4.5 + postcss: 8.4.41 + postcss-selector-parser: 6.1.2 + + qs@6.11.0: + dependencies: + side-channel: 1.0.6 + + querystringify@2.2.0: {} + + queue-microtask@1.2.3: {} + + range-parser@1.2.1: {} + + raw-body@2.5.2: + dependencies: + bytes: 3.1.2 + http-errors: 2.0.0 + iconv-lite: 0.4.24 + unpipe: 1.0.0 + + react-colorful@5.6.1(react-dom@18.3.1(react@18.3.1))(react@18.3.1): + dependencies: + react: 18.3.1 + react-dom: 18.3.1(react@18.3.1) + + react-dom@18.3.1(react@18.3.1): + dependencies: + loose-envify: 1.4.0 + react: 18.3.1 + scheduler: 0.23.2 + + react-is@17.0.2: {} + + react-is@18.3.1: {} + + react@18.3.1: + dependencies: + loose-envify: 1.4.0 + + read-cache@1.0.0: + dependencies: + pify: 2.3.0 + + readable-stream@3.6.2: + dependencies: + inherits: 2.0.4 + string_decoder: 1.3.0 + util-deprecate: 1.0.2 + + readdirp@3.6.0: + dependencies: + picomatch: 2.3.1 + + recast@0.23.9: + dependencies: + ast-types: 0.16.1 + esprima: 4.0.1 + source-map: 0.6.1 + tiny-invariant: 1.3.3 + tslib: 2.6.3 + + redent@3.0.0: + dependencies: + indent-string: 4.0.0 + strip-indent: 3.0.0 + + regenerate-unicode-properties@10.1.1: + dependencies: + regenerate: 1.4.2 + + regenerate@1.4.2: {} + + regenerator-runtime@0.14.1: {} + + regenerator-transform@0.15.2: + dependencies: + '@babel/runtime': 7.25.0 + + regexpp@3.2.0: {} + + regexpu-core@5.3.2: + dependencies: + '@babel/regjsgen': 0.8.0 + regenerate: 1.4.2 + regenerate-unicode-properties: 10.1.1 + regjsparser: 0.9.1 + unicode-match-property-ecmascript: 2.0.0 + unicode-match-property-value-ecmascript: 2.1.0 + + regjsparser@0.9.1: + dependencies: + jsesc: 0.5.0 + + rehype-external-links@3.0.0: + dependencies: + '@types/hast': 3.0.4 + '@ungap/structured-clone': 1.2.0 + hast-util-is-element: 3.0.0 + is-absolute-url: 4.0.1 + space-separated-tokens: 2.0.2 + unist-util-visit: 5.0.0 + + rehype-slug@6.0.0: + dependencies: + '@types/hast': 3.0.4 + github-slugger: 2.0.0 + hast-util-heading-rank: 3.0.0 + hast-util-to-string: 3.0.0 + unist-util-visit: 5.0.0 + + requireindex@1.2.0: {} + + requires-port@1.0.0: {} + + resolve-from@4.0.0: {} + + resolve@1.22.8: + dependencies: + is-core-module: 2.15.0 + path-parse: 1.0.7 + supports-preserve-symlinks-flag: 1.0.0 + + restore-cursor@3.1.0: + dependencies: + onetime: 5.1.2 + signal-exit: 3.0.7 + + reusify@1.0.4: {} + + rimraf@2.6.3: + dependencies: + glob: 7.2.3 + + rimraf@2.7.1: + dependencies: + glob: 7.2.3 + + rimraf@3.0.2: + dependencies: + glob: 7.2.3 + + rollup@4.20.0: + dependencies: + '@types/estree': 1.0.5 + optionalDependencies: + '@rollup/rollup-android-arm-eabi': 4.20.0 + '@rollup/rollup-android-arm64': 4.20.0 + '@rollup/rollup-darwin-arm64': 4.20.0 + '@rollup/rollup-darwin-x64': 4.20.0 + '@rollup/rollup-linux-arm-gnueabihf': 4.20.0 + '@rollup/rollup-linux-arm-musleabihf': 4.20.0 + '@rollup/rollup-linux-arm64-gnu': 4.20.0 + '@rollup/rollup-linux-arm64-musl': 4.20.0 + '@rollup/rollup-linux-powerpc64le-gnu': 4.20.0 + '@rollup/rollup-linux-riscv64-gnu': 4.20.0 + '@rollup/rollup-linux-s390x-gnu': 4.20.0 + '@rollup/rollup-linux-x64-gnu': 4.20.0 + '@rollup/rollup-linux-x64-musl': 4.20.0 + '@rollup/rollup-win32-arm64-msvc': 4.20.0 + '@rollup/rollup-win32-ia32-msvc': 4.20.0 + '@rollup/rollup-win32-x64-msvc': 4.20.0 + fsevents: 2.3.3 + + rrweb-cssom@0.6.0: {} + + rrweb-cssom@0.7.1: {} + + run-parallel@1.2.0: + dependencies: + queue-microtask: 1.2.3 + + rusha@0.8.14: {} + + sade@1.8.1: + dependencies: + mri: 1.2.0 + + safe-buffer@5.2.1: {} + + safer-buffer@2.1.2: {} + + sander@0.5.1: + dependencies: + es6-promise: 3.3.1 + graceful-fs: 4.2.11 + mkdirp: 0.5.6 + rimraf: 2.7.1 + + saxes@6.0.0: + dependencies: + xmlchars: 2.2.0 + + scheduler@0.23.2: + dependencies: + loose-envify: 1.4.0 + + semver@5.7.2: {} + + semver@6.3.1: {} + + semver@7.6.3: {} + + send@0.18.0: + dependencies: + debug: 2.6.9 + depd: 2.0.0 + destroy: 1.2.0 + encodeurl: 1.0.2 + escape-html: 1.0.3 + etag: 1.8.1 + fresh: 0.5.2 + http-errors: 2.0.0 + mime: 1.6.0 + ms: 2.1.3 + on-finished: 2.4.1 + range-parser: 1.2.1 + statuses: 2.0.1 + transitivePeerDependencies: + - supports-color + + seroval@0.5.1: {} + + serve-static@1.15.0: + dependencies: + encodeurl: 1.0.2 + escape-html: 1.0.3 + parseurl: 1.3.3 + send: 0.18.0 + transitivePeerDependencies: + - supports-color + + set-cookie-parser@2.7.0: {} + + set-function-length@1.2.2: + dependencies: + define-data-property: 1.1.4 + es-errors: 1.3.0 + function-bind: 1.1.2 + get-intrinsic: 1.2.4 + gopd: 1.0.1 + has-property-descriptors: 1.0.2 + + setprototypeof@1.2.0: {} + + sha.js@2.4.11: + dependencies: + inherits: 2.0.4 + safe-buffer: 5.2.1 + + shallow-clone@3.0.1: + dependencies: + kind-of: 6.0.3 + + shebang-command@2.0.0: + dependencies: + shebang-regex: 3.0.0 + + shebang-regex@3.0.0: {} + + side-channel@1.0.6: + dependencies: + call-bind: 1.0.7 + es-errors: 1.3.0 + get-intrinsic: 1.2.4 + object-inspect: 1.13.2 + + siginfo@2.0.0: {} + + signal-exit@3.0.7: {} + + signal-exit@4.1.0: {} + + sirv@2.0.4: + dependencies: + '@polka/url': 1.0.0-next.25 + mrmime: 2.0.0 + totalist: 3.0.1 + + sisteransi@1.0.5: {} + + slash@3.0.0: {} + + slash@5.1.0: {} + + solid-js@1.6.12: + dependencies: + csstype: 3.1.3 + + solid-js@1.7.11: + dependencies: + csstype: 3.1.3 + seroval: 0.5.1 + + sorcery@0.11.1: + dependencies: + '@jridgewell/sourcemap-codec': 1.5.0 + buffer-crc32: 1.0.0 + minimist: 1.2.8 + sander: 0.5.1 + + source-map-js@1.2.0: {} + + source-map-support@0.5.21: + dependencies: + buffer-from: 1.1.2 + source-map: 0.6.1 + + source-map@0.6.1: {} + + space-separated-tokens@2.0.2: {} + + stackback@0.0.2: {} + + statuses@2.0.1: {} + + std-env@3.7.0: {} + + storybook@8.2.9(@babel/preset-env@7.25.3(@babel/core@7.25.2)): + dependencies: + '@babel/core': 7.25.2 + '@babel/types': 7.25.2 + '@storybook/codemod': 8.2.9 + '@storybook/core': 8.2.9 + '@types/semver': 7.5.8 + '@yarnpkg/fslib': 2.10.3 + '@yarnpkg/libzip': 2.3.0 + chalk: 4.1.2 + commander: 6.2.1 + cross-spawn: 7.0.3 + detect-indent: 6.1.0 + envinfo: 7.13.0 + execa: 5.1.1 + fd-package-json: 1.2.0 + find-up: 5.0.0 + fs-extra: 11.2.0 + giget: 1.2.3 + globby: 14.0.2 + jscodeshift: 0.15.2(@babel/preset-env@7.25.3(@babel/core@7.25.2)) + leven: 3.1.0 + ora: 5.4.1 + prettier: 3.3.3 + prompts: 2.4.2 + semver: 7.6.3 + strip-json-comments: 3.1.1 + tempy: 3.1.0 + tiny-invariant: 1.3.3 + ts-dedent: 2.2.0 + transitivePeerDependencies: + - '@babel/preset-env' + - bufferutil + - supports-color + - utf-8-validate + + string-width@4.2.3: + dependencies: + emoji-regex: 8.0.0 + is-fullwidth-code-point: 3.0.0 + strip-ansi: 6.0.1 + + string-width@5.1.2: + dependencies: + eastasianwidth: 0.2.0 + emoji-regex: 9.2.2 + strip-ansi: 7.1.0 + + string_decoder@1.3.0: + dependencies: + safe-buffer: 5.2.1 + + strip-ansi@6.0.1: + dependencies: + ansi-regex: 5.0.1 + + strip-ansi@7.1.0: + dependencies: + ansi-regex: 6.0.1 + + strip-final-newline@2.0.0: {} + + strip-final-newline@3.0.0: {} + + strip-indent@3.0.0: + dependencies: + min-indent: 1.0.1 + + strip-json-comments@3.1.1: {} + + strip-literal@2.1.0: + dependencies: + js-tokens: 9.0.0 + + sucrase@3.35.0: + dependencies: + '@jridgewell/gen-mapping': 0.3.5 + commander: 4.1.1 + glob: 10.4.5 + lines-and-columns: 1.2.4 + mz: 2.7.0 + pirates: 4.0.6 + ts-interface-checker: 0.1.13 + + superstruct@2.0.2: + optional: true + + supports-color@5.5.0: + dependencies: + has-flag: 3.0.0 + + supports-color@7.2.0: + dependencies: + has-flag: 4.0.0 + + supports-preserve-symlinks-flag@1.0.0: {} + + svelte-check@3.8.5(@babel/core@7.25.2)(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(svelte@4.2.18): + dependencies: + '@jridgewell/trace-mapping': 0.3.25 + chokidar: 3.6.0 + picocolors: 1.0.1 + sade: 1.8.1 + svelte: 4.2.18 + svelte-preprocess: 5.1.4(@babel/core@7.25.2)(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(svelte@4.2.18)(typescript@5.5.4) + typescript: 5.5.4 + transitivePeerDependencies: + - '@babel/core' + - coffeescript + - less + - postcss + - postcss-load-config + - pug + - sass + - stylus + - sugarss + + svelte-eslint-parser@0.41.0(svelte@4.2.18): + dependencies: + eslint-scope: 7.2.2 + eslint-visitor-keys: 3.4.3 + espree: 9.6.1 + postcss: 8.4.41 + postcss-scss: 4.0.9(postcss@8.4.41) + optionalDependencies: + svelte: 4.2.18 + + svelte-hmr@0.16.0(svelte@4.2.18): + dependencies: + svelte: 4.2.18 + + svelte-multiselect@10.3.0: + dependencies: + svelte: 4.2.12 + + svelte-persisted-store@0.11.0(svelte@4.2.18): + dependencies: + svelte: 4.2.18 + + svelte-preprocess@5.1.4(@babel/core@7.25.2)(postcss-load-config@4.0.2(postcss@8.4.41))(postcss@8.4.41)(svelte@4.2.18)(typescript@5.5.4): + dependencies: + '@types/pug': 2.0.10 + detect-indent: 6.1.0 + magic-string: 0.30.11 + sorcery: 0.11.1 + strip-indent: 3.0.0 + svelte: 4.2.18 + optionalDependencies: + '@babel/core': 7.25.2 + postcss: 8.4.41 + postcss-load-config: 4.0.2(postcss@8.4.41) + typescript: 5.5.4 + + svelte-typewriter@3.2.3(svelte@4.2.18): + dependencies: + '@formatjs/intl-segmenter': 11.5.7 + svelte: 4.2.18 + + svelte@4.2.12: + dependencies: + '@ampproject/remapping': 2.3.0 + '@jridgewell/sourcemap-codec': 1.5.0 + '@jridgewell/trace-mapping': 0.3.25 + '@types/estree': 1.0.5 + acorn: 8.12.1 + aria-query: 5.3.0 + axobject-query: 4.1.0 + code-red: 1.0.4 + css-tree: 2.3.1 + estree-walker: 3.0.3 + is-reference: 3.0.2 + locate-character: 3.0.0 + magic-string: 0.30.11 + periscopic: 3.1.0 + + svelte@4.2.18: + dependencies: + '@ampproject/remapping': 2.3.0 + '@jridgewell/sourcemap-codec': 1.5.0 + '@jridgewell/trace-mapping': 0.3.25 + '@types/estree': 1.0.5 + acorn: 8.12.1 + aria-query: 5.3.0 + axobject-query: 4.1.0 + code-red: 1.0.4 + css-tree: 2.3.1 + estree-walker: 3.0.3 + is-reference: 3.0.2 + locate-character: 3.0.0 + magic-string: 0.30.11 + periscopic: 3.1.0 + + sveltedoc-parser@4.2.1: + dependencies: + eslint: 8.4.1 + espree: 9.2.0 + htmlparser2-svelte: 4.1.0 + transitivePeerDependencies: + - supports-color + + sveltekit-flash-message@2.4.4(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18): + dependencies: + '@sveltejs/kit': 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + svelte: 4.2.18 + + sveltekit-rate-limiter@0.5.2(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15))): + dependencies: + '@isaacs/ttlcache': 1.4.1 + '@sveltejs/kit': 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + + sveltekit-superforms@2.17.0(@sveltejs/kit@2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18): + dependencies: + '@sveltejs/kit': 2.5.22(@sveltejs/vite-plugin-svelte@3.1.1(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)))(svelte@4.2.18)(vite@5.4.1(@types/node@20.14.15)) + devalue: 5.0.0 + just-clone: 6.2.0 + memoize-weak: 1.0.2 + svelte: 4.2.18 + ts-deepmerge: 7.0.1 + optionalDependencies: + '@exodus/schemasafe': 1.3.0 + '@gcornut/valibot-json-schema': 0.31.0 + '@sinclair/typebox': 0.32.35 + '@sodaru/yup-to-json-schema': 2.0.1 + '@vinejs/vine': 1.8.0 + arktype: 2.0.0-beta.0 + joi: 17.13.3 + json-schema-to-ts: 3.1.0 + superstruct: 2.0.2 + valibot: 0.35.0 + yup: 1.4.0 + zod: 3.23.8 + zod-to-json-schema: 3.23.2(zod@3.23.8) + + symbol-tree@3.2.4: {} + + tailwindcss@3.4.10: + dependencies: + '@alloc/quick-lru': 5.2.0 + arg: 5.0.2 + chokidar: 3.6.0 + didyoumean: 1.2.2 + dlv: 1.1.3 + fast-glob: 3.3.2 + glob-parent: 6.0.2 + is-glob: 4.0.3 + jiti: 1.21.6 + lilconfig: 2.1.0 + micromatch: 4.0.7 + normalize-path: 3.0.0 + object-hash: 3.0.0 + picocolors: 1.0.1 + postcss: 8.4.41 + postcss-import: 15.1.0(postcss@8.4.41) + postcss-js: 4.0.1(postcss@8.4.41) + postcss-load-config: 4.0.2(postcss@8.4.41) + postcss-nested: 6.2.0(postcss@8.4.41) + postcss-selector-parser: 6.1.2 + resolve: 1.22.8 + sucrase: 3.35.0 + transitivePeerDependencies: + - ts-node + + tar@6.2.1: + dependencies: + chownr: 2.0.0 + fs-minipass: 2.1.0 + minipass: 5.0.0 + minizlib: 2.1.2 + mkdirp: 1.0.4 + yallist: 4.0.0 + + telejson@7.2.0: + dependencies: + memoizerific: 1.11.3 + + temp-dir@3.0.0: {} + + temp@0.8.4: + dependencies: + rimraf: 2.6.3 + + tempy@3.1.0: + dependencies: + is-stream: 3.0.0 + temp-dir: 3.0.0 + type-fest: 2.19.0 + unique-string: 3.0.0 + + test-exclude@6.0.0: + dependencies: + '@istanbuljs/schema': 0.1.3 + glob: 7.2.3 + minimatch: 3.1.2 + + text-table@0.2.0: {} + + thenify-all@1.6.0: + dependencies: + thenify: 3.3.1 + + thenify@3.3.1: + dependencies: + any-promise: 1.3.0 + + throttle-debounce@5.0.2: {} + + tiny-case@1.0.3: + optional: true + + tiny-glob@0.2.9: + dependencies: + globalyzer: 0.1.0 + globrex: 0.1.2 + + tiny-invariant@1.3.3: {} + + tinybench@2.9.0: {} + + tinypool@0.8.4: {} + + tinyspy@2.2.1: {} + + to-fast-properties@2.0.0: {} + + to-regex-range@5.0.1: + dependencies: + is-number: 7.0.0 + + toidentifier@1.0.1: {} + + toposort@2.0.2: + optional: true + + totalist@3.0.1: {} + + tough-cookie@4.1.4: + dependencies: + psl: 1.9.0 + punycode: 2.3.1 + universalify: 0.2.0 + url-parse: 1.5.10 + + tr46@5.0.0: + dependencies: + punycode: 2.3.1 + + ts-algebra@2.0.0: + optional: true + + ts-api-utils@1.3.0(typescript@5.5.4): + dependencies: + typescript: 5.5.4 + + ts-dedent@2.2.0: {} + + ts-deepmerge@7.0.1: {} + + ts-interface-checker@0.1.13: {} + + tslib@1.14.1: {} + + tslib@2.3.0: {} + + tslib@2.4.0: + optional: true + + tslib@2.6.3: {} + + tsutils@3.21.0(typescript@5.5.4): + dependencies: + tslib: 1.14.1 + typescript: 5.5.4 + + type-check@0.4.0: + dependencies: + prelude-ls: 1.2.1 + + type-detect@4.1.0: {} + + type-fest@0.20.2: {} + + type-fest@1.4.0: {} + + type-fest@2.19.0: {} + + type-is@1.6.18: + dependencies: + media-typer: 0.3.0 + mime-types: 2.1.35 + + typescript@5.5.4: {} + + ufo@1.5.4: {} + + undici-types@5.26.5: {} + + unicode-canonical-property-names-ecmascript@2.0.0: {} + + unicode-match-property-ecmascript@2.0.0: + dependencies: + unicode-canonical-property-names-ecmascript: 2.0.0 + unicode-property-aliases-ecmascript: 2.1.0 + + unicode-match-property-value-ecmascript@2.1.0: {} + + unicode-property-aliases-ecmascript@2.1.0: {} + + unicorn-magic@0.1.0: {} + + unique-string@3.0.0: + dependencies: + crypto-random-string: 4.0.0 + + unist-util-is@6.0.0: + dependencies: + '@types/unist': 3.0.3 + + unist-util-visit-parents@6.0.1: + dependencies: + '@types/unist': 3.0.3 + unist-util-is: 6.0.0 + + unist-util-visit@5.0.0: + dependencies: + '@types/unist': 3.0.3 + unist-util-is: 6.0.0 + unist-util-visit-parents: 6.0.1 + + universal-github-app-jwt@1.1.2: + dependencies: + '@types/jsonwebtoken': 9.0.6 + jsonwebtoken: 9.0.2 + + universal-user-agent@6.0.1: {} + + universalify@0.2.0: {} + + universalify@2.0.1: {} + + unpipe@1.0.0: {} + + unplugin@1.12.2: + dependencies: + acorn: 8.12.1 + chokidar: 3.6.0 + webpack-sources: 3.2.3 + webpack-virtual-modules: 0.6.2 + + unplugin@1.5.1: + dependencies: + acorn: 8.12.1 + chokidar: 3.6.0 + webpack-sources: 3.2.3 + webpack-virtual-modules: 0.6.2 + + update-browserslist-db@1.1.0(browserslist@4.23.3): + dependencies: + browserslist: 4.23.3 + escalade: 3.1.2 + picocolors: 1.0.1 + + uri-js@4.4.1: + dependencies: + punycode: 2.3.1 + + url-parse@1.5.10: + dependencies: + querystringify: 2.2.0 + requires-port: 1.0.0 + + util-deprecate@1.0.2: {} + + util@0.12.5: + dependencies: + inherits: 2.0.4 + is-arguments: 1.1.1 + is-generator-function: 1.0.10 + is-typed-array: 1.1.13 + which-typed-array: 1.1.15 + + utils-merge@1.0.1: {} + + uuid@9.0.1: {} + + v8-compile-cache@2.4.0: {} + + valibot@0.31.1: + optional: true + + valibot@0.35.0: + optional: true + + validator@13.12.0: + optional: true + + vary@1.1.2: {} + + vite-node@1.6.0(@types/node@20.14.15): + dependencies: + cac: 6.7.14 + debug: 4.3.6 + pathe: 1.1.2 + picocolors: 1.0.1 + vite: 5.4.1(@types/node@20.14.15) + transitivePeerDependencies: + - '@types/node' + - less + - lightningcss + - sass + - sass-embedded + - stylus + - sugarss + - supports-color + - terser + + vite-plugin-tailwind-purgecss@0.3.3(tailwindcss@3.4.10)(vite@5.4.1(@types/node@20.14.15)): + dependencies: + chalk: 5.3.0 + css-tree: 2.3.1 + fast-glob: 3.3.2 + purgecss: 6.0.0 + purgecss-from-html: 6.0.0 + tailwindcss: 3.4.10 + vite: 5.4.1(@types/node@20.14.15) + + vite@5.4.1(@types/node@20.14.15): + dependencies: + esbuild: 0.21.5 + postcss: 8.4.41 + rollup: 4.20.0 + optionalDependencies: + '@types/node': 20.14.15 + fsevents: 2.3.3 + + vitefu@0.2.5(vite@5.4.1(@types/node@20.14.15)): + optionalDependencies: + vite: 5.4.1(@types/node@20.14.15) + + vitest@1.6.0(@types/node@20.14.15)(@vitest/ui@1.6.0)(jsdom@24.1.1): + dependencies: + '@vitest/expect': 1.6.0 + '@vitest/runner': 1.6.0 + '@vitest/snapshot': 1.6.0 + '@vitest/spy': 1.6.0 + '@vitest/utils': 1.6.0 + acorn-walk: 8.3.3 + chai: 4.5.0 + debug: 4.3.6 + execa: 8.0.1 + local-pkg: 0.5.0 + magic-string: 0.30.11 + pathe: 1.1.2 + picocolors: 1.0.1 + std-env: 3.7.0 + strip-literal: 2.1.0 + tinybench: 2.9.0 + tinypool: 0.8.4 + vite: 5.4.1(@types/node@20.14.15) + vite-node: 1.6.0(@types/node@20.14.15) + why-is-node-running: 2.3.0 + optionalDependencies: + '@types/node': 20.14.15 + '@vitest/ui': 1.6.0(vitest@1.6.0) + jsdom: 24.1.1 + transitivePeerDependencies: + - less + - lightningcss + - sass + - sass-embedded + - stylus + - sugarss + - supports-color + - terser + + w3c-xmlserializer@5.0.0: + dependencies: + xml-name-validator: 5.0.0 + + walk-up-path@3.0.1: {} + + wcwidth@1.0.1: + dependencies: + defaults: 1.0.4 + + webidl-conversions@7.0.0: {} + + webpack-sources@3.2.3: {} + + webpack-virtual-modules@0.6.2: {} + + whatwg-encoding@3.1.1: + dependencies: + iconv-lite: 0.6.3 + + whatwg-mimetype@4.0.0: {} + + whatwg-url@14.0.0: + dependencies: + tr46: 5.0.0 + webidl-conversions: 7.0.0 + + which-typed-array@1.1.15: + dependencies: + available-typed-arrays: 1.0.7 + call-bind: 1.0.7 + for-each: 0.3.3 + gopd: 1.0.1 + has-tostringtag: 1.0.2 + + which@2.0.2: + dependencies: + isexe: 2.0.0 + + why-is-node-running@2.3.0: + dependencies: + siginfo: 2.0.0 + stackback: 0.0.2 + + word-wrap@1.2.5: {} + + wrap-ansi@7.0.0: + dependencies: + ansi-styles: 4.3.0 + string-width: 4.2.3 + strip-ansi: 6.0.1 + + wrap-ansi@8.1.0: + dependencies: + ansi-styles: 6.2.1 + string-width: 5.1.2 + strip-ansi: 7.1.0 + + wrappy@1.0.2: {} + + write-file-atomic@2.4.3: + dependencies: + graceful-fs: 4.2.11 + imurmurhash: 0.1.4 + signal-exit: 3.0.7 + + ws@8.18.0: {} + + xml-name-validator@5.0.0: {} + + xmlchars@2.2.0: {} + + yallist@3.1.1: {} + + yallist@4.0.0: {} + + yaml@1.10.2: {} + + yaml@2.5.0: {} + + yocto-queue@0.1.0: {} + + yocto-queue@1.1.1: {} + + yup@1.4.0: + dependencies: + property-expr: 2.0.6 + tiny-case: 1.0.3 + toposort: 2.0.2 + type-fest: 2.19.0 + optional: true + + zod-to-json-schema@3.23.2(zod@3.23.8): + dependencies: + zod: 3.23.8 + optional: true + + zod@3.23.8: {} + + zrender@5.6.0: + dependencies: + tslib: 2.3.0 diff --git a/enterprise/frontend/src/lib/components/Forms/ModelForm.svelte b/enterprise/frontend/src/lib/components/Forms/ModelForm.svelte new file mode 100644 index 000000000..c92890ac2 --- /dev/null +++ b/enterprise/frontend/src/lib/components/Forms/ModelForm.svelte @@ -0,0 +1,1083 @@ + + + createModalCache.deleteCache(model.urlModel)} + {...$$restProps} +> + + + + {#if shape.reference_control} + { + if (e.detail) { + await fetch(`/reference-controls/${e.detail}`) + .then((r) => r.json()) + .then((r) => { + form.form.update((currentData) => { + if ( + context === 'edit' && + currentData['reference_control'] === initialData['reference_control'] && + !updated_fields.has('reference_control') + ) { + return currentData; // Keep the current values in the edit form. + } + updated_fields.add('reference_control'); + return { ...currentData, category: r.category, csf_function: r.csf_function }; + }); + }); + } + }} + /> + {/if} + {#if shape.name} + + {/if} + {#if shape.description} +