+OPS-26 Managing Vulnerabilities, Incidents and Crashes - System Hardening
---+OPS-26.01B
---+OPS-26.02B
---+OPS-26.03B
---+OPS-26.04B
---+OPS-26.05B
---+OPS-26.06B
---+OPS-26.05AS
---+OPS-26 Supplementary Information - Complementary Customer Criteria

1. Overview

OPS-26 Managing Vulnerabilities, Incidents and Crashes - System Hardening

Designation Standard
OPS-26.01B System components in the production environment used to provide the cloud service under the cloud service provider's responsibility are hardened according to generally accepted industry standards.

System components in the sense of the criterion are the objects required for the information security of the cloud service during the creation, processing, storage, transmission, deletion or destruction of information in the cloud service provider's area of responsibility, e.g. firewalls, load balancers, web servers, application servers and database servers. These system components in turn consist of hardware and software objects. This criterion is limited to software objects such as hypervisors, operating systems, databases, programming interfaces (APIs), images (e.g. for virtual machines and containers) and applications for logging and monitoring security events.

Generally accepted industry standards are, for example, the Security Configuration Benchmark of the Center for Internet Security (CIS) or the corresponding modules in the BSI IT-Grundschutz-Compendium.
OPS-26.02B The hardening requirements for each system component are documented.
OPS-26.03B If non-modifiable ('immutable') images are used, compliance with the hardening specifications, as defined in the hardening requirements, is checked upon creation of the images.
OPS-26.04B Configurations and log files (cloud service provider data) regarding the continuous availability of the aforementioned immutable images are retained.

The configuration and log files for non-modifiable images include e.g.:

1. Configuration of the images used with regard to implemented hardening;
2. Specifications including version history; and
3. Logs for file integrity monitoring of images in productive use.
OPS-26.05B The cloud service provider implements monitoring measures to ensure system components comply with hardening specifications.

System components in the sense of the criterion are the objects required for the information security of the cloud service during the creation, processing, storage, transmission, deletion or destruction of information in the cloud service provider's area of responsibility, e.g. firewalls, load balancers, web servers, application servers and database servers. These system components in turn consist of hardware and software objects. This criterion is limited to software objects such as hypervisors, operating systems, databases, programming interfaces (APIs), images (e.g. for virtual machines and containers) and applications for logging and monitoring security events.

Compliance with hardening specifications can be monitored with e.g. file integrity monitoring.
OPS-26.06B Identified deviations from these specifications are reported in a timely manner to the appropriate departments for immediate assessment and action.
OPS-26.05AS System components in the cloud service provider's area of responsibility are automatically monitored for compliance with hardening specifications.

System components in the sense of the criterion are the objects required for the information security of the cloud service during the creation, processing, storage, transmission, deletion or destruction of information in the cloud service provider's area of responsibility, e.g. firewalls, load balancers, web servers, application servers and database servers. These system components in turn consist of hardware and software objects. This criterion is limited to software objects such as hypervisors, operating systems, databases, programming interfaces (APIs), images (e.g. for virtual machines and containers) and applications for logging and monitoring security events.

Compliance with hardening specifications can be monitored with e.g. file integrity monitoring.
OPS-26 Supplementary Information - Complementary Customer Criteria Cloud service customers ensure with suitable controls that layers of the cloud service which are under their responsibility are hardened according to generally established and accepted industry standards. The hardening specifications applied are derived from a risk assessment of the planned usage of the cloud service.
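
The file integrity monitoring named in OPS-26.04B to OPS-26.06B can be sketched as follows. This is an added example, not part of the criteria catalogue: the SHA-256 manifest approach, the function names, the image identifier and the sample files are assumptions made for illustration.

```python
import hashlib, json, os, pathlib, stat, tempfile
from datetime import datetime, timezone

def snapshot(root):
    """Map each regular file under root to its SHA-256 digest and permission bits."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode))}
    return manifest

def deviations(baseline, current):
    """Compare the retained baseline with a fresh snapshot; return sorted findings."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "content-changed"))
        elif old["mode"] != new["mode"]:
            findings.append((rel, "mode-changed"))
    return findings

def log_records(findings, image_id):
    """Render findings as JSON lines that can be retained and forwarded for assessment."""
    ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"ts": ts, "image": image_id, "path": p, "deviation": d})
            for p, d in findings]

def demo():
    """Constructed sample: a tiny image root that drifts after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = pathlib.Path(tmp, "etc/ssh/sshd_config")
        cfg.parent.mkdir(parents=True)
        cfg.write_text("PermitRootLogin no\n")
        baseline = snapshot(tmp)  # taken when the hardened image is created
        cfg.write_text("PermitRootLogin yes\n")  # drift from the hardening spec
        pathlib.Path(tmp, "etc/motd").write_text("drift\n")  # unexpected new file
        return deviations(baseline, snapshot(tmp))
```

The baseline manifest is the artifact to retain alongside the image configuration, and the JSON lines from `log_records` are what a scheduled run would ship to the team responsible for assessing deviations.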

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation