
1. Overview

INQ-01 Legal Assessment of Investigation Requests

Designation: Standard

INQ-01.01B: Investigation requests from government agencies for cloud service customer data, cloud service derived data and account data are subject to a documented legal assessment by subject matter experts of the cloud service provider. The assessment determines whether the government agency has an applicable and legally valid legal basis and what further steps need to be taken for the given request.

For evidence purposes, all requests that were completely processed during the specified period shall form the population for testing the operating effectiveness of controls to meet the criteria in this domain. All requests are to be included in the population, irrespective of whether they resulted in cloud service customer data or cloud service derived data being disclosed.

INQ-01.02B: Access to or disclosure of cloud service customer data, cloud service derived data or account data in response to government investigation requests is only permitted if the cloud service provider has performed a legal assessment. This assessment has to confirm that there is an applicable and valid legal basis and that the request must be granted according to this basis.

Disclosure of cloud service customer data to government agencies may include handing over encryption keys. The disclosure of keys should also be scrutinised in accordance with the INQ criteria. In particular, with reference to INQ-03, care should be taken to ensure that no other cloud service customer data is compromised by handing over a key.

INQ-01 Supplementary Information - Complementary Customer Criteria: Cloud service customers ensure with suitable controls that the type and scope of government agencies' investigation requests and the associated disclosure of their own data have been dealt with in their own risk management and that the use of the cloud service is only taken up or continued when this risk has been deemed acceptable.

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation