feat: Framework Decomposition Engine + Composite Detection for Pass 0b
Adds a routing layer between Pass 0a and Pass 0b that classifies obligations into atomic/compound/framework_container. Framework-container obligations (e.g. "CCM-Praktiken fuer AIS") are decomposed into concrete sub-obligations via an internal framework registry before Pass 0b composition. - New: framework_decomposition.py with routing, matching, decomposition - New: Framework registry (NIST SP 800-53, OWASP ASVS, CSA CCM) as JSON - New: Composite detection flags on atomic controls (is_composite, atomicity) - New: gen_meta fields: framework_ref, framework_domain, decomposition_source - Integration: _route_and_compose() in run_pass0b() deterministic path - 248 tests (198 decomposition + 50 framework), all passing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
443
backend-compliance/compliance/data/frameworks/csa_ccm.json
Normal file
443
backend-compliance/compliance/data/frameworks/csa_ccm.json
Normal file
@@ -0,0 +1,443 @@
|
||||
{
|
||||
"framework_id": "CSA_CCM",
|
||||
"display_name": "Cloud Security Alliance CCM v4",
|
||||
"license": {
|
||||
"type": "restricted",
|
||||
"rag_allowed": false,
|
||||
"use_as_metadata": true,
|
||||
"note": "Abstrahierte Struktur — keine Originaltexte uebernommen"
|
||||
},
|
||||
"domains": [
|
||||
{
|
||||
"domain_id": "AIS",
|
||||
"title": "Application and Interface Security",
|
||||
"aliases": ["ais", "application and interface security", "anwendungssicherheit", "schnittstellensicherheit"],
|
||||
"keywords": ["application", "anwendung", "interface", "schnittstelle", "api", "web", "eingabevalidierung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "AIS-01",
|
||||
"title": "Application Security Policy",
|
||||
"statement": "Sicherheitsrichtlinien fuer Anwendungsentwicklung und Schnittstellenmanagement muessen definiert und angewendet werden.",
|
||||
"keywords": ["policy", "richtlinie", "entwicklung"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Anwendungssicherheitsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AIS-02",
|
||||
"title": "Application Security Design",
|
||||
"statement": "Sicherheitsanforderungen muessen in den Entwurf jeder Anwendung integriert werden.",
|
||||
"keywords": ["design", "entwurf", "security by design"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Sicherheitsanforderungen im Anwendungsentwurf",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AIS-03",
|
||||
"title": "Application Security Testing",
|
||||
"statement": "Anwendungen muessen vor dem Deployment und regelmaessig auf Sicherheitsschwachstellen getestet werden.",
|
||||
"keywords": ["testing", "test", "sast", "dast", "penetration"],
|
||||
"action_hint": "test",
|
||||
"object_hint": "Anwendungssicherheitstests",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AIS-04",
|
||||
"title": "Secure Development Practices",
|
||||
"statement": "Sichere Entwicklungspraktiken (Code Review, Pair Programming, SAST) muessen fuer alle Entwicklungsprojekte gelten.",
|
||||
"keywords": ["development", "entwicklung", "code review", "sast", "praktiken"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Sichere Entwicklungspraktiken",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AIS-05",
|
||||
"title": "API Security",
|
||||
"statement": "APIs muessen authentifiziert, autorisiert und gegen Missbrauch geschuetzt werden.",
|
||||
"keywords": ["api", "schnittstelle", "authentifizierung", "rate limiting"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "API-Sicherheitskontrollen",
|
||||
"object_class": "interface"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AIS-06",
|
||||
"title": "Automated Application Security Testing",
|
||||
"statement": "Automatisierte Sicherheitstests muessen in die CI/CD-Pipeline integriert werden.",
|
||||
"keywords": ["automatisiert", "ci/cd", "pipeline", "sast", "dast"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Automatisierte Sicherheitstests in CI/CD",
|
||||
"object_class": "configuration"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "BCR",
|
||||
"title": "Business Continuity and Resilience",
|
||||
"aliases": ["bcr", "business continuity", "resilience", "geschaeftskontinuitaet", "resilienz"],
|
||||
"keywords": ["continuity", "kontinuitaet", "resilience", "resilienz", "disaster", "recovery", "backup"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "BCR-01",
|
||||
"title": "Business Continuity Planning",
|
||||
"statement": "Ein Geschaeftskontinuitaetsplan muss erstellt, dokumentiert und regelmaessig getestet werden.",
|
||||
"keywords": ["plan", "kontinuitaet", "geschaeft"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Geschaeftskontinuitaetsplan",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "BCR-02",
|
||||
"title": "Risk Assessment for BCM",
|
||||
"statement": "Risikobewertungen muessen fuer geschaeftskritische Prozesse durchgefuehrt werden.",
|
||||
"keywords": ["risiko", "bewertung", "kritisch"],
|
||||
"action_hint": "assess",
|
||||
"object_hint": "BCM-Risikobewertung",
|
||||
"object_class": "risk_artifact"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "BCR-03",
|
||||
"title": "Backup and Recovery",
|
||||
"statement": "Datensicherungen muessen regelmaessig erstellt und Wiederherstellungstests durchgefuehrt werden.",
|
||||
"keywords": ["backup", "sicherung", "wiederherstellung", "recovery"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Datensicherung und Wiederherstellung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "BCR-04",
|
||||
"title": "Disaster Recovery Planning",
|
||||
"statement": "Ein Disaster-Recovery-Plan muss dokumentiert und jaehrlich getestet werden.",
|
||||
"keywords": ["disaster", "recovery", "katastrophe"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Disaster-Recovery-Plan",
|
||||
"object_class": "policy"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "CCC",
|
||||
"title": "Change Control and Configuration Management",
|
||||
"aliases": ["ccc", "change control", "configuration management", "aenderungsmanagement", "konfigurationsmanagement"],
|
||||
"keywords": ["change", "aenderung", "konfiguration", "configuration", "release", "deployment"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "CCC-01",
|
||||
"title": "Change Management Policy",
|
||||
"statement": "Ein Aenderungsmanagement-Prozess muss definiert und fuer alle Aenderungen angewendet werden.",
|
||||
"keywords": ["policy", "richtlinie", "aenderung"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Aenderungsmanagement-Richtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CCC-02",
|
||||
"title": "Change Testing",
|
||||
"statement": "Aenderungen muessen vor der Produktivsetzung getestet und genehmigt werden.",
|
||||
"keywords": ["test", "genehmigung", "approval"],
|
||||
"action_hint": "test",
|
||||
"object_hint": "Aenderungstests",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CCC-03",
|
||||
"title": "Configuration Baseline",
|
||||
"statement": "Basiskonfigurationen fuer alle Systeme muessen definiert und dokumentiert werden.",
|
||||
"keywords": ["baseline", "basis", "standard"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Konfigurationsbaseline",
|
||||
"object_class": "configuration"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "CEK",
|
||||
"title": "Cryptography, Encryption and Key Management",
|
||||
"aliases": ["cek", "cryptography", "encryption", "key management", "kryptographie", "verschluesselung", "schluesselverwaltung"],
|
||||
"keywords": ["kryptographie", "verschluesselung", "schluessel", "key", "encryption", "certificate", "zertifikat"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "CEK-01",
|
||||
"title": "Encryption Policy",
|
||||
"statement": "Verschluesselungsrichtlinien muessen definiert werden, die Algorithmen, Schluessellaengen und Einsatzbereiche festlegen.",
|
||||
"keywords": ["policy", "richtlinie", "algorithmus"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Verschluesselungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CEK-02",
|
||||
"title": "Key Management",
|
||||
"statement": "Kryptographische Schluessel muessen ueber ihren Lebenszyklus sicher verwaltet werden.",
|
||||
"keywords": ["key", "schluessel", "management", "lebenszyklus"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Schluesselverwaltung",
|
||||
"object_class": "cryptographic_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CEK-03",
|
||||
"title": "Data Encryption",
|
||||
"statement": "Sensible Daten muessen bei Speicherung und Uebertragung verschluesselt werden.",
|
||||
"keywords": ["data", "daten", "speicherung", "uebertragung"],
|
||||
"action_hint": "encrypt",
|
||||
"object_hint": "Datenverschluesselung",
|
||||
"object_class": "cryptographic_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "DSP",
|
||||
"title": "Data Security and Privacy",
|
||||
"aliases": ["dsp", "data security", "privacy", "datensicherheit", "datenschutz"],
|
||||
"keywords": ["datenschutz", "datensicherheit", "privacy", "data security", "pii", "personenbezogen", "dsgvo"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "DSP-01",
|
||||
"title": "Data Classification",
|
||||
"statement": "Daten muessen nach Sensibilitaet klassifiziert und entsprechend geschuetzt werden.",
|
||||
"keywords": ["klassifizierung", "sensibilitaet", "classification"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Datenklassifizierung",
|
||||
"object_class": "data"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "DSP-02",
|
||||
"title": "Data Inventory",
|
||||
"statement": "Ein Dateninventar muss gefuehrt werden, das alle Verarbeitungen personenbezogener Daten dokumentiert.",
|
||||
"keywords": ["inventar", "verzeichnis", "verarbeitung", "vvt"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Dateninventar",
|
||||
"object_class": "register"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "DSP-03",
|
||||
"title": "Data Retention and Deletion",
|
||||
"statement": "Aufbewahrungsfristen muessen definiert und Daten nach Ablauf sicher geloescht werden.",
|
||||
"keywords": ["retention", "aufbewahrung", "loeschung", "frist"],
|
||||
"action_hint": "delete",
|
||||
"object_hint": "Datenloeschung nach Frist",
|
||||
"object_class": "data"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "DSP-04",
|
||||
"title": "Privacy Impact Assessment",
|
||||
"statement": "Datenschutz-Folgenabschaetzungen muessen fuer risikoreiche Verarbeitungen durchgefuehrt werden.",
|
||||
"keywords": ["dsfa", "pia", "folgenabschaetzung", "impact"],
|
||||
"action_hint": "assess",
|
||||
"object_hint": "Datenschutz-Folgenabschaetzung",
|
||||
"object_class": "risk_artifact"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "DSP-05",
|
||||
"title": "Data Subject Rights",
|
||||
"statement": "Verfahren zur Bearbeitung von Betroffenenrechten muessen implementiert werden.",
|
||||
"keywords": ["betroffenenrechte", "auskunft", "loeschung", "data subject"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Betroffenenrechte-Verfahren",
|
||||
"object_class": "process"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "GRC",
|
||||
"title": "Governance, Risk and Compliance",
|
||||
"aliases": ["grc", "governance", "risk", "compliance", "risikomanagement"],
|
||||
"keywords": ["governance", "risiko", "compliance", "management", "policy", "richtlinie"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "GRC-01",
|
||||
"title": "Information Security Program",
|
||||
"statement": "Ein umfassendes Informationssicherheitsprogramm muss etabliert und aufrechterhalten werden.",
|
||||
"keywords": ["programm", "sicherheit", "information"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Informationssicherheitsprogramm",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "GRC-02",
|
||||
"title": "Risk Management Program",
|
||||
"statement": "Ein Risikomanagement-Programm muss implementiert werden, das Identifikation, Bewertung und Behandlung umfasst.",
|
||||
"keywords": ["risiko", "management", "bewertung", "behandlung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Risikomanagement-Programm",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "GRC-03",
|
||||
"title": "Compliance Monitoring",
|
||||
"statement": "Die Einhaltung regulatorischer und vertraglicher Anforderungen muss ueberwacht werden.",
|
||||
"keywords": ["compliance", "einhaltung", "regulatorisch", "ueberwachung"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Compliance-Ueberwachung",
|
||||
"object_class": "process"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "IAM",
|
||||
"title": "Identity and Access Management",
|
||||
"aliases": ["iam", "identity", "access management", "identitaetsmanagement", "zugriffsverwaltung"],
|
||||
"keywords": ["identitaet", "zugriff", "identity", "access", "authentifizierung", "autorisierung", "sso"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "IAM-01",
|
||||
"title": "Identity and Access Policy",
|
||||
"statement": "Identitaets- und Zugriffsmanagement-Richtlinien muessen definiert werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "IAM-Richtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IAM-02",
|
||||
"title": "Strong Authentication",
|
||||
"statement": "Starke Authentifizierung (MFA) muss fuer administrative und sicherheitskritische Zugriffe gefordert werden.",
|
||||
"keywords": ["mfa", "stark", "authentifizierung", "admin"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Starke Authentifizierung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IAM-03",
|
||||
"title": "Identity Lifecycle Management",
|
||||
"statement": "Identitaeten muessen ueber ihren gesamten Lebenszyklus verwaltet werden.",
|
||||
"keywords": ["lifecycle", "lebenszyklus", "onboarding", "offboarding"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Identitaets-Lebenszyklus",
|
||||
"object_class": "account"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IAM-04",
|
||||
"title": "Access Review",
|
||||
"statement": "Zugriffsrechte muessen regelmaessig ueberprueft und ueberschuessige Rechte entzogen werden.",
|
||||
"keywords": ["review", "ueberpruefen", "rechte", "rezertifizierung"],
|
||||
"action_hint": "review",
|
||||
"object_hint": "Zugriffsrechte-Review",
|
||||
"object_class": "access_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "LOG",
|
||||
"title": "Logging and Monitoring",
|
||||
"aliases": ["log", "logging", "monitoring", "protokollierung", "ueberwachung"],
|
||||
"keywords": ["logging", "monitoring", "protokollierung", "ueberwachung", "siem", "alarm"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "LOG-01",
|
||||
"title": "Logging Policy",
|
||||
"statement": "Protokollierungs-Richtlinien muessen definiert werden, die Umfang und Aufbewahrung festlegen.",
|
||||
"keywords": ["policy", "richtlinie", "umfang", "aufbewahrung"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Protokollierungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "LOG-02",
|
||||
"title": "Security Event Logging",
|
||||
"statement": "Sicherheitsrelevante Ereignisse muessen erfasst und zentral gespeichert werden.",
|
||||
"keywords": ["event", "ereignis", "sicherheit", "zentral"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Sicherheits-Event-Logging",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "LOG-03",
|
||||
"title": "Monitoring and Alerting",
|
||||
"statement": "Sicherheitsrelevante Logs muessen ueberwacht und bei Anomalien Alarme ausgeloest werden.",
|
||||
"keywords": ["monitoring", "alerting", "alarm", "anomalie"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Log-Ueberwachung und Alarmierung",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "SEF",
|
||||
"title": "Security Incident Management",
|
||||
"aliases": ["sef", "security incident", "incident management", "vorfallmanagement", "sicherheitsvorfall"],
|
||||
"keywords": ["vorfall", "incident", "sicherheitsvorfall", "reaktion", "response", "meldung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "SEF-01",
|
||||
"title": "Incident Management Policy",
|
||||
"statement": "Ein Vorfallmanagement-Prozess muss definiert, dokumentiert und getestet werden.",
|
||||
"keywords": ["policy", "richtlinie", "prozess"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Vorfallmanagement-Richtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SEF-02",
|
||||
"title": "Incident Response Team",
|
||||
"statement": "Ein Incident-Response-Team muss benannt und geschult werden.",
|
||||
"keywords": ["team", "response", "schulung"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Incident-Response-Team",
|
||||
"object_class": "role"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SEF-03",
|
||||
"title": "Incident Reporting",
|
||||
"statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an zustaendige Stellen gemeldet werden.",
|
||||
"keywords": ["reporting", "meldung", "frist", "behoerde"],
|
||||
"action_hint": "report",
|
||||
"object_hint": "Vorfallmeldung",
|
||||
"object_class": "incident"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SEF-04",
|
||||
"title": "Incident Lessons Learned",
|
||||
"statement": "Nach jedem Vorfall muss eine Nachbereitung mit Lessons Learned durchgefuehrt werden.",
|
||||
"keywords": ["lessons learned", "nachbereitung", "verbesserung"],
|
||||
"action_hint": "review",
|
||||
"object_hint": "Vorfall-Nachbereitung",
|
||||
"object_class": "record"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "TVM",
|
||||
"title": "Threat and Vulnerability Management",
|
||||
"aliases": ["tvm", "threat", "vulnerability", "schwachstelle", "bedrohung", "schwachstellenmanagement"],
|
||||
"keywords": ["schwachstelle", "vulnerability", "threat", "bedrohung", "patch", "scan"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "TVM-01",
|
||||
"title": "Vulnerability Management Policy",
|
||||
"statement": "Schwachstellenmanagement-Richtlinien muessen definiert und umgesetzt werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Schwachstellenmanagement-Richtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "TVM-02",
|
||||
"title": "Vulnerability Scanning",
|
||||
"statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt werden.",
|
||||
"keywords": ["scan", "scanning", "regelmaessig"],
|
||||
"action_hint": "test",
|
||||
"object_hint": "Schwachstellenscan",
|
||||
"object_class": "system"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "TVM-03",
|
||||
"title": "Vulnerability Remediation",
|
||||
"statement": "Erkannte Schwachstellen muessen priorisiert und innerhalb definierter Fristen behoben werden.",
|
||||
"keywords": ["remediation", "behebung", "frist", "priorisierung"],
|
||||
"action_hint": "remediate",
|
||||
"object_hint": "Schwachstellenbehebung",
|
||||
"object_class": "system"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "TVM-04",
|
||||
"title": "Penetration Testing",
|
||||
"statement": "Regelmaessige Penetrationstests muessen durchgefuehrt werden.",
|
||||
"keywords": ["penetration", "pentest", "test"],
|
||||
"action_hint": "test",
|
||||
"object_hint": "Penetrationstest",
|
||||
"object_class": "system"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
514
backend-compliance/compliance/data/frameworks/nist_sp800_53.json
Normal file
514
backend-compliance/compliance/data/frameworks/nist_sp800_53.json
Normal file
@@ -0,0 +1,514 @@
|
||||
{
|
||||
"framework_id": "NIST_SP800_53",
|
||||
"display_name": "NIST SP 800-53 Rev. 5",
|
||||
"license": {
|
||||
"type": "public_domain",
|
||||
"rag_allowed": true,
|
||||
"use_as_metadata": true
|
||||
},
|
||||
"domains": [
|
||||
{
|
||||
"domain_id": "AC",
|
||||
"title": "Access Control",
|
||||
"aliases": ["access control", "zugriffskontrolle", "zugriffssteuerung"],
|
||||
"keywords": ["access", "zugriff", "berechtigung", "authorization", "autorisierung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "AC-1",
|
||||
"title": "Access Control Policy and Procedures",
|
||||
"statement": "Zugriffskontrollrichtlinien und -verfahren muessen definiert, dokumentiert und regelmaessig ueberprueft werden.",
|
||||
"keywords": ["policy", "richtlinie", "verfahren", "procedures"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Zugriffskontrollrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-2",
|
||||
"title": "Account Management",
|
||||
"statement": "Benutzerkonten muessen ueber ihren gesamten Lebenszyklus verwaltet werden: Erstellung, Aktivierung, Aenderung, Deaktivierung und Loeschung.",
|
||||
"keywords": ["account", "konto", "benutzer", "lifecycle", "lebenszyklus"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Benutzerkontenverwaltung",
|
||||
"object_class": "account"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-3",
|
||||
"title": "Access Enforcement",
|
||||
"statement": "Der Zugriff auf Systemressourcen muss gemaess der definierten Zugriffskontrollrichtlinie durchgesetzt werden.",
|
||||
"keywords": ["enforcement", "durchsetzung", "ressourcen", "system"],
|
||||
"action_hint": "restrict_access",
|
||||
"object_hint": "Zugriffsdurchsetzung",
|
||||
"object_class": "access_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-5",
|
||||
"title": "Separation of Duties",
|
||||
"statement": "Aufgabentrennung muss definiert und durchgesetzt werden, um Interessenkonflikte und Missbrauch zu verhindern.",
|
||||
"keywords": ["separation", "trennung", "duties", "aufgaben", "funktionstrennung"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Aufgabentrennung",
|
||||
"object_class": "role"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-6",
|
||||
"title": "Least Privilege",
|
||||
"statement": "Zugriffsrechte muessen nach dem Prinzip der minimalen Rechte vergeben werden.",
|
||||
"keywords": ["least privilege", "minimal", "rechte", "privileg"],
|
||||
"action_hint": "restrict_access",
|
||||
"object_hint": "Minimale Rechtevergabe",
|
||||
"object_class": "access_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-7",
|
||||
"title": "Unsuccessful Logon Attempts",
|
||||
"statement": "Fehlgeschlagene Anmeldeversuche muessen begrenzt und ueberwacht werden.",
|
||||
"keywords": ["logon", "anmeldung", "fehlgeschlagen", "sperre", "lockout"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Anmeldeversuchsueberwachung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AC-17",
|
||||
"title": "Remote Access",
|
||||
"statement": "Fernzugriff muss autorisiert, ueberwacht und verschluesselt werden.",
|
||||
"keywords": ["remote", "fern", "vpn", "fernzugriff"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Fernzugriffskonfiguration",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "AU",
|
||||
"title": "Audit and Accountability",
|
||||
"aliases": ["audit", "protokollierung", "accountability", "rechenschaftspflicht"],
|
||||
"keywords": ["audit", "log", "protokoll", "nachvollziehbarkeit", "logging"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "AU-1",
|
||||
"title": "Audit Policy and Procedures",
|
||||
"statement": "Audit- und Protokollierungsrichtlinien muessen definiert und regelmaessig ueberprueft werden.",
|
||||
"keywords": ["policy", "richtlinie", "audit"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Auditrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AU-2",
|
||||
"title": "Event Logging",
|
||||
"statement": "Sicherheitsrelevante Ereignisse muessen identifiziert und protokolliert werden.",
|
||||
"keywords": ["event", "ereignis", "logging", "protokollierung"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Ereignisprotokollierung",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AU-3",
|
||||
"title": "Content of Audit Records",
|
||||
"statement": "Audit-Eintraege muessen ausreichende Informationen enthalten: Zeitstempel, Quelle, Ergebnis, Identitaet.",
|
||||
"keywords": ["content", "inhalt", "record", "eintrag"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Audit-Eintragsformat",
|
||||
"object_class": "record"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AU-6",
|
||||
"title": "Audit Record Review and Reporting",
|
||||
"statement": "Audit-Eintraege muessen regelmaessig ueberprueft und bei Anomalien berichtet werden.",
|
||||
"keywords": ["review", "ueberpruefen", "reporting", "anomalie"],
|
||||
"action_hint": "review",
|
||||
"object_hint": "Audit-Ueberpruefung",
|
||||
"object_class": "record"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AU-9",
|
||||
"title": "Protection of Audit Information",
|
||||
"statement": "Audit-Daten muessen vor unbefugtem Zugriff, Aenderung und Loeschung geschuetzt werden.",
|
||||
"keywords": ["schutz", "protection", "integritaet", "integrity"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Audit-Datenschutz",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "AT",
|
||||
"title": "Awareness and Training",
|
||||
"aliases": ["awareness", "training", "schulung", "sensibilisierung"],
|
||||
"keywords": ["training", "schulung", "awareness", "sensibilisierung", "weiterbildung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "AT-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Schulungs- und Sensibilisierungsrichtlinien muessen definiert und regelmaessig aktualisiert werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Schulungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AT-2",
|
||||
"title": "Literacy Training and Awareness",
|
||||
"statement": "Alle Mitarbeiter muessen regelmaessig Sicherheitsschulungen erhalten.",
|
||||
"keywords": ["mitarbeiter", "schulung", "sicherheit"],
|
||||
"action_hint": "train",
|
||||
"object_hint": "Sicherheitsschulung",
|
||||
"object_class": "training"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "AT-3",
|
||||
"title": "Role-Based Training",
|
||||
"statement": "Rollenbasierte Sicherheitsschulungen muessen fuer Mitarbeiter mit besonderen Sicherheitsaufgaben durchgefuehrt werden.",
|
||||
"keywords": ["rollenbasiert", "role-based", "speziell"],
|
||||
"action_hint": "train",
|
||||
"object_hint": "Rollenbasierte Sicherheitsschulung",
|
||||
"object_class": "training"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "CM",
|
||||
"title": "Configuration Management",
|
||||
"aliases": ["configuration management", "konfigurationsmanagement", "konfiguration"],
|
||||
"keywords": ["konfiguration", "configuration", "baseline", "haertung", "hardening"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "CM-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Konfigurationsmanagement-Richtlinien muessen dokumentiert und gepflegt werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Konfigurationsmanagement-Richtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CM-2",
|
||||
"title": "Baseline Configuration",
|
||||
"statement": "Basiskonfigurationen fuer Systeme muessen definiert, dokumentiert und gepflegt werden.",
|
||||
"keywords": ["baseline", "basis", "standard"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Basiskonfiguration",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CM-6",
|
||||
"title": "Configuration Settings",
|
||||
"statement": "Sicherheitsrelevante Konfigurationseinstellungen muessen definiert und durchgesetzt werden.",
|
||||
"keywords": ["settings", "einstellungen", "sicherheit"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Sicherheitskonfiguration",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CM-7",
|
||||
"title": "Least Functionality",
|
||||
"statement": "Systeme muessen so konfiguriert werden, dass nur notwendige Funktionen aktiv sind.",
|
||||
"keywords": ["least functionality", "minimal", "dienste", "ports"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Minimalkonfiguration",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "CM-8",
|
||||
"title": "System Component Inventory",
|
||||
"statement": "Ein Inventar aller Systemkomponenten muss gefuehrt und aktuell gehalten werden.",
|
||||
"keywords": ["inventar", "inventory", "komponenten", "assets"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Systemkomponenten-Inventar",
|
||||
"object_class": "register"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "IA",
|
||||
"title": "Identification and Authentication",
|
||||
"aliases": ["identification", "authentication", "identifikation", "authentifizierung"],
|
||||
"keywords": ["authentifizierung", "identifikation", "identity", "passwort", "mfa", "credential"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "IA-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Identifikations- und Authentifizierungsrichtlinien muessen dokumentiert und regelmaessig ueberprueft werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Authentifizierungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IA-2",
|
||||
"title": "Identification and Authentication",
|
||||
"statement": "Benutzer und Geraete muessen eindeutig identifiziert und authentifiziert werden.",
|
||||
"keywords": ["benutzer", "geraete", "identifizierung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Benutzerauthentifizierung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IA-2(1)",
|
||||
"title": "Multi-Factor Authentication",
|
||||
"statement": "Multi-Faktor-Authentifizierung muss fuer privilegierte Konten implementiert werden.",
|
||||
"keywords": ["mfa", "multi-faktor", "zwei-faktor", "2fa"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Multi-Faktor-Authentifizierung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IA-5",
|
||||
"title": "Authenticator Management",
|
||||
"statement": "Authentifizierungsmittel (Passwoerter, Token, Zertifikate) muessen sicher verwaltet werden.",
|
||||
"keywords": ["passwort", "token", "zertifikat", "credential"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Authentifizierungsmittel-Verwaltung",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "IR",
|
||||
"title": "Incident Response",
|
||||
"aliases": ["incident response", "vorfallbehandlung", "vorfallreaktion", "incident management"],
|
||||
"keywords": ["vorfall", "incident", "reaktion", "response", "breach", "sicherheitsvorfall"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "IR-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Vorfallreaktionsrichtlinien und -verfahren muessen definiert und regelmaessig aktualisiert werden.",
|
||||
"keywords": ["policy", "richtlinie", "verfahren"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Vorfallreaktionsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IR-2",
|
||||
"title": "Incident Response Training",
|
||||
"statement": "Mitarbeiter muessen regelmaessig in der Vorfallreaktion geschult werden.",
|
||||
"keywords": ["training", "schulung"],
|
||||
"action_hint": "train",
|
||||
"object_hint": "Vorfallreaktionsschulung",
|
||||
"object_class": "training"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IR-4",
|
||||
"title": "Incident Handling",
|
||||
"statement": "Ein strukturierter Prozess fuer die Vorfallbehandlung muss implementiert werden: Erkennung, Analyse, Eindaemmung, Behebung.",
|
||||
"keywords": ["handling", "behandlung", "erkennung", "eindaemmung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Vorfallbehandlungsprozess",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IR-5",
|
||||
"title": "Incident Monitoring",
|
||||
"statement": "Sicherheitsvorfaelle muessen kontinuierlich ueberwacht und verfolgt werden.",
|
||||
"keywords": ["monitoring", "ueberwachung", "tracking"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Vorfallsueberwachung",
|
||||
"object_class": "incident"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IR-6",
|
||||
"title": "Incident Reporting",
|
||||
"statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an die zustaendigen Stellen gemeldet werden.",
|
||||
"keywords": ["reporting", "meldung", "melden", "frist"],
|
||||
"action_hint": "report",
|
||||
"object_hint": "Vorfallmeldung",
|
||||
"object_class": "incident"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "IR-8",
|
||||
"title": "Incident Response Plan",
|
||||
"statement": "Ein Vorfallreaktionsplan muss dokumentiert und regelmaessig getestet werden.",
|
||||
"keywords": ["plan", "dokumentation", "test"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Vorfallreaktionsplan",
|
||||
"object_class": "policy"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "RA",
|
||||
"title": "Risk Assessment",
|
||||
"aliases": ["risk assessment", "risikobewertung", "risikoanalyse"],
|
||||
"keywords": ["risiko", "risk", "bewertung", "assessment", "analyse", "bedrohung", "threat"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "RA-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Risikobewertungsrichtlinien muessen dokumentiert und regelmaessig aktualisiert werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Risikobewertungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "RA-3",
|
||||
"title": "Risk Assessment",
|
||||
"statement": "Regelmaessige Risikobewertungen muessen durchgefuehrt und dokumentiert werden.",
|
||||
"keywords": ["bewertung", "assessment", "regelmaessig"],
|
||||
"action_hint": "assess",
|
||||
"object_hint": "Risikobewertung",
|
||||
"object_class": "risk_artifact"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "RA-5",
|
||||
"title": "Vulnerability Monitoring and Scanning",
|
||||
"statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt und ueberwacht werden.",
|
||||
"keywords": ["vulnerability", "schwachstelle", "scan", "monitoring"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Schwachstellenueberwachung",
|
||||
"object_class": "system"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "SC",
|
||||
"title": "System and Communications Protection",
|
||||
"aliases": ["system protection", "communications protection", "kommunikationsschutz", "systemschutz"],
|
||||
"keywords": ["verschluesselung", "encryption", "tls", "netzwerk", "network", "kommunikation", "firewall"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "SC-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "System- und Kommunikationsschutzrichtlinien muessen dokumentiert und aktuell gehalten werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Kommunikationsschutzrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SC-7",
|
||||
"title": "Boundary Protection",
|
||||
"statement": "Netzwerkgrenzen muessen durch Firewall-Regeln und Zugangskontrollen geschuetzt werden.",
|
||||
"keywords": ["boundary", "grenze", "firewall", "netzwerk"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Netzwerkgrenzschutz",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SC-8",
|
||||
"title": "Transmission Confidentiality and Integrity",
|
||||
"statement": "Daten muessen bei der Uebertragung durch Verschluesselung geschuetzt werden.",
|
||||
"keywords": ["transmission", "uebertragung", "verschluesselung", "tls"],
|
||||
"action_hint": "encrypt",
|
||||
"object_hint": "Uebertragungsverschluesselung",
|
||||
"object_class": "cryptographic_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SC-12",
|
||||
"title": "Cryptographic Key Establishment and Management",
|
||||
"statement": "Kryptographische Schluessel muessen sicher erzeugt, verteilt, gespeichert und widerrufen werden.",
|
||||
"keywords": ["key", "schluessel", "kryptographie", "management"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Schluesselverwaltung",
|
||||
"object_class": "cryptographic_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SC-13",
|
||||
"title": "Cryptographic Protection",
|
||||
"statement": "Kryptographische Mechanismen muessen gemaess anerkannten Standards implementiert werden.",
|
||||
"keywords": ["kryptographie", "verschluesselung", "standard"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Kryptographischer Schutz",
|
||||
"object_class": "cryptographic_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "SI",
|
||||
"title": "System and Information Integrity",
|
||||
"aliases": ["system integrity", "information integrity", "systemintegritaet", "informationsintegritaet"],
|
||||
"keywords": ["integritaet", "integrity", "malware", "patch", "flaw", "schwachstelle"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "SI-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "System- und Informationsintegritaetsrichtlinien muessen dokumentiert und regelmaessig ueberprueft werden.",
|
||||
"keywords": ["policy", "richtlinie"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Integritaetsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SI-2",
|
||||
"title": "Flaw Remediation",
|
||||
"statement": "Bekannte Schwachstellen muessen innerhalb definierter Fristen behoben werden.",
|
||||
"keywords": ["flaw", "schwachstelle", "patch", "behebung", "remediation"],
|
||||
"action_hint": "remediate",
|
||||
"object_hint": "Schwachstellenbehebung",
|
||||
"object_class": "system"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SI-3",
|
||||
"title": "Malicious Code Protection",
|
||||
"statement": "Systeme muessen vor Schadsoftware geschuetzt werden durch Erkennung und Abwehrmechanismen.",
|
||||
"keywords": ["malware", "schadsoftware", "antivirus", "erkennung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Schadsoftwareschutz",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SI-4",
|
||||
"title": "System Monitoring",
|
||||
"statement": "Systeme muessen kontinuierlich auf Sicherheitsereignisse und Anomalien ueberwacht werden.",
|
||||
"keywords": ["monitoring", "ueberwachung", "anomalie", "siem"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Systemueberwachung",
|
||||
"object_class": "system"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SI-5",
|
||||
"title": "Security Alerts and Advisories",
|
||||
"statement": "Sicherheitswarnungen muessen empfangen, bewertet und darauf reagiert werden.",
|
||||
"keywords": ["alert", "warnung", "advisory", "cve"],
|
||||
"action_hint": "monitor",
|
||||
"object_hint": "Sicherheitswarnungen",
|
||||
"object_class": "incident"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "SA",
|
||||
"title": "System and Services Acquisition",
|
||||
"aliases": ["system acquisition", "services acquisition", "systembeschaffung", "secure development"],
|
||||
"keywords": ["beschaffung", "acquisition", "entwicklung", "development", "lieferkette", "supply chain"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "SA-1",
|
||||
"title": "Policy and Procedures",
|
||||
"statement": "Beschaffungsrichtlinien mit Sicherheitsanforderungen muessen dokumentiert werden.",
|
||||
"keywords": ["policy", "richtlinie", "beschaffung"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Beschaffungsrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SA-8",
|
||||
"title": "Security and Privacy Engineering Principles",
|
||||
"statement": "Sicherheits- und Datenschutzprinzipien muessen in die Systementwicklung integriert werden.",
|
||||
"keywords": ["engineering", "development", "prinzipien", "design"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Security-by-Design-Prinzipien",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SA-11",
|
||||
"title": "Developer Testing and Evaluation",
|
||||
"statement": "Entwickler muessen Sicherheitstests und Code-Reviews durchfuehren.",
|
||||
"keywords": ["testing", "test", "code review", "evaluation"],
|
||||
"action_hint": "test",
|
||||
"object_hint": "Entwickler-Sicherheitstests",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "SA-12",
|
||||
"title": "Supply Chain Protection",
|
||||
"statement": "Lieferkettenrisiken muessen bewertet und Schutzmassnahmen implementiert werden.",
|
||||
"keywords": ["supply chain", "lieferkette", "third party", "drittanbieter"],
|
||||
"action_hint": "assess",
|
||||
"object_hint": "Lieferkettenrisikobewertung",
|
||||
"object_class": "risk_artifact"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
353
backend-compliance/compliance/data/frameworks/owasp_asvs.json
Normal file
353
backend-compliance/compliance/data/frameworks/owasp_asvs.json
Normal file
@@ -0,0 +1,353 @@
|
||||
{
|
||||
"framework_id": "OWASP_ASVS",
|
||||
"display_name": "OWASP Application Security Verification Standard 4.0",
|
||||
"license": {
|
||||
"type": "cc_by_sa_4",
|
||||
"rag_allowed": true,
|
||||
"use_as_metadata": true
|
||||
},
|
||||
"domains": [
|
||||
{
|
||||
"domain_id": "V1",
|
||||
"title": "Architecture, Design and Threat Modeling",
|
||||
"aliases": ["architecture", "architektur", "design", "threat modeling", "bedrohungsmodellierung"],
|
||||
"keywords": ["architektur", "design", "threat model", "bedrohung", "modellierung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V1.1",
