+OPS-25 Managing Vulnerabilities, Incidents and Crashes - Vulnerability Scans
---+OPS-25.01B
---+OPS-25.02B
---+OPS-25.03B
---+OPS-25.04B
---+OPS-25.01AC
---+OPS-25.01AS
---+OPS-25.02AS
---+OPS-25 Supplementary Information - Complementary Customer Criteria
1. Overview
OPS-25 Managing Vulnerabilities, Incidents and Crashes - Vulnerability Scans
| Designation | Standard |
OPS-25.01B
|
System components in the area of responsibility of the cloud service provider for the provision of the cloud service are subject to vulnerability scans at least once a month in accordance with the policies for handling vulnerabilities (cf. OPS-18). These vulnerability scans include a comparison of software component data against up-to-date vulnerability databases (e.g., CVE, EUVD) to identify known vulnerabilities.
In contrast to penetration tests (cf. OPS-22), which are carried out manually and according to an individual scheme, the check for open vulnerabilities is performed automatically, using so-called vulnerability scanners.
Definitions of the terms 'CVE' and 'EUVD', as well as other vulnerability-related terms, can be found in the supplementary information of criterion OPS-18.01B.
The software component data to be compared against up-to-date vulnerability databases can be, but does not have to be, obtained using a Software Bill of Materials (SBOM).
|
|
OPS-25.02B
|
The cloud service provider assesses the severity of vulnerabilities in accordance with defined criteria.
|
|
OPS-25.03B
|
Measures for timely remediation or mitigation are initiated within a defined time frame.
|
|
OPS-25.04B
|
The results of the vulnerability scans are used to update the cloud service provider's SIEM system (cf. OPS-13) rules, enabling the system to detect when known vulnerabilities are being actively exploited.
|
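Supplementary illustration, added here and not part of the C5 criteria text: one way to feed scan results into SIEM detection content as OPS-25.04B requires. The scan says which host carries which open vulnerability; a rule derived from that inventory escalates exploit attempts aimed at a host that is actually vulnerable to the referenced CVE, and the same inventory tells the analyst which attempts can be deprioritised. Host names, CVE-style identifiers and the IDS events are constructed for the example; the Sigma-like rule shape is an assumption about the target SIEM and has to be adapted to the real rule format.

```python
"""
Added example, not part of the C5 criteria text: derive SIEM detection
content from vulnerability-scan results (OPS-25.04B). Host names,
CVE-style ids and the IDS events below are constructed placeholders;
the rule dictionaries are Sigma-like and assume the SIEM accepts that shape.
"""
import json

# Constructed scan output: host -> open vulnerability ids from the last run.
SCAN_RESULTS = {
    "web-01": {"CVE-0000-0001", "CVE-0000-0003"},
    "db-02": {"CVE-0000-0002"},
}

# Constructed IDS events (JSON lines). Only some carry a CVE tag.
IDS_LOG = """\
{"ts": "2025-01-02T10:00:01Z", "sig": "exploit attempt", "cve": "CVE-0000-0001", "src": "203.0.113.5", "dest_host": "web-01"}
{"ts": "2025-01-02T10:00:05Z", "sig": "exploit attempt", "cve": "CVE-0000-0002", "src": "203.0.113.5", "dest_host": "web-01"}
{"ts": "2025-01-02T10:01:10Z", "sig": "exploit attempt", "cve": "CVE-0000-0002", "src": "198.51.100.9", "dest_host": "db-02"}
{"ts": "2025-01-02T10:02:00Z", "sig": "port scan", "src": "198.51.100.9", "dest_host": "db-02"}
"""


def build_rules(scan_results: dict) -> list:
    """One Sigma-style rule per vulnerable (host, CVE) pair (assumed format)."""
    rules = []
    for host, cves in sorted(scan_results.items()):
        for cve in sorted(cves):
            rules.append({
                "title": f"Exploit attempt against {host}, which is vulnerable to {cve}",
                "logsource": {"category": "ids"},
                "detection": {"selection": {"dest_host": host, "cve": cve},
                              "condition": "selection"},
                "level": "high",
            })
    return rules


def diff_rules(previous: dict, current: dict) -> tuple:
    """Rules to retire and to add when the next scan changes the inventory.
    Returns two sets of (host, cve) pairs: (retire, add)."""
    prev = {(h, c) for h, cs in previous.items() for c in cs}
    curr = {(h, c) for h, cs in current.items() for c in cs}
    return prev - curr, curr - prev


def correlate(log_text: str, scan_results: dict) -> list:
    """Apply the rules' logic over raw events: keep only attempts whose
    target is known-vulnerable to the CVE the signature references."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        cve, host = ev.get("cve"), ev.get("dest_host")
        if cve and cve in scan_results.get(host, set()):
            hits.append({"ts": ev["ts"], "host": host, "cve": cve, "src": ev["src"]})
    return hits


if __name__ == "__main__":
    for r in build_rules(SCAN_RESULTS):
        print(r["title"])
    for h in correlate(IDS_LOG, SCAN_RESULTS):
        print("ESCALATE", h)
```

On the constructed data, the attempt against web-01 for CVE-0000-0002 is not escalated because the scan shows web-01 is not vulnerable to it, while the attempt against db-02 for the same CVE is. diff_rules exists because the rule set has to track the scan: once a vulnerability is remediated, the corresponding rule is retired, otherwise the SIEM keeps raising high-priority alerts for a closed exposure.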
|
OPS-25.01AC
|
Time frames for the initiation of remediation or mitigation efforts after a vulnerability is identified are defined and monitored according to a risk-based classification framework. This framework incorporates, but is not limited to, the CVSS severity level of vulnerabilities.
An example of a framework for risk-based classification and definition of time frames can be:
1. Critical (CVSS = 9.0 - 10.0): 24 - 48 hours;
2. High (CVSS = 7.0 - 8.9): 48 - 72 hours;
3. Medium (CVSS = 4.0 - 6.9): 5 days; and
4. Low (CVSS = 0.1 - 3.9): 1 month.
|
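Supplementary illustration, added here and not part of the C5 criteria text: the automated comparison of software component data against a vulnerability database that OPS-25.01B describes, followed by the severity assessment of OPS-25.02B and the risk-based time frames of OPS-25.01AC. The SBOM excerpt, the vulnerability-database entries, the package versions and the CVE-style identifiers are constructed placeholders; a real scanner reads the SBOM file and a current feed (NVD/CVE, EUVD or a distribution advisory feed). The severity scale is the CVSS v3.x/v4.0 qualitative rating scale, the deadlines are the upper bounds of the OPS-25.01AC example, and the escalation for internet-exposed or known-exploited findings is one possible way to make the framework "not limited to" CVSS.

```python
"""
Added example, not part of the C5 criteria text: match SBOM component data
against a vulnerability database, rate hits on the CVSS qualitative scale
and derive remediation deadlines from a risk-based classification.
All package names, versions and vulnerability ids are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed CycloneDX-style SBOM excerpt (only the fields matching needs).
SBOM = {"components": [
    {"name": "openssl", "version": "3.0.7"},
    {"name": "libxml2", "version": "2.10.3"},
    {"name": "nginx", "version": "1.25.3"},
]}

# Constructed vulnerability-database excerpt; the affected range is inclusive.
VULN_DB = [
    {"id": "CVE-0000-0001", "package": "openssl", "affected": ("3.0.0", "3.0.7"), "cvss": 9.8},
    {"id": "CVE-0000-0002", "package": "libxml2", "affected": ("2.9.0", "2.10.2"), "cvss": 7.5},
    {"id": "CVE-0000-0003", "package": "nginx", "affected": ("1.20.0", "1.25.3"), "cvss": 5.3},
]

# Time frames from the OPS-25.01AC example (upper bound of each window).
SLA = {"Critical": timedelta(hours=48), "High": timedelta(hours=72),
       "Medium": timedelta(days=5), "Low": timedelta(days=30)}
ORDER = ["Low", "Medium", "High", "Critical"]
FOUND_AT = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed scan time


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; real ecosystems need purl-aware parsers."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, affected: tuple) -> bool:
    lo, hi = affected
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def cvss_severity(score: float) -> str:
    """CVSS v3.x/v4.0 qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    component: str
    version: str
    vuln_id: str
    cvss: float
    severity: str


def scan_sbom(sbom: dict, vuln_db: list) -> list:
    """The automated comparison: every component against every DB entry."""
    findings = []
    for comp in sbom["components"]:
        for vuln in vuln_db:
            if vuln["package"] == comp["name"] and is_affected(comp["version"], vuln["affected"]):
                findings.append(Finding(comp["name"], comp["version"], vuln["id"],
                                        vuln["cvss"], cvss_severity(vuln["cvss"])))
    return findings


def remediation_deadline(finding: Finding, found_at: datetime,
                         internet_exposed: bool = False,
                         known_exploited: bool = False):
    """Risk-based classification: CVSS sets the base class; internet exposure
    or evidence of exploitation in the wild escalates it by one class."""
    if finding.severity == "None":
        return None
    level = ORDER.index(finding.severity)
    if internet_exposed or known_exploited:
        level = min(level + 1, len(ORDER) - 1)
    return found_at + SLA[ORDER[level]]


def demo() -> dict:
    """Deadlines (ISO 8601) for the constructed data, keyed by vuln id."""
    out = {}
    for f in scan_sbom(SBOM, VULN_DB):
        exposed = f.component == "nginx"  # assumption: the web tier faces the internet
        out[f.vuln_id] = remediation_deadline(f, FOUND_AT, internet_exposed=exposed).isoformat()
    return out


if __name__ == "__main__":
    for f in scan_sbom(SBOM, VULN_DB):
        print(f"{f.vuln_id}: {f.component} {f.version} CVSS {f.cvss} -> {f.severity}")
    print(demo())
```

On the constructed data, libxml2 2.10.3 is outside the affected range and produces no finding, openssl 3.0.7 is Critical and due within 48 hours, and the Medium nginx finding is treated as High (72 hours) because the component is marked as internet-exposed. Monitoring the time frame, as OPS-25.01AC requires, then reduces to comparing each deadline with the current time and the finding's closure record.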
|
OPS-25.01AS
|
System components in the area of responsibility of the cloud service provider for the provision of the cloud service are subject to vulnerability scans at least once a day in accordance with the policies for handling vulnerabilities (cf. OPS-18). These vulnerability scans include a comparison of software component data against up-to-date vulnerability databases (e.g., CVE, EUVD) to identify known vulnerabilities.
In contrast to penetration tests (cf. OPS-22), which are carried out manually and according to an individual scheme, the check for open vulnerabilities is performed automatically, using so-called vulnerability scanners.
Definitions of the terms 'CVE' and 'EUVD', as well as other vulnerability-related terms, can be found in the supplementary information of criterion OPS-18.01B.
The software component data to be compared against up-to-date vulnerability databases can be, but does not have to be, obtained using a Software Bill of Materials (SBOM).
|
|
OPS-25.02AS
|
The cloud service provider assesses the severity of vulnerabilities using the latest version of the Common Vulnerability Scoring System (CVSS) valid at the time of the assessment.
|
|
OPS-25 Supplementary Information - Complementary Customer Criteria
|
Cloud service customers ensure with suitable controls that system components under their responsibility are regularly checked for vulnerabilities and that identified vulnerabilities are mitigated by appropriate measures. If cloud service customers operate virtual machines or containers with the cloud service, this also includes performing vulnerability scans to ensure that secure images (so-called golden images), provided either by the cloud service provider or by the cloud service customers themselves, are used.
|
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source | Requirement |
3. Related Regulations
Regulations
| Source | Regulation |