1. Overview
OPS-05 Protection Against Malware - Implementation
| Designation | Standard |
| OPS-05.01B | System components under the cloud service provider's responsibility that are used to operate the cloud service in the production environment are configured with malware protection according to the policies and procedures. Protection against malicious programmes can be implemented by operating system-specific protection mechanisms or explicit protection programmes (e.g. for signature- and behaviour-based detection and removal of malicious programmes). If the cloud service provider operates malware protected containers or virtual machines to provide the cloud service, the malware protection should include container-specific measures. This can include, for example, monitoring the container images and the container runtime, and due to the frequent start and stop of the containers, real-time scans and -monitoring processes. For end-devices used by the personnel of the cloud service provider, the applicability of this subcriterion is determined based on the risk assessment performed according to AM-08. |
| OPS-05.02B | If protection programmes are set up with signature or behaviour-based malware detection and removal, these protection programmes are regularly updated with the latest malware definitions when they are available, at least on a daily basis. Protection against malicious programmes can be implemented by operating system-specific protection mechanisms or explicit protection programmes (e.g. for signature- and behaviour-based detection and removal of malicious programmes). If the cloud service provider operates malware protected containers or virtual machines to provide the cloud service, the malware protection should include container-specific measures. This can include, for example, monitoring the container images and the container runtime, and due to the frequent start and stop of the containers, real-time scans and -monitoring processes. |
| OPS-05.03B | The cloud service provider creates regular reports on the checks performed by the operated protection programmes, which are reviewed and analysed by authorised individuals, bodies or committees. |
| OPS-05.01AC | Policies and procedures describe the technical measures taken to securely configure and monitor the management console (both the customer's self-service and the service provider's cloud administration) to protect it from malware. |
| OPS-05.02AC | The configuration of the protection mechanisms is monitored automatically. |
| OPS-05.03AC | Deviations from the specifications are automatically reported to the cloud service provider's subject matter experts so that they can be immediately assessed and the necessary measures taken. |
| OPS-05.02AS | If protection programmes are set up with signature and behaviour-based malware detection and removal, these protection programmes are regularly updated with the latest malware definitions when they are available, at the highest frequency that the vendor(s) offer(s) where applicable. Protection against malicious programmes can be implemented by operating system-specific protection mechanisms or explicit protection programmes (e.g. for signature- and behaviour-based detection and removal of malicious programmes). If the cloud service provider operates malware protected containers or virtual machines to provide the cloud service, the malware protection should include container-specific measures. This can include, for example, monitoring the container images and the container runtime, and due to the frequent start and stop of the containers, real-time scans and -monitoring processes. |
| OPS-05 Supplementary Information - Complementary Customer Criteria | Cloud service customers ensure with suitable controls that the layers of the cloud service which they are responsible for have security products in place to detect and remove malware. |
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |