diff --git a/admin-compliance/agent-core/soul/compliance-advisor.soul.md b/admin-compliance/agent-core/soul/compliance-advisor.soul.md index 50e654d..48d4249 100644 --- a/admin-compliance/agent-core/soul/compliance-advisor.soul.md +++ b/admin-compliance/agent-core/soul/compliance-advisor.soul.md @@ -19,8 +19,13 @@ offiziellen Quellen und gibst praxisnahe Hinweise. - AI Act (EU KI-Verordnung) - TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) - ePrivacy-Richtlinie -- DSK-Kurzpapiere (Nr. 1-20) -- SDM (Standard-Datenschutzmodell) V3.0 +- DSK-Kurzpapiere (Nr. 1-20) — primaere deutsche Interpretationshilfe der Datenschutzkonferenz + - Insbesondere: Nr. 1 (VVT), Nr. 5 (Datenschutz-Folgenabschaetzung), Nr. 11 (Loeschung), + Nr. 12 (DSB), Nr. 13 (Auftragsverarbeitung), Nr. 17 (Besondere Kategorien), + Nr. 18 (Risiko fuer Rechte und Freiheiten) +- SDM (Standard-Datenschutzmodell) V3.1 — Methodik zur Schutzbedarf-Bestimmung und Massnahmen-Ableitung +- BfDI Loeschkonzept — Referenzmodell fuer Loeschfristen und Aufbewahrungskonzepte +- BfDI/BayLDA Orientierungshilfen (E-Mail-Verschluesselung, Telemedien, TOM-Checkliste) - BSI-Grundschutz (Basis-Kenntnisse) - BSI-TR-03161 (Sicherheitsanforderungen an digitale Gesundheitsanwendungen) - ISO 27001/27701 (Ueberblick) 
@@ -51,6 +56,13 @@ Nutze das gesamte RAG-Corpus fuer Kontext und Quellenangaben — ausgenommen sin NIBIS-Inhalte (Erwartungshorizonte, Bildungsstandards, curriculare Vorgaben). Diese gehoeren nicht zum Datenschutz-Kompetenzbereich. +### Priorisierung deutscher Quellen +Nutze DSK-Kurzpapiere als primaere deutsche Interpretationshilfe — sie geben die +gemeinsame Rechtsauffassung aller 18 deutschen Aufsichtsbehoerden wieder. +Fuer TOM-Fragestellungen: SDM V3.1 + BayLDA TOM-Checkliste als Referenz. +Fuer Loeschkonzepte: BfDI Loeschkonzept + DSK KP Nr. 11 (Recht auf Loeschung). +Fuer Risikoanalysen: DSK KP Nr. 18 (Risiko) + SDM Schutzbedarf-Systematik. + ## Kommunikationsstil - Sachlich, aber verstaendlich — kein Juristendeutsch - Deutsch als Hauptsprache diff --git a/admin-compliance/agent-core/soul/drafting-agent.soul.md b/admin-compliance/agent-core/soul/drafting-agent.soul.md index 596cebf..d26706e 100644 --- a/admin-compliance/agent-core/soul/drafting-agent.soul.md +++ b/admin-compliance/agent-core/soul/drafting-agent.soul.md 
@@ -14,11 +14,28 @@ Konsistenz zwischen Dokumenten sicherzustellen. ## Kompetenzbereich DSGVO, BDSG, AI Act (EU 2024/1689), TTDSG, DDG (§5 Impressum), -DSK-Kurzpapiere, SDM V3.0, BSI-Grundschutz (IT-Grundschutz-Kompendium), -ISO 27001/27701, EDPB Guidelines, WP248, +DSK-Kurzpapiere (Nr. 1-20), SDM V3.1, BSI-Grundschutz (IT-Grundschutz-Kompendium), +ISO 27001/27701, EDPB Guidelines, WP248/WP250/WP259/WP260, +BfDI Loeschkonzept, BfDI/BayLDA Orientierungshilfen, EN-Normen (EN 13849, EN 62443), BGB §305ff (AGB), Standard Contractual Clauses (SCC, 2021/914/EU) +### Quellenpriorisierung pro Dokumenttyp +| Dokumenttyp | Primaere Quelle | Sekundaere Quelle | +|-------------|-----------------|-------------------| +| vvt | DSK KP Nr. 1 (VVT Art. 30) | EDPB Controller/Processor GL | +| tom | SDM V3.1 + BayLDA TOM-Checkliste | EDPB DPbD 4/2019 | +| dsfa | WP248 + DSK KP Nr. 5 | EDPB DPIA List, Laender-Muss-Listen | +| lf | BfDI Loeschkonzept + DSK KP Nr. 11 | — | +| einwilligung | EDPB Consent 05/2020 + WP259 | DSK KP Nr. 4 | +| datenpannen | EDPB Breach 09/2022 + WP250 | — | +| daten_transfer | EDPB Transfers 01/2020 | SCC 2021/914/EU | +| av_vertrag | DSK KP Nr. 13 | EDPB Controller/Processor 07/2020 | +| dsi | WP260 Transparency | DSK KP Nr. 10 | +| betroffenenrechte | EDPB Access 01/2022 | DSK KP Nr. 11 (Loeschung) | +| risikoanalyse | DSK KP Nr. 18 + SDM V3.1 | — | +| datenschutzmanagement | SDM V3.1 | BSI-Grundschutz | + ## Draftbare Dokumenttypen (18) | Typ | Label | Rechtsgrundlage | diff --git a/admin-compliance/app/api/sdk/drafting-engine/chat/route.ts b/admin-compliance/app/api/sdk/drafting-engine/chat/route.ts index 2cdb017..3237271 100644 --- a/admin-compliance/app/api/sdk/drafting-engine/chat/route.ts +++ b/admin-compliance/app/api/sdk/drafting-engine/chat/route.ts 
@@ -8,7 +8,9 @@ import { NextRequest, NextResponse } from 'next/server'
 import { queryRAG } from '@/lib/sdk/drafting-engine/rag-query'
+import { DOCUMENT_RAG_CONFIG } from '@/lib/sdk/drafting-engine/rag-config'
 import { readSoulFile } from '@/lib/sdk/agents/soul-reader'
+import type { ScopeDocumentType } from '@/lib/sdk/compliance-scope-types'
 const OLLAMA_URL = process.env.OLLAMA_URL || 'http://host.docker.internal:11434'
 const LLM_MODEL = process.env.COMPLIANCE_LLM_MODEL || 'qwen2.5vl:32b'
@@ -40,8 +42,10 @@ export async function POST(request: NextRequest) {
 return NextResponse.json({ error: 'Message is required' }, { status: 400 })
 }
- // 1. Query RAG for legal context
- const ragContext = await queryRAG(message)
+ // 1. Query RAG for legal context (use type-specific collection + query boost if available)
+ const ragConfig = documentType ? DOCUMENT_RAG_CONFIG[documentType as ScopeDocumentType] : undefined
+ const ragQuery = ragConfig ? `${ragConfig.query} ${message}` : message
+ const ragContext = await queryRAG(ragQuery, 3, ragConfig?.collection)
 // 2. Build system prompt with mode-specific instructions + state projection
 const soulPrompt = await readSoulFile('drafting-agent')
diff --git a/admin-compliance/lib/sdk/drafting-engine/rag-config.ts b/admin-compliance/lib/sdk/drafting-engine/rag-config.ts
index 4f61908..9c484e2 100644
--- a/admin-compliance/lib/sdk/drafting-engine/rag-config.ts
+++ b/admin-compliance/lib/sdk/drafting-engine/rag-config.ts
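Review bot: The `documentType as ScopeDocumentType` cast in the second hunk hides that `documentType` is never validated before it is used as a lookup key; its origin is outside the hunk, and if it comes from the request body it is client-controlled. `DOCUMENT_RAG_CONFIG` is a plain object literal (see rag-config.ts), so a value that is not one of its keys but is inherited from `Object.prototype` yields a truthy `ragConfig` whose `query` and `collection` are `undefined`, and the RAG query becomes `undefined <message>` with the default collection; any other unknown value silently falls back to the untyped query, which makes a typo indistinguishable from "no type". Gate the lookup on an own-property check so that only declared types select a collection and query boost: `const isKnownType = typeof documentType === 'string' && Object.prototype.hasOwnProperty.call(DOCUMENT_RAG_CONFIG, documentType)` followed by `const ragConfig = isKnownType ? DOCUMENT_RAG_CONFIG[documentType as ScopeDocumentType] : undefined`. Consider also rejecting unknown non-empty values with a 400, as `message` already is a few lines above. The body of `POST` begins before and continues after the hunk.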
@@ -17,74 +17,74 @@ export interface DocumentRAGConfig {
 export const DOCUMENT_RAG_CONFIG: Record = {
 dsfa: {
 collection: 'bp_dsfa_corpus',
- query: 'Art. 35 DSGVO Risikobewertung Massnahmen',
+ query: 'Art. 35 DSGVO Datenschutz-Folgenabschaetzung DSFA Risikobewertung WP248 EDPB',
 },
 tom: {
 collection: 'bp_compliance_datenschutz',
- query: 'Art. 32 DSGVO Sicherheit Verarbeitung',
+ query: 'Art. 32 DSGVO Sicherheit Verarbeitung TOM technisch-organisatorische Massnahmen EDPB DPbD',
 },
 vvt: {
 collection: 'bp_compliance_gesetze',
- query: 'Art. 30 DSGVO Dokumentationspflicht',
+ query: 'Art. 30 DSGVO Verarbeitungsverzeichnis Dokumentationspflicht DSK Kurzpapier VVT',
 },
 lf: {
 collection: 'bp_compliance_recht',
- query: 'Aufbewahrungsfristen Loeschkonzept',
+ query: 'Aufbewahrungsfristen Loeschkonzept Art. 17 DSGVO Recht auf Loeschung DSK Kurzpapier',
 },
 dsi: {
 collection: 'bp_compliance_datenschutz',
- query: 'Art. 13 Art. 14 DSGVO Transparenz',
+ query: 'Art. 13 Art. 14 DSGVO Transparenz Informationspflicht WP260 EDPB',
 },
 betroffenenrechte: {
 collection: 'bp_compliance_recht',
- query: 'Art. 15 bis 22 DSGVO Auskunft Loeschung',
+ query: 'Art. 15-22 DSGVO Betroffenenrechte Auskunft Loeschung EDPB Access Right',
 },
 datenpannen: {
 collection: 'bp_compliance_recht',
- query: 'Art. 33 Art. 34 DSGVO Meldepflicht',
+ query: 'Art. 33 Art. 34 DSGVO Datenpanne Meldepflicht EDPB Breach Notification WP250',
 },
 daten_transfer: {
 collection: 'bp_compliance_ce',
- query: 'Kapitel V DSGVO Standardvertragsklauseln',
+ query: 'Kapitel V DSGVO Drittlandtransfer SCC EDPB Transfers Supplementary Measures',
 },
 einwilligung: {
 collection: 'bp_compliance_datenschutz',
- query: 'Art. 6 Art. 7 Art. 9 DSGVO Widerruf',
+ query: 'Art. 6 Art. 7 DSGVO Einwilligung Widerruf EDPB Consent Guidelines WP259',
 },
 vertragsmanagement: {
 collection: 'bp_compliance_recht',
- query: 'AVV Art. 28 DSGVO Vertragsanforderungen',
+ query: 'AVV Art. 28 DSGVO Vertragsmanagement Auftragsverarbeiter Pruefpflichten',
 },
 schulung: {
 collection: 'bp_compliance_datenschutz',
- query: 'Datenschutz Schulung Awareness',
+ query: 'Datenschutz Schulung Awareness Sensibilisierung Art. 39 DSGVO Mitarbeiter',
 },
 audit_log: {
 collection: 'bp_compliance_datenschutz',
- query: 'Audit Logging Art. 5 Abs. 2 DSGVO',
+ query: 'Audit Logging Protokollierung Art. 5 Abs. 2 DSGVO Rechenschaftspflicht',
 },
 risikoanalyse: {
 collection: 'bp_compliance_ce',
- query: 'Risikoanalyse Risikobewertung Framework',
+ query: 'Risikoanalyse Risikobewertung Framework DSK Kurzpapier 18 SDM Schutzbedarf',
 },
 notfallplan: {
 collection: 'bp_compliance_recht',
- query: 'Notfallplan Incident Response Krisenmanagement',
+ query: 'Notfallplan Incident Response Krisenmanagement Art. 32 DSGVO Wiederherstellung',
 },
 zertifizierung: {
 collection: 'bp_compliance_ce',
- query: 'ISO 27001 ISO 27701 Art. 42 DSGVO',
+ query: 'Art. 42 Art. 43 DSGVO Zertifizierung Datenschutz-Siegel EDPB Certification',
 },
 datenschutzmanagement: {
 collection: 'bp_compliance_datenschutz',
- query: 'DSMS PDCA Organisation',
+ query: 'DSMS PDCA Datenschutzmanagement Organisation SDM Standard-Datenschutzmodell',
 },
 iace_ce_assessment: {
 collection: 'bp_compliance_ce',
- query: 'AI Act KI-Verordnung CE-Konformitaet',
+ query: 'AI Act KI-Verordnung CE-Konformitaet Hochrisiko-KI Art. 6 EDPB',
 },
 av_vertrag: {
 collection: 'bp_compliance_recht',
- query: 'AVV Art. 28 DSGVO Auftragsverarbeitung Mindestinhalte EDPB Controller Processor',
+ query: 'AVV Art. 28 DSGVO Auftragsverarbeitung Mindestinhalte EDPB Controller Processor',
 },
 }
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/tom_controls_v1.json b/admin-compliance/lib/sdk/tom-generator/controls/tom_controls_v1.json
new file mode 100644
index 0000000..060a6d6
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/tom_controls_v1.json
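Review bot: The new `einwilligung` query drops `Art. 9`, which the old query carried, so retrieval for consent documents no longer targets the explicit-consent requirement for special categories (Art. 9(2)(a)); the soul file in this same commit still routes special-category questions to DSK KP Nr. 17, so the two sources now disagree on whether consent drafting should pull that material. If the removal was deliberate to sharpen the query, a one-line comment above the entry saying so would prevent it being re-added later; otherwise keep the article in the string, e.g. `query: 'Art. 6 Art. 7 Art. 9 DSGVO Einwilligung Widerruf EDPB Consent Guidelines WP259',`. Separately, since these strings are prepended verbatim to a user message in route.ts, a short TSDoc note on `DOCUMENT_RAG_CONFIG` stating that `query` is a retrieval boost (keyword prefix, not a prompt) would help the next person editing the values; the interface declaration is above the hunk.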
@@ -0,0 +1,6523 @@ +{ + "version": "1.0", + "schema": "iso_annex_a", + "generated": "2026-03-05", + "total_controls": 180, + "domains": [ + { + "id": "GOV", + "name": "Governance & Policies", + "objective": "Datenschutz-Governance-Rahmen etablieren, Verantwortlichkeiten definieren und regelmaessige Reviews sicherstellen", + "controls": [ + { + "id": "TOM.GOV.01", + "title": "ISMS/Privacy Governance", + "description": "Rollen, Verantwortlichkeiten und Review-Zyklen fuer das Datenschutz-Management definieren und dokumentieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Rollen, Verantwortlichkeiten und Review-Zyklen fuer das Datenschutz-Management definieren und dokumentieren.", + "evidence": [ + "Organigramm", + "Governance-Policy", + "Review-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(2)", + "Art. 24" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.02", + "title": "Datenschutzbeauftragter (DSB)", + "description": "Bestellung eines DSB gemaess Art. 37 DSGVO, Sicherstellung der Unabhaengigkeit und Ressourcenausstattung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bestellung eines DSB gemaess Art. 37 DSGVO, Sicherstellung der Unabhaengigkeit und Ressourcenausstattung.", + "evidence": [ + "DSB-Bestellungsurkunde", + "Aufgabenbeschreibung", + "Schulungsnachweise" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 37", + "Art. 38", + "Art. 
39" + ], + "iso27001": [ + "A.5.2" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.GOV.03", + "title": "Datenschutz-Leitlinie", + "description": "Unternehmensweite Datenschutz-Policy erstellen, von der Geschaeftsfuehrung genehmigen und an alle Mitarbeiter kommunizieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Unternehmensweite Datenschutz-Policy erstellen, von der Geschaeftsfuehrung genehmigen und an alle Mitarbeiter kommunizieren.", + "evidence": [ + "Datenschutz-Leitlinie", + "Freigabenachweis", + "Kommunikationsprotokoll" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 24", + "Art. 5(2)" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.GOV.04", + "title": "Richtlinien-Review-Zyklus", + "description": "Alle Datenschutz-Richtlinien mindestens jaehrlich pruefen und bei Aenderungen der Rechtslage aktualisieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Alle Datenschutz-Richtlinien mindestens jaehrlich pruefen und bei Aenderungen der Rechtslage aktualisieren.", + "evidence": [ + "Review-Protokolle", + "Aenderungshistorie", + "Versionsverwaltung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
24(1)" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.GOV.05", + "title": "Compliance-Monitoring", + "description": "Regelmaessige interne Pruefungen der Datenschutz-Compliance durchfuehren und Abweichungen dokumentieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige interne Pruefungen der Datenschutz-Compliance durchfuehren und Abweichungen dokumentieren.", + "evidence": [ + "Audit-Berichte", + "Massnahmenplaene", + "Nachverfolgung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(2)", + "Art. 32(1d)" + ], + "iso27001": [ + "A.5.36" + ], + "bsi": [ + "DER.3.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.06", + "title": "Datenschutz-Risikoregister", + "description": "Zentrales Register aller datenschutzrelevanten Risiken fuehren, bewerten und Massnahmen zuordnen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Zentrales Register aller datenschutzrelevanten Risiken fuehren, bewerten und Massnahmen zuordnen.", + "evidence": [ + "Risikoregister", + "Risikobewertungen", + "Massnahmenplan" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 24(1)", + "Art. 
35" + ], + "iso27001": [ + "A.5.3" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.07", + "title": "Management-Review", + "description": "Geschaeftsfuehrung informiert sich regelmaessig ueber den Stand der Datenschutz-Compliance und trifft strategische Entscheidungen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Geschaeftsfuehrung informiert sich regelmaessig ueber den Stand der Datenschutz-Compliance und trifft strategische Entscheidungen.", + "evidence": [ + "Management-Review-Protokoll", + "Praesentationen", + "Entscheidungsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 24" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.GOV.08", + "title": "Datenschutz-Folgenabschaetzung Prozess", + "description": "Standardisierten DSFA-Prozess gemaess Art. 35 etablieren mit Schwellwertanalyse, Durchfuehrung und Massnahmenableitung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Standardisierten DSFA-Prozess gemaess Art. 35 etablieren mit Schwellwertanalyse, Durchfuehrung und Massnahmenableitung.", + "evidence": [ + "DSFA-Vorlage", + "Schwellwertanalyse", + "DSFA-Dokumentation" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 35", + "Art. 
36" + ], + "iso27001": [ + "A.5.34" + ], + "bsi": [ + "CON.2" + ], + "sdm": [ + "Transparenz", + "Datenminimierung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.GOV.09", + "title": "Datenschutz-Budgetplanung", + "description": "Dediziertes Budget fuer Datenschutz-Massnahmen, Tools und Schulungen planen und jaehrlich ueberpruefen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Dediziertes Budget fuer Datenschutz-Massnahmen, Tools und Schulungen planen und jaehrlich ueberpruefen.", + "evidence": [ + "Budgetplanung", + "Ausgabenberichte", + "Investitionsplan" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 24" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.GOV.10", + "title": "Datenschutz bei Projekten (Privacy by Design)", + "description": "Bei jedem neuen IT-Projekt oder Geschaeftsprozess Datenschutzanforderungen fruehzeitig einbeziehen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bei jedem neuen IT-Projekt oder Geschaeftsprozess Datenschutzanforderungen fruehzeitig einbeziehen.", + "evidence": [ + "Projekt-Checkliste", + "DSFA-Schwellwertanalyse", + "Freigabeprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 25(1)" + ], + "iso27001": [ + "A.5.8" + ], + "bsi": [ + "CON.2" + ], + "sdm": [ + "Datenminimierung", + "Zweckbindung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.11", + "title": "Verzeichnis von Verarbeitungstaetigkeiten", + "description": "VVT gemaess Art. 
30 DSGVO fuehren und aktuell halten mit allen Pflichtangaben.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "VVT gemaess Art. 30 DSGVO fuehren und aktuell halten mit allen Pflichtangaben.", + "evidence": [ + "VVT-Dokument", + "Update-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 30" + ], + "iso27001": [ + "A.5.9" + ], + "bsi": [ + "CON.2" + ], + "sdm": [ + "Transparenz", + "Zweckbindung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.12", + "title": "Eskalationsprozess Datenschutzvorfaelle", + "description": "Klaren Eskalationspfad fuer Datenschutzvorfaelle definieren mit Meldewegen, Fristen und Zustaendigkeiten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Klaren Eskalationspfad fuer Datenschutzvorfaelle definieren mit Meldewegen, Fristen und Zustaendigkeiten.", + "evidence": [ + "Eskalationsmatrix", + "Prozessbeschreibung", + "Kontaktliste" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 33", + "Art. 
34" + ], + "iso27001": [ + "A.5.24" + ], + "bsi": [ + "DER.2.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.13", + "title": "Externe Datenschutz-Audits", + "description": "Regelmaessige externe Audits der Datenschutz-Compliance durch unabhaengige Pruefer durchfuehren lassen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige externe Audits der Datenschutz-Compliance durch unabhaengige Pruefer durchfuehren lassen.", + "evidence": [ + "Audit-Berichte extern", + "Zertifikate", + "Massnahmenplan" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 5(2)", + "Art. 42" + ], + "iso27001": [ + "A.5.35" + ], + "bsi": [ + "DER.3.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.GOV.14", + "title": "Datenschutz-Kennzahlen (KPIs)", + "description": "Messbare KPIs fuer Datenschutz definieren und regelmaessig berichten (z.B. offene DSR, Schulungsquote, Vorfaelle).", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Messbare KPIs fuer Datenschutz definieren und regelmaessig berichten (z.B. offene DSR, Schulungsquote, Vorfaelle).", + "evidence": [ + "KPI-Dashboard", + "Quartalsberichte", + "Trend-Analysen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 5(2)" + ], + "iso27001": [ + "A.5.1" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.GOV.15", + "title": "Datenschutz-Zertifizierung", + "description": "Anstreben einer Datenschutz-Zertifizierung (z.B. Art. 
42 DSGVO, ISO 27701) zur Nachweisfuehrung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Anstreben einer Datenschutz-Zertifizierung (z.B. Art. 42 DSGVO, ISO 27701) zur Nachweisfuehrung.", + "evidence": [ + "Zertifikat", + "Audit-Bericht", + "Massnahmenplan" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 42", + "Art. 43" + ], + "iso27001": [ + "A.5.35" + ], + "bsi": [ + "ISMS.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "HIGH" + } + ] + }, + { + "id": "HR", + "name": "Personnel & Awareness", + "objective": "Mitarbeiter fuer Datenschutz sensibilisieren, Verpflichtungen sicherstellen und kontinuierliche Kompetenzentwicklung foerdern", + "controls": [ + { + "id": "TOM.HR.01", + "title": "Datenschutz-Verpflichtung Mitarbeiter", + "description": "Alle Mitarbeiter auf das Datengeheimnis verpflichten und Vertraulichkeitserklaerungen einholen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Alle Mitarbeiter auf das Datengeheimnis verpflichten und Vertraulichkeitserklaerungen einholen.", + "evidence": [ + "Vertraulichkeitserklaerung", + "Verpflichtungsnachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 28(3b)", + "Art. 
29" + ], + "iso27001": [ + "A.6.6" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.HR.02", + "title": "Datenschutz-Grundschulung", + "description": "Verpflichtende Datenschutz-Grundschulung fuer alle neuen Mitarbeiter innerhalb des Onboardings.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Verpflichtende Datenschutz-Grundschulung fuer alle neuen Mitarbeiter innerhalb des Onboardings.", + "evidence": [ + "Schulungsteilnahme", + "Zertifikat", + "Schulungsunterlagen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 39(1b)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.HR.03", + "title": "Jaehrliche Auffrischungsschulung", + "description": "Mindestens jaehrliche Datenschutz-Auffrischung fuer alle Mitarbeiter mit aktuellen Themen und Fallbeispielen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Mindestens jaehrliche Datenschutz-Auffrischung fuer alle Mitarbeiter mit aktuellen Themen und Fallbeispielen.", + "evidence": [ + "Teilnehmerlisten", + "Schulungsinhalte", + "Evaluationsboegen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
39(1b)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.HR.04", + "title": "Rollenspezifische Schulungen", + "description": "Vertiefte Schulungen fuer Mitarbeiter mit besonderen Datenschutzaufgaben (IT, HR, Marketing, Vertrieb).", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Vertiefte Schulungen fuer Mitarbeiter mit besonderen Datenschutzaufgaben (IT, HR, Marketing, Vertrieb).", + "evidence": [ + "Schulungsplan", + "Teilnahmenachweise", + "Kompetenzmatrix" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 39(1b)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.HR.05", + "title": "Datenschutz-Onboarding-Checkliste", + "description": "Standardisiertes Onboarding mit Datenschutz-Briefing, Verpflichtung, Systemzugaenge und Schulungstermin.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Standardisiertes Onboarding mit Datenschutz-Briefing, Verpflichtung, Systemzugaenge und Schulungstermin.", + "evidence": [ + "Onboarding-Checkliste", + "Unterschriften", + "IT-Zugangsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 24", + "Art. 
29" + ], + "iso27001": [ + "A.6.1" + ], + "bsi": [ + "ORP.2" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.HR.06", + "title": "Datenschutz-Offboarding-Prozess", + "description": "Beim Austritt Zugriffe entziehen, Geraete zuruecknehmen und Vertraulichkeitspflichten bekraeftigen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Beim Austritt Zugriffe entziehen, Geraete zuruecknehmen und Vertraulichkeitspflichten bekraeftigen.", + "evidence": [ + "Offboarding-Checkliste", + "Zugangsentzugs-Protokoll", + "Geraeterueckgabe" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32" + ], + "iso27001": [ + "A.6.5" + ], + "bsi": [ + "ORP.2" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.HR.07", + "title": "Phishing-Awareness-Training", + "description": "Regelmaessige Phishing-Simulationen und Trainings zur Erkennung von Social-Engineering-Angriffen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige Phishing-Simulationen und Trainings zur Erkennung von Social-Engineering-Angriffen.", + "evidence": [ + "Phishing-Test-Ergebnisse", + "Schulungsnachweise", + "Klickraten-Report" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.HR.08", + "title": "Datenschutz-Champions/Botschafter", + "description": "In jeder Abteilung einen Datenschutz-Ansprechpartner benennen als Multiplikator und Erstanlaufstelle.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "In jeder Abteilung einen Datenschutz-Ansprechpartner benennen als Multiplikator und Erstanlaufstelle.", + "evidence": [ + "Benennungsliste", + "Aufgabenbeschreibung", + "Schulungsnachweise" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 24" + ], + "iso27001": [ + "A.5.2" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.HR.09", + "title": "Schulung besondere Datenkategorien", + "description": "Spezialschulung fuer Mitarbeiter mit Zugang zu Art. 9/10 Daten zu erhoehten Schutzanforderungen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Spezialschulung fuer Mitarbeiter mit Zugang zu Art. 9/10 Daten zu erhoehten Schutzanforderungen.", + "evidence": [ + "Teilnahmenachweise", + "Sonderschulungsunterlagen" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
10" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.HR.10", + "title": "Kinder-Datenschutz-Schulung", + "description": "Schulung fuer Mitarbeiter die mit Daten von Minderjaehrigen arbeiten zu besonderen Schutzpflichten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Schulung fuer Mitarbeiter die mit Daten von Minderjaehrigen arbeiten zu besonderen Schutzpflichten.", + "evidence": [ + "Schulungsunterlagen", + "Teilnahmenachweise" + ], + "applies_if": { + "field": "vulnerable_persons", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 8", + "ErwGr. 38" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Vertraulichkeit", + "Datenminimierung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.HR.11", + "title": "Disziplinarprozess bei Datenschutzverstoessen", + "description": "Klaren Prozess fuer arbeitsrechtliche Konsequenzen bei vorsaetzlichen Datenschutzverstoessen definieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Klaren Prozess fuer arbeitsrechtliche Konsequenzen bei vorsaetzlichen Datenschutzverstoessen definieren.", + "evidence": [ + "Disziplinarordnung", + "Dokumentierte Vorfaelle", + "Sanktionskatalog" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
24" + ], + "iso27001": [ + "A.6.4" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.HR.12", + "title": "Datenschutz-Wissenstest", + "description": "Nach Schulungen Verstaendnistests durchfuehren um die Wirksamkeit der Schulungsmassnahmen zu pruefen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Nach Schulungen Verstaendnistests durchfuehren um die Wirksamkeit der Schulungsmassnahmen zu pruefen.", + "evidence": [ + "Testergebnisse", + "Bestehensquoten", + "Nachschulungsplaene" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 5(2)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.HR.13", + "title": "Externe Datenschutz-Zertifizierung Mitarbeiter", + "description": "Fachkraefte zu externen Datenschutz-Zertifizierungen (CIPP/E, CIPM, DSB-Zertifikat) entsenden.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Fachkraefte zu externen Datenschutz-Zertifizierungen (CIPP/E, CIPM, DSB-Zertifikat) entsenden.", + "evidence": [ + "Zertifikate", + "Fortbildungsnachweise" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
37(5)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "LOW", + "complexity": "HIGH" + }, + { + "id": "TOM.HR.14", + "title": "Awareness-Kampagnen", + "description": "Regelmaessige Datenschutz-Awareness durch Poster, Newsletter, Intranet-Beitraege und Quiz-Aktionen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige Datenschutz-Awareness durch Poster, Newsletter, Intranet-Beitraege und Quiz-Aktionen.", + "evidence": [ + "Kampagnen-Material", + "Reichweiten-Statistiken", + "Feedback" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 39(1b)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.HR.15", + "title": "Notfall-Kommunikationsschulung", + "description": "Schulung zur korrekten Kommunikation bei Datenpannen (intern, extern, Behoerden, Betroffene).", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Schulung zur korrekten Kommunikation bei Datenpannen (intern, extern, Behoerden, Betroffene).", + "evidence": [ + "Schulungsunterlagen", + "Uebungsprotokolle", + "Kommunikationsvorlagen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 33", + "Art. 
34" + ], + "iso27001": [ + "A.5.24" + ], + "bsi": [ + "DER.2.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + } + ] + }, + { + "id": "IAM", + "name": "Identity & Access Management", + "objective": "Sichere Identitaetsverwaltung und Authentifizierung fuer alle Systeme und Benutzer gewaehrleisten", + "controls": [ + { + "id": "TOM.IAM.01", + "title": "Zentrales Identitaetsmanagement", + "description": "Zentrales IAM-System (z.B. LDAP, Azure AD) fuer einheitliche Benutzerverwaltung einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "Zentrales IAM-System (z.B. LDAP, Azure AD) fuer einheitliche Benutzerverwaltung einsetzen.", + "evidence": [ + "IAM-Systemdokumentation", + "Benutzerlisten", + "Konfiguration" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.IAM.02", + "title": "Multi-Faktor-Authentifizierung (MFA)", + "description": "MFA fuer alle administrativen Zugaenge und Systeme mit personenbezogenen Daten verpflichtend einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "MFA fuer alle administrativen Zugaenge und Systeme mit personenbezogenen Daten verpflichtend einsetzen.", + "evidence": [ + "MFA-Konfiguration", + "Aktivierungsstatistik", + "Ausnahmeliste" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.IAM.03", + "title": "Passwort-Policy", + "description": "Mindeststandards fuer Passwoerter definieren: Laenge, Komplexitaet, Aenderungsintervalle, Sperrung.", + "type": "TECHNICAL", + "implementation_guidance": "Mindeststandards fuer Passwoerter definieren: Laenge, Komplexitaet, Aenderungsintervalle, Sperrung.", + "evidence": [ + "Passwort-Richtlinie", + "Technische Konfiguration", + "Compliance-Report" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.5.17" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.IAM.04", + "title": "Single Sign-On (SSO)", + "description": "SSO-Loesung implementieren fuer sichere und benutzerfreundliche Authentifizierung ueber alle Systeme.", + "type": "TECHNICAL", + "implementation_guidance": "SSO-Loesung implementieren fuer sichere und benutzerfreundliche Authentifizierung ueber alle Systeme.", + "evidence": [ + "SSO-Konfiguration", + "Angebundene Systeme", + "Audit-Logs" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.IAM.05", + "title": "Benutzer-Provisioning/Deprovisioning", + "description": "Automatisierte Prozesse fuer Anlegen und Deaktivieren von Benutzerkonten bei Ein-/Austritt.", + "type": "TECHNICAL", + "implementation_guidance": "Automatisierte Prozesse fuer Anlegen und Deaktivieren von Benutzerkonten bei Ein-/Austritt.", + "evidence": [ + "Provisioning-Workflows", + "Audit-Trail", + "SLA-Einhaltung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.IAM.06", + "title": "Service-Account-Management", + "description": "Service-Accounts inventarisieren, mit minimalen Rechten versehen und regelmaessig pruefen.", + "type": "TECHNICAL", + "implementation_guidance": "Service-Accounts inventarisieren, mit minimalen Rechten versehen und regelmaessig pruefen.", + "evidence": [ + "Service-Account-Inventar", + "Berechtigungsmatrix", + "Review-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Nichtverkettung" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.IAM.07", + "title": "Privileged Access Management (PAM)", + "description": "Verwaltung privilegierter Zugaenge mit Session-Recording, Just-in-Time-Access und Genehmigungsworkflows.", + "type": "TECHNICAL", + "implementation_guidance": "Verwaltung privilegierter Zugaenge mit Session-Recording, Just-in-Time-Access und Genehmigungsworkflows.", + "evidence": [ + "PAM-Konfiguration", + "Session-Logs", + "Genehmigungsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.2" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.IAM.08", + "title": "Biometrische Authentifizierung", + "description": "Bei Bedarf biometrische Verfahren einsetzen unter Beachtung der besonderen Schutzanforderungen Art. 9.", + "type": "TECHNICAL", + "implementation_guidance": "Bei Bedarf biometrische Verfahren einsetzen unter Beachtung der besonderen Schutzanforderungen Art. 9.", + "evidence": [ + "DSFA", + "Konfiguration", + "Einwilligungsnachweise" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
32" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.IAM.09", + "title": "Session-Management", + "description": "Automatische Session-Timeouts, Inaktivitaets-Sperren und sichere Session-Tokens implementieren.", + "type": "TECHNICAL", + "implementation_guidance": "Automatische Session-Timeouts, Inaktivitaets-Sperren und sichere Session-Tokens implementieren.", + "evidence": [ + "Session-Konfiguration", + "Timeout-Einstellungen", + "Sicherheitstests" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.IAM.10", + "title": "Account-Sperrung bei Fehlversuchen", + "description": "Automatische Kontosperrung nach konfigurierbarer Anzahl fehlgeschlagener Anmeldeversuche.", + "type": "TECHNICAL", + "implementation_guidance": "Automatische Kontosperrung nach konfigurierbarer Anzahl fehlgeschlagener Anmeldeversuche.", + "evidence": [ + "Sperr-Konfiguration", + "Monitoring-Alerts", + "Entsperr-Prozess" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.IAM.11", + "title": "Identitaets-Federation", + "description": "Sichere Identity Federation fuer Drittland-Partner mit Standards wie SAML/OIDC.", + "type": "TECHNICAL", + "implementation_guidance": "Sichere Identity Federation fuer Drittland-Partner mit Standards wie SAML/OIDC.", + "evidence": [ + "Federation-Konfiguration", + "Trust-Vereinbarungen", + "Audit-Logs" + ], + "applies_if": { + "field": "third_country_transfer", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32", + "Art. 44-49" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.IAM.12", + "title": "Selbstbedienungs-Passwort-Reset", + "description": "Sicheren Self-Service Passwort-Reset implementieren mit Identitaetsverifikation.", + "type": "TECHNICAL", + "implementation_guidance": "Sicheren Self-Service Passwort-Reset implementieren mit Identitaetsverifikation.", + "evidence": [ + "Konfiguration", + "Nutzungsstatistik", + "Sicherheitstest" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.IAM.13", + "title": "API-Authentifizierung und Token-Management", + "description": "Sichere API-Keys und OAuth2-Tokens mit Ablaufdatum, Rotation und Scope-Einschraenkung verwalten.", + "type": "TECHNICAL", + "implementation_guidance": "Sichere API-Keys und OAuth2-Tokens mit Ablaufdatum, Rotation und Scope-Einschraenkung verwalten.", + "evidence": [ + "API-Key-Inventar", + "Token-Policies", + "Rotations-Logs" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.IAM.14", + "title": "Conditional Access Policies", + "description": "Kontextabhaengige Zugangssteuerung basierend auf Geraetestatus, Standort, Risikolevel.", + "type": "TECHNICAL", + "implementation_guidance": "Kontextabhaengige Zugangssteuerung basierend auf Geraetestatus, Standort, Risikolevel.", + "evidence": [ + "Policy-Konfiguration", + "Anwendungsberichte", + "Ausnahmen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.IAM.15", + "title": "Hardware-Token/FIDO2", + "description": "Phishing-resistente Authentifizierung durch FIDO2/WebAuthn Hardware-Token fuer kritische Systeme.", + "type": "TECHNICAL", + "implementation_guidance": "Phishing-resistente Authentifizierung durch FIDO2/WebAuthn Hardware-Token fuer kritische Systeme.", + "evidence": [ + "Token-Inventar", + "Verteilungsliste", + "Einsatzrichtlinie" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + } + ] + }, + { + "id": "AC", + "name": "Authorization & Least Privilege", + "objective": "Zugriff auf personenbezogene Daten nach dem Need-to-Know-Prinzip steuern und regelmaessig rezertifizieren", + "controls": [ + { + "id": "TOM.AC.01", + "title": "Rollenbasierte Zugriffskontrolle (RBAC)", + "description": "RBAC-Modell implementieren mit klar definierten Rollen und minimalen Berechtigungen pro Rolle.", + "type": "TECHNICAL", + "implementation_guidance": "RBAC-Modell implementieren mit klar definierten Rollen und minimalen Berechtigungen pro Rolle.", + "evidence": [ + "Rollenmatrix", + "Berechtigungskonzept", + "RBAC-Konfiguration" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1b)" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Nichtverkettung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.02", + "title": "Need-to-Know-Prinzip", + "description": "Zugriff auf personenbezogene Daten nur fuer Mitarbeiter die diese fuer ihre Aufgaben benoetigen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Zugriff auf personenbezogene Daten nur fuer Mitarbeiter die diese fuer ihre Aufgaben benoetigen.", + "evidence": [ + "Berechtigungskonzept", + "Zugriffsantraege", + "Genehmigungsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 25(2)", + "Art. 32" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Datenminimierung", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.AC.03", + "title": "Zugriffsrezertifizierung", + "description": "Regelmaessige Ueberpruefung aller vergebenen Berechtigungen durch Vorgesetzte oder Dateneigentuemer.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige Ueberpruefung aller vergebenen Berechtigungen durch Vorgesetzte oder Dateneigentuemer.", + "evidence": [ + "Rezertifizierungs-Protokolle", + "Aenderungsnachweise", + "Fristenueberwachung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1d)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.04", + "title": "Attributbasierte Zugriffskontrolle (ABAC)", + "description": "Feingramulaere Zugriffssteuerung basierend auf Benutzer-Attributen, Datenklassifizierung und Kontext.", + "type": "TECHNICAL", + "implementation_guidance": "Feingramulaere Zugriffssteuerung basierend auf Benutzer-Attributen, Datenklassifizierung und Kontext.", + "evidence": [ + "ABAC-Policies", + "Attribut-Schema", + "Test-Ergebnisse" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Nichtverkettung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.AC.05", + "title": "Trennung kritischer Funktionen (SoD)", + "description": "Separation of Duties sicherstellen um Interessenkonflikte und Missbrauchsrisiken zu minimieren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Separation of Duties sicherstellen um Interessenkonflikte und Missbrauchsrisiken zu minimieren.", + "evidence": [ + "SoD-Matrix", + "Rollenkonflikte-Analyse", + "Ausnahmen-Register" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.5.3" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Integritaet", + "Nichtverkettung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.06", + "title": "Datenklassifizierung und Labeling", + "description": "Systematische Klassifizierung aller Daten nach Schutzbedarf (oeffentlich, intern, vertraulich, streng vertraulich).", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Systematische Klassifizierung aller Daten nach Schutzbedarf (oeffentlich, intern, vertraulich, streng vertraulich).", + "evidence": [ + "Klassifizierungsschema", + "Dateninventar", + "Label-Statistik" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.5.12" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.07", + "title": "Zugriff auf besondere Datenkategorien", + "description": "Zusaetzliche Zugriffsbeschraenkungen fuer Art. 9/10 Daten mit expliziter Genehmigung und Protokollierung.", + "type": "TECHNICAL", + "implementation_guidance": "Zusaetzliche Zugriffsbeschraenkungen fuer Art. 9/10 Daten mit expliziter Genehmigung und Protokollierung.", + "evidence": [ + "Sonder-Berechtigungskonzept", + "Genehmigungsnachweise", + "Zugriffsprotokolle" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
10" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Nichtverkettung" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.08", + "title": "Temporaere Zugriffsrechte", + "description": "Zeitlich befristete Zugaenge fuer Projekte, externe Berater oder Notfaelle mit automatischem Ablauf.", + "type": "TECHNICAL", + "implementation_guidance": "Zeitlich befristete Zugaenge fuer Projekte, externe Berater oder Notfaelle mit automatischem Ablauf.", + "evidence": [ + "Befristungsrichtlinie", + "Ablauf-Konfiguration", + "Review-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.09", + "title": "Zugriffsentzug bei Rollenwechsel", + "description": "Bei internem Wechsel alte Berechtigungen entziehen und neue rollenkonform vergeben.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bei internem Wechsel alte Berechtigungen entziehen und neue rollenkonform vergeben.", + "evidence": [ + "Wechsel-Checkliste", + "Berechtigungs-Audit", + "Freigabeprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.AC.10", + "title": "Protokollierung von Zugriffsaenderungen", + "description": "Jede Aenderung an Zugriffsrechten lueckenlos protokollieren mit Zeitstempel, Antragsteller und Genehmiger.", + "type": "TECHNICAL", + "implementation_guidance": "Jede Aenderung an Zugriffsrechten lueckenlos protokollieren mit Zeitstempel, Antragsteller und Genehmiger.", + "evidence": [ + "Aenderungs-Audit-Trail", + "Log-Archivierung", + "Integritaetsschutz" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(2)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz", + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.AC.11", + "title": "Mandantentrennung", + "description": "Strikte Trennung von Mandanten-/Kundendaten auf Datenbank- und Anwendungsebene.", + "type": "TECHNICAL", + "implementation_guidance": "Strikte Trennung von Mandanten-/Kundendaten auf Datenbank- und Anwendungsebene.", + "evidence": [ + "Mandantenkonzept", + "Trennungstests", + "Konfiguration" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
32(1b)" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Nichtverkettung", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.AC.12", + "title": "Datenmaskierung und Anonymisierung", + "description": "Produktionsdaten in Test- und Entwicklungsumgebungen maskieren oder anonymisieren.", + "type": "TECHNICAL", + "implementation_guidance": "Produktionsdaten in Test- und Entwicklungsumgebungen maskieren oder anonymisieren.", + "evidence": [ + "Maskierungsregeln", + "Anonymisierungsnachweise", + "Test-Compliance-Report" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.13", + "title": "Break-Glass-Verfahren", + "description": "Notfall-Zugriffsverfahren fuer Ausnahmesituationen mit nachtraeglicher Genehmigung und Protokollierung.", + "type": "TECHNICAL", + "implementation_guidance": "Notfall-Zugriffsverfahren fuer Ausnahmesituationen mit nachtraeglicher Genehmigung und Protokollierung.", + "evidence": [ + "Break-Glass-Policy", + "Nutzungsprotokolle", + "Review-Berichte" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.5.18" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.14", + "title": "Zugriffskontrolle fuer Kinderdaten", + "description": "Besonders restriktive Zugriffskontrollen fuer Systeme mit Daten von Minderjaehrigen.", + "type": "TECHNICAL", + "implementation_guidance": "Besonders restriktive Zugriffskontrollen fuer Systeme mit Daten von Minderjaehrigen.", + "evidence": [ + "Sonderberechtigungskonzept", + "Altersverifikation", + "Zugriffsprotokolle" + ], + "applies_if": { + "field": "vulnerable_persons", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 8", + "ErwGr. 38" + ], + "iso27001": [ + "A.5.15" + ], + "bsi": [ + "ORP.4" + ], + "sdm": [ + "Vertraulichkeit", + "Datenminimierung" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.AC.15", + "title": "Zero-Trust-Zugriffsmodell", + "description": "Vertrauenswuerdigkeit bei jedem Zugriff neu bewerten statt implizit durch Netzwerkzugehoerigkeit.", + "type": "TECHNICAL", + "implementation_guidance": "Vertrauenswuerdigkeit bei jedem Zugriff neu bewerten statt implizit durch Netzwerkzugehoerigkeit.", + "evidence": [ + "Zero-Trust-Architektur", + "Policy-Engine-Konfiguration", + "Bewertungsregeln" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.5" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + } + ] + }, + { + "id": "CRYPTO", + "name": "Encryption & Key Management", + "objective": "Vertraulichkeit und Integritaet personenbezogener Daten durch angemessene Verschluesselung sicherstellen", + "controls": [ + { + "id": "TOM.CRYPTO.01", + "title": "TLS/HTTPS fuer alle Verbindungen", + "description": "Ausschliesslich TLS 1.2+ fuer alle Netzwerkverbindungen verwenden, unsichere Protokolle deaktivieren.", + "type": "TECHNICAL", + "implementation_guidance": "Ausschliesslich TLS 1.2+ fuer alle Netzwerkverbindungen verwenden, unsichere Protokolle deaktivieren.", + "evidence": [ + "TLS-Konfiguration", + "SSL-Scan-Berichte", + "Cipher-Suite-Pruefung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.CRYPTO.02", + "title": "Verschluesselung ruhender Daten (at rest)", + "description": "Datenbanken, Dateisysteme und Backups mit AES-256 oder vergleichbar verschluesseln.", + "type": "TECHNICAL", + "implementation_guidance": "Datenbanken, Dateisysteme und Backups mit AES-256 oder vergleichbar verschluesseln.", + "evidence": [ + "Verschluesselungskonfiguration", + "Key-Inventar", + "Audit-Berichte" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.03", + "title": "E-Mail-Verschluesselung", + "description": "S/MIME oder PGP fuer den Versand personenbezogener Daten per E-Mail einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "S/MIME oder PGP fuer den Versand personenbezogener Daten per E-Mail einsetzen.", + "evidence": [ + "E-Mail-Policy", + "Verschluesselungskonfiguration", + "Zertifikatsverwaltung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.04", + "title": "Key-Management-Prozess", + "description": "Dokumentierten Prozess fuer Erstellung, Verteilung, Rotation und Vernichtung kryptographischer Schluessel.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Dokumentierten Prozess fuer Erstellung, Verteilung, Rotation und Vernichtung kryptographischer Schluessel.", + "evidence": [ + "Key-Management-Policy", + "Schluesselinventar", + "Rotationsplan" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.05", + "title": "Schluessel-Rotation", + "description": "Kryptographische Schluessel regelmaessig rotieren gemaess definiertem Zeitplan und bei Kompromittierungsverdacht.", + "type": "TECHNICAL", + "implementation_guidance": "Kryptographische Schluessel regelmaessig rotieren gemaess definiertem Zeitplan und bei Kompromittierungsverdacht.", + "evidence": [ + "Rotationsplan", + "Rotations-Logs", + "Automatisierungsnachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.06", + "title": "Hardware Security Module (HSM)", + "description": "HSM fuer die Speicherung und Verwaltung von Master-Keys in Hochsicherheitsumgebungen einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "HSM fuer die Speicherung und Verwaltung von Master-Keys in Hochsicherheitsumgebungen einsetzen.", + "evidence": [ + "HSM-Dokumentation", + "Zugriffsprotokolle", + "FIPS-140-2-Zertifikat" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.CRYPTO.07", + "title": "Datei-/Ordner-Verschluesselung", + "description": "Endgeraete-Verschluesselung (BitLocker, FileVault) fuer alle Laptops und mobilen Geraete.", + "type": "TECHNICAL", + "implementation_guidance": "Endgeraete-Verschluesselung (BitLocker, FileVault) fuer alle Laptops und mobilen Geraete.", + "evidence": [ + "Verschluesselungs-Policy", + "Aktivierungsstatus", + "MDM-Report" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.1" + ], + "bsi": [ + "SYS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.CRYPTO.08", + "title": "Verschluesselung bei Drittlandtransfer", + "description": "Ende-zu-Ende-Verschluesselung als ergaenzende Massnahme bei Datentransfers in Drittlaender.", + "type": "TECHNICAL", + "implementation_guidance": "Ende-zu-Ende-Verschluesselung als ergaenzende Massnahme bei Datentransfers in Drittlaender.", + "evidence": [ + "E2E-Konfiguration", + "Schluesselhoheit-Nachweis", + "Transfer-Protokolle" + ], + "applies_if": { + "field": "third_country_transfer", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1a)", + "Art. 
46" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.CRYPTO.09", + "title": "Datenbank-Verschluesselung (TDE)", + "description": "Transparent Data Encryption fuer Datenbanken mit personenbezogenen Daten aktivieren.", + "type": "TECHNICAL", + "implementation_guidance": "Transparent Data Encryption fuer Datenbanken mit personenbezogenen Daten aktivieren.", + "evidence": [ + "TDE-Konfiguration", + "Key-Management", + "Performance-Test" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.10", + "title": "Verschluesselung besonderer Kategorien", + "description": "Verstaerkte Verschluesselung (z.B. Feldverschluesselung) fuer Art. 9/10 Daten auf Anwendungsebene.", + "type": "TECHNICAL", + "implementation_guidance": "Verstaerkte Verschluesselung (z.B. Feldverschluesselung) fuer Art. 9/10 Daten auf Anwendungsebene.", + "evidence": [ + "Feldverschluesselungskonzept", + "Schluesselmanagement", + "Zugriffsprotokolle" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.CRYPTO.11", + "title": "Zertifikatsverwaltung (PKI)", + "description": "Zentralisierte Verwaltung aller digitalen Zertifikate mit Ablaufueberwachung und automatischer Erneuerung.", + "type": "TECHNICAL", + "implementation_guidance": "Zentralisierte Verwaltung aller digitalen Zertifikate mit Ablaufueberwachung und automatischer Erneuerung.", + "evidence": [ + "Zertifikatsinventar", + "Ablaufueberwachung", + "PKI-Dokumentation" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.CRYPTO.12", + "title": "Sichere Zufallszahlengenerierung", + "description": "Kryptographisch sichere Zufallszahlengeneratoren (CSPRNG) fuer Schluessel, Tokens und IDs verwenden.", + "type": "TECHNICAL", + "implementation_guidance": "Kryptographisch sichere Zufallszahlengeneratoren (CSPRNG) fuer Schluessel, Tokens und IDs verwenden.", + "evidence": [ + "Implementierungsdokumentation", + "Code-Review", + "Test-Berichte" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.CRYPTO.13", + "title": "Tokenisierung sensibler Daten", + "description": "Ersetzen sensibler Daten durch nicht-reversible Token wo moeglich zur Risikominimierung.", + "type": "TECHNICAL", + "implementation_guidance": "Ersetzen sensibler Daten durch nicht-reversible Token wo moeglich zur Risikominimierung.", + "evidence": [ + "Tokenisierungskonzept", + "Mapping-Schutz", + "Einsatzbereiche" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.CRYPTO.14", + "title": "Post-Quantum-Readiness", + "description": "Kryptographische Verfahren auf Post-Quantum-Sicherheit evaluieren und Migrationsplan erstellen.", + "type": "TECHNICAL", + "implementation_guidance": "Kryptographische Verfahren auf Post-Quantum-Sicherheit evaluieren und Migrationsplan erstellen.", + "evidence": [ + "Evaluierungsbericht", + "Migrationsplan", + "Algorithmus-Inventar" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.24" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "HIGH" + }, + { + "id": "TOM.CRYPTO.15", + "title": "Verschluesselung mobiler Datentraeger", + "description": "Alle mobilen Datentraeger (USB, externe Festplatten) verschluesseln oder deren Nutzung einschraenken.", + "type": "TECHNICAL", + "implementation_guidance": "Alle mobilen Datentraeger (USB, externe Festplatten) verschluesseln oder deren Nutzung einschraenken.", + "evidence": [ + "USB-Policy", + "Verschluesselungstool", + "DLP-Konfiguration" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.1" + ], + "bsi": [ + "SYS.4.5" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + } + ] + }, + { + "id": "LOG", + "name": "Logging, Monitoring & Detection", + "objective": "Lueckenlose Protokollierung und proaktive Ueberwachung zur Erkennung und Aufklaerung von Datenschutzvorfaellen", + "controls": [ + { + "id": "TOM.LOG.01", + "title": "Zentrale Protokollierung", + "description": "Alle sicherheits- und datenschutzrelevanten Ereignisse zentral sammeln und korrelieren.", + "type": "TECHNICAL", + "implementation_guidance": "Alle sicherheits- und datenschutzrelevanten Ereignisse zentral sammeln und korrelieren.", + "evidence": [ + "SIEM/Log-Management", + "Log-Quellen-Inventar", + "Konfiguration" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(2)", + "Art. 
32(1d)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.02", + "title": "Audit-Trail personenbezogener Zugriffe", + "description": "Jeden Zugriff auf personenbezogene Daten protokollieren mit Wer, Wann, Was, Warum.", + "type": "TECHNICAL", + "implementation_guidance": "Jeden Zugriff auf personenbezogene Daten protokollieren mit Wer, Wann, Was, Warum.", + "evidence": [ + "Zugriffsprotokolle", + "Audit-Trail-Konfiguration", + "Stichproben-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(2)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz", + "Nichtverkettung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.03", + "title": "Integritaetsschutz fuer Logs", + "description": "Protokolldaten gegen nachtraegliche Manipulation schuetzen (Write-Once, Signierung, WORM).", + "type": "TECHNICAL", + "implementation_guidance": "Protokolldaten gegen nachtraegliche Manipulation schuetzen (Write-Once, Signierung, WORM).", + "evidence": [ + "Log-Integritaetskonfiguration", + "Hash-Pruefprotokolle", + "Zugriffsschutz" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
5(2)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.04", + "title": "Aufbewahrungsfristen fuer Logs", + "description": "Log-Retention-Policies definieren: ausreichend lang fuer Nachvollziehbarkeit, konform mit Speicherbegrenzung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Log-Retention-Policies definieren: ausreichend lang fuer Nachvollziehbarkeit, konform mit Speicherbegrenzung.", + "evidence": [ + "Retention-Policy", + "Loeschautomatisierung", + "Compliance-Nachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1e)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Speicherbegrenzung", + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.LOG.05", + "title": "Security Information Event Management (SIEM)", + "description": "SIEM-System zur Korrelation und Analyse von Sicherheitsereignissen in Echtzeit einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "SIEM-System zur Korrelation und Analyse von Sicherheitsereignissen in Echtzeit einsetzen.", + "evidence": [ + "SIEM-Architektur", + "Regelwerk", + "Alert-Konfiguration", + "Tuning-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1d)" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Integritaet", + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.LOG.06", + "title": "Alerting bei Anomalien", + "description": "Automatische Alerts bei ungewoehnlichen Zugriffsmustern, massenhaften Downloads oder Rechteeskalationen.", + "type": "TECHNICAL", + "implementation_guidance": "Automatische Alerts bei ungewoehnlichen Zugriffsmustern, massenhaften Downloads oder Rechteeskalationen.", + "evidence": [ + "Alert-Regeln", + "Eskalationsprozess", + "False-Positive-Rate" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1d)" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "DER.1" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.07", + "title": "Datenzugriffs-Monitoring bei Art. 9 Daten", + "description": "Verstaerktes Monitoring und Alerting fuer Zugriffe auf besondere Datenkategorien.", + "type": "TECHNICAL", + "implementation_guidance": "Verstaerktes Monitoring und Alerting fuer Zugriffe auf besondere Datenkategorien.", + "evidence": [ + "Monitoring-Regeln", + "Alert-Protokolle", + "Review-Berichte" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
32" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "DER.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.08", + "title": "Login-/Logout-Protokollierung", + "description": "Erfolgreiche und fehlgeschlagene Anmeldeversuche mit Zeitstempel, IP und Geraet protokollieren.", + "type": "TECHNICAL", + "implementation_guidance": "Erfolgreiche und fehlgeschlagene Anmeldeversuche mit Zeitstempel, IP und Geraet protokollieren.", + "evidence": [ + "Login-Logs", + "Konfiguration", + "Auswertungs-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1d)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.LOG.09", + "title": "Administrationsaktivitaeten-Logging", + "description": "Alle administrativen Taetigkeiten (Konfigurationsaenderungen, Benutzeraenderungen) protokollieren.", + "type": "TECHNICAL", + "implementation_guidance": "Alle administrativen Taetigkeiten (Konfigurationsaenderungen, Benutzeraenderungen) protokollieren.", + "evidence": [ + "Admin-Audit-Trail", + "Change-Log", + "Four-Eyes-Nachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
5(2)" + ], + "iso27001": [ + "A.8.15" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.LOG.10", + "title": "Datenloesch-Protokollierung", + "description": "Jede Loeschung personenbezogener Daten dokumentieren mit Zeitpunkt, Umfang und Rechtsgrundlage.", + "type": "TECHNICAL", + "implementation_guidance": "Jede Loeschung personenbezogener Daten dokumentieren mit Zeitpunkt, Umfang und Rechtsgrundlage.", + "evidence": [ + "Loeschprotokolle", + "Automatisierungsnachweis", + "Stichproben" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 5(2)", + "Art. 17" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "OPS.1.2" + ], + "sdm": [ + "Transparenz", + "Speicherbegrenzung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.11", + "title": "Netzwerk-Traffic-Monitoring", + "description": "Netzwerkverkehr auf ungewoehnliche Muster, Datenexfiltration und unerlaubte Verbindungen ueberwachen.", + "type": "TECHNICAL", + "implementation_guidance": "Netzwerkverkehr auf ungewoehnliche Muster, Datenexfiltration und unerlaubte Verbindungen ueberwachen.", + "evidence": [ + "Flow-Analyse-Berichte", + "IDS-Konfiguration", + "Alert-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.LOG.12", + "title": "Grossvolumige Zugriffs-Alerts", + "description": "Alerts bei massenhaftem Datenexport oder -zugriff der auf Datenabfluss hindeuten koennte.", + "type": "TECHNICAL", + "implementation_guidance": "Alerts bei massenhaftem Datenexport oder -zugriff der auf Datenabfluss hindeuten koennte.", + "evidence": [ + "Alert-Schwellwerte", + "DLP-Integration", + "Eskalationsprotokoll" + ], + "applies_if": { + "field": "large_scale", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32", + "Art. 33" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "DER.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.13", + "title": "Log-Anonymisierung und Pseudonymisierung", + "description": "Personenbezogene Daten in Logs nach Moeglichkeit pseudonymisieren oder anonymisieren.", + "type": "TECHNICAL", + "implementation_guidance": "Personenbezogene Daten in Logs nach Moeglichkeit pseudonymisieren oder anonymisieren.", + "evidence": [ + "Anonymisierungsregeln", + "Konfiguration", + "Stichproben" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 
5(1c)" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.LOG.14", + "title": "24/7 Security Operations Center (SOC)", + "description": "Rund-um-die-Uhr-Ueberwachung durch internes oder externes SOC fuer kritische Systeme.", + "type": "TECHNICAL", + "implementation_guidance": "Rund-um-die-Uhr-Ueberwachung durch internes oder externes SOC fuer kritische Systeme.", + "evidence": [ + "SOC-Vertrag/Aufstellung", + "Eskalationsprozess", + "Incident-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "DER.1" + ], + "sdm": [ + "Verfuegbarkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.LOG.15", + "title": "Forensik-Faehigkeit", + "description": "Log-Infrastruktur so gestalten, dass forensische Analysen nach Sicherheitsvorfaellen moeglich sind.", + "type": "TECHNICAL", + "implementation_guidance": "Log-Infrastruktur so gestalten, dass forensische Analysen nach Sicherheitsvorfaellen moeglich sind.", + "evidence": [ + "Forensik-Richtlinie", + "Log-Archivierung", + "Chain-of-Custody-Prozess" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 33", + "Art. 
34" + ], + "iso27001": [ + "A.5.28" + ], + "bsi": [ + "DER.2.2" + ], + "sdm": [ + "Integritaet", + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + } + ] + }, + { + "id": "SDLC", + "name": "Secure Development", + "objective": "Datenschutz und Sicherheit fruehzeitig in den Software-Entwicklungsprozess integrieren", + "controls": [ + { + "id": "TOM.SDLC.01", + "title": "Secure Coding Guidelines", + "description": "Verbindliche Richtlinien fuer sichere Softwareentwicklung (OWASP, SANS) etablieren und schulen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Verbindliche Richtlinien fuer sichere Softwareentwicklung (OWASP, SANS) etablieren und schulen.", + "evidence": [ + "Secure Coding Policy", + "Schulungsnachweise", + "Code-Standards" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.SDLC.02", + "title": "Code-Review-Prozess", + "description": "Peer-Reviews fuer alle Codeaenderungen mit Fokus auf Sicherheits- und Datenschutzaspekte.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Peer-Reviews fuer alle Codeaenderungen mit Fokus auf Sicherheits- und Datenschutzaspekte.", + "evidence": [ + "Review-Policy", + "Pull-Request-Statistik", + "Review-Checkliste" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
25(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.SDLC.03", + "title": "Statische Code-Analyse (SAST)", + "description": "Automatisierte SAST-Tools in der CI/CD-Pipeline fuer Sicherheitsluecken-Erkennung einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "Automatisierte SAST-Tools in der CI/CD-Pipeline fuer Sicherheitsluecken-Erkennung einsetzen.", + "evidence": [ + "SAST-Tool-Konfiguration", + "Scan-Berichte", + "Behebungsquoten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.04", + "title": "Dependency-/Supply-Chain-Scanning", + "description": "Automatisierte Pruefung von Abhaengigkeiten auf bekannte Schwachstellen (SCA) und Lizenzen.", + "type": "TECHNICAL", + "implementation_guidance": "Automatisierte Pruefung von Abhaengigkeiten auf bekannte Schwachstellen (SCA) und Lizenzen.", + "evidence": [ + "SCA-Tool-Konfiguration", + "SBOM", + "Vulnerability-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.05", + "title": "Secrets-Scanning", + "description": "Automatisierte Erkennung von hartcodierten Zugangsdaten, API-Keys und Tokens in Code-Repositories.", + "type": "TECHNICAL", + "implementation_guidance": "Automatisierte Erkennung von hartcodierten Zugangsdaten, API-Keys und Tokens in Code-Repositories.", + "evidence": [ + "Scanner-Konfiguration", + "Findings-Report", + "Remediation-Tracking" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.SDLC.06", + "title": "Privacy by Design in der Entwicklung", + "description": "Datenschutzanforderungen als fester Bestandteil in User Stories, Akzeptanzkriterien und Definition of Done.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Datenschutzanforderungen als fester Bestandteil in User Stories, Akzeptanzkriterien und Definition of Done.", + "evidence": [ + "DoD-Checkliste", + "Story-Templates", + "Sprint-Review-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
25(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Datenminimierung", + "Zweckbindung" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.07", + "title": "Penetration Testing", + "description": "Regelmaessige Penetration Tests durch interne oder externe Experten fuer kritische Anwendungen.", + "type": "TECHNICAL", + "implementation_guidance": "Regelmaessige Penetration Tests durch interne oder externe Experten fuer kritische Anwendungen.", + "evidence": [ + "Pentest-Berichte", + "Massnahmenplan", + "Nachtest-Ergebnisse" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1d)" + ], + "iso27001": [ + "A.8.8" + ], + "bsi": [ + "DER.3.1" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.SDLC.08", + "title": "Getrennte Umgebungen (Dev/Staging/Prod)", + "description": "Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen mit eigenen Zugaengen.", + "type": "TECHNICAL", + "implementation_guidance": "Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen mit eigenen Zugaengen.", + "evidence": [ + "Umgebungsarchitektur", + "Zugangskonzept", + "Netzwerktrennung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1b)" + ], + "iso27001": [ + "A.8.31" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Nichtverkettung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.09", + "title": "CI/CD Security Gates", + "description": "Automatisierte Sicherheitschecks als Quality Gates in der Deployment-Pipeline.", + "type": "TECHNICAL", + "implementation_guidance": "Automatisierte Sicherheitschecks als Quality Gates in der Deployment-Pipeline.", + "evidence": [ + "Pipeline-Konfiguration", + "Gate-Kriterien", + "Compliance-Rate" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.10", + "title": "DSGVO-Testdaten-Management", + "description": "Keine Produktionsdaten in Test-Umgebungen verwenden; stattdessen synthetische oder anonymisierte Testdaten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Keine Produktionsdaten in Test-Umgebungen verwenden; stattdessen synthetische oder anonymisierte Testdaten.", + "evidence": [ + "Testdaten-Policy", + "Anonymisierungstool", + "Compliance-Nachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 
5(1c)" + ], + "iso27001": [ + "A.8.33" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Datenminimierung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.11", + "title": "Threat Modeling", + "description": "Bei neuen Features systematische Bedrohungsanalyse durchfuehren (STRIDE, LINDDUN) mit Datenschutzfokus.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bei neuen Features systematische Bedrohungsanalyse durchfuehren (STRIDE, LINDDUN) mit Datenschutzfokus.", + "evidence": [ + "Threat-Model-Dokumente", + "Massnahmenableitung", + "Review-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 35" + ], + "iso27001": [ + "A.5.8" + ], + "bsi": [ + "CON.2" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.SDLC.12", + "title": "API-Security-Standards", + "description": "REST/GraphQL APIs nach OWASP API Security Top 10 absichern mit Rate-Limiting, Input-Validation, AuthZ.", + "type": "TECHNICAL", + "implementation_guidance": "REST/GraphQL APIs nach OWASP API Security Top 10 absichern mit Rate-Limiting, Input-Validation, AuthZ.", + "evidence": [ + "API-Security-Richtlinie", + "Scan-Berichte", + "Test-Ergebnisse" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.13", + "title": "Security-Champions-Programm", + "description": "In jedem Entwicklungsteam einen Security Champion ausbilden als Ansprechpartner fuer Sicherheitsfragen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "In jedem Entwicklungsteam einen Security Champion ausbilden als Ansprechpartner fuer Sicherheitsfragen.", + "evidence": [ + "Champion-Liste", + "Schulungsnachweise", + "Aktivitaetsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.6.3" + ], + "bsi": [ + "ORP.3" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.SDLC.14", + "title": "Bug-Bounty/Responsible-Disclosure", + "description": "Programm fuer verantwortungsvolle Offenlegung von Schwachstellen durch externe Sicherheitsforscher.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Programm fuer verantwortungsvolle Offenlegung von Schwachstellen durch externe Sicherheitsforscher.", + "evidence": [ + "Disclosure-Policy", + "Kontaktinformationen", + "Belohnungsrichtlinie" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1d)" + ], + "iso27001": [ + "A.5.7" + ], + "bsi": [ + "DER.3.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.SDLC.15", + "title": "Sichere Software-Lieferkette", + "description": "Integritaet der gesamten Build- und Deploy-Pipeline sicherstellen (Signierung, SBOM, Provenance).", + "type": "TECHNICAL", + "implementation_guidance": "Integritaet der gesamten Build- und Deploy-Pipeline sicherstellen (Signierung, SBOM, Provenance).", + "evidence": [ + "SBOM", + "Signierungskonfiguration", + "Pipeline-Audit", + "Provenance-Logs" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.5.21" + ], + "bsi": [ + "APP.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + } + ] + }, + { + "id": "OPS", + "name": "Operations & Hardening", + "objective": "Sichere Konfiguration und laufende Haertung aller IT-Systeme gewaehrleisten", + "controls": [ + { + "id": "TOM.OPS.01", + "title": "Patch-Management-Prozess", + "description": "Zeitnahe Installation von Sicherheits-Patches mit definierten SLAs (kritisch: 24h, hoch: 7 Tage).", + "type": "TECHNICAL", + "implementation_guidance": "Zeitnahe Installation von Sicherheits-Patches mit definierten SLAs (kritisch: 24h, hoch: 7 Tage).", + "evidence": [ + "Patch-Policy", + "Patch-Status-Reports", + "SLA-Einhaltung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.8" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet", + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.02", + "title": "System-Haertung (Hardening)", + "description": "Betriebssysteme und Anwendungen nach CIS-Benchmarks oder BSI-Vorgaben haerten.", + "type": "TECHNICAL", + "implementation_guidance": "Betriebssysteme und Anwendungen nach CIS-Benchmarks oder BSI-Vorgaben haerten.", + "evidence": [ + "Hardening-Checklisten", + "CIS-Benchmark-Reports", + "Konfigurationsdokumentation" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.9" + ], + "bsi": [ + "SYS.1.1" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.03", + "title": "Vulnerability Management", + "description": "Regelmaessige Schwachstellen-Scans und systematische Behebung nach Risikobewertung.", + "type": "TECHNICAL", + "implementation_guidance": "Regelmaessige Schwachstellen-Scans und systematische Behebung nach Risikobewertung.", + "evidence": [ + "Scan-Berichte", + "Behebungs-Tracking", + "Risikobewertungen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1d)" + ], + "iso27001": [ + "A.8.8" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.04", + "title": "Configuration Management", + "description": "Definierte und dokumentierte Konfigurationsstandards fuer alle Systeme mit Abweichungserkennung.", + "type": "TECHNICAL", + "implementation_guidance": "Definierte und dokumentierte Konfigurationsstandards fuer alle Systeme mit Abweichungserkennung.", + "evidence": [ + "Konfigurations-Baseline", + "Drift-Detection-Reports", + "Change-Logs" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.9" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.05", + "title": "Asset-/Inventar-Management", + "description": "Vollstaendiges Inventar aller IT-Assets mit Klassifizierung und Datenschutzrelevanz-Bewertung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Vollstaendiges Inventar aller IT-Assets mit Klassifizierung und Datenschutzrelevanz-Bewertung.", + "evidence": [ + "Asset-Inventar", + "Klassifizierung", + "Verantwortlichkeiten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 30", + "Art. 
32" + ], + "iso27001": [ + "A.5.9" + ], + "bsi": [ + "ORP.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.06", + "title": "Endgeraete-Sicherheit (EDR/MDM)", + "description": "Endpoint Detection & Response und Mobile Device Management fuer alle Endgeraete einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "Endpoint Detection & Response und Mobile Device Management fuer alle Endgeraete einsetzen.", + "evidence": [ + "EDR-Konfiguration", + "MDM-Policy", + "Geraetestatus-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.1" + ], + "bsi": [ + "SYS.3.2" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.07", + "title": "Server-Haertung kritischer Systeme", + "description": "Verstaerkte Haertung fuer Systeme die besondere Datenkategorien verarbeiten.", + "type": "TECHNICAL", + "implementation_guidance": "Verstaerkte Haertung fuer Systeme die besondere Datenkategorien verarbeiten.", + "evidence": [ + "Haertungsdokumentation", + "Compliance-Scans", + "Abweichungsbericht" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
32" + ], + "iso27001": [ + "A.8.9" + ], + "bsi": [ + "SYS.1.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.08", + "title": "Change-Management-Prozess", + "description": "Formaler Change-Management-Prozess fuer alle Aenderungen an produktiven Systemen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Formaler Change-Management-Prozess fuer alle Aenderungen an produktiven Systemen.", + "evidence": [ + "Change-Requests", + "Genehmigungen", + "Rollback-Plaene" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1d)" + ], + "iso27001": [ + "A.8.32" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet", + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.09", + "title": "Automatisierte Compliance-Checks", + "description": "Infrastructure-as-Code Compliance-Pruefungen fuer Cloud- und Container-Umgebungen.", + "type": "TECHNICAL", + "implementation_guidance": "Infrastructure-as-Code Compliance-Pruefungen fuer Cloud- und Container-Umgebungen.", + "evidence": [ + "Compliance-Scan-Reports", + "Policy-as-Code", + "Abweichungs-Alerts" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.9" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.OPS.10", + "title": "Container-Security", + "description": "Container-Images scannen, minimale Base-Images verwenden, Runtime-Schutz implementieren.", + "type": "TECHNICAL", + "implementation_guidance": "Container-Images scannen, minimale Base-Images verwenden, Runtime-Schutz implementieren.", + "evidence": [ + "Image-Scan-Reports", + "Dockerfile-Reviews", + "Runtime-Policy" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.25" + ], + "bsi": [ + "APP.4" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.OPS.11", + "title": "Dekommissionierung von Systemen", + "description": "Sichere Ausserbetriebnahme von IT-Systemen mit Datenloeschung, Dokumentation und Inventar-Update.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Sichere Ausserbetriebnahme von IT-Systemen mit Datenloeschung, Dokumentation und Inventar-Update.", + "evidence": [ + "Dekommissionierungsprotokoll", + "Loeschnachweis", + "Inventar-Update" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 17", + "Art. 
32" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "SYS.1.1" + ], + "sdm": [ + "Speicherbegrenzung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.OPS.12", + "title": "Malware-Schutz", + "description": "Aktuelle Anti-Malware-Loesung auf allen Systemen mit automatischen Updates und Echtzeit-Scan.", + "type": "TECHNICAL", + "implementation_guidance": "Aktuelle Anti-Malware-Loesung auf allen Systemen mit automatischen Updates und Echtzeit-Scan.", + "evidence": [ + "AV-Konfiguration", + "Scan-Reports", + "Update-Status" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.7" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet", + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.OPS.13", + "title": "Zeitliche Synchronisation (NTP)", + "description": "Alle Systeme mit verlaesslicher Zeitquelle synchronisieren fuer konsistente Protokollierung.", + "type": "TECHNICAL", + "implementation_guidance": "Alle Systeme mit verlaesslicher Zeitquelle synchronisieren fuer konsistente Protokollierung.", + "evidence": [ + "NTP-Konfiguration", + "Sync-Status", + "Abweichungs-Alerts" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
5(2)" + ], + "iso27001": [ + "A.8.17" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet", + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.OPS.14", + "title": "Sichere Entsorgung von Datentraegern", + "description": "Physische Datentraeger vor Entsorgung oder Wiederverwendung sicher loeschen (NIST SP 800-88).", + "type": "TECHNICAL", + "implementation_guidance": "Physische Datentraeger vor Entsorgung oder Wiederverwendung sicher loeschen (NIST SP 800-88).", + "evidence": [ + "Loeschprotokolle", + "Zertifikate Datentraegervernichtung", + "Entsorgungsvertrag" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1e)", + "Art. 17" + ], + "iso27001": [ + "A.7.14" + ], + "bsi": [ + "INF.1" + ], + "sdm": [ + "Speicherbegrenzung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.OPS.15", + "title": "Immutable Infrastructure", + "description": "Unveraenderbare Server-Infrastruktur um Konfigurationsdrift und nachtraegliche Manipulation zu verhindern.", + "type": "TECHNICAL", + "implementation_guidance": "Unveraenderbare Server-Infrastruktur um Konfigurationsdrift und nachtraegliche Manipulation zu verhindern.", + "evidence": [ + "IaC-Repository", + "Deployment-Logs", + "Drift-Detection" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.9" + ], + "bsi": [ + "OPS.1.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "MEDIUM", + "complexity": "HIGH" + } + ] + }, + { + "id": "NET", + "name": "Network Security", + "objective": "Netzwerksicherheit durch Segmentierung, Filterung und Ueberwachung gewaehrleisten", + "controls": [ + { + "id": "TOM.NET.01", + "title": "Netzwerksegmentierung", + "description": "Netzwerk in Sicherheitszonen aufteilen und Datenverarbeitung nach Schutzbedarf separieren.", + "type": "TECHNICAL", + "implementation_guidance": "Netzwerk in Sicherheitszonen aufteilen und Datenverarbeitung nach Schutzbedarf separieren.", + "evidence": [ + "Netzwerkplan", + "Segmentierungskonzept", + "Firewall-Regeln" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.8.22" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Nichtverkettung", + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.02", + "title": "Firewall-Management", + "description": "Restriktive Firewall-Regeln nach Whitelist-Prinzip mit regelmaessiger Review und Aufraeum-Zyklen.", + "type": "TECHNICAL", + "implementation_guidance": "Restriktive Firewall-Regeln nach Whitelist-Prinzip mit regelmaessiger Review und Aufraeum-Zyklen.", + "evidence": [ + "Firewall-Regelwerk", + "Review-Protokolle", + "Change-Logs" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.03", + "title": "Web Application Firewall (WAF)", + "description": "WAF vor oeffentlich erreichbaren Webanwendungen zum Schutz gegen OWASP-Top-10-Angriffe.", + "type": "TECHNICAL", + "implementation_guidance": "WAF vor oeffentlich erreichbaren Webanwendungen zum Schutz gegen OWASP-Top-10-Angriffe.", + "evidence": [ + "WAF-Konfiguration", + "Regelwerk", + "Block-Statistiken" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Integritaet", + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.04", + "title": "Intrusion Detection/Prevention (IDS/IPS)", + "description": "Netzwerkbasierte Angriffserkennung und -verhinderung fuer kritische Netzwerkuebergaenge.", + "type": "TECHNICAL", + "implementation_guidance": "Netzwerkbasierte Angriffserkennung und -verhinderung fuer kritische Netzwerkuebergaenge.", + "evidence": [ + "IDS/IPS-Konfiguration", + "Alert-Reports", + "Tuning-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.23" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Integritaet", + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.NET.05", + "title": "DMZ-Architektur", + "description": "Demilitarisierte Zone fuer oeffentlich erreichbare Dienste mit strikter Trennung vom internen Netz.", + "type": "TECHNICAL", + "implementation_guidance": "Demilitarisierte Zone fuer oeffentlich erreichbare Dienste mit strikter Trennung vom internen Netz.", + "evidence": [ + "DMZ-Architektur", + "Datenflussdiagramm", + "Firewall-Regeln" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.8.22" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Vertraulichkeit", + "Nichtverkettung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.06", + "title": "VPN/Sichere Fernzugriffe", + "description": "Alle Fernzugriffe ueber verschluesselte VPN-Tunnel mit Authentifizierung und Geraetepruefung.", + "type": "TECHNICAL", + "implementation_guidance": "Alle Fernzugriffe ueber verschluesselte VPN-Tunnel mit Authentifizierung und Geraetepruefung.", + "evidence": [ + "VPN-Konfiguration", + "Zugangsprotokoll", + "Split-Tunneling-Policy" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.NET.07", + "title": "DNS-Security (DNSSEC, DNS-Filtering)", + "description": "DNS-Anfragen filtern und absichern zum Schutz gegen DNS-basierte Angriffe und Malware.", + "type": "TECHNICAL", + "implementation_guidance": "DNS-Anfragen filtern und absichern zum Schutz gegen DNS-basierte Angriffe und Malware.", + "evidence": [ + "DNS-Konfiguration", + "Filtering-Policy", + "Block-Statistiken" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.08", + "title": "Netzwerk-Zugriffskontrolle (NAC)", + "description": "Network Access Control um nur autorisierte und konforme Geraete ins Netzwerk zu lassen.", + "type": "TECHNICAL", + "implementation_guidance": "Network Access Control um nur autorisierte und konforme Geraete ins Netzwerk zu lassen.", + "evidence": [ + "NAC-Konfiguration", + "Policy-Regeln", + "Geraeteinventar" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.NET.09", + "title": "Mikrosegmentierung", + "description": "Feingranulare Segmentierung auf Workload-Ebene insbesondere fuer Systeme mit Art. 
9 Daten.", + "type": "TECHNICAL", + "implementation_guidance": "Feingranulare Segmentierung auf Workload-Ebene insbesondere fuer Systeme mit Art. 9 Daten.", + "evidence": [ + "Mikrosegmentierungskonzept", + "Policy-Regeln", + "Flow-Analyse" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 32" + ], + "iso27001": [ + "A.8.22" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Nichtverkettung", + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.NET.10", + "title": "DDoS-Schutz", + "description": "Schutzmassnahmen gegen Distributed-Denial-of-Service-Angriffe fuer oeffentliche Dienste.", + "type": "TECHNICAL", + "implementation_guidance": "Schutzmassnahmen gegen Distributed-Denial-of-Service-Angriffe fuer oeffentliche Dienste.", + "evidence": [ + "DDoS-Mitigation-Service", + "Konfiguration", + "Incident-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.NET.11", + "title": "WLAN-Sicherheit", + "description": "Sichere WLAN-Konfiguration mit WPA3/Enterprise, Gaestenetz-Trennung, Rogue-AP-Detection.", + "type": "TECHNICAL", + "implementation_guidance": "Sichere WLAN-Konfiguration mit WPA3/Enterprise, Gaestenetz-Trennung, Rogue-AP-Detection.", + "evidence": [ + "WLAN-Konfiguration", + "Gaestenetz-Konzept", + "Scan-Berichte" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.NET.12", + "title": "Datentransfer-Monitoring bei Drittlandtransfer", + "description": "Netzwerkseitige Ueberwachung und Kontrolle von Datenfluessen in Drittlaender.", + "type": "TECHNICAL", + "implementation_guidance": "Netzwerkseitige Ueberwachung und Kontrolle von Datenfluessen in Drittlaender.", + "evidence": [ + "Transfer-Monitoring-Tool", + "Alert-Regeln", + "Laenderlisten" + ], + "applies_if": { + "field": "third_country_transfer", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 44-49" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "NET.3.2" + ], + "sdm": [ + "Vertraulichkeit", + "Transparenz" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.NET.13", + "title": "Netzwerk-Dokumentation", + "description": "Aktuelle Netzwerkdokumentation mit Topologie, Datenflussdiagrammen und Sicherheitszonen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Aktuelle Netzwerkdokumentation mit Topologie, Datenflussdiagrammen und Sicherheitszonen.", + "evidence": [ + "Netzwerkdiagramme", + "Datenflussplaene", + "Zonenkonzept" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
5(2)" + ], + "iso27001": [ + "A.5.9" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.NET.14", + "title": "Zero-Trust-Network-Access (ZTNA)", + "description": "Anwendungsspezifischer Zugang statt VPN mit kontinuierlicher Vertrauensbewertung.", + "type": "TECHNICAL", + "implementation_guidance": "Anwendungsspezifischer Zugang statt VPN mit kontinuierlicher Vertrauensbewertung.", + "evidence": [ + "ZTNA-Architektur", + "Policy-Engine", + "Zugangsstatistiken" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.20" + ], + "bsi": [ + "NET.1.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.NET.15", + "title": "Honeypots/Deception Technology", + "description": "Taeuschnungssysteme zur fruehzeitigen Erkennung von Angreifern im Netzwerk einsetzen.", + "type": "TECHNICAL", + "implementation_guidance": "Taeuschnungssysteme zur fruehzeitigen Erkennung von Angreifern im Netzwerk einsetzen.", + "evidence": [ + "Deception-Konfiguration", + "Alert-Protokolle", + "Incident-Reports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
32(1)" + ], + "iso27001": [ + "A.8.16" + ], + "bsi": [ + "DER.1" + ], + "sdm": [ + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "LOW", + "complexity": "HIGH" + } + ] + }, + { + "id": "BCP", + "name": "Backup, DR & Business Continuity", + "objective": "Verfuegbarkeit und Wiederherstellbarkeit personenbezogener Daten sicherstellen", + "controls": [ + { + "id": "TOM.BCP.01", + "title": "Backup-Konzept", + "description": "Definiertes Backup-Konzept mit RPO/RTO-Zielen, Backup-Typen und Aufbewahrungsfristen.", + "type": "TECHNICAL", + "implementation_guidance": "Definiertes Backup-Konzept mit RPO/RTO-Zielen, Backup-Typen und Aufbewahrungsfristen.", + "evidence": [ + "Backup-Konzept", + "RPO/RTO-Matrix", + "Backup-Schedule" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1b)", + "Art. 32(1c)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Verfuegbarkeit", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.02", + "title": "Regelmaessige Backup-Tests", + "description": "Restore-Tests regelmaessig durchfuehren und dokumentieren um die Wiederherstellbarkeit zu verifizieren.", + "type": "TECHNICAL", + "implementation_guidance": "Restore-Tests regelmaessig durchfuehren und dokumentieren um die Wiederherstellbarkeit zu verifizieren.", + "evidence": [ + "Test-Protokolle", + "Wiederherstellungszeiten", + "Erfolgsquoten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1d)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.03", + "title": "Verschluesselte Backups", + "description": "Alle Backup-Medien und -Daten verschluesseln um Vertraulichkeit auch bei physischem Verlust zu gewaehrleisten.", + "type": "TECHNICAL", + "implementation_guidance": "Alle Backup-Medien und -Daten verschluesseln um Vertraulichkeit auch bei physischem Verlust zu gewaehrleisten.", + "evidence": [ + "Verschluesselungskonfiguration", + "Key-Management", + "Compliance-Nachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.BCP.04", + "title": "Offsite-/Georedundante Backups", + "description": "Backup-Kopien an geographisch getrenntem Standort lagern fuer Desaster-Recovery.", + "type": "TECHNICAL", + "implementation_guidance": "Backup-Kopien an geographisch getrenntem Standort lagern fuer Desaster-Recovery.", + "evidence": [ + "Offsite-Standort", + "Replikationskonfiguration", + "Transfer-Verschluesselung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1b)" + ], + "iso27001": [ + "A.8.14" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.05", + "title": "Immutable Backups", + "description": "Unveraenderbare Backup-Kopien erstellen die auch bei Ransomware-Befall nicht verschluesselt werden koennen.", + "type": "TECHNICAL", + "implementation_guidance": "Unveraenderbare Backup-Kopien erstellen die auch bei Ransomware-Befall nicht verschluesselt werden koennen.", + "evidence": [ + "WORM-Konfiguration", + "Retention-Lock", + "Test-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Verfuegbarkeit", + "Integritaet" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.06", + "title": "Disaster-Recovery-Plan (DRP)", + "description": "Dokumentierter und getesteter Plan zur Wiederherstellung kritischer Systeme nach Katastrophen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Dokumentierter und getesteter Plan zur Wiederherstellung kritischer Systeme nach Katastrophen.", + "evidence": [ + "DRP-Dokument", + "Kontaktlisten", + "Wiederherstellungsprioritaeten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
32(1c)" + ], + "iso27001": [ + "A.5.29" + ], + "bsi": [ + "DER.4" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.07", + "title": "DR-Uebungen", + "description": "Mindestens jaehrliche Disaster-Recovery-Uebungen einschliesslich Failover-Tests.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Mindestens jaehrliche Disaster-Recovery-Uebungen einschliesslich Failover-Tests.", + "evidence": [ + "Uebungsprotokolle", + "Lessons-Learned", + "Verbesserungsmassnahmen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 32(1d)" + ], + "iso27001": [ + "A.5.29" + ], + "bsi": [ + "DER.4" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.08", + "title": "Business Continuity Plan (BCP)", + "description": "Uebergreifender BCP der alle kritischen Geschaeftsprozesse und deren Datenschutzrelevanz abdeckt.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Uebergreifender BCP der alle kritischen Geschaeftsprozesse und deren Datenschutzrelevanz abdeckt.", + "evidence": [ + "BCP-Dokument", + "BIA-Ergebnisse", + "Eskalationspfade" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
32(1c)" + ], + "iso27001": [ + "A.5.30" + ], + "bsi": [ + "DER.4" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.BCP.09", + "title": "Hochverfuegbarkeits-Cluster", + "description": "Redundante Systemarchitektur fuer kritische Dienste mit automatischem Failover.", + "type": "TECHNICAL", + "implementation_guidance": "Redundante Systemarchitektur fuer kritische Dienste mit automatischem Failover.", + "evidence": [ + "HA-Architektur", + "Failover-Tests", + "SLA-Monitoring" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.8.14" + ], + "bsi": [ + "SYS.1.1" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.BCP.10", + "title": "Backup-Loeschung nach Aufbewahrungsfrist", + "description": "Automatische Loeschung von Backups nach Ablauf der definierten Aufbewahrungsfrist.", + "type": "TECHNICAL", + "implementation_guidance": "Automatische Loeschung von Backups nach Ablauf der definierten Aufbewahrungsfrist.", + "evidence": [ + "Retention-Policy", + "Loeschautomatisierung", + "Loeschprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 5(1e)", + "Art. 
17" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Speicherbegrenzung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.11", + "title": "Verstaerkte Backup-Frequenz bei Massendaten", + "description": "Erhoehte Backup-Frequenz fuer Systeme mit grossem Datenvolumen und vielen Betroffenen.", + "type": "TECHNICAL", + "implementation_guidance": "Erhoehte Backup-Frequenz fuer Systeme mit grossem Datenvolumen und vielen Betroffenen.", + "evidence": [ + "Backup-Schedule", + "RPO-Analyse", + "Speicherplanung" + ], + "applies_if": { + "field": "large_scale", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 32(1b)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.BCP.12", + "title": "Backup-Verschluesselung besonderer Kategorien", + "description": "Separate Verschluesselung fuer Backups die Art. 9/10 Daten enthalten mit eigenem Schluesselmanagement.", + "type": "TECHNICAL", + "implementation_guidance": "Separate Verschluesselung fuer Backups die Art. 9/10 Daten enthalten mit eigenem Schluesselmanagement.", + "evidence": [ + "Sonder-Verschluesselungskonzept", + "Key-Separation", + "Zugriffsprotokolle" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
32(1a)" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.BCP.13", + "title": "Cloud-Backup-Souveraenitaet", + "description": "Bei Cloud-Backups sicherstellen dass Daten im EWR verbleiben und Schluesselhoheit beim Verantwortlichen.", + "type": "TECHNICAL", + "implementation_guidance": "Bei Cloud-Backups sicherstellen dass Daten im EWR verbleiben und Schluesselhoheit beim Verantwortlichen.", + "evidence": [ + "Cloud-Vertrag", + "Standort-Nachweis", + "BYOK-Konfiguration" + ], + "applies_if": { + "field": "third_country_transfer", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 44-49", + "Art. 32" + ], + "iso27001": [ + "A.8.13" + ], + "bsi": [ + "CON.3" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.BCP.14", + "title": "Automatisches Failover fuer Kinderdaten", + "description": "Besonders hohe Verfuegbarkeitsanforderungen fuer Systeme mit Daten von Minderjaehrigen.", + "type": "TECHNICAL", + "implementation_guidance": "Besonders hohe Verfuegbarkeitsanforderungen fuer Systeme mit Daten von Minderjaehrigen.", + "evidence": [ + "HA-Konfiguration", + "SLA-Definition", + "Monitoring" + ], + "applies_if": { + "field": "vulnerable_persons", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 8", + "Art. 
32(1c)" + ], + "iso27001": [ + "A.8.14" + ], + "bsi": [ + "SYS.1.1" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.BCP.15", + "title": "Notfall-Kommunikationsplan", + "description": "Kommunikationsplan fuer IT-Notfaelle mit internen und externen Stakeholdern.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Kommunikationsplan fuer IT-Notfaelle mit internen und externen Stakeholdern.", + "evidence": [ + "Kommunikationsplan", + "Kontaktlisten", + "Vorlagen" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 33", + "Art. 34" + ], + "iso27001": [ + "A.5.29" + ], + "bsi": [ + "DER.4" + ], + "sdm": [ + "Transparenz", + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + } + ] + }, + { + "id": "VENDOR", + "name": "Supplier/Processor Controls", + "objective": "Datenschutz-Compliance bei der Einbindung von Auftragsverarbeitern und Dienstleistern sicherstellen", + "controls": [ + { + "id": "TOM.VENDOR.01", + "title": "Auftragsverarbeitungsvertrag (AVV)", + "description": "Wirksamen AVV gemaess Art. 28 DSGVO vor Beginn der Verarbeitung abschliessen mit allen Pflichtinhalten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Wirksamen AVV gemaess Art. 28 DSGVO vor Beginn der Verarbeitung abschliessen mit allen Pflichtinhalten.", + "evidence": [ + "AVV-Vertrag", + "Checkliste Art. 28", + "Unterschriften" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
28" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit", + "Zweckbindung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.02", + "title": "Dienstleister-Datenschutz-Pruefung", + "description": "Vor Beauftragung Datenschutz-Due-Diligence beim Auftragsverarbeiter durchfuehren.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Vor Beauftragung Datenschutz-Due-Diligence beim Auftragsverarbeiter durchfuehren.", + "evidence": [ + "Due-Diligence-Checkliste", + "Bewertungsbericht", + "Freigabeprotokoll" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 28(1)" + ], + "iso27001": [ + "A.5.19" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.VENDOR.03", + "title": "Sub-Prozessor-Management", + "description": "Genehmigungsprozess fuer Unter-Auftragsverarbeiter mit Informationspflicht und Widerspruchsrecht.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Genehmigungsprozess fuer Unter-Auftragsverarbeiter mit Informationspflicht und Widerspruchsrecht.", + "evidence": [ + "Sub-Prozessor-Liste", + "Genehmigungsprotokolle", + "Informationsschreiben" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 28(2)", + "Art. 
28(4)" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.04", + "title": "TOM-Nachweis vom Auftragsverarbeiter", + "description": "Regelmaessige Nachweise der technisch-organisatorischen Massnahmen vom Auftragsverarbeiter einfordern.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige Nachweise der technisch-organisatorischen Massnahmen vom Auftragsverarbeiter einfordern.", + "evidence": [ + "TOM-Dokumentation", + "Zertifikate", + "Audit-Berichte" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 28(3f)" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit", + "Integritaet" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.05", + "title": "Lieferanten-Audit-Recht", + "description": "Vertragliches Audit-Recht beim Auftragsverarbeiter sicherstellen und regelmaessig ausueben.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Vertragliches Audit-Recht beim Auftragsverarbeiter sicherstellen und regelmaessig ausueben.", + "evidence": [ + "Audit-Klausel im AVV", + "Audit-Berichte", + "Massnahmenplaene" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
28(3h)" + ], + "iso27001": [ + "A.5.22" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.VENDOR.06", + "title": "Risikobewertung Auftragsverarbeiter", + "description": "Auftragsverarbeiter nach Risiko klassifizieren und Prueftiefe entsprechend anpassen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Auftragsverarbeiter nach Risiko klassifizieren und Prueftiefe entsprechend anpassen.", + "evidence": [ + "Risikobewertungsmatrix", + "Klassifizierungsergebnisse", + "Pruefplaene" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 24", + "Art. 28" + ], + "iso27001": [ + "A.5.19" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.VENDOR.07", + "title": "SLA-Monitoring Auftragsverarbeiter", + "description": "Laufende Ueberwachung der Service-Level-Agreements insbesondere Verfuegbarkeit und Reaktionszeiten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Laufende Ueberwachung der Service-Level-Agreements insbesondere Verfuegbarkeit und Reaktionszeiten.", + "evidence": [ + "SLA-Reports", + "Eskalationsprotokolle", + "Performance-Dashboard" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
28(3)" + ], + "iso27001": [ + "A.5.22" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.08", + "title": "Verstaerkte Pruefung bei Drittlandtransfer", + "description": "Erhoehte Due-Diligence fuer Auftragsverarbeiter in Drittlaendern inklusive Transfer Impact Assessment.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Erhoehte Due-Diligence fuer Auftragsverarbeiter in Drittlaendern inklusive Transfer Impact Assessment.", + "evidence": [ + "TIA-Dokument", + "Supplementary Measures", + "SCC-Vertrag" + ], + "applies_if": { + "field": "third_country_transfer", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 28", + "Art. 44-49" + ], + "iso27001": [ + "A.5.19" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.VENDOR.09", + "title": "Exit-Strategie Auftragsverarbeiter", + "description": "Fuer jeden kritischen Auftragsverarbeiter eine Exit-Strategie mit Datenmigration und Loeschung planen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Fuer jeden kritischen Auftragsverarbeiter eine Exit-Strategie mit Datenmigration und Loeschung planen.", + "evidence": [ + "Exit-Plan", + "Datenmigrations-Konzept", + "Loeschbestaetigung-Template" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 
28(3g)" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Verfuegbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.VENDOR.10", + "title": "Vorfallmeldung durch Auftragsverarbeiter", + "description": "Vertragliche Pflicht zur unverzueglichen Meldung von Datenschutzvorfaellen durch den Auftragsverarbeiter.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Vertragliche Pflicht zur unverzueglichen Meldung von Datenschutzvorfaellen durch den Auftragsverarbeiter.", + "evidence": [ + "AVV-Vorfallklausel", + "Meldeprozess", + "Kontaktdaten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 28(3f)", + "Art. 33" + ], + "iso27001": [ + "A.5.24" + ], + "bsi": [ + "DER.2.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.11", + "title": "Auftragsverarbeiter-Register", + "description": "Zentrales Verzeichnis aller Auftragsverarbeiter mit Zweck, Datenkategorien und Standort.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Zentrales Verzeichnis aller Auftragsverarbeiter mit Zweck, Datenkategorien und Standort.", + "evidence": [ + "AV-Register", + "Klassifizierung", + "Ablaufdaten" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
30(2)" + ], + "iso27001": [ + "A.5.9" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.12", + "title": "Cloud-Service-Provider-Compliance", + "description": "Besondere Datenschutzanforderungen an Cloud-Provider: Datenstandort, Verschluesselung, Zugriffskontrolle.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Besondere Datenschutzanforderungen an Cloud-Provider: Datenstandort, Verschluesselung, Zugriffskontrolle.", + "evidence": [ + "Cloud-Security-Checkliste", + "Zertifikate (SOC2, ISO 27001)", + "Konfigurationsnachweise" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 28", + "Art. 32" + ], + "iso27001": [ + "A.5.23" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.VENDOR.13", + "title": "Regelmaessige AV-Vertragspruefung", + "description": "Bestehende AVV regelmaessig auf Aktualitaet pruefen und an geaenderte Verarbeitungen anpassen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bestehende AVV regelmaessig auf Aktualitaet pruefen und an geaenderte Verarbeitungen anpassen.", + "evidence": [ + "Review-Protokolle", + "Aenderungsnachtraege", + "Versionierung" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 
28" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Zweckbindung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "LOW" + }, + { + "id": "TOM.VENDOR.14", + "title": "Auftragsverarbeiter-Monitoring bei Kinderdaten", + "description": "Verstaerkte Ueberwachung von Auftragsverarbeitern die Daten von Minderjaehrigen verarbeiten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Verstaerkte Ueberwachung von Auftragsverarbeitern die Daten von Minderjaehrigen verarbeiten.", + "evidence": [ + "Sonder-Pruefplan", + "Erhoehte Audit-Frequenz", + "Dokumentation" + ], + "applies_if": { + "field": "vulnerable_persons", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 8", + "Art. 28" + ], + "iso27001": [ + "A.5.22" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Vertraulichkeit" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "CRITICAL", + "complexity": "HIGH" + }, + { + "id": "TOM.VENDOR.15", + "title": "Joint-Controller-Vereinbarung", + "description": "Bei gemeinsamer Verantwortlichkeit transparente Vereinbarung gemaess Art. 26 DSGVO abschliessen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Bei gemeinsamer Verantwortlichkeit transparente Vereinbarung gemaess Art. 26 DSGVO abschliessen.", + "evidence": [ + "Art.-26-Vereinbarung", + "Aufgabenverteilung", + "Betroffenen-Kontaktinfo" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 
26" + ], + "iso27001": [ + "A.5.20" + ], + "bsi": [ + "OPS.2.1" + ], + "sdm": [ + "Transparenz", + "Zweckbindung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + } + ] + }, + { + "id": "DATA", + "name": "Data Lifecycle", + "objective": "Personenbezogene Daten ueber den gesamten Lebenszyklus datenschutzkonform verwalten", + "controls": [ + { + "id": "TOM.DATA.01", + "title": "Datenminimierung als Designprinzip", + "description": "Nur fuer den definierten Zweck erforderliche personenbezogene Daten erheben und verarbeiten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Nur fuer den definierten Zweck erforderliche personenbezogene Daten erheben und verarbeiten.", + "evidence": [ + "Dateninventar", + "Zweckbeschreibungen", + "Minimierungsanalyse" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1c)", + "Art. 25(2)" + ], + "iso27001": [ + "A.5.12" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "CRITICAL", + "complexity": "LOW" + }, + { + "id": "TOM.DATA.02", + "title": "Loeschkonzept und Aufbewahrungsfristen", + "description": "Dokumentiertes Loeschkonzept mit Fristen je Datenkategorie, Rechtsgrundlagen und Automatisierung.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Dokumentiertes Loeschkonzept mit Fristen je Datenkategorie, Rechtsgrundlagen und Automatisierung.", + "evidence": [ + "Loeschkonzept", + "Fristenkatalog", + "Automatisierungsnachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1e)", + "Art. 
17" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "CON.6" + ], + "sdm": [ + "Speicherbegrenzung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.03", + "title": "Automatisierte Datenloeschung", + "description": "Technische Umsetzung der automatisierten Loeschung nach Fristablauf mit Protokollierung.", + "type": "TECHNICAL", + "implementation_guidance": "Technische Umsetzung der automatisierten Loeschung nach Fristablauf mit Protokollierung.", + "evidence": [ + "Loeschjob-Konfiguration", + "Ausfuehrungsprotokolle", + "Ausnahmeliste" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1e)", + "Art. 17" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "CON.6" + ], + "sdm": [ + "Speicherbegrenzung" + ] + }, + "review_frequency": "QUARTERLY", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.04", + "title": "Betroffenenrechte-Prozess (DSR)", + "description": "Standardisierten Prozess fuer Auskunft, Berichtigung, Loeschung, Einschraenkung und Datenportabilitaet.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Standardisierten Prozess fuer Auskunft, Berichtigung, Loeschung, Einschraenkung und Datenportabilitaet.", + "evidence": [ + "DSR-Prozessbeschreibung", + "Formulare", + "SLA-Definition", + "Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 15-22" + ], + "iso27001": [ + "A.5.34" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Intervenierbarkeit", + "Transparenz" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.05", + "title": "Datenportabilitaet (Art. 
20)", + "description": "Export personenbezogener Daten in strukturiertem, gaengigem und maschinenlesbarem Format ermoeglichen.", + "type": "TECHNICAL", + "implementation_guidance": "Export personenbezogener Daten in strukturiertem, gaengigem und maschinenlesbarem Format ermoeglichen.", + "evidence": [ + "Export-Funktion", + "Formatdokumentation", + "Test-Exports" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 20" + ], + "iso27001": [ + "A.5.34" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Intervenierbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.06", + "title": "Zweckbindungs-Kontrolle", + "description": "Sicherstellen dass personenbezogene Daten nicht ueber den definierten Zweck hinaus verarbeitet werden.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Sicherstellen dass personenbezogene Daten nicht ueber den definierten Zweck hinaus verarbeitet werden.", + "evidence": [ + "Zweckbeschreibungen im VVT", + "Zugriffsbeschraenkungen", + "Audit-Ergebnisse" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 
5(1b)" + ], + "iso27001": [ + "A.5.12" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Zweckbindung", + "Nichtverkettung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.DATA.07", + "title": "Speicherbegrenzungs-Review", + "description": "Regelmaessige Ueberpruefung ob gespeicherte personenbezogene Daten noch fuer den Zweck erforderlich sind.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Regelmaessige Ueberpruefung ob gespeicherte personenbezogene Daten noch fuer den Zweck erforderlich sind.", + "evidence": [ + "Review-Protokolle", + "Loeschempfehlungen", + "Umsetzungsnachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 5(1e)" + ], + "iso27001": [ + "A.8.10" + ], + "bsi": [ + "CON.6" + ], + "sdm": [ + "Speicherbegrenzung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "HIGH", + "complexity": "LOW" + }, + { + "id": "TOM.DATA.08", + "title": "Richtigkeit der Daten sicherstellen", + "description": "Prozesse zur Sicherstellung der Datenrichtigkeit: Validierung, Aktualisierung, Berichtigungsmechanismen.", + "type": "TECHNICAL", + "implementation_guidance": "Prozesse zur Sicherstellung der Datenrichtigkeit: Validierung, Aktualisierung, Berichtigungsmechanismen.", + "evidence": [ + "Validierungsregeln", + "Aktualisierungsprozess", + "Berichtigungsprotokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "BASELINE", + "mappings": { + "gdpr": [ + "Art. 5(1d)", + "Art. 
16" + ], + "iso27001": [ + "A.5.33" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Richtigkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.09", + "title": "Pseudonymisierung", + "description": "Personenbezogene Daten wo moeglich pseudonymisieren um das Risiko bei unbefugtem Zugriff zu minimieren.", + "type": "TECHNICAL", + "implementation_guidance": "Personenbezogene Daten wo moeglich pseudonymisieren um das Risiko bei unbefugtem Zugriff zu minimieren.", + "evidence": [ + "Pseudonymisierungskonzept", + "Zuordnungstabellen-Schutz", + "Anwendungsbereiche" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32(1a)" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.DATA.10", + "title": "Anonymisierung fuer Statistik/Forschung", + "description": "Wirksame Anonymisierung fuer statistische Auswertungen und Forschungszwecke sicherstellen.", + "type": "TECHNICAL", + "implementation_guidance": "Wirksame Anonymisierung fuer statistische Auswertungen und Forschungszwecke sicherstellen.", + "evidence": [ + "Anonymisierungsverfahren", + "Re-Identifikations-Risikobewertung", + "Freigabeprotokoll" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "ErwGr. 26", + "Art. 89" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "HIGH" + }, + { + "id": "TOM.DATA.11", + "title": "Einschraenkung der Verarbeitung (Art. 
18)", + "description": "Technische Moeglichkeit zur Markierung und Einschraenkung der Verarbeitung bei Betroffenenantraegen.", + "type": "TECHNICAL", + "implementation_guidance": "Technische Moeglichkeit zur Markierung und Einschraenkung der Verarbeitung bei Betroffenenantraegen.", + "evidence": [ + "Markierungsfunktion", + "Prozessbeschreibung", + "Test-Protokolle" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "ENHANCED", + "mappings": { + "gdpr": [ + "Art. 18" + ], + "iso27001": [ + "A.5.34" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Intervenierbarkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.12", + "title": "Erhoehter Schutz besonderer Kategorien", + "description": "Zusaetzliche organisatorische Massnahmen fuer die Verarbeitung von Art. 9/10 Daten.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Zusaetzliche organisatorische Massnahmen fuer die Verarbeitung von Art. 9/10 Daten.", + "evidence": [ + "Sonderkonzept", + "Zugriffsrichtlinien", + "DSFA-Ergebnisse" + ], + "applies_if": { + "field": "special_categories", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 9", + "Art. 
10" + ], + "iso27001": [ + "A.5.12" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Vertraulichkeit", + "Zweckbindung" + ] + }, + "review_frequency": "SEMI_ANNUAL", + "priority": "CRITICAL", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.13", + "title": "Legal-Hold-Prozess", + "description": "Prozess zum Anhalten geplanter Loeschungen bei Rechtsstreitigkeiten oder Behoerdenanfragen.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Prozess zum Anhalten geplanter Loeschungen bei Rechtsstreitigkeiten oder Behoerdenanfragen.", + "evidence": [ + "Legal-Hold-Policy", + "Ausloeserkriterien", + "Aufhebungsprozess" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 17(3)" + ], + "iso27001": [ + "A.5.34" + ], + "bsi": [ + "CON.6" + ], + "sdm": [ + "Speicherbegrenzung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.14", + "title": "Datenfluss-Mapping", + "description": "Visualisierung aller Datenfluesse innerhalb der Organisation und zu externen Empfaengern.", + "type": "ORGANIZATIONAL", + "implementation_guidance": "Visualisierung aller Datenfluesse innerhalb der Organisation und zu externen Empfaengern.", + "evidence": [ + "Datenflussdiagramme", + "System-Koppelungen", + "Empfaenger-Uebersicht" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "HIGH_RISK", + "mappings": { + "gdpr": [ + "Art. 30", + "Art. 
35" + ], + "iso27001": [ + "A.5.9" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Transparenz", + "Nichtverkettung" + ] + }, + "review_frequency": "ANNUAL", + "priority": "HIGH", + "complexity": "MEDIUM" + }, + { + "id": "TOM.DATA.15", + "title": "Privacy-Enhancing Technologies (PET)", + "description": "Einsatz fortschrittlicher PETs (Differential Privacy, Secure Computation, Synthetic Data) wo angemessen.", + "type": "TECHNICAL", + "implementation_guidance": "Einsatz fortschrittlicher PETs (Differential Privacy, Secure Computation, Synthetic Data) wo angemessen.", + "evidence": [ + "PET-Evaluierung", + "Einsatzbereiche", + "Wirksamkeitsnachweis" + ], + "applies_if": { + "field": "always", + "operator": "EQUALS", + "value": true + }, + "risk_tier": "CRITICAL", + "mappings": { + "gdpr": [ + "Art. 25(1)", + "Art. 32" + ], + "iso27001": [ + "A.8.11" + ], + "bsi": [ + "CON.1" + ], + "sdm": [ + "Datenminimierung", + "Vertraulichkeit" + ] + }, + "review_frequency": "ANNUAL", + "priority": "MEDIUM", + "complexity": "HIGH" + } + ] + } + ] +} \ No newline at end of file diff --git a/admin-compliance/lib/sdk/tom-generator/risk_engine_spec.md b/admin-compliance/lib/sdk/tom-generator/risk_engine_spec.md new file mode 100644 index 0000000..4aad8c9 --- /dev/null +++ b/admin-compliance/lib/sdk/tom-generator/risk_engine_spec.md 
@@ -0,0 +1,637 @@ +# Risk Engine Spezifikation -- BreakPilot Compliance + +## Ueberblick + +Die Risk Engine berechnet auf Basis von **Impact** und **Likelihood** einen Risiko-Score (0--100), +ordnet diesem Score ein **Risk-Tier** zu und leitet daraus die erforderlichen +technisch-organisatorischen Massnahmen (TOM) ab. Sie ergaenzt die bestehende +vereinfachte I*L-Bewertung (1--5-Skala) um eine feinere Granularitaet (0--10-Skala). + +--- + +## 1. Impact-Heuristik (0--10 Skala) + +Der Impact-Wert beschreibt die Schwere des potenziellen Schadens fuer betroffene Personen. + +| Faktor | Punkte | DSGVO-Bezug | +|--------|--------|-------------| +| Basis-Impact (jede Verarbeitung) | +2 | -- | +| Besondere Datenkategorien (Art. 9) oder Straftaten (Art. 10) | +2 | Art. 9, Art. 10 DSGVO | +| Kinder oder schutzbeduerftige Personen betroffen | +2 | ErwGr. 75, Art. 8 DSGVO | +| Mehr als 10.000 Betroffene | +1 | ErwGr. 91 | +| Automatisierte Einzelentscheidungen / Profiling | +1 | Art. 22 DSGVO | +| Gesundheits- oder Finanzdaten | +1 | Art. 9 Abs. 2 lit. h | +| Systematische Ueberwachung / oeffentlich zugaenglicher Bereich | +1 | Art. 35 Abs. 3 lit. c | + +**Cap:** `I = min(Summe, 10)` + +### Beispiel-Berechnung + +``` +Szenario: Schul-App mit Schueler-Gesundheitsdaten + Basis = 2 + + Besondere Kategorien (Gesundheit) = +2 + + Kinder betroffen = +2 + + Gesundheitsdaten = +1 + ----------------------------------------- + Impact (roh) = 7 + Impact (nach Cap) = min(7, 10) = 7 +``` + +### Implementierung + +```typescript +interface ImpactContext { + special_categories: boolean; // Art. 9/10 Daten + vulnerable_persons: boolean; // Kinder, Schutzbeduerftige + data_subject_count: number; // Anzahl Betroffene + automated_decisions: boolean; // Art. 
22 Profiling + health_or_finance: boolean; // Gesundheits-/Finanzdaten + systematic_monitoring: boolean; // Systematische Ueberwachung +} + +function calculateImpact(ctx: ImpactContext): number { + let impact = 2; // Basis + + if (ctx.special_categories) impact += 2; + if (ctx.vulnerable_persons) impact += 2; + if (ctx.data_subject_count > 10_000) impact += 1; + if (ctx.automated_decisions) impact += 1; + if (ctx.health_or_finance) impact += 1; + if (ctx.systematic_monitoring) impact += 1; + + return Math.min(impact, 10); +} +``` + +--- + +## 2. Likelihood-Heuristik (0--10 Skala) + +Der Likelihood-Wert beschreibt die Eintrittswahrscheinlichkeit einer Datenschutzverletzung. + +| Faktor | Punkte | Begruendung | +|--------|--------|-------------| +| Basis-Likelihood (jede Verarbeitung) | +2 | -- | +| Internet-Exponierung (oeffentlich zugaengliche Systeme) | +2 | Groessere Angriffsflaeche | +| Viele Subprozessoren / kein zentrales IAM | +2 | Kontrollverlust, Zugriffschaos | +| Fehlendes Logging / SIEM | +2 | Keine Erkennung von Vorfaellen | +| Cloud ohne Verschluesselung at rest | +1 | Daten bei Breach lesbar | +| Fehlendes Patch-Management / veralteter Software-Stand | +1 | Bekannte Schwachstellen | +| Fehlende Mitarbeiterschulung | +1 | Social Engineering, Fehlbedienung | + +**Cap:** `L = min(Summe, 10)` + +### Beispiel-Berechnung + +``` +Szenario: Cloud-SaaS ohne zentrale Zugriffsverwaltung + Basis = 2 + + Internet-Exponierung = +2 + + Kein zentrales IAM = +2 + + Cloud ohne Verschluesselung at rest = +1 + ----------------------------------------- + Likelihood (roh) = 7 + Likelihood (nach Cap) = min(7, 10) = 7 +``` + +### Implementierung + +```typescript +interface LikelihoodContext { + internet_exposed: boolean; // Oeffentlich erreichbar + many_subprocessors: boolean; // Viele AVV-Partner / kein IAM + no_logging: boolean; // Kein SIEM / Audit-Log + cloud_unencrypted: boolean; // Cloud ohne Verschluesselung at rest + no_patch_management: boolean; // Veralteter 
Software-Stand + no_employee_training: boolean; // Keine DS-Schulung +} + +function calculateLikelihood(ctx: LikelihoodContext): number { + let likelihood = 2; // Basis + + if (ctx.internet_exposed) likelihood += 2; + if (ctx.many_subprocessors) likelihood += 2; + if (ctx.no_logging) likelihood += 2; + if (ctx.cloud_unencrypted) likelihood += 1; + if (ctx.no_patch_management) likelihood += 1; + if (ctx.no_employee_training) likelihood += 1; + + return Math.min(likelihood, 10); +} +``` + +--- + +## 3. Score-Berechnung + +Der Risiko-Score ergibt sich aus dem Produkt von Impact und Likelihood: + +``` +Score = round(I * L) +``` + +| Parameter | Bereich | +|-----------|---------| +| Impact (I) | 0--10 | +| Likelihood (L) | 0--10 | +| **Score** | **0--100** | + +### Implementierung + +```typescript +function calculateRiskScore(impact: number, likelihood: number): number { + return Math.round( + Math.min(impact, 10) * Math.min(likelihood, 10) + ); +} +``` + +### Risiko-Matrix (Impact x Likelihood) + +``` +L\I │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │ 8 │ 9 │ 10 +────┼─────┼─────┼─────┼─────┼─────┼─────┼─────┼─────┼───── + 2 │ 4 │ 6 │ 8 │ 10 │ 12 │ 14 │ 16 │ 18 │ 20 + 3 │ 6 │ 9 │ 12 │ 15 │ 18 │ 21 │ 24 │ 27 │ 30 + 4 │ 8 │ 12 │ 16 │ 20 │ 24 │ 28 │ 32 │ 36 │ 40 + 5 │ 10 │ 15 │ 20 │ 25 │ 30 │ 35 │ 40 │ 45 │ 50 + 6 │ 12 │ 18 │ 24 │ 30 │ 36 │ 42 │ 48 │ 54 │ 60 + 7 │ 14 │ 21 │ 28 │ 35 │ 42 │ 49 │ 56 │ 63 │ 70 + 8 │ 16 │ 24 │ 32 │ 40 │ 48 │ 56 │ 64 │ 72 │ 80 + 9 │ 18 │ 27 │ 36 │ 45 │ 54 │ 63 │ 72 │ 81 │ 90 +10 │ 20 │ 30 │ 40 │ 50 │ 60 │ 70 │ 80 │ 90 │ 100 +``` + +--- + +## 4. 
Risk-Tier Zuordnung + +| Score-Range | Tier | Anzahl Controls | Farbe | Beschreibung | +|-------------|------|-----------------|-------|--------------| +| 0--24 | `BASELINE` | ~60 Mindestanforderungen | Gruen | Standard-Schutzniveau | +| 25--49 | `ENHANCED` | +40 erweiterte Massnahmen | Gelb | Erhoehtes Schutzniveau | +| 50--74 | `HIGH_RISK` | +50 Hochrisiko-Pack | Orange | Hohes Risiko, DSFA empfohlen | +| 75--100 | `CRITICAL` | +30 Kritisches Pack | Rot | Kritisch, DSFA verpflichtend | + +**Controls sind kumulativ:** +- `BASELINE` = 60 Controls +- `ENHANCED` = BASELINE + 40 = 100 Controls +- `HIGH_RISK` = BASELINE + ENHANCED + 50 = 150 Controls +- `CRITICAL` = BASELINE + ENHANCED + HIGH_RISK + 30 = 180 Controls + +### Implementierung + +```typescript +enum RiskTier { + BASELINE = "BASELINE", + ENHANCED = "ENHANCED", + HIGH_RISK = "HIGH_RISK", + CRITICAL = "CRITICAL", +} + +const TIER_ORDER: Record = { + [RiskTier.BASELINE]: 0, + [RiskTier.ENHANCED]: 1, + [RiskTier.HIGH_RISK]: 2, + [RiskTier.CRITICAL]: 3, +}; + +function scoreTier(score: number): RiskTier { + if (score >= 75) return RiskTier.CRITICAL; + if (score >= 50) return RiskTier.HIGH_RISK; + if (score >= 25) return RiskTier.ENHANCED; + return RiskTier.BASELINE; +} +``` + +--- + +## 5. Control-Selection Algorithmus + +Der Algorithmus waehlt Controls basierend auf dem Risk-Tier und kontextspezifischen Trigger-Regeln. 
+ +### Pseudocode + +``` +function selectControls(score, context): + tier = scoreTier(score) + controls = allControls.filter(c => c.risk_tier <= tier) + + # Trigger-Rules: zusaetzliche Controls je nach Kontext + if context.special_categories: + controls += allControls.filter(c => c.applies_if.field == "special_categories") + if context.third_country_transfer: + controls += allControls.filter(c => c.applies_if.field == "third_country_transfer") + if context.large_scale: + controls += allControls.filter(c => c.applies_if.field == "large_scale") + if context.vulnerable_persons: + controls += allControls.filter(c => c.applies_if.field == "vulnerable_persons") + + return deduplicate(controls) +``` + +### Implementierung + +```typescript +interface Control { + id: string; + title: string; + description: string; + risk_tier: RiskTier; + domain: TOMDomain; + applies_if?: { + field: string; + value: boolean; + }; +} + +interface SelectionContext { + score: number; + special_categories: boolean; + third_country_transfer: boolean; + large_scale: boolean; + vulnerable_persons: boolean; +} + +function selectControls( + allControls: Control[], + ctx: SelectionContext +): Control[] { + const tier = scoreTier(ctx.score); + const tierLevel = TIER_ORDER[tier]; + + // 1. Tier-basierte Auswahl (kumulativ) + const tierControls = allControls.filter( + (c) => TIER_ORDER[c.risk_tier] <= tierLevel + ); + + // 2. Trigger-basierte Zusatz-Controls + const triggerFields: (keyof SelectionContext)[] = [ + "special_categories", + "third_country_transfer", + "large_scale", + "vulnerable_persons", + ]; + + const triggerControls = allControls.filter((c) => { + if (!c.applies_if) return false; + const field = c.applies_if.field as keyof SelectionContext; + return triggerFields.includes(field) && ctx[field] === true; + }); + + // 3. 
Deduplizieren
+ const controlMap = new Map();
+ [...tierControls, ...triggerControls].forEach((c) => {
+ controlMap.set(c.id, c);
+ });
+
+ return Array.from(controlMap.values());
+}
+```
+
+### Trigger-Rules im Detail
+
+| Trigger | Zusaetzliche Controls | Beispiel |
+|---------|----------------------|----------|
+| `special_categories` | Erweiterte Zugriffskontrolle, Verschluesselung, DSFA-Pflicht | Gesundheitsdaten in HR-System |
+| `third_country_transfer` | SCCs, TIA, Binding Corporate Rules | US-Cloud-Anbieter |
+| `large_scale` | DPO-Pflicht, erweitertes Monitoring, Kapazitaetsplanung | >100.000 Betroffene |
+| `vulnerable_persons` | Altersverifikation, elterliche Einwilligung, kindgerechte UI | Schul-App |
+
+---
+
+## 6. Loeschfristen-Engine
+
+Die Loeschfristen-Engine bestimmt automatisch Aufbewahrungsfristen und Loeschzeitpunkte.
+
+### Berechnung der Aufbewahrungsfrist
+
+```
+RetentionPeriod = max(legal_minimum, operational_need)
+```
+
+### Loeschausloeser (DeletionTrigger)
+
+| Trigger | Beschreibung | Beispiel |
+|---------|--------------|----------|
+| `Vertragsende` | Ende der Vertragsbeziehung | Schueler verlaesst Schule |
+| `Zweckwegfall` | Verarbeitungszweck entfaellt | Projekt abgeschlossen |
+| `Widerruf` | Betroffener widerruft Einwilligung | Einwilligung zurueckgezogen |
+
+### Ausnahmeregeln (ExceptionRules)
+
+| Rechtsgrundlage | Frist | Datenkategorie |
+|-----------------|-------|----------------|
+| HGB Par. 257 (Handelsbuecher) | 10 Jahre | Buchungsbelege, Jahresabschluesse |
+| AO Par. 147 (Abgabenordnung) | 10 Jahre | Steuerrelevante Unterlagen |
+| AO Par. 147 (sonstige Unterlagen) | 6 Jahre | Geschaeftsbriefe |
+| BetrVG (Betriebsrat) | 3 Jahre | Betriebsratsprotokolle |
+| BDSG Par. 
35 | Unverzueglich | Nicht mehr benoetigte personenbezogene Daten |
+| **Rechtsstreit-Hold** | Bis Abschluss | Alle prozessrelevanten Daten |
+
+### Default-Retention je Datenkategorie
+
+| Datenkategorie | Default-Frist | Gesetzliche Grundlage |
+|----------------|---------------|----------------------|
+| Stammdaten (Name, Adresse) | 3 Jahre nach Vertragsende | DSGVO Art. 17, Verjaehrung Par. 195 BGB |
+| Vertragsdaten | 10 Jahre | HGB Par. 257 |
+| Rechnungsdaten | 10 Jahre | AO Par. 147 |
+| Kommunikationsdaten (E-Mails) | 6 Jahre | AO Par. 147 |
+| Bewerberdaten | 6 Monate | AGG Par. 15 Abs. 4 |
+| Log-Daten (Server, Zugriff) | 90 Tage | DSGVO Art. 5 Abs. 1 lit. e |
+| Gesundheitsdaten | 10 Jahre | Aerztliche Aufbewahrungspflicht |
+| Schulnoten / Zeugnisse | 10 Jahre nach Abgang | Landesschulgesetze |
+| Einwilligungen (Nachweis) | 3 Jahre nach Widerruf | DSGVO Art. 7 Abs. 1, Beweislast |
+| Video-Ueberwachung | 72 Stunden | BDSG Par. 4 Abs. 5 |
+
+### Implementierung
+
+```typescript
+interface RetentionRule {
+ category: string;
+ default_days: number;
+ legal_basis: string;
+ deletion_trigger: "Vertragsende" | "Zweckwegfall" | "Widerruf";
+ exception_rules: ExceptionRule[];
+}
+
+interface ExceptionRule {
+ condition: string; // z.B. "Rechtsstreit-Hold"
+ override_days: number; // -1 = unbegrenzt bis Bedingung entfaellt
+ legal_basis: string;
+}
+
+function calculateDeletionDate(
+ rule: RetentionRule,
+ triggerDate: Date,
+ activeExceptions: ExceptionRule[]
+): Date | null {
+ // Aktive Ausnahmen pruefen
+ const holdException = activeExceptions.find(
+ (e) => e.override_days === -1
+ );
+ if (holdException) return null; // Loeschung ausgesetzt
+
+ // Maximale Frist berechnen
+ const retentionDays = Math.max(
+ rule.default_days,
+ ...activeExceptions.map((e) => e.override_days)
+ );
+
+ const deletionDate = new Date(triggerDate);
+ deletionDate.setDate(deletionDate.getDate() + retentionDays);
+ return deletionDate;
+}
+```
+
+---
+
+## 7. 
Mapping: Score → TOM-Domaenen → Textbausteine
+
+### TOM-Domaenen nach SDM (Standard-Datenschutzmodell)
+
+| Domaene | Beschreibung | SDM-Gewaehrleistungsziel |
+|---------|--------------|--------------------------|
+| `ZUGANG` | Zugangskontrolle | Vertraulichkeit |
+| `ZUGRIFF` | Zugriffskontrolle | Vertraulichkeit |
+| `UEBERTRAGUNG` | Weitergabekontrolle | Integritaet |
+| `EINGABE` | Eingabekontrolle | Integritaet |
+| `AUFTRAG` | Auftragskontrolle | Integritaet |
+| `VERFUEGBARKEIT` | Verfuegbarkeitskontrolle | Verfuegbarkeit |
+| `TRENNUNG` | Trennungskontrolle | Nichtverkettung |
+| `TRANSPARENZ` | Transparenzkontrolle | Transparenz |
+| `INTERVENIERBARKEIT` | Betroffenenrechte | Intervenierbarkeit |
+| `DATENMINIMIERUNG` | Datenminimierung | Datenminimierung |
+
+### Tier → Domaenen-Zuordnung
+
+| Domaene | BASELINE | ENHANCED | HIGH_RISK | CRITICAL |
+|---------|----------|----------|-----------|----------|
+| ZUGANG | Pflicht | Pflicht | Pflicht | Pflicht |
+| ZUGRIFF | Pflicht | Pflicht | Pflicht | Pflicht |
+| UEBERTRAGUNG | Pflicht | Pflicht | Pflicht | Pflicht |
+| EINGABE | Empfohlen | Pflicht | Pflicht | Pflicht |
+| AUFTRAG | Empfohlen | Pflicht | Pflicht | Pflicht |
+| VERFUEGBARKEIT | Pflicht | Pflicht | Pflicht | Pflicht |
+| TRENNUNG | Empfohlen | Empfohlen | Pflicht | Pflicht |
+| TRANSPARENZ | Pflicht | Pflicht | Pflicht | Pflicht |
+| INTERVENIERBARKEIT | Pflicht | Pflicht | Pflicht | Pflicht |
+| DATENMINIMIERUNG | Empfohlen | Pflicht | Pflicht | Pflicht |
+
+### Textbausteine je Tier und Domaene (Auszug)
+
+```typescript
+const TOM_TEXTBAUSTEINE: Record> = {
+ BASELINE: {
+ ZUGANG: [
+ "Passwortrichtlinie mit Mindestlaenge 12 Zeichen",
+ "Automatische Bildschirmsperre nach 5 Minuten",
+ "Besuchermanagement mit Protokollierung",
+ ],
+ ZUGRIFF: [
+ "Rollenbasierte Zugriffskontrolle (RBAC)",
+ "Need-to-know-Prinzip",
+ "Regelmaessige Ueberpruefung der Berechtigungen (jaehrlich)",
+ ],
+ VERFUEGBARKEIT: [
+ "Taegliche Backups mit 
Integritaetspruefung",
+ "USV-Anlage fuer kritische Systeme",
+ "Dokumentierter Notfallplan",
+ ],
+ },
+ ENHANCED: {
+ ZUGANG: [
+ "Multi-Faktor-Authentifizierung (MFA) fuer alle Nutzer",
+ "Zentrales Identity Management (IdP)",
+ "Hardware-Token oder FIDO2 fuer Admin-Zugaenge",
+ ],
+ ZUGRIFF: [
+ "Attributbasierte Zugriffskontrolle (ABAC)",
+ "Privileged Access Management (PAM)",
+ "Quartalsweise Zugriffs-Reviews",
+ ],
+ VERFUEGBARKEIT: [
+ "Geo-redundante Backups",
+ "Recovery Time Objective (RTO) < 4 Stunden",
+ "Jaehrlicher Disaster-Recovery-Test",
+ ],
+ },
+ HIGH_RISK: {
+ ZUGANG: [
+ "Zero-Trust-Architektur",
+ "Biometrische Zugangskontrolle fuer Serverraeume",
+ "Netzwerksegmentierung mit Mikrosegmenten",
+ ],
+ ZUGRIFF: [
+ "Just-in-Time Access (zeitlich begrenzte Berechtigungen)",
+ "Vier-Augen-Prinzip fuer kritische Operationen",
+ "Echtzeit-Anomalieerkennung bei Zugriffen",
+ ],
+ TRENNUNG: [
+ "Mandantentrennung auf Datenbankebene (Schemata)",
+ "Getrennte Verschluesselungsschluessel je Mandant",
+ "Isolierte Verarbeitungsumgebungen",
+ ],
+ },
+ CRITICAL: {
+ ZUGANG: [
+ "Air-Gapped Systeme fuer kritischste Daten",
+ "24/7 SOC-Ueberwachung",
+ "Penetrationstests (quartalsweise, extern)",
+ ],
+ ZUGRIFF: [
+ "Hardware Security Modules (HSM) fuer Schluessel",
+ "Break-Glass-Verfahren mit Audit-Trail",
+ "Kontinuierliche Authentifizierung",
+ ],
+ VERFUEGBARKEIT: [
+ "Active-Active Cluster mit automatischem Failover",
+ "RTO < 15 Minuten, RPO < 5 Minuten",
+ "Monatliche Disaster-Recovery-Tests",
+ ],
+ },
+};
+```
+
+---
+
+## 8. 
Kompatibilitaet mit bestehendem Modell
+
+### Bestehendes Modell (backend-compliance)
+
+Das bestehende Modell in `backend-compliance/compliance/db/models.py` nutzt eine vereinfachte Skala:
+
+| Parameter | Bestehend | Neu (diese Spec) |
+|-----------|-----------|-------------------|
+| Impact-Skala | 1--5 | 0--10 |
+| Likelihood-Skala | 1--5 | 0--10 |
+| Score-Bereich | 1--25 | 0--100 |
+| Schwellenwerte | 6 / 12 / 20 | 25 / 50 / 75 |
+
+### Konvertierung: Alte Skala → Neue Skala
+
+```typescript
+// Alt (1-5) → Neu (0-10)
+function oldToNewScale(oldValue: number): number {
+ return Math.round((oldValue / 5) * 10);
+}
+
+// Neu (0-10) → Alt (1-5)
+function newToOldScale(newValue: number): number {
+ return Math.max(1, Math.round((newValue / 10) * 5));
+}
+```
+
+### Konvertierung: Alter Score → Neuer Score
+
+```typescript
+// Alt (1-25) → Neu (0-100)
+function oldScoreToNew(oldScore: number): number {
+ return Math.round((oldScore / 25) * 100);
+}
+
+// Neu (0-100) → Alt (1-25)
+function newScoreToOld(newScore: number): number {
+ return Math.max(1, Math.round((newScore / 100) * 25));
+}
+```
+
+### Schwellenwert-Mapping
+
+| Altes Tier (1--25) | Neues Tier (0--100) | Risk-Tier |
+|---------------------|---------------------|-----------|
+| 1--5 | 0--24 | BASELINE |
+| 6--11 | 25--49 | ENHANCED |
+| 12--19 | 50--74 | HIGH_RISK |
+| 20--25 | 75--100 | CRITICAL |
+
+### Migrations-Strategie
+
+Bei der Migration bestehender Risikobewertungen:
+
+```sql
+-- Bestehende Scores konvertieren (1-25 → 0-100)
+UPDATE compliance_risks
+SET score_v2 = ROUND((score::numeric / 25.0) * 100)
+WHERE score_v2 IS NULL;
+
+-- Impact/Likelihood konvertieren (1-5 → 0-10)
+UPDATE compliance_risks
+SET impact_v2 = ROUND((impact::numeric / 5.0) * 10),
+ likelihood_v2 = ROUND((likelihood::numeric / 5.0) * 10)
+WHERE impact_v2 IS NULL;
+```
+
+---
+
+## Anhang A: Vollstaendiges Berechnungsbeispiel
+
+### Szenario: Lernplattform mit KI-Korrekturvorschlaegen
+
+**Kontext:**
+- 
Schueler-Plattform (Kinder betroffen)
+- KI bewertet Klausuren (automatisierte Entscheidung)
+- Gesundheitsdaten bei Attestverwaltung
+- Cloud-Hosting (AWS Frankfurt)
+- MFA vorhanden, aber kein SIEM
+
+**Impact-Berechnung:**
+
+```
+Basis = 2
++ Kinder / Schutzbeduerftige = +2
++ Automatisierte Entscheidungen = +1
++ Gesundheitsdaten = +1
++ Besondere Kategorien (Art. 9) = +2
+─────────────────────────────────────
+Impact = min(8, 10) = 8
+```
+
+**Likelihood-Berechnung:**
+
+```
+Basis = 2
++ Internet-Exponierung = +2
++ Fehlendes Logging / SIEM = +2
+─────────────────────────────────────
+Likelihood = min(6, 10) = 6
+```
+
+**Score und Tier:**
+
+```
+Score = round(8 * 6) = 48 → Tier: ENHANCED
+```
+
+**Ausgewaehlte Controls:** 100 (60 BASELINE + 40 ENHANCED)
+plus Trigger-Controls fuer `special_categories` und `vulnerable_persons`.
+
+**Empfohlene Massnahmen (Auszug):**
+- MFA fuer alle Nutzer (bereits vorhanden)
+- SIEM-System einfuehren (fehlend -- Prioritaet hoch)
+- Altersverifikation und elterliche Einwilligung
+- DSFA durchfuehren (Art. 35 -- Kinder + automatisierte Entscheidung)
+- Erklaerbarkeit der KI-Entscheidungen sicherstellen (AI Act)
+
+---
+
+## Anhang B: Glossar
+
+| Begriff | Erklaerung |
+|---------|-----------|
+| **TOM** | Technisch-organisatorische Massnahmen (Art. 32 DSGVO) |
+| **DSFA** | Datenschutz-Folgenabschaetzung (Art. 35 DSGVO) |
+| **SDM** | Standard-Datenschutzmodell der Datenschutzkonferenz |
+| **IAM** | Identity and Access Management |
+| **SIEM** | Security Information and Event Management |
+| **SCCs** | Standard Contractual Clauses (Standardvertragsklauseln) |
+| **TIA** | Transfer Impact Assessment |
+| **AVV** | Auftragsverarbeitungsvertrag (Art. 
28 DSGVO) |
+| **RBAC** | Role-Based Access Control |
+| **ABAC** | Attribute-Based Access Control |
+| **PAM** | Privileged Access Management |
+| **HSM** | Hardware Security Module |
+| **SOC** | Security Operations Center |
+| **RTO** | Recovery Time Objective |
+| **RPO** | Recovery Point Objective |
diff --git a/scripts/edpb-crawler.py b/scripts/edpb-crawler.py
new file mode 100755
index 0000000..e20014c
--- /dev/null
+++ b/scripts/edpb-crawler.py
@@ -0,0 +1,1721 @@
+#!/usr/bin/env python3
+"""
+BreakPilot Compliance — EDPB/WP29/DSFA Auto-Crawler
+
+Downloads, versioniert und ingestiert alle relevanten Datenschutz-Dokumente
+in die Qdrant-Collections bp_compliance_datenschutz / bp_dsfa_corpus:
+
+ - EDPB Guidelines & Recommendations
+ - Endorsed WP29 Guidelines
+ - EDPS Guidance
+ - DSFA Muss-Listen (BfDI + 16 Bundeslaender)
+ - DSK Kurzpapiere (Nr. 1-20)
+ - DSK Orientierungshilfen (SDM V3.1, E-Mail-Verschluesselung, Telemedien)
+ - BfDI Praxis-Dokumente (Loeschkonzept)
+ - BayLDA/BayLfD Orientierungshilfen (TOM-Checkliste, Loeschung)
+
+Ordnerstruktur:
+ ~/rag-ingestion/sources/eu/edpb/guidelines/ EDPB eigene Guidelines
+ ~/rag-ingestion/sources/eu/edpb/endorsed_wp29/ Endorsed WP29
+ ~/rag-ingestion/sources/eu/edps/ EDPS Guidance
+ ~/rag-ingestion/sources/de/bfdi/ BfDI DSFA-Liste
+ ~/rag-ingestion/sources/de/bfdi/praxis/ BfDI Praxis-Dokumente
+ ~/rag-ingestion/sources/de/dsk/ DSK gemeinsame Liste
+ ~/rag-ingestion/sources/de/dsk/kurzpapiere/ DSK Kurzpapiere Nr. 
1-20
+ ~/rag-ingestion/sources/de/dsk/orientierungshilfen/ SDM, OH E-Mail, OH Telemedien
+ ~/rag-ingestion/sources/de/dpas/{bw,by,...}/ Laender-DPA Listen
+ ~/rag-ingestion/sources/de/baylda/ BayLDA Dokumente
+ ~/rag-ingestion/sources/de/baylfb/ BayLfD Dokumente
+ ~/rag-ingestion/manifests/ CSV-Manifeste
+
+Usage:
+ python3 edpb-crawler.py --all # Download + Ingest alles
+ python3 edpb-crawler.py --download # Nur fehlende PDFs laden
+ python3 edpb-crawler.py --ingest # Geladene PDFs hochladen
+ python3 edpb-crawler.py --status # Uebersicht
+ python3 edpb-crawler.py --verify # RAG-Test-Suchen
+ python3 edpb-crawler.py --migrate # PDFs aus pdfs/ in sources/ verschieben
+"""
+
+import argparse
+import csv
+import hashlib
+import json
+import os
+import shutil
+import sys
+import tempfile
+import time
+import urllib3
+from datetime import datetime, timezone
+from pathlib import Path
+
+try:
+ import requests
+except ImportError:
+ print("ERROR: 'requests' not installed. Run: pip3 install requests")
+ sys.exit(1)
+
+# PyMuPDF for local text extraction fallback
+try:
+ import fitz # PyMuPDF
+ HAS_PYMUPDF = True
+except ImportError:
+ HAS_PYMUPDF = False
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# ---------------------------------------------------------------------------
+# Configuration
+# ---------------------------------------------------------------------------
+WORK_DIR = Path(os.environ.get("WORK_DIR", Path.home() / "rag-ingestion"))
+SOURCES_DIR = WORK_DIR / "sources"
+MANIFESTS_DIR = WORK_DIR / "manifests"
+MANIFEST_PATH = WORK_DIR / "edpb-manifest.json"
+RAG_URL = os.environ.get("RAG_URL", "https://localhost:8097/api/v1/documents/upload")
+RAG_SEARCH_URL = os.environ.get("RAG_SEARCH_URL", "https://localhost:8097/api/v1/search")
+COLLECTION = "bp_compliance_datenschutz"
+COLLECTION_DSFA = "bp_dsfa_corpus"
+TIMEOUT = 300
+DOWNLOAD_DELAY = 3 # seconds between downloads to avoid 429
+
+# 
---------------------------------------------------------------------------
+# Document Registry
+#
+# Jeder Eintrag hat: id, title, url, filename, subdir (relativ zu sources/),
+# category, year, source_org, collection (optional, default COLLECTION).
+# ---------------------------------------------------------------------------
+
+# --- Endorsed WP29 ---
+WP29_ENDORSED = [
+ {
+ "id": "wp248_dpia",
+ "title": "WP248 rev.01 — Guidelines on DPIA",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=47711",
+ "filename": "edpb_wp248_dpia.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "dpia",
+ "year": 2017,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+ {
+ "id": "wp243_dpo",
+ "title": "WP243 rev.01 — Guidelines on DPO",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=44100",
+ "filename": "edpb_wp243_dpo.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "dpo",
+ "year": 2016,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+ {
+ "id": "wp260_transparency",
+ "title": "WP260 rev.01 — Guidelines on Transparency",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51025",
+ "filename": "edpb_wp260_transparency.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "transparency",
+ "year": 2018,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227",
+ },
+ {
+ "id": "wp250_breach",
+ "title": "WP250 rev.01 — Guidelines on Data Breach Notification",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=47741",
+ "filename": "edpb_wp250_breach.pdf",
+ "subdir": 
"eu/edpb/endorsed_wp29",
+ "category": "breach",
+ "year": 2018,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+ {
+ "id": "wp259_consent",
+ "title": "WP259 rev.01 — Guidelines on Consent under GDPR",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51030",
+ "filename": "edpb_wp259_consent.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "consent",
+ "year": 2018,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+ {
+ "id": "wp242_portability",
+ "title": "WP242 rev.01 — Guidelines on Right to Data Portability",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=44099",
+ "filename": "edpb_wp242_portability.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "portability",
+ "year": 2017,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+ {
+ "id": "wp251_profiling",
+ "title": "WP251 rev.01 — Guidelines on Automated Decision-Making/Profiling",
+ "url": "https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=49826",
+ "filename": "edpb_wp251_profiling.pdf",
+ "subdir": "eu/edpb/endorsed_wp29",
+ "category": "profiling",
+ "year": 2018,
+ "source_org": "Article 29 Working Party / EDPB endorsed",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en",
+ },
+]
+
+# --- EDPB eigene Guidelines & Recommendations ---
+EDPB_GUIDELINES = [
+ {
+ "id": "edpb_consent_05_2020",
+ "title": "EDPB Guidelines 05/2020 on Consent",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf",
+ "filename": 
"edpb_consent_05_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "consent",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en",
+ },
+ {
+ "id": "edpb_dpbd_04_2019",
+ "title": "EDPB Guidelines 4/2019 on Data Protection by Design and Default",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf",
+ "filename": "edpb_dpbd_04_2019.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "dpbd",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en",
+ },
+ {
+ "id": "edpb_transfers_01_2020",
+ "title": "EDPB Recommendations 01/2020 on Supplementary Transfer Measures",
+ "url": "https://www.edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf",
+ "filename": "edpb_transfers_01_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "transfers",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en",
+ },
+ {
+ "id": "edpb_controller_processor_07_2020",
+ "title": "EDPB Guidelines 07/2020 on Controller and Processor",
+ "url": "https://www.edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf",
+ "filename": "edpb_controller_processor_07_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "controller_processor",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": 
"https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en",
+ },
+ {
+ "id": "edpb_breach_09_2022",
+ "title": "EDPB Guidelines 09/2022 on Personal Data Breach Notification",
+ "url": "https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2_en.pdf",
+ "filename": "edpb_breach_09_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "breach",
+ "year": 2022,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092022-personal-data-breach-notification-under_en",
+ },
+ {
+ "id": "edpb_access_01_2022",
+ "title": "EDPB Guidelines 01/2022 on Right of Access",
+ "url": "https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf",
+ "filename": "edpb_access_01_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "access",
+ "year": 2022,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en",
+ },
+ {
+ "id": "edpb_fines_04_2022",
+ "title": "EDPB Guidelines 04/2022 on Calculation of Administrative Fines",
+ "url": "https://www.edpb.europa.eu/system/files/2023-06/edpb_guidelines_042022_calculationofadministrativefines_en.pdf",
+ "filename": "edpb_fines_04_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "fines",
+ "year": 2022,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_en",
+ },
+ {
+ "id": "edpb_article48_02_2024",
+ "title": "EDPB Guidelines 02/2024 on Article 48 GDPR",
+ "url": "https://www.edpb.europa.eu/system/files/2024-07/edpb_guidelines_202402_article48_en.pdf",
+ "filename": 
"edpb_article48_02_2024.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "transfers",
+ "year": 2024,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022024-article-48-gdpr_en",
+ },
+ {
+ "id": "edpb_eprivacy_02_2023",
+ "title": "EDPB Guidelines 2/2023 on Technical Scope of Art. 5(3) ePrivacy",
+ "url": "https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf",
+ "filename": "edpb_eprivacy_02_2023.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "eprivacy",
+ "year": 2023,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy-directive_en",
+ },
+ {
+ "id": "edpb_legitimate_interest_01_2024",
+ "title": "EDPB Guidelines 01/2024 on Legitimate Interest (Art. 6(1)(f))",
+ "url": "https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimate-interest_hyperlinks_en.pdf",
+ "filename": "edpb_legitimate_interest_01_2024.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "legitimate_interest",
+ "year": 2024,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12024-processing-personal-data-based-legitimate_en",
+ },
+ {
+ "id": "edpb_dark_patterns_03_2022",
+ "title": "EDPB Guidelines 03/2022 on Dark Patterns in Social Media",
+ "url": "https://www.edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf",
+ "filename": "edpb_dark_patterns_03_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "dark_patterns",
+ "year": 2022,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": 
"https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform_en",
+ },
+ {
+ "id": "edpb_social_media_08_2020",
+ "title": "EDPB Guidelines 08/2020 on Targeting Social Media Users",
+ "url": "https://www.edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf",
+ "filename": "edpb_social_media_08_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "social_media",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-082020-targeting-social-media-users_en",
+ },
+ {
+ "id": "edpb_video_03_2019",
+ "title": "EDPB Guidelines 3/2019 on Video Surveillance (CCTV)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201903_video_devices_en_0.pdf",
+ "filename": "edpb_video_03_2019.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "video",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en",
+ },
+ {
+ "id": "edpb_connected_vehicles_01_2020",
+ "title": "EDPB Guidelines 01/2020 on Connected Vehicles",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202001_connected_vehicles_v2.0_adopted_en.pdf",
+ "filename": "edpb_connected_vehicles_01_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "connected_vehicles",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12020-processing-personal-data-context_en",
+ },
+ {
+ "id": "edpb_vva_02_2021",
+ "title": "EDPB Guidelines 02/2021 on Virtual Voice Assistants",
+ "url": 
"https://www.edpb.europa.eu/system/files/2021-07/edpb_guidelines_202102_on_vva_v2.0_adopted_en.pdf",
+ "filename": "edpb_vva_02_2021.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "virtual_assistants",
+ "year": 2021,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-022021-virtual-voice-assistants_en",
+ },
+ {
+ "id": "edpb_cookie_taskforce_2023",
+ "title": "EDPB Cookie Banner Taskforce Report",
+ "url": "https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf",
+ "filename": "edpb_cookie_taskforce_2023.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "cookies",
+ "year": 2023,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-cookie-banner-taskforce_en",
+ },
+ {
+ "id": "edpb_certification_01_2018",
+ "title": "EDPB Guidelines 1/2018 on GDPR Certification (v3.0)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf",
+ "filename": "edpb_certification_01_2018.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "certification",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-12018-certification-and-identifying-certification_en",
+ },
+ {
+ "id": "edpb_bcr_01_2022",
+ "title": "EDPB Recommendations 01/2022 on BCR Application (v2)",
+ "url": "https://www.edpb.europa.eu/system/files/2023-06/edpb_recommendations_20221_bcr-c_v2_en.pdf",
+ "filename": "edpb_bcr_01_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "transfers",
+ "year": 2022,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": 
"https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012022-application-approval-binding_en",
+ },
+ {
+ "id": "edpb_rtbf_05_2019",
+ "title": "EDPB Guidelines 5/2019 on Right to Erasure (Search Engines)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf",
+ "filename": "edpb_rtbf_05_2019.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "erasure",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-52019-criteria-right-be-forgotten-search-engines_en",
+ },
+ {
+ "id": "edpb_dpia_list_recommendation",
+ "title": "EDPB DPIA Lists Recommendation (Consistency Mechanism)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file2/edpb-dpia_recommendation-list-en_0.pdf",
+ "filename": "edpb_dpia_list_recommendation.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "dpia",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/consistency-findings/opinions_en",
+ },
+ {
+ "id": "edpb_health_data_03_2020",
+ "title": "EDPB Guidelines 03/2020 on Health Data for Research (COVID-19)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf",
+ "filename": "edpb_health_data_03_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "health_data",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en",
+ },
+ {
+ "id": "edpb_geolocation_04_2020",
+ "title": "EDPB Guidelines 04/2020 on Geolocation/Contact Tracing",
+ "url": 
"https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf",
+ "filename": "edpb_geolocation_04_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "geolocation",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042020-use-location-data-and-contact-tracing_en",
+ },
+ {
+ "id": "edpb_legal_basis_02_2019",
+ "title": "EDPB Guidelines 2/2019 on Art. 6(1)(b) GDPR (Online Services)",
+ "url": "https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf",
+ "filename": "edpb_legal_basis_02_2019.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "legal_basis",
+ "year": 2019,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22019-processing-personal-data-under-article-61b_en",
+ },
+ # --- Zusaetzliche EDPB Guidelines (neu hinzugefuegt) ---
+ {
+ "id": "edpb_rro_09_2020",
+ "title": "EDPB Guidelines 09/2020 on Relevant and Reasoned Objection",
+ "url": "https://www.edpb.europa.eu/system/files/2021-03/edpb_guidelines_202009_rro_final_en.pdf",
+ "filename": "edpb_rro_09_2020.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "enforcement",
+ "year": 2020,
+ "source_org": "European Data Protection Board (EDPB)",
+ "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-092020-relevant-and-reasoned-objection-under_en",
+ },
+ {
+ "id": "edpb_facial_recognition_05_2022",
+ "title": "EDPB Guidelines 05/2022 on Facial Recognition in Law Enforcement",
+ "url": "https://www.edpb.europa.eu/system/files/2023-05/edpb_guidelines_202304_frtlawenforcement_v2_en.pdf",
+ "filename": "edpb_facial_recognition_05_2022.pdf",
+ "subdir": "eu/edpb/guidelines",
+ "category": "facial_recognition",
+ 
"year": 2022, + "source_org": "European Data Protection Board (EDPB)", + "source_url": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052022-use-facial-recognition-technology-area-law_en", + }, +] + +# --- EDPS Guidance --- +EDPS_GUIDANCE = [ + { + "id": "edps_dpia_list", + "title": "EDPS DPIA List (EU Institutions)", + "url": "https://www.edps.europa.eu/sites/default/files/publication/19-07-16_dpia_list_en.pdf", + "filename": "edps_dpia_list.pdf", + "subdir": "eu/edps", + "category": "dpia", + "year": 2019, + "source_org": "European Data Protection Supervisor (EDPS)", + "source_url": "https://www.edps.europa.eu/data-protection/our-work/publications/lists/dpia-list_en", + }, + { + "id": "edps_genai_orientations_2024", + "title": "EDPS GenAI Orientations (June 2024)", + "url": "https://www.edps.europa.eu/system/files/2024-06/24-06-03_genai_orientations_en.pdf", + "filename": "edps_genai_orientations_2024.pdf", + "subdir": "eu/edps", + "category": "ai", + "year": 2024, + "source_org": "European Data Protection Supervisor (EDPS)", + "source_url": "https://www.edps.europa.eu/press-publications/publications/guidelines/generative-ai-orientations_en", + }, + { + "id": "edps_digital_ethics_2018", + "title": "EDPS Ethics Advisory Group Report (2018)", + "url": "https://www.edps.europa.eu/sites/default/files/publication/18-01-25_eag_report_en.pdf", + "filename": "edps_digital_ethics_2018.pdf", + "subdir": "eu/edps", + "category": "ethics", + "year": 2018, + "source_org": "European Data Protection Supervisor (EDPS)", + "source_url": "https://www.edps.europa.eu/data-protection/our-work/publications/ethical-framework/ethics-advisory-group-report-2018_en", + }, +] + +# --- DSFA Muss-Listen (Bund + 16 Laender) --- +DSFA_MUSSLISTEN = [ + { + "id": "dsfa_bfdi_bund", + "title": "BfDI — DSFA-Liste Art. 
35(4) fuer oeffentliche Stellen des Bundes", + "url": "https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Muster/Liste_VerarbeitungsvorgaengeArt35.pdf?__blob=publicationFile&v=7", + "filename": "dsfa_bfdi_bund.pdf", + "subdir": "de/bfdi", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Bundesbeauftragte fuer den Datenschutz und die Informationsfreiheit (BfDI)", + "source_url": "https://www.bfdi.bund.de/DE/Datenschutz/DatenschutzGVO/Hilfsmittel/DSFA/DSFA-node.html", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_dsk_gemeinsam", + "title": "DSK — Gemeinsame DSFA Muss-Liste (nicht-oeffentlicher Bereich)", + "url": "https://datenschutz.hessen.de/sites/datenschutz.hessen.de/files/2022-11/dsfa_muss_liste_dsk_de.pdf", + "filename": "dsfa_dsk_gemeinsam.pdf", + "subdir": "de/dsk", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://datenschutz.hessen.de/datenschutz/it-und-datenschutz/datenschutz-folgenabschaetzung", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_bw", + "title": "Baden-Wuerttemberg — DSFA Muss-Liste", + "url": "https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2018/05/Liste-von-Verarbeitungsvorg%C3%A4ngen-nach-Art.-35-Abs.-4-DS-GVO-LfDI-BW.pdf", + "filename": "dsfa_bw.pdf", + "subdir": "de/dpas/bw", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfDI Baden-Wuerttemberg", + "source_url": "https://www.baden-wuerttemberg.datenschutz.de/datenschutz-folgenabschaetzung/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_by", + "title": "Bayern (BayLDA) — DSFA Muss-Liste (DSK)", + "url": "https://www.lda.bayern.de/media/dsfa_muss_liste_dsk_de.pdf", + "filename": "dsfa_by.pdf", + "subdir": "de/dpas/by", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)", + "source_url": "https://www.lda.bayern.de/de/datenschutz_eu.html", + "collection": COLLECTION_DSFA, + }, 
+ { + "id": "dsfa_be_noe", + "title": "Berlin — DSFA-Liste nicht-oeffentlicher Bereich", + "url": "https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/dokumente/2018-BlnBDI_DSFA-nicht-oeffentlich.pdf", + "filename": "dsfa_be_noe.pdf", + "subdir": "de/dpas/be", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Berliner Beauftragte fuer Datenschutz und Informationsfreiheit (BlnBDI)", + "source_url": "https://www.datenschutz-berlin.de/infothek/publikationen", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_be_oe", + "title": "Berlin — DSFA-Liste oeffentlicher Bereich", + "url": "https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/dokumente/2018-BlnBDI_DSFA-oeffentlich.pdf", + "filename": "dsfa_be_oe.pdf", + "subdir": "de/dpas/be", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Berliner Beauftragte fuer Datenschutz und Informationsfreiheit (BlnBDI)", + "source_url": "https://www.datenschutz-berlin.de/infothek/publikationen", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_bb_oe", + "title": "Brandenburg — DSFA-Liste oeffentlicher Bereich", + "url": "https://www.lda.brandenburg.de/sixcms/media.php/9/DSFA-Liste_%C3%B6ffentlicher_Bereich.pdf", + "filename": "dsfa_bb_oe.pdf", + "subdir": "de/dpas/bb", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LDA Brandenburg", + "source_url": "https://www.lda.brandenburg.de/lda/de/datenschutz/datenschutz-folgenabschaetzung/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_bb_noe", + "title": "Brandenburg — DSFA-Liste nicht-oeffentlicher Bereich", + "url": "https://www.lda.brandenburg.de/sixcms/media.php/9/DSFA-Liste_nicht_%C3%B6ffentlicher_Bereich.pdf", + "filename": "dsfa_bb_noe.pdf", + "subdir": "de/dpas/bb", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LDA Brandenburg", + "source_url": "https://www.lda.brandenburg.de/lda/de/datenschutz/datenschutz-folgenabschaetzung/", + "collection": COLLECTION_DSFA, + }, + { + "id": 
"dsfa_hb", + "title": "Bremen — DSFA Muss-Liste", + "url": "https://www.datenschutz.bremen.de/sixcms/media.php/13/DSFA%20Muss-Liste%20LfDI%20HB.pdf", + "filename": "dsfa_hb.pdf", + "subdir": "de/dpas/hb", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfDI Bremen", + "source_url": "https://www.datenschutz.bremen.de/datenschutz/ds-gvo/datenschutz-folgenabschaetzung-18544", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_hh_noe", + "title": "Hamburg — DSFA Muss-Liste nicht-oeffentlicher Bereich", + "url": "https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Datenschutz/Informationen/DSFA_Muss-Liste_fuer_den_nicht-oeffentlicher_Bereich_-_Stand_17.10.2018.pdf", + "filename": "dsfa_hh_noe.pdf", + "subdir": "de/dpas/hh", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "HmbBfDI Hamburg", + "source_url": "https://datenschutz-hamburg.de/datenschutz-informationen", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_hh_oe", + "title": "Hamburg — DSFA Muss-Liste oeffentlicher Bereich", + "url": "https://datenschutz-hamburg.de/fileadmin/user_upload/HmbBfDI/Datenschutz/Informationen/Liste_Art_35-4_DSGVO_HmbBfDI-oeffentlicher_Bereich_v2.0a.pdf", + "filename": "dsfa_hh_oe.pdf", + "subdir": "de/dpas/hh", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "HmbBfDI Hamburg", + "source_url": "https://datenschutz-hamburg.de/datenschutz-informationen", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_mv", + "title": "Mecklenburg-Vorpommern — DSFA Muss-Liste oeffentlicher Bereich", + "url": "https://www.datenschutz-mv.de/static/DS/Dateien/DS-GVO/HilfsmittelzurUmsetzung/MV-DSFA-Muss-Liste-Oeffentlicher-Bereich.pdf", + "filename": "dsfa_mv.pdf", + "subdir": "de/dpas/mv", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfDI Mecklenburg-Vorpommern", + "source_url": "https://www.datenschutz-mv.de/datenschutz/fuer-verwaltungen/Datenschutz-Folgenabschaetzung/", + "collection": COLLECTION_DSFA, + }, + { 
+ "id": "dsfa_ni", + "title": "Niedersachsen — DSFA Muss-Liste", + "url": "https://www.lfd.niedersachsen.de/download/131098/Liste_von_Verarbeitungsvorgaengen_nach_Art._35_Abs._4_DS-GVO.pdf", + "filename": "dsfa_ni.pdf", + "subdir": "de/dpas/ni", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfD Niedersachsen", + "source_url": "https://www.lfd.niedersachsen.de/dsgvo/liste_von_verarbeitungsvorgangen_nach_art_35_abs_4_ds_gvo/muss-listen-zur-datenschutz-folgenabschatzung-179663.html", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_rp", + "title": "Rheinland-Pfalz — DSFA Muss-Liste oeffentliche Stellen", + "url": "https://www.datenschutz.rlp.de/fileadmin/datenschutz/Dokumente/Orientierungshilfen/DSFA_-_Muss-Liste_RLP_OE.pdf", + "filename": "dsfa_rp.pdf", + "subdir": "de/dpas/rp", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfDI Rheinland-Pfalz", + "source_url": "https://www.datenschutz.rlp.de/themen/datenschutz-folgenabschaetzung", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_sl", + "title": "Saarland — DSFA Muss-Liste (DSK)", + "url": "https://www.datenschutz.saarland.de/fileadmin/user_upload/uds/alle_Dateien_und_Ordner_bis_2025/Download/dsfa_muss_liste_dsk_de.pdf", + "filename": "dsfa_sl.pdf", + "subdir": "de/dpas/sl", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "UDS Saarland", + "source_url": "https://www.datenschutz.saarland.de/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_sn", + "title": "Sachsen — DSFA-Ergaenzungsliste", + "url": "https://www.datenschutz.sachsen.de/download/Datenschutz-Folgenabschaetzung_Ergaenzung_Liste_V1_20180606.pdf", + "filename": "dsfa_sn.pdf", + "subdir": "de/dpas/sn", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "Saechsischer Datenschutzbeauftragter", + "source_url": "https://www.datenschutz.sachsen.de/datenschutz-folgenabschaetzung-4156.html", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_st_oe", + "title": 
"Sachsen-Anhalt — DSFA-Liste oeffentlicher Bereich", + "url": "https://datenschutz.sachsen-anhalt.de/fileadmin/Bibliothek/Landesaemter/LfD/Informationen/Internationales/Datenschutz-Grundverordnung/Liste_DSFA/Art-35-Liste-oeffentlicher_Bereich.pdf", + "filename": "dsfa_st_oe.pdf", + "subdir": "de/dpas/st", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfD Sachsen-Anhalt", + "source_url": "https://datenschutz.sachsen-anhalt.de/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_st_noe", + "title": "Sachsen-Anhalt — DSFA-Liste nicht-oeffentlicher Bereich", + "url": "https://datenschutz.sachsen-anhalt.de/fileadmin/Bibliothek/Landesaemter/LfD/Informationen/Internationales/Datenschutz-Grundverordnung/Liste_DSFA/Art-35-Liste-nichtoeffentlicher_Bereich.pdf", + "filename": "dsfa_st_noe.pdf", + "subdir": "de/dpas/st", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "LfD Sachsen-Anhalt", + "source_url": "https://datenschutz.sachsen-anhalt.de/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_sh", + "title": "Schleswig-Holstein — DSFA Muss-Liste", + "url": "https://www.datenschutzzentrum.de/uploads/datenschutzfolgenabschaetzung/20180525_LfD-SH_DSFA_Muss-Liste_V1.0.pdf", + "filename": "dsfa_sh.pdf", + "subdir": "de/dpas/sh", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "ULD Schleswig-Holstein", + "source_url": "https://www.datenschutzzentrum.de/datenschutzfolgenabschaetzung/", + "collection": COLLECTION_DSFA, + }, + { + "id": "dsfa_th", + "title": "Thueringen — Vorlaeufige DSFA Muss-Liste", + "url": "https://tlfdi.de/fileadmin/tlfdi/datenschutz/dsfa_muss-liste_04_07_18.pdf", + "filename": "dsfa_th.pdf", + "subdir": "de/dpas/th", + "category": "dsfa_mussliste", + "year": 2018, + "source_org": "TLfDI Thueringen", + "source_url": "https://tlfdi.de/", + "collection": COLLECTION_DSFA, + }, +] + +# --- DSK Kurzpapiere (Lizenz: GRUEN — oeffentliche Aufsichtsbehoerdendokumente, kommerziell nutzbar) --- 
+DSK_KURZPAPIERE = [ + { + "id": "dsk_kp_01_vvt", + "title": "DSK Kurzpapier Nr. 1 — Verzeichnis von Verarbeitungstaetigkeiten (Art. 30)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_1.pdf", + "filename": "dsk_kpnr_1.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_02_einwilligung", + "title": "DSK Kurzpapier Nr. 2 — Einwilligung (Art. 7)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_2.pdf", + "filename": "dsk_kpnr_2.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_03_zweckbindung", + "title": "DSK Kurzpapier Nr. 3 — Zweckbindung und Zweckaenderung", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_3.pdf", + "filename": "dsk_kpnr_3.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_04_datenminimierung", + "title": "DSK Kurzpapier Nr. 4 — Datenminimierung", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_4.pdf", + "filename": "dsk_kpnr_4.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_05_dsfa", + "title": "DSK Kurzpapier Nr. 5 — Datenschutz-Folgenabschaetzung (Art. 
35)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_5.pdf", + "filename": "dsk_kpnr_5.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_06_auskunftsrecht", + "title": "DSK Kurzpapier Nr. 6 — Auskunftsrecht (Art. 15)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_6.pdf", + "filename": "dsk_kpnr_6.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_07_marktortprinzip", + "title": "DSK Kurzpapier Nr. 7 — Marktortprinzip (Art. 3)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_7.pdf", + "filename": "dsk_kpnr_7.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_08_datenportabilitaet", + "title": "DSK Kurzpapier Nr. 8 — Datenportabilitaet (Art. 20)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_8.pdf", + "filename": "dsk_kpnr_8.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_09_sanktionen", + "title": "DSK Kurzpapier Nr. 
9 — Sanktionen, Geldbussen und Schadenersatz", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_9.pdf", + "filename": "dsk_kpnr_9.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_10_informationspflichten", + "title": "DSK Kurzpapier Nr. 10 — Informationspflichten (Art. 12-14)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_10.pdf", + "filename": "dsk_kpnr_10.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_11_loeschung", + "title": "DSK Kurzpapier Nr. 11 — Recht auf Loeschung (Art. 17)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_11.pdf", + "filename": "dsk_kpnr_11.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_12_dsb", + "title": "DSK Kurzpapier Nr. 12 — Datenschutzbeauftragte (Art. 37-39)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_12.pdf", + "filename": "dsk_kpnr_12.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_13_avv", + "title": "DSK Kurzpapier Nr. 13 — Auftragsverarbeitung (Art. 
28)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_13.pdf", + "filename": "dsk_kpnr_13.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_14_beschaeftigte", + "title": "DSK Kurzpapier Nr. 14 — Beschaeftigtendatenschutz", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_14.pdf", + "filename": "dsk_kpnr_14.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_15_videoueberwachung", + "title": "DSK Kurzpapier Nr. 15 — Videoueberwachung nach DSGVO", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_15.pdf", + "filename": "dsk_kpnr_15.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_16_gemeinsame_verantwortlichkeit", + "title": "DSK Kurzpapier Nr. 16 — Gemeinsame Verantwortlichkeit (Art. 26)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_16.pdf", + "filename": "dsk_kpnr_16.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_17_art9", + "title": "DSK Kurzpapier Nr. 17 — Besondere Kategorien personenbezogener Daten (Art. 
9)", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_17.pdf", + "filename": "dsk_kpnr_17.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_18_risiko", + "title": "DSK Kurzpapier Nr. 18 — Risiko fuer die Rechte und Freiheiten natuerlicher Personen", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_18.pdf", + "filename": "dsk_kpnr_18.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_19_unabhaengigkeit", + "title": "DSK Kurzpapier Nr. 19 — Unabhaengigkeit der Datenschutzaufsicht", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_19.pdf", + "filename": "dsk_kpnr_19.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2018, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, + { + "id": "dsk_kp_20_evaluierung", + "title": "DSK Kurzpapier Nr. 
20 — Evaluierung der DSGVO", + "url": "https://www.datenschutzkonferenz-online.de/media/kp/dsk_kpnr_20.pdf", + "filename": "dsk_kpnr_20.pdf", + "subdir": "de/dsk/kurzpapiere", + "category": "dsk_kurzpapier", + "year": 2020, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/kurzpapiere.html", + "license_grade": "green", + }, +] + +# --- DSK Orientierungshilfen (Lizenz: GELB — oeffentlich verfuegbar, Lizenz nicht explizit) --- +DSK_ORIENTIERUNGSHILFEN = [ + { + "id": "dsk_sdm_v31", + "title": "DSK — Standard-Datenschutzmodell (SDM) V3.1", + "url": "https://www.datenschutzkonferenz-online.de/media/oh/SDM-Methode-V31.pdf", + "filename": "SDM-Methode-V31.pdf", + "subdir": "de/dsk/orientierungshilfen", + "category": "dsk_orientierungshilfe", + "year": 2024, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/sdm.html", + "license_grade": "yellow", + }, + { + "id": "dsk_oh_email_verschl", + "title": "DSK Orientierungshilfe — E-Mail-Verschluesselung", + "url": "https://www.datenschutzkonferenz-online.de/media/oh/oh_e_mail_verschluesselung.pdf", + "filename": "oh_e_mail_verschluesselung.pdf", + "subdir": "de/dsk/orientierungshilfen", + "category": "dsk_orientierungshilfe", + "year": 2021, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/orientierungshilfen.html", + "license_grade": "yellow", + }, + { + "id": "dsk_oh_telemedien", + "title": "DSK Orientierungshilfe — Telemedien (Webseiten/Apps)", + "url": "https://www.datenschutzkonferenz-online.de/media/oh/oh_telemedien.pdf", + "filename": "oh_telemedien.pdf", + "subdir": "de/dsk/orientierungshilfen", + "category": "dsk_orientierungshilfe", + "year": 2022, + "source_org": "Datenschutzkonferenz (DSK)", + "source_url": "https://www.datenschutzkonferenz-online.de/orientierungshilfen.html", + "license_grade": "yellow", + }, +] + +# --- BfDI Praxis-Dokumente 
(Lizenz: GELB — oeffentlich verfuegbar, Lizenz nicht explizit) --- +BFDI_PRAXIS = [ + { + "id": "bfdi_loeschkonzept", + "title": "BfDI — Loeschkonzept (2021)", + "url": "https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Broschueren/INFO5.pdf?__blob=publicationFile&v=9", + "filename": "2021_Loeschkonzept-BfDI.pdf", + "subdir": "de/bfdi/praxis", + "category": "bfdi_praxis", + "year": 2021, + "source_org": "Bundesbeauftragte fuer den Datenschutz und die Informationsfreiheit (BfDI)", + "source_url": "https://www.bfdi.bund.de/DE/Fachthemen/Inhalte/Loeschen/loeschen-node.html", + "license_grade": "yellow", + }, +] + +# --- BayLDA/BayLfD Dokumente (Lizenz: GELB — oeffentlich verfuegbar) --- +BAYLDA_DOCS = [ + { + "id": "baylda_tom_checkliste", + "title": "BayLDA — Checkliste Technisch-Organisatorische Massnahmen (TOM)", + "url": "https://www.lda.bayern.de/media/baylda_checkliste_tom.pdf", + "filename": "baylda_checkliste_tom.pdf", + "subdir": "de/baylda", + "category": "baylda_praxis", + "year": 2019, + "source_org": "Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)", + "source_url": "https://www.lda.bayern.de/de/datenschutz_eu.html", + "license_grade": "yellow", + }, + { + "id": "baylfb_oh_loeschung", + "title": "BayLfD — Orientierungshilfe Loeschung", + "url": "https://www.datenschutz-bayern.de/datenschutzreform2018/OH_Loeschung.pdf", + "filename": "OH_Loeschung.pdf", + "subdir": "de/baylfb", + "category": "baylda_praxis", + "year": 2019, + "source_org": "Bayerischer Landesbeauftragter fuer den Datenschutz (BayLfD)", + "source_url": "https://www.datenschutz-bayern.de/datenschutzreform2018/", + "license_grade": "yellow", + }, +] + +# Combined registry +REGISTRY = ( + WP29_ENDORSED + + EDPB_GUIDELINES + + EDPS_GUIDANCE + + DSFA_MUSSLISTEN + + DSK_KURZPAPIERE + + DSK_ORIENTIERUNGSHILFEN + + BFDI_PRAXIS + + BAYLDA_DOCS +) + +# Mapping old filenames (from pdfs/) to new entry IDs for migration +OLD_FILENAME_MAP = { + "edpb_wp248_dpia.pdf": "wp248_dpia", + 
"edpb_wp243_dpo.pdf": "wp243_dpo", + "edpb_wp260_transparency.pdf": "wp260_transparency", + "edpb_wp250_breach.pdf": "wp250_breach", + "edpb_wp259_consent.pdf": "wp259_consent", + "edpb_wp242_portability.pdf": "wp242_portability", + "edpb_wp251_profiling.pdf": "wp251_profiling", + "edpb_consent_05_2020.pdf": "edpb_consent_05_2020", + "edpb_dpbd_04_2019.pdf": "edpb_dpbd_04_2019", + "edpb_transfers_07_2020.pdf": "edpb_transfers_01_2020", + "edpb_gl_7_2020.pdf": "edpb_controller_processor_07_2020", + "edpb_breach_09_2022.pdf": "edpb_breach_09_2022", + "edpb_access_01_2022.pdf": "edpb_access_01_2022", + "edpb_gl_04_2022.pdf": "edpb_fines_04_2022", + "edpb_article48_02_2024.pdf": "edpb_article48_02_2024", + "edpb_eprivacy_02_2023.pdf": "edpb_eprivacy_02_2023", + "edpb_legitimate_interest.pdf": "edpb_legitimate_interest_01_2024", + "edpb_dark_patterns_03_2022.pdf": "edpb_dark_patterns_03_2022", + "edpb_social_media_08_2020.pdf": "edpb_social_media_08_2020", + "edpb_gl_3_2019.pdf": "edpb_video_03_2019", + "edpb_connected_vehicles_01_2020.pdf": "edpb_connected_vehicles_01_2020", + "edpb_vva_02_2021.pdf": "edpb_vva_02_2021", + "edpb_cookie_taskforce_2023.pdf": "edpb_cookie_taskforce_2023", + "edpb_certification_01_2019.pdf": "edpb_certification_01_2018", + "edpb_bcr_01_2022.pdf": "edpb_bcr_01_2022", + "edpb_rtbf_05_2019.pdf": "edpb_rtbf_05_2019", + "edpb_dpia_list_recommendation.pdf": "edpb_dpia_list_recommendation", + "edpb_health_data_03_2020.pdf": "edpb_health_data_03_2020", + "edpb_geolocation_04_2020.pdf": "edpb_geolocation_04_2020", + "edpb_gl_2_2019.pdf": "edpb_legal_basis_02_2019", + "edps_dpia_list.pdf": "edps_dpia_list", + "edps_genai_orientations_2024.pdf": "edps_genai_orientations_2024", + "edps_digital_ethics_2018.pdf": "edps_digital_ethics_2018", +} + + +# --------------------------------------------------------------------------- +# Helpers +# --------------------------------------------------------------------------- + +def ts() -> str: + return 
datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") + + +def sha256_file(path: Path) -> str: + h = hashlib.sha256() + with open(path, "rb") as f: + for chunk in iter(lambda: f.read(8192), b""): + h.update(chunk) + return h.hexdigest() + + +def load_manifest() -> dict: + if MANIFEST_PATH.exists(): + with open(MANIFEST_PATH) as f: + return json.load(f) + return {"version": datetime.now().strftime("%Y-%m-%d.1"), "last_updated": ts(), "documents": {}} + + +def save_manifest(manifest: dict) -> None: + manifest["last_updated"] = ts() + today = datetime.now().strftime("%Y-%m-%d") + old_v = manifest.get("version", "") + if old_v.startswith(today + "."): + n = int(old_v.split(".")[-1]) + 1 + manifest["version"] = f"{today}.{n}" + else: + manifest["version"] = f"{today}.1" + MANIFEST_PATH.parent.mkdir(parents=True, exist_ok=True) + with open(MANIFEST_PATH, "w") as f: + json.dump(manifest, f, indent=2, ensure_ascii=False) + + +def log(msg): print(f"[{datetime.now().strftime('%H:%M:%S')}] {msg}") +def ok(msg): print(f"[{datetime.now().strftime('%H:%M:%S')}] \u2713 {msg}") +def warn(msg): print(f"[{datetime.now().strftime('%H:%M:%S')}] \u26a0 {msg}", file=sys.stderr) +def fail(msg): print(f"[{datetime.now().strftime('%H:%M:%S')}] \u2717 {msg}", file=sys.stderr) + + +def is_valid_pdf(path: Path) -> bool: + """Check if file is actually a PDF (not HTML from Cloudflare).""" + with open(path, "rb") as f: + header = f.read(5) + return header == b"%PDF-" + + +def extract_text_pymupdf(pdf_path: Path) -> str: + """Extract text from PDF using PyMuPDF locally.""" + if not HAS_PYMUPDF: + return "" + doc = fitz.open(str(pdf_path)) + pages = [] + for page in doc: + text = page.get_text() + if text.strip(): + pages.append(text) + doc.close() + return "\n\n".join(pages) + + +def upload_text_as_file(text: str, filename: str, collection: str, + data_type: str, use_case: str, year: str, + metadata: dict) -> dict: + """Upload extracted text as a .txt file to the RAG API.""" + txt_filename = 
filename.replace(".pdf", ".txt")
+ resp = requests.post(
+ RAG_URL,
+ files={"file": (txt_filename, text.encode("utf-8"), "text/plain")},
+ data={
+ "collection": collection,
+ "data_type": data_type,
+ "use_case": use_case,
+ "year": year,
+ "chunk_strategy": "recursive",
+ "chunk_size": "512",
+ "chunk_overlap": "50",
+ "metadata_json": json.dumps(metadata),
+ },
+ timeout=TIMEOUT,
+ verify=False,
+ )
+ return resp
+
+
+def entry_path(entry: dict) -> Path:
+ """Full path for a registry entry."""
+ return SOURCES_DIR / entry["subdir"] / entry["filename"]
+
+
+def entry_collection(entry: dict) -> str:
+ """Target Qdrant collection for a registry entry."""
+ return entry.get("collection", COLLECTION)
+
+
+def registry_by_id() -> dict:
+ return {e["id"]: e for e in REGISTRY}
+
+
+# ---------------------------------------------------------------------------
+# CSV Manifest Export
+# ---------------------------------------------------------------------------
+
+def export_csv_manifests() -> None:
+ """Write CSV manifests per category + unified manifest with license grades."""
+ MANIFESTS_DIR.mkdir(parents=True, exist_ok=True)
+ fields = ["id", "title", "url", "filename", "subdir", "category", "year", "source_org", "source_url"]
+
+ groups = {
+ "eu_wp29_endorsed.csv": WP29_ENDORSED,
+ "eu_edpb_guidelines.csv": EDPB_GUIDELINES,
+ "eu_edps_guidance.csv": EDPS_GUIDANCE,
+ "de_dsfa_lists.csv": DSFA_MUSSLISTEN,
+ "de_dsk_kurzpapiere.csv": DSK_KURZPAPIERE,
+ "de_dsk_orientierungshilfen.csv": DSK_ORIENTIERUNGSHILFEN,
+ "de_bfdi_praxis.csv": BFDI_PRAXIS,
+ "de_baylda_docs.csv": BAYLDA_DOCS,
+ }
+
+ for fname, entries in groups.items():
+ path = MANIFESTS_DIR / fname
+ with open(path, "w", newline="", encoding="utf-8") as f:
+ writer = csv.DictWriter(f, fieldnames=fields, extrasaction="ignore")
+ writer.writeheader()
+ for e in entries:
+ writer.writerow(e)
+ ok(f"CSV manifest: {path} ({len(entries)} entries)")
+
+ # Unified manifest with license grades
+ unified_fields = [
+ "id", "topic", "doc_type", "url", "license_grade",
+ "source_org", "source_url", "collection", "notes",
+ ]
+ unified_path = MANIFESTS_DIR / "eu_de_privacy_manifest.csv"
+ with open(unified_path, "w", newline="", encoding="utf-8") as f:
+ writer = csv.DictWriter(f, fieldnames=unified_fields, extrasaction="ignore")
+ writer.writeheader()
+ for e in REGISTRY:
+ grade = e.get("license_grade", "green")
+ coll = entry_collection(e)
+ row = {
+ "id": e["id"],
+ "topic": e.get("category", ""),
+ "doc_type": e.get("category", ""),
+ "url": e["url"],
+ "license_grade": grade,
+ "source_org": e.get("source_org", ""),
+ "source_url": e.get("source_url", ""),
+ "collection": coll,
+ "notes": e["title"],
+ }
+ writer.writerow(row)
+ ok(f"Unified manifest: {unified_path} ({len(REGISTRY)} entries)")
+
+
+# ---------------------------------------------------------------------------
+# Migration: pdfs/ -> sources/
+# ---------------------------------------------------------------------------
+
+def migrate_from_pdfs(manifest: dict) -> dict:
+ """Move existing PDFs from ~/rag-ingestion/pdfs/ into the new sources/ structure."""
+ old_dir = WORK_DIR / "pdfs"
+ if not old_dir.exists():
+ log("No pdfs/ directory found — nothing to migrate")
+ return manifest
+
+ moved = 0
+ for old_file in sorted(old_dir.glob("*.pdf")):
+ fname = old_file.name
+ entry_id = OLD_FILENAME_MAP.get(fname)
+ if not entry_id:
+ warn(f"No registry mapping for {fname} — skipping migration")
+ continue
+
+ rmap = registry_by_id()
+ entry = rmap.get(entry_id)
+ if not entry:
+ warn(f"Entry {entry_id} not in registry — skipping")
+ continue
+
+ new_path = entry_path(entry)
+ if new_path.exists():
+ # Already migrated
+ continue
+
+ new_path.parent.mkdir(parents=True, exist_ok=True)
+ shutil.copy2(str(old_file), str(new_path))
+
+ sha = sha256_file(new_path)
+ manifest["documents"][entry_id] = {
+ "filename": entry["filename"],
+ "subdir": entry["subdir"],
+ "sha256": sha,
+ "downloaded_at": ts(),
+ "file_size": new_path.stat().st_size,
+ "source_url": entry["url"],
+ "source_org": entry["source_org"],
+ "source_page": entry.get("source_url", ""),
+ "ingested": False,
+ "ingested_at": None,
+ "collection": entry_collection(entry),
+ }
+ ok(f"Migrated: {fname} -> sources/{entry['subdir']}/{entry['filename']}")
+ moved += 1
+
+ log(f"Migration: {moved} files moved to sources/")
+ return manifest
+
+
+# ---------------------------------------------------------------------------
+# Download
+# ---------------------------------------------------------------------------
+
+def download_new(manifest: dict) -> dict:
+ """Download PDFs from registry that are not yet on disk."""
+ downloaded = 0
+ skipped = 0
+ failed = 0
+
+ for entry in REGISTRY:
+ doc_id = entry["id"]
+ target = entry_path(entry)
+
+ # Already on disk?
+ if target.exists() and target.stat().st_size > 100:
+ if doc_id not in manifest["documents"]:
+ sha = sha256_file(target)
+ manifest["documents"][doc_id] = {
+ "filename": entry["filename"],
+ "subdir": entry["subdir"],
+ "sha256": sha,
+ "downloaded_at": ts(),
+ "file_size": target.stat().st_size,
+ "source_url": entry["url"],
+ "source_org": entry["source_org"],
+ "source_page": entry.get("source_url", ""),
+ "ingested": False,
+ "ingested_at": None,
+ "collection": entry_collection(entry),
+ }
+ skipped += 1
+ continue
+
+ target.parent.mkdir(parents=True, exist_ok=True)
+ log(f"Downloading: {entry['title']}")
+
+ try:
+ time.sleep(DOWNLOAD_DELAY)
+ resp = requests.get(
+ entry["url"], timeout=60, verify=False,
+ headers={"User-Agent": "BreakPilot-Compliance-Crawler/1.0"},
+ allow_redirects=True,
+ )
+ resp.raise_for_status()
+
+ if len(resp.content) < 1000:
+ warn(f"Response too small ({len(resp.content)} bytes): {entry['title']}")
+ failed += 1
+ continue
+
+ ct = resp.headers.get("content-type", "")
+ if "html" in ct.lower() and "pdf" not in ct.lower():
+ warn(f"Got HTML instead of PDF (Cloudflare?): {entry['title']}")
+ failed += 1
+ continue
+
+ # Double-check: content starts with %PDF-
+ if not resp.content[:5] == b"%PDF-":
+ warn(f"Downloaded content is not a PDF (header: {resp.content[:15]!r}): {entry['title']}")
+ failed += 1
+ continue
+
+ target.write_bytes(resp.content)
+ sha = sha256_file(target)
+ manifest["documents"][doc_id] = {
+ "filename": entry["filename"],
+ "subdir": entry["subdir"],
+ "sha256": sha,
+ "downloaded_at": ts(),
+ "file_size": len(resp.content),
+ "source_url": entry["url"],
+ "source_org": entry["source_org"],
+ "source_page": entry.get("source_url", ""),
+ "ingested": False,
+ "ingested_at": None,
+ "collection": entry_collection(entry),
+ }
+ ok(f"Downloaded: {entry['filename']} ({len(resp.content) // 1024} KB)")
+ downloaded += 1
+
+ except Exception as e:
+ fail(f"Download failed: {entry['title']} — {e}")
+ failed += 1
+
+ log(f"Download: {downloaded} new, {skipped} existing, {failed} failed")
+ return manifest
+
+
+# ---------------------------------------------------------------------------
+# Ingest
+# ---------------------------------------------------------------------------
+
+def ingest_new(manifest: dict) -> dict:
+ """Ingest PDFs that are downloaded but not yet ingested.
+
+ Strategy:
+ 1. Try PDF upload to RAG API (embedding service extracts text)
+ 2. If that fails (500), check if file is actually HTML (Cloudflare block)
+ → if HTML, mark as needs-redownload and skip
+ 3. If real PDF, fallback: extract text locally with PyMuPDF,
+ then upload as .txt file
+ """
+ rmap = registry_by_id()
+ ingested = 0
+ skipped = 0
+ failed = 0
+ fallback_used = 0
+
+ for doc_id, doc in list(manifest["documents"].items()):
+ if doc.get("ingested"):
+ skipped += 1
+ continue
+
+ # Find file: try new structure first, then old pdfs/ dir
+ pdf_path = SOURCES_DIR / doc.get("subdir", "") / doc["filename"]
+ if not pdf_path.exists():
+ pdf_path = WORK_DIR / "pdfs" / doc["filename"]
+ if not pdf_path.exists():
+ warn(f"PDF not found: {doc['filename']}")
+ failed += 1
+ continue
+
+ # Check for HTML files masquerading as PDFs
+ if not is_valid_pdf(pdf_path):
+ warn(f"Not a valid PDF (HTML/Cloudflare block): {doc['filename']} — deleting, will re-download")
+ pdf_path.unlink()
+ # Remove from manifest so --download will retry
+ if doc_id in manifest["documents"]:
+ del manifest["documents"][doc_id]
+ failed += 1
+ continue
+
+ entry = rmap.get(doc_id, {})
+ title = entry.get("title", doc_id)
+ category = entry.get("category", "general")
+ year = str(entry.get("year", "2024"))
+ collection = doc.get("collection", entry.get("collection", COLLECTION))
+
+ # Determine source_id based on subdir
+ subdir = doc.get("subdir", entry.get("subdir", ""))
+ if subdir.startswith("de/"):
+ source_id = subdir.split("/")[1]
+ doc_type = "dsfa_mussliste"
+ data_type = "compliance"
+ use_case = "legal_reference"
+ elif "edps" in subdir:
+ source_id = "edps"
+ doc_type = "guidance"
+ data_type = "compliance_datenschutz"
+ use_case = "guidance"
+ else:
+ source_id = "edpb"
+ doc_type = "guidance"
+ data_type = "compliance_datenschutz"
+ use_case = "guidance"
+
+ metadata = {
+ "source_id": source_id,
+ "doc_type": doc_type,
+ "guideline_id": doc_id,
+ "guideline_name": title,
+ "category": category,
+ "license": "reuse_notice" if subdir.startswith("eu/") else "public_law",
+ "attribution": entry.get("source_org", ""),
+ "source": entry.get("source_url", entry.get("url", "")),
+ "download_url": entry.get("url", doc.get("source_url", "")),
+ }
+
+ log(f"Ingesting: {title} ({pdf_path.stat().st_size // 1024} KB) -> {collection}")
+
+ # --- Attempt 1: direct PDF upload ---
+ try:
+ with open(pdf_path, "rb") as f:
+ resp = requests.post(
+ RAG_URL,
+ files={"file": (doc["filename"], f, "application/pdf")},
+ data={
+ "collection": collection,
+ "data_type": data_type,
+ "use_case": use_case,
+ "year": year,
+ "chunk_strategy": "recursive",
+ "chunk_size": "512",
+ "chunk_overlap": "50",
+ "metadata_json": json.dumps(metadata),
+ },
+ timeout=TIMEOUT,
+ verify=False,
+ )
+
+ result = resp.json()
+ chunks = result.get("chunks_count") or result.get("vectors_indexed", "?")
+
+ if resp.status_code < 300 and ("chunks_count" in result or "vectors_indexed" in result):
+ doc["ingested"] = True
+ doc["ingested_at"] = ts()
+ ok(f"Ingested: {title} -> {chunks} chunks")
+ ingested += 1
+ continue
+
+ except Exception as e:
+ warn(f"PDF upload error: {title} — {e}")
+
+ # --- Attempt 2: PyMuPDF local extraction + text upload ---
+ if not HAS_PYMUPDF:
+ fail(f"Ingest failed + no PyMuPDF fallback: {title}")
+ failed += 1
+ continue
+
+ log(f" Fallback: extracting text locally with PyMuPDF...")
+ try:
+ text = extract_text_pymupdf(pdf_path)
+ if len(text.strip()) < 100:
+ fail(f" PyMuPDF extracted too little text ({len(text)} chars): {title}")
+ failed += 1
+ continue
+
+ resp = upload_text_as_file(text, doc["filename"], collection,
+ data_type, use_case, year, metadata)
+ result = resp.json()
+ chunks = result.get("chunks_count") or result.get("vectors_indexed", "?")
+
+ if resp.status_code < 300 and ("chunks_count" in result or "vectors_indexed" in result):
+ doc["ingested"] = True
+ doc["ingested_at"] = ts()
+ doc["ingest_method"] = "pymupdf_fallback"
+ ok(f" Fallback OK: {title} -> {chunks} chunks (PyMuPDF text extraction)")
+ ingested += 1
+ fallback_used += 1
+ else:
+ fail(f" Fallback ingest failed ({resp.status_code}): {title}")
+ fail(f" Response: {resp.text[:300]}")
+ failed += 1
+
+ except Exception as e:
+ fail(f" Fallback error: {title} — {e}")
+ failed += 1
+
+ log(f"Ingest: {ingested} new ({fallback_used} via PyMuPDF fallback), {skipped} already ingested, {failed} failed")
+ return manifest
+
+
+# ---------------------------------------------------------------------------
+# Status
+# ---------------------------------------------------------------------------
+
+def show_status(manifest: dict) -> None:
+ downloaded = 0
+ ingested_count = 0
+ missing = 0
+
+ sections = [
+ ("=== Endorsed WP29 ===", WP29_ENDORSED),
+ ("=== EDPB Guidelines & Recommendations ===", EDPB_GUIDELINES),
+ ("=== EDPS Guidance ===", EDPS_GUIDANCE),
+ ("=== DSFA Muss-Listen (DE) ===", DSFA_MUSSLISTEN),
+ ("=== DSK Kurzpapiere (Nr. 1-20) ===", DSK_KURZPAPIERE),
+ ("=== DSK Orientierungshilfen ===", DSK_ORIENTIERUNGSHILFEN),
+ ("=== BfDI Praxis-Dokumente ===", BFDI_PRAXIS),
+ ("=== BayLDA/BayLfD Dokumente ===", BAYLDA_DOCS),
+ ]
+
+ print()
+ for header, entries in sections:
+ print(f"\n{header}")
+ print(f"{'ID':<40} {'Status':<12} {'File':<45} {'Size':>8}")
+ print("-" * 110)
+
+ for entry in entries:
+ doc_id = entry["id"]
+ doc = manifest["documents"].get(doc_id)
+
+ if doc:
+ size_kb = doc.get("file_size", 0) // 1024
+ if doc.get("ingested"):
+ status = "INGESTED"
+ ingested_count += 1
+ else:
+ status = "DOWNLOADED"
+ downloaded += 1
+ else:
+ fp = entry_path(entry)
+ if fp.exists():
+ status = "ON DISK"
+ downloaded += 1
+ size_kb = fp.stat().st_size // 1024
+ else:
+ status = "MISSING"
+ missing += 1
+ size_kb = 0
+
+ size_str = f"{size_kb:>6} KB" if size_kb > 0 else " -"
+ print(f"{doc_id:<40} {status:<12} {entry['filename']:<45} {size_str}")
+
+ print()
+ print("=" * 110)
+ print(f"Total: {len(REGISTRY)} in registry | {downloaded} downloaded | {ingested_count} ingested | {missing} missing")
+ print(f"Manifest: {MANIFEST_PATH}")
+ print(f"Sources: {SOURCES_DIR}")
+ print()
+
+
+# ---------------------------------------------------------------------------
+# Verify
+# ---------------------------------------------------------------------------
+
+def verify(manifest: dict) -> None:
+ queries = [
+ ("DSFA erforderlich Risiko", COLLECTION, "WP248"),
+ ("Datenschutzbeauftragter Pflichten", COLLECTION, "WP243"),
+ ("Transparenz Informationspflicht", COLLECTION, "WP260"),
+ ("Einwilligung Consent Cookie", COLLECTION, "Consent"),
+ ("Data Protection by Design", COLLECTION, "DPbD"),
+ ("Datenschutz-Folgenabschaetzung Muss-Liste", COLLECTION_DSFA, "DSFA Mussliste"),
+ ("Videoüberwachung DSFA erforderlich", COLLECTION_DSFA, "Laender-DPA"),
+ # DSK Kurzpapiere
+ ("VVT Art. 30 Verarbeitungsverzeichnis", COLLECTION, "DSK KP 1"),
+ ("Recht auf Loeschung Art. 17", COLLECTION, "DSK KP 11"),
+ ("Auftragsverarbeitung Art. 28", COLLECTION, "DSK KP 13"),
+ ("Besondere Kategorien Art. 9", COLLECTION, "DSK KP 17"),
+ ("Risiko Rechte Freiheiten natuerlicher Personen", COLLECTION, "DSK KP 18"),
+ # SDM / BfDI / BayLDA
+ ("Standard-Datenschutzmodell SDM Schutzbedarf", COLLECTION, "SDM V3.1"),
+ ("Loeschkonzept Aufbewahrungsfristen", COLLECTION, "BfDI Loeschkonzept"),
+ ("TOM Art. 32 Verschluesselung Massnahmen", COLLECTION, "BayLDA TOM"),
+ ]
+
+ log("Verifying RAG collections")
+ ok_count = 0
+ fail_count = 0
+
+ for query, collection, hint in queries:
+ try:
+ resp = requests.post(
+ RAG_SEARCH_URL,
+ json={"query": query, "collection": collection, "top_k": 3},
+ timeout=30, verify=False,
+ )
+ results = resp.json()
+ hits = results.get("results", results.get("documents", []))
+ if hits:
+ top_score = hits[0].get("score", hits[0].get("relevance_score", "?"))
+ ok(f"[{collection}] '{query}' -> {len(hits)} hits (score: {top_score})")
+ ok_count += 1
+ else:
+ warn(f"[{collection}] '{query}' -> 0 hits (expected: {hint})")
+ fail_count += 1
+ except Exception as e:
+ fail(f"Search error: {e}")
+ fail_count += 1
+
+ print()
+ log(f"Verification: {ok_count}/{len(queries)} queries OK")
+
+
+# ---------------------------------------------------------------------------
+# Main
+# ---------------------------------------------------------------------------
+
+def main():
+ parser = argparse.ArgumentParser(description="EDPB/WP29/DSFA Auto-Crawler for BreakPilot Compliance")
+ parser.add_argument("--all", action="store_true", help="Migrate + Download + Ingest + CSV export")
+ parser.add_argument("--download", action="store_true", help="Download missing PDFs")
+ parser.add_argument("--ingest", action="store_true", help="Ingest downloaded PDFs")
+ parser.add_argument("--status", action="store_true", help="Show status overview")
+ parser.add_argument("--verify", action="store_true", help="Run RAG test searches")
+ parser.add_argument("--migrate", action="store_true", help="Move PDFs from pdfs/ to sources/")
+ parser.add_argument("--csv", action="store_true", help="Export CSV manifests")
+ args = parser.parse_args()
+
+ if not any([args.all, args.download, args.ingest, args.status, args.verify, args.migrate, args.csv]):
+ parser.print_help()
+ return
+
+ manifest = load_manifest()
+
+ if args.migrate or args.all:
+ manifest = migrate_from_pdfs(manifest)
+ save_manifest(manifest)
+
+ if args.download or args.all:
+ manifest = download_new(manifest)
+ save_manifest(manifest)
+
+ if args.ingest or args.all:
+ manifest = ingest_new(manifest)
+ save_manifest(manifest)
+
+ if args.csv or args.all:
+ export_csv_manifests()
+
+ if args.status:
+ show_status(manifest)
+
+ if args.verify:
+ verify(manifest)
+
+
+if __name__ == "__main__":
+ main()