ECSA Assessment Report

Transcription

1 ECSA Assessment Report Company Test Cloud Company Name of the cloudservice textcloud.com Website of the cloudservice 11.textcloud.com Project number #10652 Projectname Dummyproject Print date Link to publication on ECSA web ECSA online analysis Only if publication was ordered Used tickets Print time 18:48 Self-Assessment reports like this one are a summary of information about a specific cloud services provided by a representative of the organisation mentioned in the report. Under no circumstances does EuroCloud add, change, delete or evaluate this data... EuroCloud never performs any kind of quality check and is therefore not reliable for any misleading, missing or incorrect information given by the user of the ECSA Assessment Tool. An ECSA Audit includes a third party quality check which is performed by an external audit organisation not EuroCloud. Self- Assessments do not include such an external quality check. EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 1/33

2 Area 6s: Application SaaS Not applicable Assessment Statistics Total rating: 0 Area Requested Star Rating Control questions Total A Answers Total B Answers Total C Answers Total D Answers Total E Answers Total F Answers Achieved Star Rating 01 Provider Profile 02 Contract & Compliance 03 Security & Data Privacy 04 DC Infrastructure 05 Operational Processes i IaaS p PaaS s SaaS EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 2/33

3 Area 1: Cloud Service Provider Profile Print Date: EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 3/33

4 Area 1: Cloud Service Provider Profile CSP Profile Company Name Address Test Cloud Company Gluckgasse Vienna Germny Company Registration DE Köln Reference ghr-78900k Contact Sales and Product Services SChmutzer martin martin.schmutzer@ff.vom Contact Technical Services Karin maier Maier@ff.com Contact Data Privacy Helmut heimlich hh@ff.com Contact Legal Dr. Laurich Martin laurci@ff.com Street ZIP Code (optional) City Country Company Web Site Country and City of company registration Company registration number Date of registration Full name address EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 4/33

5 Area 1: Cloud Service Provider Profile Phone Number Full name address Phone Number Full name address Phone Number Full name address Phone Number EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 5/33

6 Area 1: Cloud Service Provider Profile Physical Data Location Customer Data Full contact Details of the DC location (First) Full contact Details of the DC location (Second/Backup) DC1 karinberg Munich Germny textcloud DC2 martinstr berlin Germany cloudtest Full contact Details of further DC locations Name Street ZIP Code (optional) City Country Legal owner of the DC location and owner structure Name Street ZIP Code (optional) City Country Legal owner of the DC location and owner structure EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 6/33

7 Area 1: Cloud Service Provider Profile Service Management Access options for technical and support resources outside the CSP and DC facilities and level of country restriction EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 7/33

8 Area 1: Cloud Service Provider Profile Extended Company Profile Headcount for Cloud Service provisioning 367 Company headquarters Berlin Worldwide headcount 367 Main role ISV (Independent Software Vendor) Level of experience for Cloud Service provisioning fully up and running and in place since 2010 EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 8/33

9 Area 1: Cloud Service Provider Profile Reference Information about the Cloud Service Name of the Cloud Service Short service description Website of the Cloud Service textcloud.com This is just a test description of a service 11.textcloud.com Overall number of Cloud Services (no modules) 1 Number of customers of the Cloud Service in scope for 3000 assessment/certification Number of users of the Cloud Service in scope for 3000 assessment/certification EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 9/33

10 Area 1: Cloud Service Provider Profile Certifications Certifications for Technical management ECSA DC Star 01 TÜV 445 ISO Reference profil.pdf Certifications for Quality Management Cobit 9000 Reference Certifications for Compliance ITL 9000 Reference Certifications for Data Privacy none Reference Sector Specific certifications none Reference EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 10/33

11 Version 3.0 rev Control: 2 - Contract & Compliance EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 11/33

12 Version 3.0 rev Control: 2 - Contract & Compliance 01 Adequate contract terms Conclusion of contract A02-S01-C01-Q01 Are the contract elements accessible for the customer before booking services? Online reference or request procedure for clients A: Excellent - All relevant contract elements are bundled, easy to understand, easily accessible on the website with the most recent version and version management. No hidden links to any other documents that are legally binding. A02-S01-C01-Q02 Are all the relevant contractual elements included and referenced - like the general terms and conditions, privacy policies, security policies and others? A main document (e.g frame contract) which is cleary referenced to the Service offered according to the profile is in place. All related agreements are referenced and named in this document B: Good - Main document is available in the most recent version Terms of cancellation EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 12/33

13 Version 3.0 rev Control: 2 - Contract & Compliance A02-S01-C02-Q01 Is it possible to terminate a contract with just cause? At least a standard clause to terminate the contract has to be outlined. C: Sufficient - A standard clause for contract termination is specified EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 13/33

