
1. Overview

AM-01 Asset Management Framework

Designation Standard
AM-01.01B An asset management framework is documented, communicated and provided according to SP-01, in which the following aspects are described:

1. Identification of assets which are used to provide the cloud service in the production environment;
2. Definition of a scheme for identifying protection needs based on information processed, stored or transmitted on the asset;
3. Definition of asset types, considering at a minimum the differentiation of hardware and software objects;
4. Definition of asset lifecycles based on the asset type; and
5. Definition of procedures for inventory of hardware and software assets.


Assets within the meaning of this domain are the objects required for the information security of the cloud service during the creation, processing, storage, transmission, deletion or destruction of information in the cloud service provider's area of responsibility, e.g. firewalls, load balancers, web servers, application servers and database servers.

These objects consist of hardware and software objects.

Hardware objects include, but are not limited to:

1. Physical and virtual infrastructure resources (e.g. servers, storage systems, network components); and
2. End user devices if the cloud service provider has determined in a risk assessment that these could endanger the information security of the cloud service in the event of loss or unauthorised access (e.g. mobile devices used as security tokens for authentication).

Software objects include, but are not limited to, hypervisors, containers, operating systems, databases, microservices and application programming interfaces (APIs).

The lifecycle of an asset includes, depending on the asset type:

1. Acquisition;
2. Commissioning;
3. Maintenance;
4. Decommissioning; and
5. Disposal.

AM-01.01AC The information collected about assets is considered in logging and monitoring applications to:

1. Identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives; and
2. Support information provided to affected cloud service customers in accordance with contractual agreements.


AM-01.02AC The cloud service provider assures that the inventory of assets is up-to-date by implementing monitoring measures to the process that is maintaining it.


1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation