1. Overview

HR-01 Verification of Qualification and Trustworthiness

Designation | Standard

HR-01.01B

The cloud service provider identifies for the production environment which roles within the organisation can access cloud service customer data, cloud service derived data, cloud service provider data, account data or system components under the cloud service provider's responsibility.
This criterion applies to both existing and newly hired personnel. Roles with access to these data types or system components can, depending on their access rights, include, but are not limited to:
1. Cloud software engineers and developers;
2. Cloud architects and cloud infrastructure engineers;
3. Cloud platform engineers and DevOps engineers;
4. System operations engineers and managers;
5. Cloud operations engineers and managers;
6. Cloud network engineers and architecture leads;
7. Cloud security engineers, administrators and security architects;
8. Cloud security operations specialists and analysts;
9. Storage and database engineers;
10. Technical account managers and customer account managers;
11. Customer support engineers;
12. IAM administrators and access management specialists;
13. Cloud compliance managers and risk and compliance analysts; and
14. Information security officers and data protection officers.
Personnel refers to both internal and external personnel.

HR-01.02B

The competency and integrity of all internal and external personnel to whom these roles are assigned are verified prior to employment. The verification considers the following measures, to the extent permitted by local legislation and regulation and as considered appropriate by the cloud service provider to mitigate risks related to inappropriate access to the respective data type:
1. Verification of the person's identity via identity card or passport;
2. Verification of professional experience through the CV;
3. Verification of academic titles and degrees;
4. Request for a certificate of good conduct, police clearance or other national equivalents; and
5. Evaluation of susceptibility to blackmail.
This criterion applies to both existing and newly hired personnel. External personnel in the sense of this criterion are those who perform activities in accordance with the processes and procedures of the cloud service provider and who have potential access to cloud service customer data or cloud service derived data. Personnel of service organisations who perform activities according to the service organisation's own processes and procedures are not covered by this criterion.
Permissible verifications of competency and integrity are governed by applicable local laws and by the roles of the personnel. In some jurisdictions, the collection, processing or disclosure of such information is fundamentally restricted or even prohibited, so that it may not be obtainable at all, or only in a very limited form. Where permitted, explicit consent of the personnel may be required depending on the nature and scope of the checks. These legal constraints also apply to any analyses concerning susceptibility to blackmail.
The verification of qualification and trustworthiness can be supported by specialised service providers or be based on voluntary self-disclosure by the personnel. Depending on national legislation, national equivalents of the German certificate of good conduct ('Führungszeugnis') may also be permitted. Assessing the vulnerability of potential personnel to blackmail can involve evaluating their creditworthiness. However, depending on local regulations, this assessment may only be legally permissible for positions with significant financial responsibility.
Risks related to inappropriate access to cloud service customer data may be mitigated by the use of encryption or by monitoring system access for suspicious events. Although such measures are not intended to fully replace the verification measures described above, the extent of those verification measures may be reduced where such measures are in place.

HR-01.03B

The cloud service provider considers changes in personnel roles or employment status that may impact access rights, responsibilities, or risk exposure, and identifies and mitigates related risks.

HR-01.04B

The cloud service provider classifies security-sensitive positions according to their level of risk, including IT administration roles and any positions with access to cloud service customer data or to system components used to provide the cloud service in the production environment.

HR-01.05B

The cloud service provider assesses the competence and integrity of its personnel before transfer or promotion into a role with a higher risk classification.

HR-01.06B

The intensity of the assessment defined in this criterion is in proportion to the business context, the sensitivity of the information that the personnel will access, and the associated risks.

HR-01.01AC

The cloud service provider defines in its human resources policy the positions, with their levels and risk classification, that require regular assessment of competence and integrity. The cloud service provider annually reviews its assessment of competence and integrity for personnel in the defined positions.
Cloud service providers can implement various methods to assess the competence and integrity of personnel in high-risk positions, such as:
1. Self-disclosure of significant financial interests to determine conflicts of interest and susceptibility to blackmail;
2. Regular checking of certificates of good conduct, police clearance or other national equivalents;
3. Regular self-declaration of commitment to applicable policies and obligations;
4. Enforcing regular ethics and compliance training, including certification and testing of the personnel's understanding of applicable requirements and policies;
5. Enforcing regular participation in assessment centers to evaluate personnel's competence and integrity; and
6. Regular checks of personnel against national and international sanctions lists.
2. Identified Requirements

Source | Requirement

3. Related Regulations

Source | Regulation