|
||||
"title": "Secure Software Development Lifecycle",
|
||||
"statement": "Ein sicherer Softwareentwicklungs-Lebenszyklus (SSDLC) muss definiert und angewendet werden.",
|
||||
"keywords": ["sdlc", "lifecycle", "lebenszyklus", "entwicklung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Sicherer Entwicklungs-Lebenszyklus",
|
||||
"object_class": "process"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V1.2",
|
||||
"title": "Authentication Architecture",
|
||||
"statement": "Die Authentifizierungsarchitektur muss dokumentiert und regelmaessig ueberprueft werden.",
|
||||
"keywords": ["authentication", "authentifizierung", "architektur"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Authentifizierungsarchitektur",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V1.4",
|
||||
"title": "Access Control Architecture",
|
||||
"statement": "Die Zugriffskontrollarchitektur muss dokumentiert und zentral durchgesetzt werden.",
|
||||
"keywords": ["access control", "zugriffskontrolle", "architektur"],
|
||||
"action_hint": "document",
|
||||
"object_hint": "Zugriffskontrollarchitektur",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V1.5",
|
||||
"title": "Input and Output Architecture",
|
||||
"statement": "Eingabe- und Ausgabevalidierung muss architektonisch verankert und durchgaengig angewendet werden.",
|
||||
"keywords": ["input", "output", "eingabe", "ausgabe", "validierung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Ein-/Ausgabevalidierung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V1.6",
|
||||
"title": "Cryptographic Architecture",
|
||||
"statement": "Kryptographische Mechanismen muessen architektonisch definiert und standardisiert sein.",
|
||||
"keywords": ["crypto", "kryptographie", "verschluesselung"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Kryptographie-Architektur",
|
||||
"object_class": "cryptographic_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V2",
|
||||
"title": "Authentication",
|
||||
"aliases": ["authentication", "authentifizierung", "anmeldung", "login"],
|
||||
"keywords": ["authentication", "authentifizierung", "passwort", "login", "anmeldung", "credential"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V2.1",
|
||||
"title": "Password Security",
|
||||
"statement": "Passwortrichtlinien muessen Mindestlaenge, Komplexitaet und Sperrmechanismen definieren.",
|
||||
"keywords": ["passwort", "password", "laenge", "komplexitaet"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Passwortrichtlinie",
|
||||
"object_class": "policy"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V2.2",
|
||||
"title": "General Authenticator Security",
|
||||
"statement": "Authentifizierungsmittel muessen sicher gespeichert und uebertragen werden.",
|
||||
"keywords": ["authenticator", "credential", "speicherung"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Sichere Credential-Verwaltung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V2.7",
|
||||
"title": "Out-of-Band Verification",
|
||||
"statement": "Out-of-Band-Verifikationsmechanismen muessen sicher implementiert werden.",
|
||||
"keywords": ["oob", "out-of-band", "sms", "push"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Out-of-Band-Verifikation",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V2.8",
|
||||
"title": "Multi-Factor Authentication",
|
||||
"statement": "Multi-Faktor-Authentifizierung muss fuer sicherheitskritische Funktionen verfuegbar sein.",
|
||||
"keywords": ["mfa", "multi-faktor", "totp", "fido"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Multi-Faktor-Authentifizierung",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V3",
|
||||
"title": "Session Management",
|
||||
"aliases": ["session", "sitzung", "session management", "sitzungsverwaltung"],
|
||||
"keywords": ["session", "sitzung", "token", "cookie", "timeout"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V3.1",
|
||||
"title": "Session Management Security",
|
||||
"statement": "Sitzungstoken muessen sicher erzeugt, uebertragen und invalidiert werden.",
|
||||
"keywords": ["token", "sitzung", "sicherheit"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Sichere Sitzungsverwaltung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V3.3",
|
||||
"title": "Session Termination",
|
||||
"statement": "Sitzungen muessen nach Inaktivitaet und bei Abmeldung zuverlaessig beendet werden.",
|
||||
"keywords": ["termination", "timeout", "abmeldung", "beenden"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Sitzungstimeout",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V3.5",
|
||||
"title": "Token-Based Session Management",
|
||||
"statement": "Tokenbasierte Sitzungsmechanismen muessen gegen Diebstahl und Replay geschuetzt sein.",
|
||||
"keywords": ["jwt", "token", "replay", "diebstahl"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Token-Schutz",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V5",
|
||||
"title": "Validation, Sanitization and Encoding",
|
||||
"aliases": ["validation", "validierung", "sanitization", "encoding", "eingabevalidierung"],
|
||||
"keywords": ["validierung", "sanitization", "encoding", "xss", "injection", "eingabe"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V5.1",
|
||||
"title": "Input Validation",
|
||||
"statement": "Alle Eingabedaten muessen serverseitig validiert werden.",
|
||||
"keywords": ["input", "eingabe", "validierung", "serverseitig"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Eingabevalidierung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V5.2",
|
||||
"title": "Sanitization and Sandboxing",
|
||||
"statement": "Eingaben muessen bereinigt und in sicherer Umgebung verarbeitet werden.",
|
||||
"keywords": ["sanitization", "bereinigung", "sandbox"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Eingabebereinigung",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V5.3",
|
||||
"title": "Output Encoding and Injection Prevention",
|
||||
"statement": "Ausgaben muessen kontextabhaengig kodiert werden, um Injection-Angriffe zu verhindern.",
|
||||
"keywords": ["output", "encoding", "injection", "xss", "sql"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Ausgabe-Encoding",
|
||||
"object_class": "technical_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V6",
|
||||
"title": "Stored Cryptography",
|
||||
"aliases": ["cryptography", "kryptographie", "verschluesselung", "stored cryptography"],
|
||||
"keywords": ["kryptographie", "verschluesselung", "hashing", "schluessel", "key management"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V6.1",
|
||||
"title": "Data Classification",
|
||||
"statement": "Daten muessen klassifiziert und entsprechend ihrer Schutzklasse behandelt werden.",
|
||||
"keywords": ["klassifizierung", "classification", "schutzklasse"],
|
||||
"action_hint": "define",
|
||||
"object_hint": "Datenklassifizierung",
|
||||
"object_class": "data"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V6.2",
|
||||
"title": "Algorithms",
|
||||
"statement": "Nur zugelassene und aktuelle kryptographische Algorithmen duerfen verwendet werden.",
|
||||
"keywords": ["algorithmus", "algorithm", "aes", "rsa"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Kryptographische Algorithmen",
|
||||
"object_class": "cryptographic_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V6.4",
|
||||
"title": "Secret Management",
|
||||
"statement": "Geheimnisse (Schluessel, Passwoerter, Tokens) muessen in einem Secret-Management-System verwaltet werden.",
|
||||
"keywords": ["secret", "geheimnis", "vault", "key management"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Secret-Management",
|
||||
"object_class": "cryptographic_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V8",
|
||||
"title": "Data Protection",
|
||||
"aliases": ["data protection", "datenschutz", "datenverarbeitung"],
|
||||
"keywords": ["datenschutz", "data protection", "pii", "personenbezogen", "privacy"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V8.1",
|
||||
"title": "General Data Protection",
|
||||
"statement": "Personenbezogene Daten muessen gemaess Datenschutzanforderungen geschuetzt werden.",
|
||||
"keywords": ["personenbezogen", "pii", "datenschutz"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Datenschutzmassnahmen",
|
||||
"object_class": "data"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V8.2",
|
||||
"title": "Client-Side Data Protection",
|
||||
"statement": "Clientseitig gespeicherte sensible Daten muessen geschuetzt und minimiert werden.",
|
||||
"keywords": ["client", "browser", "localstorage", "cookie"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Clientseitiger Datenschutz",
|
||||
"object_class": "technical_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V8.3",
|
||||
"title": "Sensitive Private Data",
|
||||
"statement": "Sensible Daten muessen bei Speicherung und Verarbeitung besonders geschuetzt werden.",
|
||||
"keywords": ["sensibel", "vertraulich", "speicherung"],
|
||||
"action_hint": "encrypt",
|
||||
"object_hint": "Verschluesselung sensibler Daten",
|
||||
"object_class": "data"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V9",
|
||||
"title": "Communication",
|
||||
"aliases": ["communication", "kommunikation", "tls", "transport"],
|
||||
"keywords": ["tls", "ssl", "https", "transport", "kommunikation", "verschluesselung"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V9.1",
|
||||
"title": "Client Communication Security",
|
||||
"statement": "Alle Client-Server-Kommunikation muss ueber TLS verschluesselt werden.",
|
||||
"keywords": ["tls", "https", "client", "server"],
|
||||
"action_hint": "encrypt",
|
||||
"object_hint": "TLS-Transportverschluesselung",
|
||||
"object_class": "cryptographic_control"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V9.2",
|
||||
"title": "Server Communication Security",
|
||||
"statement": "Server-zu-Server-Kommunikation muss authentifiziert und verschluesselt erfolgen.",
|
||||
"keywords": ["server", "mtls", "backend"],
|
||||
"action_hint": "encrypt",
|
||||
"object_hint": "Server-Kommunikationsverschluesselung",
|
||||
"object_class": "cryptographic_control"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V13",
|
||||
"title": "API and Web Service",
|
||||
"aliases": ["api", "web service", "rest", "graphql", "webservice"],
|
||||
"keywords": ["api", "rest", "graphql", "webservice", "endpoint", "schnittstelle"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V13.1",
|
||||
"title": "Generic Web Service Security",
|
||||
"statement": "Web-Services muessen gegen gaengige Angriffe abgesichert werden.",
|
||||
"keywords": ["web service", "sicherheit", "angriff"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "Web-Service-Absicherung",
|
||||
"object_class": "interface"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V13.2",
|
||||
"title": "RESTful Web Service",
|
||||
"statement": "REST-APIs muessen Input-Validierung, Rate Limiting und sichere Authentifizierung implementieren.",
|
||||
"keywords": ["rest", "api", "rate limiting", "input"],
|
||||
"action_hint": "implement",
|
||||
"object_hint": "REST-API-Absicherung",
|
||||
"object_class": "interface"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V13.4",
|
||||
"title": "GraphQL and Web Services",
|
||||
"statement": "GraphQL-Endpoints muessen gegen Query-Complexity-Angriffe und Introspection geschuetzt werden.",
|
||||
"keywords": ["graphql", "query", "complexity", "introspection"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "GraphQL-Absicherung",
|
||||
"object_class": "interface"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"domain_id": "V14",
|
||||
"title": "Configuration",
|
||||
"aliases": ["configuration", "konfiguration", "hardening", "haertung"],
|
||||
"keywords": ["konfiguration", "hardening", "haertung", "header", "deployment"],
|
||||
"subcontrols": [
|
||||
{
|
||||
"subcontrol_id": "V14.1",
|
||||
"title": "Build and Deploy",
|
||||
"statement": "Build- und Deployment-Prozesse muessen sicher konfiguriert und reproduzierbar sein.",
|
||||
"keywords": ["build", "deploy", "ci/cd", "pipeline"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Sichere Build-Pipeline",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V14.2",
|
||||
"title": "Dependency Management",
|
||||
"statement": "Abhaengigkeiten muessen auf Schwachstellen geprueft und aktuell gehalten werden.",
|
||||
"keywords": ["dependency", "abhaengigkeit", "sca", "sbom"],
|
||||
"action_hint": "maintain",
|
||||
"object_hint": "Abhaengigkeitsverwaltung",
|
||||
"object_class": "system"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V14.3",
|
||||
"title": "Unintended Security Disclosure",
|
||||
"statement": "Fehlermeldungen und Debug-Informationen duerfen keine sicherheitsrelevanten Details preisgeben.",
|
||||
"keywords": ["disclosure", "fehlermeldung", "debug", "information leakage"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "Fehlerbehandlung",
|
||||
"object_class": "configuration"
|
||||
},
|
||||
{
|
||||
"subcontrol_id": "V14.4",
|
||||
"title": "HTTP Security Headers",
|
||||
"statement": "HTTP-Sicherheitsheader muessen korrekt konfiguriert sein.",
|
||||
"keywords": ["header", "csp", "hsts", "x-frame"],
|
||||
"action_hint": "configure",
|
||||
"object_hint": "HTTP-Sicherheitsheader",
|
||||
"object_class": "configuration"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user