14 Version 3.0 rev Control: 2 - Contract & Compliance 02 Rules for Data Management Location of Data A02-S02-C01-Q01 Are the location, postal address and contact for the physical data hosting of the customer data clearly provided? Customer must be able to provide evidence of data location for personal and financial data (if required by local regulation) A: Excellent - Any location with potential customer data is listed with address, contact data and entitlement to access the data by the customer on demand Data access by customer A02-S02-C02-Q01 In the case of dissent about the service delivery is it confirmed that the customer can access the data without any constraints and that the service provider is still bound to the data archiving requirements. Give the customer the right to access his data in the case of unclear payment balances or other contractual obligations. The service itself can be interrupted. B: Good - The customer can still use the service for at least 2 weeks after first formal notice of potential service interruption and archiving is still active. Data access is granted for the following 6 month. EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 14/33

15 Version 3.0 rev Control: 2 - Contract & Compliance 04 Service Level Agreements General requirements A02-S04-C01-Q01 Is the Service Level Agreement part of the overall contract and does it describe in a sufficient way the guarantee of service quality? Provide appropriate Service Level objectives which can be monitored by the Customer A: Excellent - The SLA provides clear service objectives, metrics and ongoing evidence of compliance. EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 15/33

16 Version 3.0 rev Control: 2 - Contract & Compliance 06 Terms for pricing and cost allocation Terms for pricing and cost allocation A02-S06-C01-Q01 Are the pricing units and service costs transparently described? A sample calculation has to be shown with all ramp up costs and dynamic price items. C: Sufficient - A standard price scheme is in place. EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 16/33

17 Version 3.0 rev Control: 3 - Security and Data Privacy EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 17/33

18 Version 3.0 rev Control: 3 - Security and Data Privacy 01 Security Management Organisational Requirements A03-S01-C01-Q06 Are operational staff trained in IT security on a regular basis? A (*****) - Evidence of training and testing by a training institute entitled for ISO training B (*****) - Evidence of training and testing C (***) - Training plan and participation plan provided C: Sufficient - Training plan and participation plan provided A03-S01-C01-Q07 Are the operational staff trained in policies relating to access to personal data and data privacy? A (****) - Dedicated training with attestation B (****) - Policies in place and confirmed by each individual C (***) - Policies referenced in HR contract B: Good - Policies in place and confirmed by each individual Preventive Measures A03-S01-C02-Q01 Are regular security checks or penetration tests carried out? Pro active security monitoring and verification of procedures ***** (A),**** (B), *** ( C) A: Excellent - Continuous monitoring of known vulnerabilities and cyber threads and regular penetration testing (at least every 6 Months) EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 18/33

19 Version 3.0 rev Control: 3 - Security and Data Privacy A03-S01-C02-Q03 Is the entitlement and authorisation process for new customers appropriate? Protect other customers from being affected by suspicious or anonymous users (cyber and crime threads) **** (A), *** (B) F: Not applicable - Please comment on reasoning *** For whatever good reason, this control is not applicable. EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 19/33

20 Version 3.0 rev Control: 3 - Security and Data Privacy 02 Technical Security Cyber Security A03-S02-C01-Q01 Does a firewall system protect the infrastructure according to the current level of technology? Evidence of base line protection C: Sufficient - FW mechanism is in place and up to date A03-S02-C01-Q03 Optional Control: Is the service access secured either by Virtual Private Network (VPN) or Virtual Private Cloud (VPC) access? Show isolation level of connected users for highly sensitive areas (e.g. medical patient data) This Control- Questions is only optional. Please do only use it if necessary, otherwise use Option not applicable. B: Good - Secured and monitored VPC Password Management A03-S02-C03-Q01 Is the password management system automated? No user intervention is allowed to manage customer passwords A: Excellent - Certified by ISO (in scope for auditing) A03-S02-C03-Q02 Are the passwords secured against unauthorised access? Protection of passwords against decryption and unauthorised access A: Excellent - Certified by ISO (in scope for auditing) EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 20/33

21 Version 3.0 rev Control: 3 - Security and Data Privacy 03 Technical Data Privacy Measures Technical Data Privacy Assessment A03-S03-C01-Q01 Is the communication between the user and the service fully encrypted? Encryption level is according to current market standard F: Not applicable - Please comment on reasoning *** For whatever good reason, this control is not applicable. A03-S03-C01-Q02 Are the encryption technologies in use uncompromised and at a sufficient encryption level? Encryption level is according to current market standard B: Good - According to NIST Rev 1 A03-S03-C01-Q04 Are backups sufficiently secured against unauthorised access Archived data is included into all security processes A: Excellent - Certified by ISO (in scope for auditing) A03-S03-C01-Q10 Is the use of production data excluded for test and training systems? Clear separation of production and test systems B: Good - Clear policies to separate test and production data EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 21/33

22 Control: 4 - Operation DC Infrastructure EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 22/33

23 Control: 4 - Operation DC Infrastructure 01 Proper Facility and IT Co-Location Management Access control A04-S01-C03-Q01 Is there an adequate access and security concept for the data centre? Area and access protection C: Sufficient - DC access and security documentation in place A04-S01-C03-Q02 Is admission to the area used for the cloud service secured against unauthorised entry? Evidence of appropriate access protection to Cloud Service environment and stored data B: Good - Full qualified list of individuals with personal access codes Fail-safe operation A04-S01-C04-Q01 Is there a redundant power supply with UPS operation? Business continuity in case of short electricity outage A: Excellent - Bridge time > 60 mins A04-S01-C04-Q04 Is the cooling system redundant? Business continuity in case of cooling outage C: Sufficient - Cooling system with redundant power supply EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 23/33

24 Control: 4 - Operation DC Infrastructure A04-S01-C04-Q05 Are the hardware components adequately separated from other infrastructure? Is expansion possible, when required? Appropriate physical isolation level and expansion capabilities C: Sufficient - Relevant Infrastructure components are clearly assigned and protected against unauthorised access with extension options to 3 times of the current workload. A04-S01-C04-Q06 How high is the availability level in the individual data centres? A (*****) > 99.5, B (****) > 99,0, C (***) > 98,5 C: Sufficient > 98, Organisation Data Centre A04-S01-C05-Q01 Optional Control: Is there an operation management handbook? Please provide. C: Sufficient - Handbook is in place EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 24/33

25 Control: 5 - Cloud Service Operational Processes EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 25/33

26 Control: 5 - Cloud Service Operational Processes 01 Appropriate Customer Support Validation of Support Service A05-S01-C01-Q01 How is user authentication undertaken with regard to support? Level of entitlement to authorise a request before interact with support to a customer s specific request ***** (A), **** (B), *** ( C) C: Sufficient - Standard password check online, no customer specific support online A05-S01-C01-Q02 What is the guaranteed response time? Guranteed response time (not resolution time) to a service request ***** (A), **** (B), *** ( C) C: Sufficient - > 1 working day A05-S01-C01-Q03 What is the average resolution time? Differentiation according to degree of severity. Average resolution time for standard priority ***** (A), **** (B), *** ( C) C: Sufficient - < 4 working days A05-S01-C01-Q04 Does the customer have read-access to the contractor's ticketing system? Allow customers to keep track of status/activity ***** (A), **** (B), *** ( C) F: Not applicable - Please comment on reasoning *** For whatever good reason, this control is not applicable. A05-S01-C01-Q05 What is the availability of the support line? (hours of operation) Show support availability ***** (A), **** (B), *** ( C) A: Excellent - 7 days a week, 24 hours per day EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 26/33

27 Control: 5 - Cloud Service Operational Processes 02 Appropriate Service Management Problem Management A05-S02-C03-Q01 Are the roles and tasks defined for the problem management system? Efficient Problem Management A: Excellent - ISO certificate with appropriate scope is in place Change Management A05-S02-C04-Q01 Are changes in services reported to customers in advance when an impact is expected on the operation of the service? Appropriate customer information about potential service disruption/digression A: Excellent - Standard maintenance plan for the coming 12 months, regularly updated Capacity Management A05-S02-C07-Q01 Are the system resources continuously monitored? Pro active monitoring to identify SLA related issues A: Excellent - Monitoring with link to alert and incident management Availability Management EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 27/33

28 Control: 5 - Cloud Service Operational Processes A05-S02-C08-Q01 Is there an availability management system in place for the hardware? Special procedures for hardware avaialability management C: Sufficient - Procuedures for Availability Management is in place A05-S02-C08-Q02 Is there an availability management system in place for applications? Special procedures for application availability management B: Good - Availability Management System is in place Backup Management A05-S02-C12-Q01 Is there a data backup management system? Back Up management practice A: Excellent - ISO certified backup system A05-S02-C12-Q02 On what media are the backup data archived, and for how long? Appropriate backup media and retention C: Sufficient - Data media are appropriate to securely backup the system and customer data A05-S02-C12-Q04 At what intervals does backup of the transactional data occur? Frequency of backup cycles ***** (A), **** (B), *** ( C) C: Sufficient - 24 hours EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 28/33

29 Area 6i: Application IaaS EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 29/33

30 Area 6i: Application IaaS S0 Security S0.C0 Access Hypervisor AI06-S03-C01-Q01 Is there is a two-factor authentication for the provisioning access? Secure admin access C: Sufficient - Two factor authentication with at least one dynamic key is in place AI06-S03-C01-Q03 Are there user directives to ensure the security of virtual machines? Guidance to avoid vulnerability by customer managed systems C: Sufficient - Standard recommendations to reduce security risks for the used services EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 30/33

31 Area 6i: Application IaaS S0 Licence Management S0.C0 Operating System AI06-S04-C01-Q01 Are there authorisations by the licensor of the operating systems which are made available for deployment? Show evidence that the provider is entitled to offer the Operating Systems B: Good - Full liability statement by the provider in case of dispute about correct license usage EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 31/33

32 Area 6p: Application PaaS Not applicable EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 32/33

33 Powered by TCPDF ( EuroCloud Star Audit Catalogue Area 6s: Application SaaS Not applicable EuroCloud Star Audit Assessment Version: (c) All rights reserved to EuroCloud Europe, Luxembourg 33/33