INQ-04.02B

1. Overview

INQ-04.02B

The type and scope of the information provided to the cloud service customers is based on the needs of their expert personnel to assess risks to the cloud service customer's data confidentiality. At a minimum, the following aspects are addressed:

1. The process for the provision and disclosure of cloud service customer data in response to legitimate investigation requests;
2. The technical capabilities and limitations of the cloud service provider regarding disclosure of cloud service customer data;
3. Logging mechanisms implemented to record access for disclosure of cloud service customer data;
4. Access possibilities for cloud service customers to review such logs;
5. Methods and technical procedures per service for accessing and disclosing cloud service customer data; and
6. Laws, regulations, or other legal means and their applicability concerning the cloud service provider's ability to inform its customers about the provision and disclosure of cloud service customer data.


The criterion is limited to cloud service customer data. The cloud service provider typically has access to other data types, such as cloud service derived data and account data, such that extending the criterion to those other data types may not lead to useful information for customers' risk management. Technical capabilities and limitations to access cloud service customer data include aspects such as:

1. If the cloud service customers store their cloud service customer data in unencrypted form;
2. If the cloud service provider encrypts cloud service customer data in storage and transit;
3. Whether the cloud service provider has the ability to decrypt cloud service customer data in case of such requests and how this ability for access or disclosure is used;
4. Retention periods for cloud service derived data relating to the cloud service customer and whether such data is stored in encrypted form;
5. Possibilities for decrypting cloud service customer data or for extracting cloud service customer data during the decryption process;
6. Disclosure of user identities and credentials; and
7. Further measures that have been created or can be used for disclosing cloud service customer data.
Designation Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation