
1. Overview

OPS-10 Logging and Monitoring - Policies and Procedures

Designation Standard
OPS-10.01B: The cloud service provider has established policies and procedures that govern the logging and monitoring of events on system components within its area of responsibility. These policies and procedures are documented, communicated and provided according to SP-01 with respect to the following aspects:

1. Definition of events that could lead to a violation of the protection goals;
2. Specifications for activating, stopping and pausing the various logs;
3. Information regarding the purpose and retention period of the logs;
4. Definition of roles, responsibilities and authorities for setting up and monitoring logging;
5. Definition of log data allowed for transfer to cloud service customers and technical requirements of such a transfer;
6. Information regarding timestamps used in event creation;
7. Time synchronisation of system components with at least one approved time source that the cloud service provider considers to be reliable based on defined criteria. If several time sources are used, they are consistent with each other. The time sources can also be synchronised to several external reliable sources, except when used for isolated networks; and
8. Compliance with legal and regulatory frameworks.


Logs as referred to in the basic criterion include cloud service derived data and cloud service provider data.
Legal and regulatory frameworks can define e.g. legal requirements for retention and deletion of data.
OPS-10 Supplementary Information - Complementary Customer Criteria: Cloud service customers ensure with suitable controls that appropriate logging and monitoring of events that may affect the security and availability of the cloud service (e.g. administrator activities, system failures, authentication checks, data deletions, etc.) takes place for those layers of the cloud service under their responsibility.

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation