From e58af8aa3099be9b9255735ec96c843f8a50c5a8 Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Date: Fri, 17 Apr 2026 09:20:22 +0200
Subject: [PATCH] refactor(admin): split tom-generator controls loader and vendor risk controls-library

Split loader.ts (3163 LOC) into categories/ subdir (8 files, each <500 LOC):
- access.ts (ACCESS_CONTROL + ADMISSION_CONTROL + ACCESS_AUTHORIZATION)
- transfer-input.ts (TRANSFER_CONTROL + INPUT_CONTROL)
- order-availability.ts (ORDER_CONTROL + AVAILABILITY)
- separation-encryption.ts (SEPARATION incl. DL-* + ENCRYPTION)
- pseudonymization.ts (PSEUDONYMIZATION)
- resilience-recovery.ts (RESILIENCE + RECOVERY)
- review.ts (REVIEW + training/TR-* controls)
- category-map.ts (category metadata Map)

Split controls-library.ts (943 LOC) into domain files:
- transfer-audit.ts (TRANSFER + AUDIT)
- deletion-incident.ts (DELETION + INCIDENT)
- subprocessor-tom.ts (SUBPROCESSOR + TOM)
- contract-data-subject.ts (CONTRACT + DATA_SUBJECT)
- security-governance.ts (SECURITY + GOVERNANCE)

Both barrel files preserved their full public API. No consumer imports changed. Zero new TypeScript errors introduced (305 pre-existing errors unchanged).

Co-Authored-By: Claude Sonnet 4.6
---
 .../controls/categories/access.ts | 467 +++
 .../controls/categories/category-map.ts | 102 +
 .../controls/categories/order-availability.ts | 325 ++
 .../controls/categories/pseudonymization.ts | 107 +
 .../categories/resilience-recovery.ts | 256 ++
 .../controls/categories/review.ts | 352 ++
 .../categories/separation-encryption.ts | 407 +++
 .../controls/categories/transfer-input.ts | 289 ++
 .../lib/sdk/tom-generator/controls/loader.ts | 2989 +----------------
 .../risk/contract-data-subject.ts | 126 +
 .../risk/controls-library.ts | 840 +---
 .../risk/deletion-incident.ts | 164 +
 .../risk/security-governance.ts | 126 +
 .../risk/subprocessor-tom.ts | 221 ++
 .../vendor-compliance/risk/transfer-audit.ts | 202 ++
 15 files changed, 3200 insertions(+), 3773 deletions(-)
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/access.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/category-map.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/order-availability.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/pseudonymization.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/resilience-recovery.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/review.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/separation-encryption.ts
 create mode 100644 admin-compliance/lib/sdk/tom-generator/controls/categories/transfer-input.ts
 create mode 100644 admin-compliance/lib/sdk/vendor-compliance/risk/contract-data-subject.ts
 create mode 100644 admin-compliance/lib/sdk/vendor-compliance/risk/deletion-incident.ts
 create mode 100644 admin-compliance/lib/sdk/vendor-compliance/risk/security-governance.ts
 create mode 100644 admin-compliance/lib/sdk/vendor-compliance/risk/subprocessor-tom.ts
 create mode 100644 admin-compliance/lib/sdk/vendor-compliance/risk/transfer-audit.ts

diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/access.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/access.ts
new file mode 100644
index 0000000..204c0e7
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/access.ts
@@ -0,0 +1,467 @@
+// =============================================================================
+// Access Controls
+// Categories: ACCESS_CONTROL, ADMISSION_CONTROL, ACCESS_AUTHORIZATION
+// =============================================================================
+
+import { ControlLibraryEntry } from '../../types'
+
+export const ACCESS_CONTROLS: ControlLibraryEntry[] = [
+ // ACCESS_CONTROL
+ {
+ id: 'TOM-AC-01',
+ code: 'TOM-AC-01',
+ category: 'ACCESS_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Elektronische Zutrittskontrolle', en: 'Electronic Access Control' },
+ description: {
+ de: 'Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen.',
+ en: 'Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10 },
+ { field: 'architectureProfile.hostingModel', operator: 'EQUALS', value: 'PUBLIC_CLOUD', result: 'NOT_APPLICABLE', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Zutrittskontrollkonzept', 'Protokolle des Zutrittskontrollsystems', 'Besucherregelungen'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['physical-security', 'access'],
+ },
+ {
+ id: 'TOM-AC-02',
+ code: 'TOM-AC-02',
+ category: 'ACCESS_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Besuchermanagement', en: 'Visitor Management' },
+ description: {
+ de: 'Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen.',
+ en: 'Regulations for receiving, accompanying and registering visitors in security-relevant areas.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Besucherrichtlinie', 'Besucherbuch/Protokolle'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'LOW',
+ tags: ['physical-security', 'visitors'],
+ },
+ {
+ id: 'TOM-AC-03',
+ code: 'TOM-AC-03',
+ category: 'ACCESS_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Videoüberwachung', en: 'Video Surveillance' },
+ description: {
+ de: 'Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen.',
+ en: 'Installation of video surveillance systems to control and document access to sensitive areas.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.7.4' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 20 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Videoüberwachungskonzept', 'Datenschutz-Folgenabschätzung für Videoüberwachung'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['physical-security', 'monitoring'],
+ },
+ {
+ id: 'TOM-AC-04',
+ code: 'TOM-AC-04',
+ category: 'ACCESS_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Alarmanlage', en: 'Alarm System' },
+ description: {
+ de: 'Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten.',
+ en: 'Intrusion detection system to protect premises outside business hours.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 10 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Alarmkonzept', 'Wartungsprotokolle'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['physical-security', 'intrusion-detection'],
+ },
+ {
+ id: 'TOM-AC-05',
+ code: 'TOM-AC-05',
+ category: 'ACCESS_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Schlüsselmanagement', en: 'Key Management' },
+ description: {
+ de: 'Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit.',
+ en: 'Documented management and distribution of physical keys with traceability.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Schlüsselausgabeprotokoll', 'Schlüsselverwaltungsrichtlinie'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'LOW',
+ tags: ['physical-security', 'keys'],
+ },
+ {
+ id: 'TOM-AC-06',
+ code: 'TOM-AC-06',
+ category: 'ACCESS_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Besuchermanagement (erweitert)', en: 'Visitor Management (Extended)' },
+ description: {
+ de: 'Erweitertes Besuchermanagement mit Voranmeldung, Identitaetspruefung, Begleitpflicht und zeitlich begrenztem Zugang zu sicherheitsrelevanten Bereichen.',
+ en: 'Extended visitor management with pre-registration, identity verification, escort requirement and time-limited access to security-relevant areas.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Besuchermanagement-Richtlinie', 'Besucherprotokolle', 'Zonenkonzept'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'LOW',
+ tags: ['physical-security', 'visitors', 'extended'],
+ },
+
+ // ADMISSION_CONTROL
+ {
+ id: 'TOM-ADM-01',
+ code: 'TOM-ADM-01',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Multi-Faktor-Authentifizierung', en: 'Multi-Factor Authentication' },
+ description: {
+ de: 'Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten.',
+ en: 'Implementation of two- or multi-factor authentication for system access to critical systems and data.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
+ { field: 'dataProfile.processesMinors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
+ { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 15 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['MFA-Konfigurationsdokumentation', 'Nutzerstatistiken zur MFA-Nutzung'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'CRITICAL',
+ complexity: 'MEDIUM',
+ tags: ['authentication', 'mfa', 'identity'],
+ },
+ {
+ id: 'TOM-ADM-02',
+ code: 'TOM-ADM-02',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Passwortrichtlinien', en: 'Password Policies' },
+ description: {
+ de: 'Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie).',
+ en: 'Enforcement of technical password policies (minimum length, complexity, regular changes, history).',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.3' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Passwortrichtlinie', 'Technische Konfiguration'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['authentication', 'passwords'],
+ },
+ {
+ id: 'TOM-ADM-03',
+ code: 'TOM-ADM-03',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Single Sign-On (SSO)', en: 'Single Sign-On (SSO)' },
+ description: {
+ de: 'Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit.',
+ en: 'Centralized authentication via SSO to improve security and usability.',
+ },
+ mappings: [{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.4' }],
+ applicabilityConditions: [
+ { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['SSO-Konfigurationsdokumentation', 'Integrierte Anwendungsliste'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'HIGH',
+ tags: ['authentication', 'sso', 'identity'],
+ },
+ {
+ id: 'TOM-ADM-04',
+ code: 'TOM-ADM-04',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Automatische Bildschirmsperre', en: 'Automatic Screen Lock' },
+ description: {
+ de: 'Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung.',
+ en: 'Automatic locking of workstations after inactivity with required re-authentication.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.8' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['GPO/MDM-Konfiguration', 'Richtliniendokumentation'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['workstation', 'security'],
+ },
+ {
+ id: 'TOM-ADM-05',
+ code: 'TOM-ADM-05',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Kontosperrung nach Fehlversuchen', en: 'Account Lockout After Failed Attempts' },
+ description: {
+ de: 'Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen.',
+ en: 'Automatic temporary locking of user accounts after multiple failed login attempts.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Konfigurationsdokumentation', 'Protokollierung der Sperrereignisse'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['authentication', 'brute-force-protection'],
+ },
+ {
+ id: 'TOM-ADM-06',
+ code: 'TOM-ADM-06',
+ category: 'ADMISSION_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Endpoint Detection & Response (EDR)', en: 'Endpoint Detection & Response (EDR)' },
+ description: {
+ de: 'Einsatz von EDR-Loesungen zur Erkennung und Abwehr von Bedrohungen auf Endgeraeten in Echtzeit.',
+ en: 'Deployment of EDR solutions for real-time threat detection and response on endpoints.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.2.1' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.4' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 },
+ { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['EDR-Konfiguration', 'Bedrohungsberichte', 'Incident-Response-Statistiken'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['endpoint', 'edr', 'threat-detection'],
+ },
+
+ // ACCESS_AUTHORIZATION
+ {
+ id: 'TOM-AZ-01',
+ code: 'TOM-AZ-01',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'Rollenbasierte Zugriffskontrolle (RBAC)', en: 'Role-Based Access Control (RBAC)' },
+ description: {
+ de: 'Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip.',
+ en: 'Implementation of a role-based permission system to control data access according to the need-to-know principle.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Berechtigungskonzept', 'Rollenmatrix', 'Berechtigungsaudits'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'CRITICAL',
+ complexity: 'MEDIUM',
+ tags: ['authorization', 'rbac', 'access'],
+ },
+ {
+ id: 'TOM-AZ-02',
+ code: 'TOM-AZ-02',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Berechtigungsverwaltungsprozess', en: 'Authorization Management Process' },
+ description: {
+ de: 'Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen.',
+ en: 'Documented process for requesting, approving and revoking access permissions.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.2' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Berechtigungsanträge', 'Genehmigungsprotokolle', 'Prozessdokumentation'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['authorization', 'process'],
+ },
+ {
+ id: 'TOM-AZ-03',
+ code: 'TOM-AZ-03',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'Privileged Access Management (PAM)', en: 'Privileged Access Management (PAM)' },
+ description: {
+ de: 'Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows.',
+ en: 'Special controls for privileged accounts (admins) with recording, time limits and approval workflows.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['PAM-Konfiguration', 'Sitzungsaufzeichnungen', 'Audit-Logs'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'CRITICAL',
+ complexity: 'HIGH',
+ tags: ['authorization', 'pam', 'privileged'],
+ },
+ {
+ id: 'TOM-AZ-04',
+ code: 'TOM-AZ-04',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Regelmäßige Berechtigungsrezertifizierung', en: 'Regular Authorization Recertification' },
+ description: {
+ de: 'Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten.',
+ en: 'Periodic review of all access permissions by respective supervisors.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Rezertifizierungsprotokolle', 'Prozessdokumentation'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['authorization', 'review'],
+ },
+ {
+ id: 'TOM-AZ-05',
+ code: 'TOM-AZ-05',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'Datenklassifizierung und Label', en: 'Data Classification and Labeling' },
+ description: {
+ de: 'Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen.',
+ en: 'Technical implementation of data classification with corresponding access controls.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.8.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Klassifizierungsschema', 'Label-Konfiguration'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'HIGH',
+ tags: ['classification', 'labeling'],
+ },
+ {
+ id: 'TOM-AZ-06',
+ code: 'TOM-AZ-06',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'API-Zugriffskontrolle', en: 'API Access Control' },
+ description: {
+ de: 'Implementierung von Authentifizierungs- und Autorisierungsmechanismen fuer APIs (OAuth 2.0, API-Keys, Rate Limiting).',
+ en: 'Implementation of authentication and authorization mechanisms for APIs (OAuth 2.0, API keys, rate limiting).',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['API-Security-Konzept', 'OAuth-Konfiguration', 'Rate-Limiting-Regeln'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['authorization', 'api', 'oauth'],
+ },
+ {
+ id: 'TOM-AZ-07',
+ code: 'TOM-AZ-07',
+ category: 'ACCESS_AUTHORIZATION',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Regelmaessiger Berechtigungsreview', en: 'Regular Permission Review' },
+ description: {
+ de: 'Systematische Ueberpruefung und Bereinigung von Zugriffsberechtigungen in regelmaessigen Abstaenden durch die jeweiligen Fachverantwortlichen.',
+ en: 'Systematic review and cleanup of access permissions at regular intervals by the respective department heads.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Review-Protokolle', 'Berechtigungsaenderungslog', 'Freigabedokumentation'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['authorization', 'review', 'permissions'],
+ },
+]
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/category-map.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/category-map.ts
new file mode 100644
index 0000000..5e89de6
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/category-map.ts
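Review bot: TOM-ADM-02 bakes forced periodic password rotation into a REQUIRED control (`regelmäßiger Wechsel` / `regular changes` in its description), which current guidance — NIST SP 800-63B §5.1.1.2 and, to my knowledge, BSI IT-Grundschutz ORP.4.A8 since the 2020 edition — discourages except on suspected compromise, so every generated TOM would prescribe a practice auditors now push back on. I would reword the English line to `en: 'Enforcement of technical password policies (minimum length, screening against known-compromised passwords, history; change on suspected compromise rather than on a fixed schedule).'`, adjust the German line to match, and add a BSI mapping to ORP.4.A8 next to A.9.4.3. Separately, TOM-AZ-04 and TOM-AZ-07 carry identical mappings (Art. 32 lit. d, A.9.2.5), default REQUIRED and SEMI_ANNUAL cadence, so a generated document lists two near-duplicate recertification controls; either merge them or make the descriptions scope each one (line-manager review vs. application-owner review). TOM-AC-01 maps a physical entry control to BSI `ORP.4` (identity and access management) while the sibling TOM-AC-04 uses the physical-security module `INF.1`, so the AC-01 reference looks misfiled and is worth a check. The ISO references throughout (A.9.4.2, A.11.2.8, A.12.2.1) use the 2013 Annex A numbering that ISO/IEC 27001:2022 renumbered, so a file-header comment such as `// ISO27001_ANNEX_A references use ISO/IEC 27001:2013 Annex A numbering` would stop readers assuming the 2022 edition.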
@@ -0,0 +1,102 @@
+// =============================================================================
+// Category Map — ControlCategory → name + gdprReference
+// =============================================================================
+
+import { ControlCategory, LocalizedString } from '../../types'
+
+export const CATEGORY_MAP: Map<
+ ControlCategory,
+ { name: LocalizedString; gdprReference: string }
+> = new Map([
+ [
+ 'ACCESS_CONTROL',
+ {
+ name: { de: 'Zutrittskontrolle', en: 'Physical Access Control' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'ADMISSION_CONTROL',
+ {
+ name: { de: 'Zugangskontrolle', en: 'System Access Control' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'ACCESS_AUTHORIZATION',
+ {
+ name: { de: 'Zugriffskontrolle', en: 'Access Authorization' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'TRANSFER_CONTROL',
+ {
+ name: { de: 'Weitergabekontrolle', en: 'Transfer Control' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'INPUT_CONTROL',
+ {
+ name: { de: 'Eingabekontrolle', en: 'Input Control' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'ORDER_CONTROL',
+ {
+ name: { de: 'Auftragskontrolle', en: 'Order Control' },
+ gdprReference: 'Art. 28',
+ },
+ ],
+ [
+ 'AVAILABILITY',
+ {
+ name: { de: 'Verfügbarkeit', en: 'Availability' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b, c',
+ },
+ ],
+ [
+ 'SEPARATION',
+ {
+ name: { de: 'Trennbarkeit', en: 'Separation' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'ENCRYPTION',
+ {
+ name: { de: 'Verschlüsselung', en: 'Encryption' },
+ gdprReference: 'Art. 32 Abs. 1 lit. a',
+ },
+ ],
+ [
+ 'PSEUDONYMIZATION',
+ {
+ name: { de: 'Pseudonymisierung', en: 'Pseudonymization' },
+ gdprReference: 'Art. 32 Abs. 1 lit. a',
+ },
+ ],
+ [
+ 'RESILIENCE',
+ {
+ name: { de: 'Belastbarkeit', en: 'Resilience' },
+ gdprReference: 'Art. 32 Abs. 1 lit. b',
+ },
+ ],
+ [
+ 'RECOVERY',
+ {
+ name: { de: 'Wiederherstellbarkeit', en: 'Recovery' },
+ gdprReference: 'Art. 32 Abs. 1 lit. c',
+ },
+ ],
+ [
+ 'REVIEW',
+ {
+ name: { de: 'Überprüfung & Bewertung', en: 'Review & Assessment' },
+ gdprReference: 'Art. 32 Abs. 1 lit. d',
+ },
+ ],
+])
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/order-availability.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/order-availability.ts
new file mode 100644
index 0000000..fbd253a
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/order-availability.ts
@@ -0,0 +1,325 @@
+// =============================================================================
+// Order and Availability Controls
+// Categories: ORDER_CONTROL, AVAILABILITY
+// =============================================================================
+
+import { ControlLibraryEntry } from '../../types'
+
+export const ORDER_AVAILABILITY_CONTROLS: ControlLibraryEntry[] = [
+ // ORDER_CONTROL
+ {
+ id: 'TOM-OR-01',
+ code: 'TOM-OR-01',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Auftragsverarbeitungsverträge (AVV)', en: 'Data Processing Agreements (DPA)' },
+ description: {
+ de: 'Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern.',
+ en: 'Conclusion of data processing agreements according to Art. 28 GDPR with all processors.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
+ { field: 'companyProfile.role', operator: 'EQUALS', value: 'CONTROLLER', result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Unterschriebene AVVs', 'Auftragsverarbeiter-Verzeichnis'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'CRITICAL',
+ complexity: 'LOW',
+ tags: ['contracts', 'avv', 'dpa'],
+ },
+ {
+ id: 'TOM-OR-02',
+ code: 'TOM-OR-02',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Auftragsverarbeiter-Prüfung', en: 'Processor Auditing' },
+ description: {
+ de: 'Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern.',
+ en: 'Regular verification of technical and organizational measures at processors.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. h' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Audit-Berichte', 'Zertifikate der Auftragsverarbeiter', 'Prüfprotokolle'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['audit', 'processor'],
+ },
+ {
+ id: 'TOM-OR-03',
+ code: 'TOM-OR-03',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Weisungsgebundenheit dokumentieren', en: 'Document Instruction Compliance' },
+ description: {
+ de: 'Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern.',
+ en: 'Documentation of instruction compliance by processors and employees.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. a' },
+ { framework: 'GDPR_ART29', reference: 'Art. 29' },
+ ],
+ applicabilityConditions: [
+ { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 30 },
+ ],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Weisungsdokumentation', 'Schulungsnachweise'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'LOW',
+ tags: ['processor', 'instructions'],
+ },
+ {
+ id: 'TOM-OR-04',
+ code: 'TOM-OR-04',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Unterauftragsverarbeiter-Management', en: 'Sub-processor Management' },
+ description: {
+ de: 'Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern.',
+ en: 'Documented procedure for approval and monitoring of sub-processors.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 2, 4' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
+ { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Unterauftragsverarbeiter-Liste', 'Genehmigungsprotokolle', 'AVVs mit Unterauftragsverarbeitern'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['sub-processor', 'management'],
+ },
+ {
+ id: 'TOM-OR-05',
+ code: 'TOM-OR-05',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Auftragsverarbeiter-Monitoring', en: 'Processor Monitoring' },
+ description: {
+ de: 'Regelmaessige Ueberpruefung und Bewertung der Datenschutz-Massnahmen bei Auftragsverarbeitern gemaess Art. 28 Abs. 3 lit. h DSGVO.',
+ en: 'Regular review and assessment of data protection measures at processors according to Art. 28(3)(h) GDPR.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 3 lit. h' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Audit-Berichte der Auftragsverarbeiter', 'Monitoring-Checklisten'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['order-control', 'processor', 'monitoring'],
+ },
+ {
+ id: 'TOM-OR-06',
+ code: 'TOM-OR-06',
+ category: 'ORDER_CONTROL',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Sub-Processor Management', en: 'Sub-Processor Management' },
+ description: {
+ de: 'Dokumentiertes Verfahren zur Genehmigung, Ueberwachung und Dokumentation von Unterauftragsverarbeitern.',
+ en: 'Documented process for approval, monitoring and documentation of sub-processors.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 2, 4' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ { field: 'architectureProfile.subprocessorCount', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Sub-Processor-Register', 'Genehmigungsverfahren', 'Vertragsdokumentation'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['order-control', 'sub-processor'],
+ },
+
+ // AVAILABILITY
+ {
+ id: 'TOM-AV-01',
+ code: 'TOM-AV-01',
+ category: 'AVAILABILITY',
+ type: 'TECHNICAL',
+ name: { de: 'Backup-Strategie', en: 'Backup Strategy' },
+ description: {
+ de: 'Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung.',
+ en: 'Implementation of a comprehensive backup strategy with regular backups and retention.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Backup-Konzept', 'Backup-Protokolle', 'Restore-Tests'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'CRITICAL',
+ complexity: 'MEDIUM',
+ tags: ['backup', 'recovery'],
+ },
+ {
+ id: 'TOM-AV-02',
+ code: 'TOM-AV-02',
+ category: 'AVAILABILITY',
+ type: 'TECHNICAL',
+ name: { de: 'Redundante Systeme', en: 'Redundant Systems' },
+ description: {
+ de: 'Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit.',
+ en: 'Implementation of redundancy for critical systems to ensure availability.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
+ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Redundanzkonzept', 'Architekturdokumentation'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['redundancy', 'availability'],
+ },
+ {
+ id: 'TOM-AV-03',
+ code: 'TOM-AV-03',
+ category: 'AVAILABILITY',
+ type: 'TECHNICAL',
+ name: { de: 'Unterbrechungsfreie Stromversorgung (USV)', en: 'Uninterruptible Power Supply (UPS)' },
+ description: {
+ de: 'Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen.',
+ en: 'Use of UPS systems to protect critical systems from power failures.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.2' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 15 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['USV-Dokumentation', 'Wartungsprotokolle'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['power', 'infrastructure'],
+ },
+ {
+ id: 'TOM-AV-04',
+ code: 'TOM-AV-04',
+ category: 'AVAILABILITY',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Notfallvorsorge (Business Continuity)', en: 'Business Continuity Planning' },
+ description: {
+ de: 'Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse.',
+ en: 'Documented emergency preparedness to maintain critical business processes.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 2, result: 'REQUIRED', priority: 15 },
+ ],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Business-Continuity-Plan', 'Notfallkontakte', 'Übungsprotokolle'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['bcp', 'continuity'],
+ },
+ {
+ id: 'TOM-AV-05',
+ code: 'TOM-AV-05',
+ category: 'AVAILABILITY',
+ type: 'TECHNICAL',
+ name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
+ description: {
+ de: 'Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen.',
+ en: 'Continuous monitoring of system availability with automatic notifications for outages.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Monitoring-Konfiguration', 'Alert-Regeln', 'Verfügbarkeitsberichte'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['monitoring', 'alerting'],
+ },
+ {
+ id: 'TOM-AV-06',
+ code: 'TOM-AV-06',
+ category: 'AVAILABILITY',
+ type: 'TECHNICAL',
+ name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
+ description: {
+ de: 'Implementierung einer umfassenden Ueberwachung aller IT-Systeme mit automatischen Benachrichtigungen bei Stoerungen oder Schwellenwert-Ueberschreitungen.',
+ en: 'Implementation of comprehensive monitoring of all IT systems with automatic notifications for disruptions or threshold violations.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.2' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Monitoring-Konzept', 'Alerting-Konfiguration', 'Eskalationsmatrix'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['availability', 'monitoring', 'alerting'],
+ },
+ {
+ id: 'TOM-AV-07',
+ code: 'TOM-AV-07',
+ category: 'AVAILABILITY',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Service Level Management', en: 'Service Level Management' },
+ description: {
+ de: 'Definition und Ueberwachung von Service Level Agreements (SLAs) fuer alle kritischen IT-Services mit klaren Verfuegbarkeitszielen.',
+ en: 'Definition and monitoring of Service Level Agreements (SLAs) for all critical IT services with clear availability targets.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
+ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['SLA-Dokumentation', 'Verfuegbarkeitsberichte', 'Eskalationsverfahren'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'MEDIUM',
+ complexity: 'LOW',
+ tags: ['availability', 'sla', 'service-management'],
+ },
+]
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/pseudonymization.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/pseudonymization.ts
new file mode 100644
index 0000000..d7be9d3
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/pseudonymization.ts
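Review bot: TOM-OR-05 and TOM-OR-06 tag their GDPR mapping as `framework: 'GDPR_ART32'` while the `reference` points at Art. 28 (`'Art. 28 Abs. 3 lit. h'` and `'Art. 28 Abs. 2, 4'`); TOM-OR-01 through TOM-OR-04 use `GDPR_ART28` for the same references, so any consumer that groups or filters mappings by framework will file these two processor controls under Art. 32. Change them to `{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. h' }` and `{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 2, 4' }`. Separately, TOM-AV-05 and TOM-AV-06 carry the identical name `Monitoring und Alerting` / `Monitoring and Alerting`, the same ISO mapping `A.12.4.1`, no applicability conditions and both default to REQUIRED, so every generated TOM document lists the control twice; either merge them or give TOM-AV-06 (the broader one, with thresholds and an escalation matrix) a name that distinguishes it. The duplication itself predates this commit, but the split makes it easy to fix per file now.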
@@ -0,0 +1,107 @@
+// =============================================================================
+// Pseudonymization Controls
+// Category: PSEUDONYMIZATION
+// =============================================================================
+
+import { ControlLibraryEntry } from '../../types'
+
+export const PSEUDONYMIZATION_CONTROLS: ControlLibraryEntry[] = [
+ {
+ id: 'TOM-PS-01',
+ code: 'TOM-PS-01',
+ category: 'PSEUDONYMIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'Pseudonymisierungsverfahren', en: 'Pseudonymization Procedures' },
+ description: {
+ de: 'Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten.',
+ en: 'Implementation of pseudonymization procedures to reduce the personal reference of data.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
+ { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Pseudonymisierungskonzept', 'Mapping-Tabellen-Sicherheit'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['pseudonymization', 'data-minimization'],
+ },
+ {
+ id: 'TOM-PS-02',
+ code: 'TOM-PS-02',
+ category: 'PSEUDONYMIZATION',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Datenanonymisierung fuer Analysen', en: 'Data Anonymization for Analytics' },
+ description: {
+ de: 'Verfahren zur Anonymisierung von Daten fuer Analyse- und Statistikzwecke.',
+ en: 'Procedures for anonymizing data for analysis and statistical purposes.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
+ { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Anonymisierungskonzept', 'Risikoanalyse zur Re-Identifizierung'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'HIGH',
+ tags: ['anonymization', 'analytics'],
+ },
+ {
+ id: 'TOM-PS-03',
+ code: 'TOM-PS-03',
+ category: 'PSEUDONYMIZATION',
+ type: 'TECHNICAL',
+ name: { de: 'Anonymisierung fuer Analysezwecke', en: 'Anonymization for Analytics' },
+ description: {
+ de: 'Technische Verfahren zur irreversiblen Anonymisierung personenbezogener Daten fuer statistische Auswertungen und Analysen.',
+ en: 'Technical procedures for irreversible anonymization of personal data for statistical evaluations and analyses.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
+ { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Anonymisierungsverfahren-Dokumentation', 'Re-Identifizierungs-Risikoanalyse'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'MEDIUM',
+ complexity: 'HIGH',
+ tags: ['pseudonymization', 'anonymization', 'analytics'],
+ },
+ {
+ id: 'TOM-PS-04',
+ code: 'TOM-PS-04',
+ category: 'PSEUDONYMIZATION',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Pseudonymisierungskonzept', en: 'Pseudonymization Concept' },
+ description: {
+ de: 'Dokumentiertes Konzept fuer die Pseudonymisierung personenbezogener Daten mit Definition der Verfahren, Zustaendigkeiten und Zuordnungsregeln.',
+ en: 'Documented concept for pseudonymization of personal data with definition of procedures, responsibilities and mapping rules.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
+ { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Pseudonymisierungskonzept', 'Verfahrensdokumentation'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['pseudonymization', 'concept', 'documentation'],
+ },
+]
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/resilience-recovery.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/resilience-recovery.ts
new file mode 100644
index 0000000..badeac3
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/resilience-recovery.ts
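Review bot: TOM-PS-02 and TOM-PS-03 are the same control stated twice: both are anonymization for analytics with the identical applicability condition (`dataProfile.dataVolume IN ['HIGH', 'VERY_HIGH']` → RECOMMENDED), the same default OPTIONAL, the same two GDPR mappings and overlapping evidence (anonymization concept plus a re-identification risk analysis), differing only in `type` and wording, so both are selected together for every high-volume profile. Either fold them into one entry or make the split visible in the names, with PS-02 as the organisational procedure and PS-03 as the technical implementation, and reference each other in the descriptions. The category header comment would also benefit from naming the defining property of pseudonymization that these entries rely on but never state, e.g. `// Pseudonymization (Art. 4 Nr. 5 DSGVO) presumes the re-identification key is held separately from the pseudonymized data; TOM-PS-01's 'Mapping-Tabellen-Sicherheit' evidence is that separation.` — hedged, since the separation requirement is not spelled out in the entries themselves.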
@@ -0,0 +1,256 @@
+// =============================================================================
+// Resilience and Recovery Controls
+// Categories: RESILIENCE, RECOVERY
+// =============================================================================
+
+import { ControlLibraryEntry } from '../../types'
+
+export const RESILIENCE_RECOVERY_CONTROLS: ControlLibraryEntry[] = [
+ // RESILIENCE
+ {
+ id: 'TOM-RE-01',
+ code: 'TOM-RE-01',
+ category: 'RESILIENCE',
+ type: 'TECHNICAL',
+ name: { de: 'Load Balancing', en: 'Load Balancing' },
+ description: {
+ de: 'Implementierung von Lastverteilung zur Sicherstellung der Systemstabilitaet bei hoher Last.',
+ en: 'Implementation of load balancing to ensure system stability under high load.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
+ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Load-Balancer-Konfiguration', 'Kapazitaetsplanung'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['resilience', 'load-balancing'],
+ },
+ {
+ id: 'TOM-RE-02',
+ code: 'TOM-RE-02',
+ category: 'RESILIENCE',
+ type: 'TECHNICAL',
+ name: { de: 'DDoS-Schutz', en: 'DDoS Protection' },
+ description: {
+ de: 'Massnahmen zum Schutz vor Distributed Denial of Service Angriffen.',
+ en: 'Measures to protect against Distributed Denial of Service attacks.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 },
+ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['DDoS-Schutzkonzept', 'WAF-Konfiguration'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['security', 'ddos'],
+ },
+ {
+ id: 'TOM-RE-03',
+ code: 'TOM-RE-03',
+ category: 'RESILIENCE',
+ type: 'TECHNICAL',
+ name: { de: 'Auto-Scaling', en: 'Auto-Scaling' },
+ description: {
+ de: 'Automatische Skalierung von Ressourcen basierend auf der tatsaechlichen Last.',
+ en: 'Automatic scaling of resources based on actual load.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Auto-Scaling-Konfiguration', 'Kapazitaetsmetriken'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['cloud', 'scaling'],
+ },
+ {
+ id: 'TOM-RE-04',
+ code: 'TOM-RE-04',
+ category: 'RESILIENCE',
+ type: 'TECHNICAL',
+ name: { de: 'DDoS-Abwehr (erweitert)', en: 'DDoS Mitigation (Advanced)' },
+ description: {
+ de: 'Erweiterte DDoS-Schutzmassnahmen inkl. Traffic-Analyse, automatischer Mitigation und Incident-Response-Integration.',
+ en: 'Advanced DDoS protection measures including traffic analysis, automatic mitigation and incident response integration.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25 },
+ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['DDoS-Schutzkonzept (erweitert)', 'Mitigation-Berichte', 'Incident-Playbooks'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['resilience', 'ddos', 'advanced'],
+ },
+ {
+ id: 'TOM-RE-05',
+ code: 'TOM-RE-05',
+ category: 'RESILIENCE',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Kapazitaetsplanung', en: 'Capacity Planning' },
+ description: {
+ de: 'Systematische Planung und Ueberwachung von IT-Kapazitaeten zur Sicherstellung der Systemverfuegbarkeit bei wachsender Nutzung.',
+ en: 'Systematic planning and monitoring of IT capacities to ensure system availability with growing usage.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Kapazitaetsplan', 'Trend-Analysen', 'Skalierungskonzept'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'MEDIUM',
+ complexity: 'MEDIUM',
+ tags: ['resilience', 'capacity', 'planning'],
+ },
+
+ // RECOVERY
+ {
+ id: 'TOM-RC-01',
+ code: 'TOM-RC-01',
+ category: 'RECOVERY',
+ type: 'TECHNICAL',
+ name: { de: 'Disaster Recovery Plan', en: 'Disaster Recovery Plan' },
+ description: {
+ de: 'Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall.',
+ en: 'Documented and tested plan for restoring IT systems after a disaster.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.2' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 2, result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Disaster-Recovery-Plan', 'Test-Protokolle', 'RTO/RPO-Definitionen'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'CRITICAL',
+ complexity: 'HIGH',
+ tags: ['disaster-recovery', 'bcp'],
+ },
+ {
+ id: 'TOM-RC-02',
+ code: 'TOM-RC-02',
+ category: 'RECOVERY',
+ type: 'TECHNICAL',
+ name: { de: 'Geo-Redundanz', en: 'Geo-Redundancy' },
+ description: {
+ de: 'Geografisch verteilte Datenhaltung zur Sicherstellung der Verfuegbarkeit bei regionalen Ausfaellen.',
+ en: 'Geographically distributed data storage to ensure availability during regional outages.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 30 },
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 4, result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'OPTIONAL',
+ evidenceRequirements: ['Geo-Redundanz-Konzept', 'Standort-Dokumentation'],
+ reviewFrequency: 'ANNUAL',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['geo-redundancy', 'availability'],
+ },
+ {
+ id: 'TOM-RC-03',
+ code: 'TOM-RC-03',
+ category: 'RECOVERY',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Wiederherstellungstests', en: 'Recovery Testing' },
+ description: {
+ de: 'Regelmaessige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie.',
+ en: 'Regular testing of recovery procedures to validate backup and DR strategy.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Test-Protokolle', 'Wiederherstellungszeiten', 'Massnahmenplan bei Fehlern'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['testing', 'recovery'],
+ },
+ {
+ id: 'TOM-RC-04',
+ code: 'TOM-RC-04',
+ category: 'RECOVERY',
+ type: 'TECHNICAL',
+ name: { de: 'Georedundantes Backup', en: 'Geo-Redundant Backup' },
+ description: {
+ de: 'Speicherung von Backup-Kopien an geografisch getrennten Standorten zum Schutz vor standortbezogenen Katastrophen.',
+ en: 'Storage of backup copies at geographically separated locations to protect against site-specific disasters.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
+ { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 },
+ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['Georedundanz-Konzept', 'Backup-Standort-Dokumentation', 'Wiederherstellungstests'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'HIGH',
+ tags: ['recovery', 'backup', 'geo-redundancy'],
+ },
+ {
+ id: 'TOM-RC-05',
+ code: 'TOM-RC-05',
+ category: 'RECOVERY',
+ type: 'ORGANIZATIONAL',
+ name: { de: 'Notfallwiederherstellungs-Tests', en: 'Disaster Recovery Testing' },
+ description: {
+ de: 'Regelmaessige Durchfuehrung und Dokumentation von Notfallwiederherstellungstests zur Validierung der RTO/RPO-Ziele.',
+ en: 'Regular execution and documentation of disaster recovery tests to validate RTO/RPO targets.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c, d' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
+ ],
+ applicabilityConditions: [
+ { field: 'securityProfile.hasDRPlan', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
+ ],
+ defaultApplicability: 'RECOMMENDED',
+ evidenceRequirements: ['DR-Testberichte', 'RTO/RPO-Messungen', 'Verbesserungsmassnahmen'],
+ reviewFrequency: 'SEMI_ANNUAL',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['recovery', 'dr-testing', 'rto', 'rpo'],
+ },
+]
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/review.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/review.ts
new file mode 100644
index 0000000..cede1ba
--- /dev/null
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/review.ts
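Review bot: TOM-RC-03 (`Wiederherstellungstests`) and TOM-RC-05 (`Notfallwiederherstellungs-Tests`) both describe periodic recovery testing with the same `SEMI_ANNUAL` frequency, the same ISO mapping `A.17.1.3` and overlapping evidence (test protocols and recovery times versus RTO/RPO measurements); RC-03 is REQUIRED unconditionally and RC-05 becomes REQUIRED whenever `securityProfile.hasDRPlan` is true, so any profile with a DR plan is assigned both. The same pair pattern appears in TOM-RE-02 and TOM-RE-04 (DDoS protection, identical `A.13.1.1` mapping and the same two applicability conditions in swapped order). Either fold each pair into one entry or state in the second entry's description what it adds beyond the first, so the generated TOM reads as two distinct measures rather than one listed twice. RC-05 is also the only condition in this file that reads from `securityProfile` while every other one uses `riskProfile`, `architectureProfile` or `dataProfile`; the profile types are not in this diff, so please confirm that `securityProfile.hasDRPlan` exists, since a mistyped `field` path would presumably just never match rather than fail loudly.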
@@ -0,0 +1,352 @@ +// ============================================================================= +// Review, Training, and Awareness Controls +// Category: REVIEW (includes training/TR-* and all REVIEW controls) +// ============================================================================= + +import { ControlLibraryEntry } from '../../types' + +export const REVIEW_CONTROLS: ControlLibraryEntry[] = [ + { + id: 'TOM-RV-01', + code: 'TOM-RV-01', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Regelmaessige TOM-Ueberpruefung', en: 'Regular TOM Review' }, + description: { + de: 'Periodische Ueberpruefung und Aktualisierung der technischen und organisatorischen Massnahmen.', + en: 'Periodic review and update of technical and organizational measures.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Ueberpruefungsprotokolle', 'Massnahmenplan'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['review', 'compliance'], + }, + { + id: 'TOM-RV-02', + code: 'TOM-RV-02', + category: 'REVIEW', + type: 'TECHNICAL', + name: { de: 'Penetrationstests', en: 'Penetration Testing' }, + description: { + de: 'Regelmaessige Durchfuehrung von Penetrationstests durch qualifizierte Pruefer.', + en: 'Regular penetration testing by qualified testers.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.3' }, + ], + applicabilityConditions: [ + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Penetrationstest-Berichte', 'Massnahmenplan'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'HIGH', + tags: ['security-testing', 'pentest'], + }, + { + id: 'TOM-RV-03', + code: 'TOM-RV-03', + category: 'REVIEW', + type: 'TECHNICAL', + name: { de: 'Schwachstellenscanning', en: 'Vulnerability Scanning' }, + description: { + de: 'Regelmaessiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen.', + en: 'Regular automated scanning for known vulnerabilities in systems and applications.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.12.6.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Scan-Berichte', 'Behebungsnachweis'], + reviewFrequency: 'MONTHLY', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['security-testing', 'vulnerability'], + }, + { + id: 'TOM-RV-04', + code: 'TOM-RV-04', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Sicherheitsaudits', en: 'Security Audits' }, + description: { + de: 'Durchfuehrung regelmaessiger interner oder externer Sicherheitsaudits.', + en: 'Conducting regular internal or external security audits.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, + ], + applicabilityConditions: [ + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, + { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 15 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Audit-Berichte', 'Zertifikate', 'Massnahmenplan'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['audit', 'compliance'], + }, + { + id: 'TOM-RV-05', + code: 'TOM-RV-05', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Datenschutzschulung', en: 'Data Protection Training' }, + description: { + de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit.', + en: 'Regular training of all employees on data protection and IT security.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2.2' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Schulungskonzept', 'Teilnehmerlisten', 'Schulungsnachweise'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['training', 'awareness'], + }, + { + id: 'TOM-RV-06', + code: 'TOM-RV-06', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Incident Response Plan', en: 'Incident Response Plan' }, + description: { + de: 'Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfaellen.', + en: 'Documented procedure for detection, reporting and handling of security incidents.', + }, + mappings: [ + { framework: 'GDPR_ART33', reference: 'Art. 33' }, + { framework: 'GDPR_ART34', reference: 'Art. 
34' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.16.1.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Incident-Response-Plan', 'Kontaktliste', 'Meldeformulare', 'Uebungsprotokolle'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'MEDIUM', + tags: ['incident-response', 'breach'], + }, + { + id: 'TOM-RV-07', + code: 'TOM-RV-07', + category: 'REVIEW', + type: 'TECHNICAL', + name: { + de: 'Security Information and Event Management (SIEM)', + en: 'Security Information and Event Management (SIEM)', + }, + description: { + de: 'Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen.', + en: 'Centralized collection and analysis of security events to detect attacks.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, + ], + applicabilityConditions: [ + { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 30 }, + { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['SIEM-Konfiguration', 'Korrelationsregeln', 'Alert-Berichte'], + reviewFrequency: 'QUARTERLY', + priority: 'HIGH', + complexity: 'HIGH', + tags: ['siem', 'monitoring', 'detection'], + }, + { + id: 'TOM-RV-08', + code: 'TOM-RV-08', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { + de: 'Datenschutz-Folgenabschaetzung (DSFA)', + en: 'Data Protection Impact Assessment (DPIA)', + }, + description: { + de: 'Durchfuehrung von Datenschutz-Folgenabschaetzungen fuer risikoreiche Verarbeitungen.', + en: 'Conducting data protection impact assessments for high-risk processing.', + }, + mappings: [ + { framework: 'GDPR_ART35', reference: 'Art. 
35' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.1.4' }, + ], + applicabilityConditions: [ + { field: 'riskProfile.dsfaRequired', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + { field: 'dataProfile.processesMinors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['DSFA-Dokumentation', 'Risikobewertung', 'Massnahmenplan'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'HIGH', + tags: ['dpia', 'dsfa', 'risk-assessment'], + }, + { + id: 'TOM-RV-09', + code: 'TOM-RV-09', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Datenschutz-Audit-Programm', en: 'Data Protection Audit Program' }, + description: { + de: 'Systematisches Programm zur regelmaessigen internen Ueberpruefung aller Datenschutzmassnahmen mit dokumentierten Ergebnissen und Massnahmenverfolgung.', + en: 'Systematic program for regular internal review of all data protection measures with documented results and action tracking.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, + { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'DER.3.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Audit-Programm', 'Audit-Berichte', 'Massnahmenplan'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['review', 'audit', 'data-protection'], + }, + { + id: 'TOM-RV-10', + code: 'TOM-RV-10', + category: 'REVIEW', + type: 'TECHNICAL', + name: { de: 'Automatisierte Compliance-Pruefung', en: 'Automated Compliance Checking' }, + description: { + de: 'Einsatz automatisierter Tools zur kontinuierlichen Ueberpruefung der Einhaltung von Sicherheits- und Datenschutzrichtlinien.', + en: 'Use of automated tools for continuous monitoring of compliance with security and data protection policies.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.2' }, + ], + applicabilityConditions: [ + { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['Tool-Konfiguration', 'Compliance-Dashboard', 'Automatisierte Berichte'], + reviewFrequency: 'QUARTERLY', + priority: 'MEDIUM', + complexity: 'HIGH', + tags: ['review', 'automation', 'compliance'], + }, + { + id: 'TOM-RV-11', + code: 'TOM-RV-11', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Management Review (Art. 32 Abs. 1 lit. d)', en: 'Management Review (Art. 
32(1)(d))' }, + description: { + de: 'Regelmaessige Ueberpruefung der Wirksamkeit aller technischen und organisatorischen Massnahmen durch die Geschaeftsfuehrung mit dokumentierten Ergebnissen.', + en: 'Regular review of the effectiveness of all technical and organizational measures by management with documented results.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Management-Review-Protokolle', 'Massnahmenplan', 'Wirksamkeitsbewertung'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['review', 'management', 'effectiveness'], + }, + // Training and confidentiality controls (also REVIEW category) + { + id: 'TOM-TR-01', + code: 'TOM-TR-01', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Datenschutzschulung', en: 'Data Protection Training' }, + description: { + de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.', + en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.', + }, + mappings: [ + { framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' }, + { framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. 
n' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, + ], + applicabilityConditions: [ + { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'REQUIRED', priority: 30 }, + ], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Schulungsplan (jaehrlich)', 'Teilnahmelisten / Schulungsnachweise', 'Schulungsmaterialien / Praesentation', 'Wissenstest-Ergebnisse (optional)'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['training', 'schulung', 'awareness', 'organizational'], + }, + { + id: 'TOM-TR-02', + code: 'TOM-TR-02', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Verpflichtung auf Datengeheimnis', en: 'Confidentiality Obligation' }, + description: { + de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.', + en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.', + }, + mappings: [ + { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' }, + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
4' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' }, + ], + applicabilityConditions: [ + { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'REQUIRED', priority: 30 }, + ], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Muster-Verpflichtungserklaerung', 'Unterschriebene Verpflichtungserklaerungen', 'Register der verpflichteten Personen'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'], + }, + { + id: 'TOM-TR-03', + code: 'TOM-TR-03', + category: 'REVIEW', + type: 'ORGANIZATIONAL', + name: { de: 'Security Awareness Programm', en: 'Security Awareness Program' }, + description: { + de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.', + en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, + { framework: 'BSI_C5', reference: 'ORP.3' }, + ], + applicabilityConditions: [ + { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 10, result: 'REQUIRED', priority: 20 }, + { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Awareness-Programm-Dokumentation', 'Phishing-Simulationsergebnisse', 'Teilnahmenachweise'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'MEDIUM', + complexity: 'MEDIUM', + tags: ['training', 'security-awareness', 'phishing', 'social-engineering'], + }, +] diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/separation-encryption.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/separation-encryption.ts new file mode 100644 index 0000000..ed9f94f --- /dev/null 
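Review bot: The training entries at the end of this hunk reuse ids `TOM-TR-01`, `TOM-TR-02` and `TOM-TR-03`, which are also the ids of the TRANSFER_CONTROL entries in transfer-input.ts (`Transportverschlüsselung (TLS)`, `VPN für Fernzugriff`, `E-Mail-Verschlüsselung`); once the barrel concatenates the category files, any consumer that keys controls by `id`/`code` (a Map, a dedupe step, a lookup by reference) will silently keep only one of each pair, so a REQUIRED/CRITICAL transfer control or the training control can vanish from a generated TOM without any error. The split presumably carried this over from loader.ts, but a refactor that promises an unchanged public API is the place to at least add a uniqueness assertion in the barrel, e.g. `const ids = new Set(); for (const c of ALL) { if (ids.has(c.id)) throw new Error(\`duplicate control id ${c.id}\`); ids.add(c.id) }`, and to give the training controls their own prefix (for example a constructed `TOM-TRN-*`) — whichever consumers rely on the old codes must be checked. Also note `TOM-RV-05` and `TOM-TR-01` are both named `Datenschutzschulung` with overlapping evidence, and `TOM-TR-03` tags `ORP.3` as `BSI_C5` although `ORP.*`/`CON.*`/`NET.*`/`DER.*` references are filed under `BSI_IT_GRUNDSCHUTZ` everywhere else in this change; a header comment stating the id scheme and which ISO 27001 edition the Annex A numbers follow (this file mixes `A.18.2.1`-style 2013 numbers with `A.6.3`-style 2022 numbers) would prevent further drift.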
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/separation-encryption.ts 
@@ -0,0 +1,407 @@ +// ============================================================================= +// Separation and Encryption Controls +// Categories: SEPARATION (incl. deletion/DL-*), ENCRYPTION +// ============================================================================= + +import { ControlLibraryEntry } from '../../types' + +export const SEPARATION_ENCRYPTION_CONTROLS: ControlLibraryEntry[] = [ + // SEPARATION + { + id: 'TOM-SE-01', + code: 'TOM-SE-01', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Mandantentrennung', en: 'Multi-Tenant Separation' }, + description: { + de: 'Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen.', + en: 'Technical separation of data from different customers/tenants in multi-tenant systems.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.multiTenancy', operator: 'EQUALS', value: 'MULTI_TENANT', result: 'REQUIRED', priority: 30 }, + { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 20 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Mandantentrennungskonzept', 'Architekturdokumentation', 'Penetrationstest-Ergebnisse'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'HIGH', + tags: ['multi-tenant', 'separation'], + }, + { + id: 'TOM-SE-02', + code: 'TOM-SE-02', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' }, + description: { + de: 'Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche.', + en: 'Network segmentation to separate different security zones and data processing areas.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 15 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Netzwerkdiagramm', 'Firewall-Regeln'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['network', 'segmentation'], + }, + { + id: 'TOM-SE-03', + code: 'TOM-SE-03', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Umgebungstrennung (Dev/Test/Prod)', en: 'Environment Separation (Dev/Test/Prod)' }, + description: { + de: 'Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen.', + en: 'Strict separation of development, test and production environments.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.4' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Umgebungsdokumentation', 'Zugriffsrechte je Umgebung'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['environments', 'separation'], + }, + { + id: 'TOM-SE-04', + code: 'TOM-SE-04', + category: 'SEPARATION', + type: 'ORGANIZATIONAL', + name: { de: 'Zweckbindung dokumentieren', en: 'Document Purpose Limitation' }, + description: { + de: 'Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung.', + en: 'Documentation and technical enforcement of purpose limitation in data processing.', + }, + mappings: [ + { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. b' }, + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Verarbeitungsverzeichnis', 'Zweckdokumentation'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['purpose-limitation', 'documentation'], + }, + { + id: 'TOM-SE-05', + code: 'TOM-SE-05', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' }, + description: { + de: 'Aufteilung des Netzwerks in separate Sicherheitszonen mit kontrollierten Uebergaengen zur Begrenzung der Ausbreitung von Sicherheitsvorfaellen.', + en: 'Division of the network into separate security zones with controlled transitions to limit the spread of security incidents.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, + { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'NET.1.1' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Netzwerkplan', 'Firewall-Regeln', 'Segmentierungskonzept'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'HIGH', + complexity: 'HIGH', + tags: ['separation', 'network', 'segmentation'], + }, + { + id: 'TOM-SE-06', + code: 'TOM-SE-06', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Mandantenisolierung in Cloud', en: 'Tenant Isolation in Cloud' }, + description: { + de: 'Technische Sicherstellung der vollstaendigen Datentrennung zwischen verschiedenen Mandanten in Multi-Tenant-Cloud-Umgebungen.', + en: 'Technical assurance of complete data separation between different tenants in multi-tenant cloud environments.', + }, + mappings: [ + { framework: 
'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.multiTenancy', operator: 'EQUALS', value: 'MULTI_TENANT', result: 'REQUIRED', priority: 30 }, + { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['Mandantentrennungskonzept', 'Isolierungstests', 'Cloud-Security-Assessment'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'CRITICAL', + complexity: 'HIGH', + tags: ['separation', 'multi-tenant', 'cloud'], + }, + // Deletion/secure data removal controls (SEPARATION category) + { + id: 'TOM-DL-01', + code: 'TOM-DL-01', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Sichere Datenloeschung', en: 'Secure Data Deletion' }, + description: { + de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).', + en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).', + }, + mappings: [ + { framework: 'GDPR_ART17', reference: 'Art. 17' }, + { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. 
e' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, + { framework: 'BSI_C5', reference: 'SY-09' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'REQUIRED', priority: 30 }, + ], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Loeschkonzept / Loeschrichtlinie', 'Loeschprotokolle mit Zeitstempeln', 'DIN 66399 Konformitaetsnachweis'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'], + }, + { + id: 'TOM-DL-02', + code: 'TOM-DL-02', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Datentraegervernichtung', en: 'Media Destruction' }, + description: { + de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.', + en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
1' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' }, + { framework: 'BSI_C5', reference: 'AM-08' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'RECOMMENDED', priority: 20 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Vernichtungsprotokoll mit Seriennummern', 'Zertifikat des Vernichtungsdienstleisters', 'DIN 66399 Sicherheitsstufe-Nachweis'], + reviewFrequency: 'ANNUAL', + priority: 'MEDIUM', + complexity: 'LOW', + tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'], + }, + { + id: 'TOM-DL-03', + code: 'TOM-DL-03', + category: 'SEPARATION', + type: 'ORGANIZATIONAL', + name: { de: 'Loeschprotokollierung', en: 'Deletion Logging' }, + description: { + de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.', + en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.', + }, + mappings: [ + { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 
2 (Rechenschaftspflicht)' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Loeschprotokoll-Template', 'Archivierte Loeschprotokolle (Stichprobe)', 'Automatisierungsnachweis (bei automatischen Loeschungen)'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['deletion', 'logging', 'accountability', 'documentation'], + }, + { + id: 'TOM-DL-04', + code: 'TOM-DL-04', + category: 'SEPARATION', + type: 'TECHNICAL', + name: { de: 'Backup-Bereinigung', en: 'Backup Sanitization' }, + description: { + de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.', + en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.', + }, + mappings: [ + { framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 
2' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' }, + ], + applicabilityConditions: [ + { field: 'techProfile.hasBackups', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Backup-Loeschkonzept', 'Backup-Rotationsplan', 'Nachweis der Backup-Bereinigung'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'MEDIUM', + complexity: 'HIGH', + tags: ['deletion', 'backup', 'data-lifecycle', 'retention'], + }, + { + id: 'TOM-DL-05', + code: 'TOM-DL-05', + category: 'SEPARATION', + type: 'ORGANIZATIONAL', + name: { de: 'Datenloesch-Audit', en: 'Data Deletion Audit' }, + description: { + de: 'Regelmaessige Ueberpruefung der Wirksamkeit und Vollstaendigkeit von Datenloeschvorgaengen durch unabhaengige Stellen.', + en: 'Regular review of the effectiveness and completeness of data deletion processes by independent parties.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 5 Abs. 1 lit. e' }, + { framework: 'GDPR_ART32', reference: 'Art. 17' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.8.3.2' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Audit-Berichte', 'Loeschprotokolle', 'Stichproben-Ergebnisse'], + reviewFrequency: 'ANNUAL', + priority: 'MEDIUM', + complexity: 'MEDIUM', + tags: ['separation', 'deletion', 'audit'], + }, + + // ENCRYPTION + { + id: 'TOM-ENC-01', + code: 'TOM-ENC-01', + category: 'ENCRYPTION', + type: 'TECHNICAL', + name: { de: 'Verschlüsselung ruhender Daten', en: 'Encryption at Rest' }, + description: { + de: 'Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen.', + en: 'Encryption of all stored personal data using modern encryption algorithms.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
1 lit. a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Verschlüsselungskonzept', 'Konfigurationsdokumentation'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'MEDIUM', + tags: ['encryption', 'at-rest'], + }, + { + id: 'TOM-ENC-02', + code: 'TOM-ENC-02', + category: 'ENCRYPTION', + type: 'TECHNICAL', + name: { de: 'Schlüsselmanagement', en: 'Key Management' }, + description: { + de: 'Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel.', + en: 'Secure process for generation, storage, rotation and destruction of cryptographic keys.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.encryptionAtRest', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Schlüsselmanagement-Richtlinie', 'HSM/KMS-Dokumentation'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'HIGH', + tags: ['encryption', 'key-management'], + }, + { + id: 'TOM-ENC-03', + code: 'TOM-ENC-03', + category: 'ENCRYPTION', + type: 'TECHNICAL', + name: { de: 'Datenbank-Verschlüsselung', en: 'Database Encryption' }, + description: { + de: 'Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder.', + en: 'Encryption of databases at database level or individual field level.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Datenbank-Verschlüsselungskonfiguration', 'Feldverschlüsselungsmatrix'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['encryption', 'database'], + }, + { + id: 'TOM-ENC-04', + code: 'TOM-ENC-04', + category: 'ENCRYPTION', + type: 'TECHNICAL', + name: { de: 'Zertifikatsmanagement (TLS/SSL)', en: 'Certificate Management (TLS/SSL)' }, + description: { + de: 'Systematische Verwaltung, Ueberwachung und rechtzeitige Erneuerung aller TLS/SSL-Zertifikate zur Vermeidung von Sicherheitsluecken durch abgelaufene Zertifikate.', + en: 'Systematic management, monitoring and timely renewal of all TLS/SSL certificates to prevent security gaps from expired certificates.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, + { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.1' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.encryptionInTransit', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Zertifikatsinventar', 'Monitoring-Konfiguration', 'Erneuerungsprotokolle'], + reviewFrequency: 'QUARTERLY', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['encryption', 'certificates', 'tls'], + }, + { + id: 'TOM-ENC-05', + code: 'TOM-ENC-05', + category: 'ENCRYPTION', + type: 'ORGANIZATIONAL', + name: { de: 'Schluesselmanagement-Policy', en: 'Key Management Policy' }, + description: { + de: 'Dokumentierte Richtlinie fuer den gesamten Lebenszyklus kryptografischer Schluessel inkl. Erzeugung, Verteilung, Speicherung, Rotation und Vernichtung.', + en: 'Documented policy for the full lifecycle of cryptographic keys including generation, distribution, storage, rotation and destruction.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, + ], + applicabilityConditions: [ + { field: 'architectureProfile.encryptionAtRest', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['Schluesselmanagement-Richtlinie', 'Schluesselrotationsplan'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['encryption', 'key-management', 'policy'], + }, + +] diff --git a/admin-compliance/lib/sdk/tom-generator/controls/categories/transfer-input.ts b/admin-compliance/lib/sdk/tom-generator/controls/categories/transfer-input.ts new file mode 100644 index 0000000..412cc83 --- /dev/null 
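Review bot: `TOM-DL-05` files both of its GDPR references under the wrong framework key: `{ framework: 'GDPR_ART32', reference: 'Art. 5 Abs. 1 lit. e' }` and `{ framework: 'GDPR_ART32', reference: 'Art. 17' }`, whereas `TOM-DL-01` in the same hunk uses `GDPR_ART5` and `GDPR_ART17` for the same articles; any framework-based filtering or mapping report will therefore attribute the deletion-audit control to Art. 32 and miss it for Art. 5/17. The two lines should read `{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' },` and `{ framework: 'GDPR_ART17', reference: 'Art. 17' },`. Separately, `TOM-SE-02` and `TOM-SE-05` are both `Netzwerksegmentierung` / `Network Segmentation` with the same hosting-model and protection-level conditions at slightly different priorities, so a generated TOM will list network segmentation twice; if the duplication is intentional for the split, a comment above `TOM-SE-05` saying which one is authoritative would help, otherwise one should be retired. The ISO references here also mix editions (`A.13.1.3`, `A.10.1.1` are 2013 numbering; `A.8.10`, `A.7.14`, `A.8.13` are 2022), which is worth stating in the file header so the mapping is interpreted consistently.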
+++ b/admin-compliance/lib/sdk/tom-generator/controls/categories/transfer-input.ts 
@@ -0,0 +1,289 @@ +// ============================================================================= +// Transfer and Input Controls +// Categories: TRANSFER_CONTROL, INPUT_CONTROL +// ============================================================================= + +import { ControlLibraryEntry } from '../../types' + +export const TRANSFER_INPUT_CONTROLS: ControlLibraryEntry[] = [ + // TRANSFER_CONTROL + { + id: 'TOM-TR-01', + code: 'TOM-TR-01', + category: 'TRANSFER_CONTROL', + type: 'TECHNICAL', + name: { de: 'Transportverschlüsselung (TLS)', en: 'Transport Encryption (TLS)' }, + description: { + de: 'Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher.', + en: 'Encryption of all data transfers using TLS 1.2 or higher.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['TLS-Konfigurationsdokumentation', 'SSL/TLS-Scans'], + reviewFrequency: 'QUARTERLY', + priority: 'CRITICAL', + complexity: 'MEDIUM', + tags: ['encryption', 'transport', 'tls'], + }, + { + id: 'TOM-TR-02', + code: 'TOM-TR-02', + category: 'TRANSFER_CONTROL', + type: 'TECHNICAL', + name: { de: 'VPN für Fernzugriff', en: 'VPN for Remote Access' }, + description: { + de: 'Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke.', + en: 'Use of VPN connections for secure remote access to corporate networks.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, + ], + applicabilityConditions: [ + { field: 'companyProfile.hasRemoteWorkers', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['VPN-Konfiguration', 'Nutzungsrichtlinie'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['vpn', 'remote-access', 'encryption'], + }, + { + id: 'TOM-TR-03', + code: 'TOM-TR-03', + category: 'TRANSFER_CONTROL', + type: 'ORGANIZATIONAL', + name: { de: 'E-Mail-Verschlüsselung', en: 'Email Encryption' }, + description: { + de: 'Verschlüsselung sensibler E-Mails mittels S/MIME oder PGP.', + en: 'Encryption of sensitive emails using S/MIME or PGP.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'RECOMMENDED', + evidenceRequirements: ['E-Mail-Verschlüsselungsrichtlinie', 'Zertifikatsverwaltung'], + reviewFrequency: 'ANNUAL', + priority: 'MEDIUM', + complexity: 'MEDIUM', + tags: ['email', 'encryption', 'communication'], + }, + { + id: 'TOM-TR-04', + code: 'TOM-TR-04', + category: 'TRANSFER_CONTROL', + type: 'TECHNICAL', + name: { de: 'Sichere Dateiübertragung (SFTP/FTPS)', en: 'Secure File Transfer (SFTP/FTPS)' }, + description: { + de: 'Nutzung verschlüsselter Protokolle für Dateiübertragungen (SFTP, FTPS, HTTPS).', + en: 'Use of encrypted protocols for file transfers (SFTP, FTPS, HTTPS).', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Protokollkonfiguration', 'Übertragungsprotokolle'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'LOW', + tags: ['file-transfer', 'encryption', 'sftp'], + }, + { + id: 'TOM-TR-05', + code: 'TOM-TR-05', + category: 'TRANSFER_CONTROL', + type: 'TECHNICAL', + name: { de: 'Data Loss Prevention (DLP)', en: 'Data Loss Prevention (DLP)' }, + description: { + de: 'Implementierung von DLP-Lösungen zur Verhinderung der unautorisierten Weitergabe von Daten.', + en: 'Implementation of DLP solutions to prevent unauthorized data transfer.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 20 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 10 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['DLP-Konfiguration', 'Vorfallsberichte'], + reviewFrequency: 'QUARTERLY', + priority: 'HIGH', + complexity: 'HIGH', + tags: ['dlp', 'data-protection'], + }, + { + id: 'TOM-TR-06', + code: 'TOM-TR-06', + category: 'TRANSFER_CONTROL', + type: 'TECHNICAL', + name: { de: 'E-Mail-Verschluesselung (erweitert)', en: 'Email Encryption (Extended)' }, + description: { + de: 'Erweiterte E-Mail-Verschluesselung mit automatischer Erkennung sensibler Inhalte und erzwungener Gateway-Verschluesselung.', + en: 'Extended email encryption with automatic detection of sensitive content and enforced gateway encryption.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, + { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['E-Mail-Verschluesselungs-Policy', 'Gateway-Konfiguration', 'DLP-Regeln'], + reviewFrequency: 'SEMI_ANNUAL', + priority: 'MEDIUM', + complexity: 'MEDIUM', + tags: ['transfer', 'email', 'encryption'], + }, + { + id: 'TOM-TR-07', + code: 'TOM-TR-07', + category: 'TRANSFER_CONTROL', + type: 'ORGANIZATIONAL', + name: { de: 'Drittstaat-Transferbewertung', en: 'Third Country Transfer Assessment' }, + description: { + de: 'Dokumentierte Bewertung und Absicherung von Datenuebermittlungen in Drittstaaten gemaess Art. 44-49 DSGVO (Standardvertragsklauseln, TIA).', + en: 'Documented assessment and safeguarding of data transfers to third countries according to Art. 44-49 GDPR (Standard Contractual Clauses, TIA).', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 
44-49' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' }, + ], + applicabilityConditions: [ + { field: 'dataProfile.thirdCountryTransfers', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, + { field: 'architectureProfile.hostingLocation', operator: 'IN', value: ['THIRD_COUNTRY_ADEQUATE', 'THIRD_COUNTRY'], result: 'REQUIRED', priority: 25 }, + ], + defaultApplicability: 'OPTIONAL', + evidenceRequirements: ['Transfer Impact Assessment', 'Standardvertragsklauseln', 'Angemessenheitsbeschluss-Pruefung'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'MEDIUM', + tags: ['transfer', 'third-country', 'schrems-ii'], + }, + + // INPUT_CONTROL + { + id: 'TOM-IN-01', + code: 'TOM-IN-01', + category: 'INPUT_CONTROL', + type: 'TECHNICAL', + name: { de: 'Audit-Logging', en: 'Audit Logging' }, + description: { + de: 'Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation.', + en: 'Comprehensive logging of all data processing activities with timestamp and user identification.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Logging-Konzept', 'Log-Konfiguration', 'Beispiel-Logs'], + reviewFrequency: 'ANNUAL', + priority: 'CRITICAL', + complexity: 'MEDIUM', + tags: ['logging', 'audit'], + }, + { + id: 'TOM-IN-02', + code: 'TOM-IN-02', + category: 'INPUT_CONTROL', + type: 'TECHNICAL', + name: { de: 'Änderungsprotokollierung (Change Log)', en: 'Change Logging' }, + description: { + de: 'Automatische Protokollierung aller Änderungen an personenbezogenen Daten.', + en: 'Automatic logging of all changes to personal data.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Change-Log-Konfiguration', 'Beispielprotokolle'], + reviewFrequency: 'ANNUAL', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['logging', 'change-tracking'], + }, + { + id: 'TOM-IN-03', + code: 'TOM-IN-03', + category: 'INPUT_CONTROL', + type: 'TECHNICAL', + name: { de: 'Eingabevalidierung', en: 'Input Validation' }, + description: { + de: 'Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen.', + en: 'Technical validation of all inputs to prevent data manipulation and injection attacks.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, + { framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' }, + ], + applicabilityConditions: [], + defaultApplicability: 'REQUIRED', + evidenceRequirements: ['Validierungsregeln', 'Code-Reviews'], + reviewFrequency: 'QUARTERLY', + priority: 'HIGH', + complexity: 'MEDIUM', + tags: ['security', 'validation'], + }, + { + id: 'TOM-IN-04', + code: 'TOM-IN-04', + category: 'INPUT_CONTROL', + type: 'ORGANIZATIONAL', + name: { de: 'Log-Aufbewahrung und -Auswertung', en: 'Log Retention and Analysis' }, + description: { + de: 'Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien.', + en: 'Defined retention periods for logs and regular analysis to detect anomalies.', + }, + mappings: [ + { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Log-Aufbewahrungsrichtlinie', 'Analyseberichte'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['logging', 'analysis', 'retention'],
+ },
+ {
+ id: 'TOM-IN-05',
+ code: 'TOM-IN-05',
+ category: 'INPUT_CONTROL',
+ type: 'TECHNICAL',
+ name: { de: 'Automatisierte Eingabevalidierung', en: 'Automated Input Validation' },
+ description: {
+ de: 'Technische Validierung aller Benutzereingaben zur Verhinderung von Injection-Angriffen und Sicherstellung der Datenintegritaet.',
+ en: 'Technical validation of all user inputs to prevent injection attacks and ensure data integrity.',
+ },
+ mappings: [
+ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
+ { framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' },
+ ],
+ applicabilityConditions: [],
+ defaultApplicability: 'REQUIRED',
+ evidenceRequirements: ['Validierungsregeln-Dokumentation', 'Penetrationstest-Berichte'],
+ reviewFrequency: 'QUARTERLY',
+ priority: 'HIGH',
+ complexity: 'MEDIUM',
+ tags: ['input-validation', 'security', 'injection-prevention'],
+ },
+]
diff --git a/admin-compliance/lib/sdk/tom-generator/controls/loader.ts b/admin-compliance/lib/sdk/tom-generator/controls/loader.ts
index 211daed..5e7cb29 100644
--- a/admin-compliance/lib/sdk/tom-generator/controls/loader.ts
+++ b/admin-compliance/lib/sdk/tom-generator/controls/loader.ts
@@ -1,6 +1,7 @@
 // =============================================================================
 // Control Library Loader
-// Loads and parses the controls.yml file
+// Barrel re-exporting all category controls and providing loader functions.
+// Data is split into categories/ subdirectory — each file <500 LOC.
 // =============================================================================
 import {
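Review bot: TOM-IN-03 and TOM-IN-05 in the INPUT_CONTROL section are the same control under two ids: both are `INPUT_CONTROL`/`TECHNICAL`, describe validation of all inputs to prevent injection, map to `Art. 32 Abs. 1 lit. b` and `A.14.2.5`, carry no applicability conditions and default to `REQUIRED`, so every generated TOM will list input validation as two separate mandatory measures. Merging them into one entry (keeping the evidence requirements of both) would fix this. The TRANSFER_CONTROL entries also appear to differ from the `TOM-TR-*` data removed from loader.ts further down in this diff — old TOM-TR-02 keys on `architectureProfile.hostingModel` while this one keys on `companyProfile.hasRemoteWorkers`, and the old unconditionally REQUIRED TOM-TR-03 'Richtlinie zur Datenübermittlung' has no counterpart here — which changes which controls are reported as mandatory in a commit described as a pure split; if the old file did not redefine these ids later, the data drift should be called out in the message or reverted. Minor: `ControlLibraryEntry` is only used as a type here, so `import type { ControlLibraryEntry } from '../../types'` is the stricter form.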
@@ -16,57 +17,31 @@ import {
 ApplicabilityCondition,
 } from '../types'
-// =============================================================================
-// RAW YAML TYPES
-// =============================================================================
+import { CATEGORY_MAP } from './categories/category-map'
+import { ACCESS_CONTROLS } from './categories/access'
+import { TRANSFER_INPUT_CONTROLS } from './categories/transfer-input'
+import { ORDER_AVAILABILITY_CONTROLS } from './categories/order-availability'
+import { SEPARATION_ENCRYPTION_CONTROLS } from './categories/separation-encryption'
+import { PSEUDONYMIZATION_CONTROLS } from './categories/pseudonymization'
+import { RESILIENCE_RECOVERY_CONTROLS } from './categories/resilience-recovery'
+import { REVIEW_CONTROLS } from './categories/review'
-interface RawApplicabilityCondition {
- field: string
- operator: string
- value: unknown
- result: string
- priority: number
-}
-
-interface RawMapping {
- framework: string
- reference: string
-}
-
-interface RawControl {
- id: string
- code: string
- category: string
- type: 'TECHNICAL' | 'ORGANIZATIONAL'
- name: { de: string; en: string }
- description: { de: string; en: string }
- mappings: RawMapping[]
- applicabilityConditions: RawApplicabilityCondition[]
- defaultApplicability: string
- evidenceRequirements: string[]
- reviewFrequency: string
- priority: string
- complexity: string
- tags: string[]
-}
-
-interface RawCategoryInfo {
- name: { de: string; en: string }
- gdprReference: string
-}
-
-interface RawControlsYaml {
- metadata: {
- version: string
- lastUpdated: string
- totalControls: number
- }
- categories: Record
- controls: RawControl[]
+// Re-export raw types for consumers that import them from here
+export type {
+ ControlLibraryEntry,
+ ControlCategory,
+ ControlApplicability,
+ ConditionOperator,
+ ReviewFrequency,
+ ControlPriority,
+ ControlComplexity,
+ LocalizedString,
+ FrameworkMapping,
+ ApplicabilityCondition,
 }
 //
=============================================================================
-// PARSED CONTROL LIBRARY
+// PARSED CONTROL LIBRARY TYPE
 // =============================================================================
 export interface ControlLibrary {
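Review bot: The comment `// Re-export raw types for consumers that import them from here` is misleading: the `Raw*` YAML interfaces are exactly what this hunk deletes (they were module-private, so dropping them is API-neutral), while the names actually re-exported are the parsed domain types from `../types`. Suggest `// Re-export the control-library types from ../types so existing consumers can keep importing them from the loader`. Every name in the `export type { ... }` list must also appear in the `import { ... } from '../types'` block, whose start lies in the previous hunk; only `ApplicabilityCondition` is visible there, so the other nine are worth a quick check.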
@@ -83,2919 +58,27 @@ export interface ControlLibrary { } // ============================================================================= -// EMBEDDED CONTROL DATA -// Since we can't dynamically load YAML in all environments, we embed the data +// ASSEMBLED CONTROL LIBRARY DATA // ============================================================================= +const ALL_CONTROLS: ControlLibraryEntry[] = [ + ...ACCESS_CONTROLS, + ...TRANSFER_INPUT_CONTROLS, + ...ORDER_AVAILABILITY_CONTROLS, + ...SEPARATION_ENCRYPTION_CONTROLS, + ...PSEUDONYMIZATION_CONTROLS, + ...RESILIENCE_RECOVERY_CONTROLS, + ...REVIEW_CONTROLS, +] + const CONTROL_LIBRARY_DATA: ControlLibrary = { metadata: { version: '1.1.0', lastUpdated: '2026-03-19', totalControls: 88, }, - categories: new Map([ - [ - 'ACCESS_CONTROL', - { - name: { de: 'Zutrittskontrolle', en: 'Physical Access Control' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'ADMISSION_CONTROL', - { - name: { de: 'Zugangskontrolle', en: 'System Access Control' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'ACCESS_AUTHORIZATION', - { - name: { de: 'Zugriffskontrolle', en: 'Access Authorization' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'TRANSFER_CONTROL', - { - name: { de: 'Weitergabekontrolle', en: 'Transfer Control' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'INPUT_CONTROL', - { - name: { de: 'Eingabekontrolle', en: 'Input Control' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'ORDER_CONTROL', - { - name: { de: 'Auftragskontrolle', en: 'Order Control' }, - gdprReference: 'Art. 28', - }, - ], - [ - 'AVAILABILITY', - { - name: { de: 'Verfügbarkeit', en: 'Availability' }, - gdprReference: 'Art. 32 Abs. 1 lit. b, c', - }, - ], - [ - 'SEPARATION', - { - name: { de: 'Trennbarkeit', en: 'Separation' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'ENCRYPTION', - { - name: { de: 'Verschlüsselung', en: 'Encryption' }, - gdprReference: 'Art. 32 Abs. 
1 lit. a', - }, - ], - [ - 'PSEUDONYMIZATION', - { - name: { de: 'Pseudonymisierung', en: 'Pseudonymization' }, - gdprReference: 'Art. 32 Abs. 1 lit. a', - }, - ], - [ - 'RESILIENCE', - { - name: { de: 'Belastbarkeit', en: 'Resilience' }, - gdprReference: 'Art. 32 Abs. 1 lit. b', - }, - ], - [ - 'RECOVERY', - { - name: { de: 'Wiederherstellbarkeit', en: 'Recovery' }, - gdprReference: 'Art. 32 Abs. 1 lit. c', - }, - ], - [ - 'REVIEW', - { - name: { de: 'Überprüfung & Bewertung', en: 'Review & Assessment' }, - gdprReference: 'Art. 32 Abs. 1 lit. d', - }, - ], - ]), - controls: [ - // ACCESS CONTROL - { - id: 'TOM-AC-01', - code: 'TOM-AC-01', - category: 'ACCESS_CONTROL', - type: 'TECHNICAL', - name: { - de: 'Elektronische Zutrittskontrolle', - en: 'Electronic Access Control', - }, - description: { - de: 'Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen.', - en: 'Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, - ], - applicabilityConditions: [ - { - field: 'architectureProfile.hostingModel', - operator: 'IN', - value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], - result: 'REQUIRED', - priority: 10, - }, - { - field: 'architectureProfile.hostingModel', - operator: 'EQUALS', - value: 'PUBLIC_CLOUD', - result: 'NOT_APPLICABLE', - priority: 20, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'Zutrittskontrollkonzept', - 'Protokolle des Zutrittskontrollsystems', - 'Besucherregelungen', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['physical-security', 'access'], - }, - { - id: 'TOM-AC-02', - code: 'TOM-AC-02', - category: 'ACCESS_CONTROL', - type: 'ORGANIZATIONAL', - name: { de: 'Besuchermanagement', en: 'Visitor Management' }, - description: { - de: 'Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen.', - en: 'Regulations for receiving, accompanying and registering visitors in security-relevant areas.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, - ], - applicabilityConditions: [ - { - field: 'architectureProfile.hostingModel', - operator: 'IN', - value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], - result: 'REQUIRED', - priority: 10, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Besucherrichtlinie', 'Besucherbuch/Protokolle'], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'LOW', - tags: ['physical-security', 'visitors'], - }, - { - id: 'TOM-AC-03', - code: 'TOM-AC-03', - category: 'ACCESS_CONTROL', - type: 'TECHNICAL', - name: { de: 'Videoüberwachung', en: 'Video Surveillance' }, - description: { - de: 'Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen.', - en: 'Installation of video surveillance systems to control and document access to sensitive areas.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.4' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'RECOMMENDED', - priority: 15, - }, - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'RECOMMENDED', - priority: 20, - }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: [ - 'Videoüberwachungskonzept', - 'Datenschutz-Folgenabschätzung für Videoüberwachung', - ], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'MEDIUM', - tags: ['physical-security', 'monitoring'], - }, - { - id: 'TOM-AC-04', - code: 'TOM-AC-04', - category: 'ACCESS_CONTROL', - type: 'TECHNICAL', - name: { de: 'Alarmanlage', en: 'Alarm System' }, - description: { - de: 'Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten.', - en: 'Intrusion detection system to protect premises outside business hours.', - }, - mappings: [ - { framework: 
'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.1' }, - ], - applicabilityConditions: [ - { - field: 'architectureProfile.hostingModel', - operator: 'IN', - value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], - result: 'RECOMMENDED', - priority: 10, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Alarmkonzept', 'Wartungsprotokolle'], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'MEDIUM', - tags: ['physical-security', 'intrusion-detection'], - }, - { - id: 'TOM-AC-05', - code: 'TOM-AC-05', - category: 'ACCESS_CONTROL', - type: 'ORGANIZATIONAL', - name: { de: 'Schlüsselmanagement', en: 'Key Management' }, - description: { - de: 'Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit.', - en: 'Documented management and distribution of physical keys with traceability.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, - ], - applicabilityConditions: [ - { - field: 'architectureProfile.hostingModel', - operator: 'IN', - value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], - result: 'REQUIRED', - priority: 10, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'Schlüsselausgabeprotokoll', - 'Schlüsselverwaltungsrichtlinie', - ], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'LOW', - tags: ['physical-security', 'keys'], - }, - - // ADMISSION CONTROL - { - id: 'TOM-ADM-01', - code: 'TOM-ADM-01', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { - de: 'Multi-Faktor-Authentifizierung', - en: 'Multi-Factor Authentication', - }, - description: { - de: 'Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten.', - en: 'Implementation of two- or multi-factor authentication for system access to critical systems and data.', - }, - mappings: [ - 
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, - ], - applicabilityConditions: [ - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 30, - }, - { - field: 'dataProfile.processesMinors', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'REQUIRED', - priority: 20, - }, - { - field: 'companyProfile.role', - operator: 'EQUALS', - value: 'PROCESSOR', - result: 'REQUIRED', - priority: 15, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'MFA-Konfigurationsdokumentation', - 'Nutzerstatistiken zur MFA-Nutzung', - ], - reviewFrequency: 'QUARTERLY', - priority: 'CRITICAL', - complexity: 'MEDIUM', - tags: ['authentication', 'mfa', 'identity'], - }, - { - id: 'TOM-ADM-02', - code: 'TOM-ADM-02', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { de: 'Passwortrichtlinien', en: 'Password Policies' }, - description: { - de: 'Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie).', - en: 'Enforcement of technical password policies (minimum length, complexity, regular changes, history).', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.3' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: ['Passwortrichtlinie', 'Technische Konfiguration'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['authentication', 'passwords'], - }, - { - id: 'TOM-ADM-03', - code: 'TOM-ADM-03', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { de: 'Single Sign-On (SSO)', en: 'Single Sign-On (SSO)' }, - description: { - de: 'Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit.', - en: 'Centralized authentication via SSO to improve security and usability.', - }, - mappings: [{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.4' }], - applicabilityConditions: [ - { - field: 'companyProfile.size', - operator: 'IN', - value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], - result: 'RECOMMENDED', - priority: 10, - }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: [ - 'SSO-Konfigurationsdokumentation', - 'Integrierte Anwendungsliste', - ], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'HIGH', - tags: ['authentication', 'sso', 'identity'], - }, - { - id: 'TOM-ADM-04', - code: 'TOM-ADM-04', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { de: 'Automatische Bildschirmsperre', en: 'Automatic Screen Lock' }, - description: { - de: 'Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung.', - en: 'Automatic locking of workstations after inactivity with required re-authentication.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.8' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: ['GPO/MDM-Konfiguration', 'Richtliniendokumentation'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['workstation', 'security'], - }, - { - id: 'TOM-ADM-05', - code: 'TOM-ADM-05', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { - de: 'Kontosperrung nach Fehlversuchen', - en: 'Account Lockout After Failed Attempts', - }, - description: { - de: 'Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen.', - en: 'Automatic temporary locking of user accounts after multiple failed login attempts.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Konfigurationsdokumentation', - 'Protokollierung der Sperrereignisse', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['authentication', 'brute-force-protection'], - }, - - // ACCESS AUTHORIZATION - { - id: 'TOM-AZ-01', - code: 'TOM-AZ-01', - category: 'ACCESS_AUTHORIZATION', - type: 'TECHNICAL', - name: { - de: 'Rollenbasierte Zugriffskontrolle (RBAC)', - en: 'Role-Based Access Control (RBAC)', - }, - description: { - de: 'Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip.', - en: 'Implementation of a role-based permission system to control data access according to the need-to-know principle.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Berechtigungskonzept', - 'Rollenmatrix', - 'Berechtigungsaudits', - ], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'CRITICAL', - complexity: 'MEDIUM', - tags: ['authorization', 'rbac', 'access'], - }, - { - id: 'TOM-AZ-02', - code: 'TOM-AZ-02', - category: 'ACCESS_AUTHORIZATION', - type: 'ORGANIZATIONAL', - name: { - de: 'Berechtigungsverwaltungsprozess', - en: 'Authorization Management Process', - }, - description: { - de: 'Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen.', - en: 'Documented process for requesting, approving and revoking access permissions.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.2' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Berechtigungsanträge', - 'Genehmigungsprotokolle', - 'Prozessdokumentation', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['authorization', 'process'], - }, - { - id: 'TOM-AZ-03', - code: 'TOM-AZ-03', - category: 'ACCESS_AUTHORIZATION', - type: 'TECHNICAL', - name: { - de: 'Privileged Access Management (PAM)', - en: 'Privileged Access Management (PAM)', - }, - description: { - de: 'Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows.', - en: 'Special controls for privileged accounts (admins) with recording, time limits and approval workflows.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'REQUIRED', - priority: 20, - }, - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - { - field: 'companyProfile.size', - operator: 'IN', - value: ['LARGE', 'ENTERPRISE'], - result: 'RECOMMENDED', - priority: 10, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'PAM-Konfiguration', - 'Sitzungsaufzeichnungen', - 'Audit-Logs', - ], - reviewFrequency: 'QUARTERLY', - priority: 'CRITICAL', - complexity: 'HIGH', - tags: ['authorization', 'pam', 'privileged'], - }, - { - id: 'TOM-AZ-04', - code: 'TOM-AZ-04', - category: 'ACCESS_AUTHORIZATION', - type: 'ORGANIZATIONAL', - name: { - de: 'Regelmäßige Berechtigungsrezertifizierung', - en: 'Regular Authorization Recertification', - }, - description: { - de: 'Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten.', - en: 'Periodic review of all access permissions by respective supervisors.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Rezertifizierungsprotokolle', - 'Prozessdokumentation', - ], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['authorization', 'review'], - }, - { - id: 'TOM-AZ-05', - code: 'TOM-AZ-05', - category: 'ACCESS_AUTHORIZATION', - type: 'TECHNICAL', - name: { - de: 'Datenklassifizierung und Label', - en: 'Data Classification and Labeling', - }, - description: { - de: 'Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen.', - en: 'Technical implementation of data classification with corresponding access controls.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.8.2' }, - ], - applicabilityConditions: [ - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'RECOMMENDED', - priority: 15, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Klassifizierungsschema', 'Label-Konfiguration'], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'HIGH', - tags: ['classification', 'labeling'], - }, - - // TRANSFER CONTROL - { - id: 'TOM-TR-01', - code: 'TOM-TR-01', - category: 'TRANSFER_CONTROL', - type: 'TECHNICAL', - name: { de: 'Transportverschlüsselung (TLS)', en: 'Transport Encryption (TLS)' }, - description: { - de: 'Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher.', - en: 'Encryption of all data transfers using TLS 1.2 or higher.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['TLS-Konfigurationsdokumentation', 'SSL/TLS-Scans'],
- reviewFrequency: 'QUARTERLY',
- priority: 'CRITICAL',
- complexity: 'MEDIUM',
- tags: ['encryption', 'transport', 'tls'],
- },
- {
- id: 'TOM-TR-02',
- code: 'TOM-TR-02',
- category: 'TRANSFER_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'VPN für Fernzugriff', en: 'VPN for Remote Access' },
- description: {
- de: 'Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke.',
- en: 'Use of VPN connections for secure remote access to corporate networks.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hostingModel',
- operator: 'IN',
- value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
- result: 'REQUIRED',
- priority: 15,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['VPN-Konfiguration', 'Nutzungsstatistiken'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['vpn', 'remote-access'],
- },
- {
- id: 'TOM-TR-03',
- code: 'TOM-TR-03',
- category: 'TRANSFER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: { de: 'Richtlinie zur Datenübermittlung', en: 'Data Transfer Policy' },
- description: {
- de: 'Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern.',
- en: 'Documented policy for secure transfer of personal data internally and externally.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Datenübermittlungsrichtlinie', 'Schulungsnachweise'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['policy', 'transfer'],
- },
- {
- id: 'TOM-TR-04',
- code: 'TOM-TR-04',
- category: 'TRANSFER_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'E-Mail-Verschlüsselung', en: 'Email Encryption' },
- description: {
- de: 'Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation.',
- en: 'Implementation of email encryption (S/MIME, PGP) for confidential communication.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.hasSpecialCategories',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 25,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'E-Mail-Verschlüsselungskonzept',
- 'Konfigurationsdokumentation',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['encryption', 'email'],
- },
- {
- id: 'TOM-TR-05',
- code: 'TOM-TR-05',
- category: 'TRANSFER_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'Data Loss Prevention (DLP)', en: 'Data Loss Prevention (DLP)' },
- description: {
- de: 'Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse.',
- en: 'Technical measures to prevent unintentional or unauthorized data leakage.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.hasSpecialCategories',
- operator: 'EQUALS',
- value: true,
- result: 'RECOMMENDED',
- priority: 25,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'EQUALS',
- value: 'VERY_HIGH',
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'companyProfile.size',
- operator: 'IN',
- value: ['LARGE', 'ENTERPRISE'],
- result: 'RECOMMENDED',
- priority: 10,
- },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['DLP-Konfiguration', 'Vorfallsberichte'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'HIGH',
- tags: ['dlp', 'data-protection'],
- },
-
- // INPUT CONTROL
- {
- id: 'TOM-IN-01',
- code: 'TOM-IN-01',
- category: 'INPUT_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'Audit-Logging', en: 'Audit Logging' },
- description: {
- de: 'Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation.',
- en: 'Comprehensive logging of all data processing activities with timestamp and user identification.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Logging-Konzept', 'Log-Konfiguration', 'Beispiel-Logs'],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'MEDIUM',
- tags: ['logging', 'audit'],
- },
- {
- id: 'TOM-IN-02',
- code: 'TOM-IN-02',
- category: 'INPUT_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'Änderungsprotokollierung (Change Log)', en: 'Change Logging' },
- description: {
- de: 'Automatische Protokollierung aller Änderungen an personenbezogenen Daten.',
- en: 'Automatic logging of all changes to personal data.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Change-Log-Konfiguration', 'Beispielprotokolle'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['logging', 'change-tracking'],
- },
- {
- id: 'TOM-IN-03',
- code: 'TOM-IN-03',
- category: 'INPUT_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'Eingabevalidierung', en: 'Input Validation' },
- description: {
- de: 'Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen.',
- en: 'Technical validation of all inputs to prevent data manipulation and injection attacks.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Validierungsregeln', 'Code-Reviews'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['security', 'validation'],
- },
- {
- id: 'TOM-IN-04',
- code: 'TOM-IN-04',
- category: 'INPUT_CONTROL',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Log-Aufbewahrung und -Auswertung',
- en: 'Log Retention and Analysis',
- },
- description: {
- de: 'Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien.',
- en: 'Defined retention periods for logs and regular analysis to detect anomalies.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Log-Aufbewahrungsrichtlinie', 'Analyseberichte'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['logging', 'analysis', 'retention'],
- },
-
- // ORDER CONTROL
- {
- id: 'TOM-OR-01',
- code: 'TOM-OR-01',
- category: 'ORDER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Auftragsverarbeitungsverträge (AVV)',
- en: 'Data Processing Agreements (DPA)',
- },
- description: {
- de: 'Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern.',
- en: 'Conclusion of data processing agreements according to Art. 28 GDPR with all processors.',
- },
- mappings: [
- { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hasSubprocessors',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'companyProfile.role',
- operator: 'EQUALS',
- value: 'CONTROLLER',
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Unterschriebene AVVs',
- 'Auftragsverarbeiter-Verzeichnis',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'LOW',
- tags: ['contracts', 'avv', 'dpa'],
- },
- {
- id: 'TOM-OR-02',
- code: 'TOM-OR-02',
- category: 'ORDER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: { de: 'Auftragsverarbeiter-Prüfung', en: 'Processor Auditing' },
- description: {
- de: 'Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern.',
- en: 'Regular verification of technical and organizational measures at processors.',
- },
- mappings: [
- { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. 
h' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hasSubprocessors',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Audit-Berichte',
- 'Zertifikate der Auftragsverarbeiter',
- 'Prüfprotokolle',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['audit', 'processor'],
- },
- {
- id: 'TOM-OR-03',
- code: 'TOM-OR-03',
- category: 'ORDER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Weisungsgebundenheit dokumentieren',
- en: 'Document Instruction Compliance',
- },
- description: {
- de: 'Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern.',
- en: 'Documentation of instruction compliance by processors and employees.',
- },
- mappings: [
- { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. a' },
- { framework: 'GDPR_ART29', reference: 'Art. 29' },
- ],
- applicabilityConditions: [
- {
- field: 'companyProfile.role',
- operator: 'EQUALS',
- value: 'PROCESSOR',
- result: 'REQUIRED',
- priority: 30,
- },
- ],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Weisungsdokumentation', 'Schulungsnachweise'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['processor', 'instructions'],
- },
- {
- id: 'TOM-OR-04',
- code: 'TOM-OR-04',
- category: 'ORDER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Unterauftragsverarbeiter-Management',
- en: 'Sub-processor Management',
- },
- description: {
- de: 'Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern.',
- en: 'Documented procedure for approval and monitoring of sub-processors.',
- },
- mappings: [
- { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 
2, 4' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.3' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hasSubprocessors',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'companyProfile.role',
- operator: 'EQUALS',
- value: 'PROCESSOR',
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Unterauftragsverarbeiter-Liste',
- 'Genehmigungsprotokolle',
- 'AVVs mit Unterauftragsverarbeitern',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['sub-processor', 'management'],
- },
-
- // AVAILABILITY
- {
- id: 'TOM-AV-01',
- code: 'TOM-AV-01',
- category: 'AVAILABILITY',
- type: 'TECHNICAL',
- name: { de: 'Backup-Strategie', en: 'Backup Strategy' },
- description: {
- de: 'Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung.',
- en: 'Implementation of a comprehensive backup strategy with regular backups and retention.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Backup-Konzept', 'Backup-Protokolle', 'Restore-Tests'],
- reviewFrequency: 'QUARTERLY',
- priority: 'CRITICAL',
- complexity: 'MEDIUM',
- tags: ['backup', 'recovery'],
- },
- {
- id: 'TOM-AV-02',
- code: 'TOM-AV-02',
- category: 'AVAILABILITY',
- type: 'TECHNICAL',
- name: { de: 'Redundante Systeme', en: 'Redundant Systems' },
- description: {
- de: 'Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit.',
- en: 'Implementation of redundancy for critical systems to ensure availability.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
- ],
- applicabilityConditions: [
- {
- field: 'riskProfile.ciaAssessment.availability',
- operator: 'GREATER_THAN',
- value: 3,
- result: 'REQUIRED',
- priority: 20,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'EQUALS',
- value: 'VERY_HIGH',
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['Redundanzkonzept', 'Architekturdokumentation'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'HIGH',
- tags: ['redundancy', 'availability'],
- },
- {
- id: 'TOM-AV-03',
- code: 'TOM-AV-03',
- category: 'AVAILABILITY',
- type: 'TECHNICAL',
- name: {
- de: 'Unterbrechungsfreie Stromversorgung (USV)',
- en: 'Uninterruptible Power Supply (UPS)',
- },
- description: {
- de: 'Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen.',
- en: 'Use of UPS systems to protect critical systems from power failures.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.2' },
- { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.2' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hostingModel',
- operator: 'IN',
- value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
- result: 'REQUIRED',
- priority: 15,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['USV-Dokumentation', 'Wartungsprotokolle'],
- reviewFrequency: 'ANNUAL',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['power', 'infrastructure'],
- },
- {
- id: 'TOM-AV-04',
- code: 'TOM-AV-04',
- category: 'AVAILABILITY',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Notfallvorsorge (Business Continuity)',
- en: 'Business Continuity Planning',
- },
- description: {
- de: 'Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse.',
- en: 'Documented emergency preparedness to maintain critical business processes.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.1' },
- ],
- applicabilityConditions: [
- {
- field: 'riskProfile.ciaAssessment.availability',
- operator: 'GREATER_THAN',
- value: 2,
- result: 'REQUIRED',
- priority: 15,
- },
- ],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Business-Continuity-Plan',
- 'Notfallkontakte',
- 'Übungsprotokolle',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['bcp', 'continuity'],
- },
- {
- id: 'TOM-AV-05',
- code: 'TOM-AV-05',
- category: 'AVAILABILITY',
- type: 'TECHNICAL',
- name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
- description: {
- de: 'Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen.',
- en: 'Continuous monitoring of system availability with automatic notifications for outages.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Monitoring-Konfiguration',
- 'Alert-Regeln',
- 'Verfügbarkeitsberichte',
- ],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['monitoring', 'alerting'],
- },
-
- // SEPARATION
- {
- id: 'TOM-SE-01',
- code: 'TOM-SE-01',
- category: 'SEPARATION',
- type: 'TECHNICAL',
- name: { de: 'Mandantentrennung', en: 'Multi-Tenant Separation' },
- description: {
- de: 'Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen.',
- en: 'Technical separation of data from different customers/tenants in multi-tenant systems.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.multiTenancy',
- operator: 'EQUALS',
- value: 'MULTI_TENANT',
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'companyProfile.role',
- operator: 'EQUALS',
- value: 'PROCESSOR',
- result: 'REQUIRED',
- priority: 20,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Mandantentrennungskonzept',
- 'Architekturdokumentation',
- 'Penetrationstest-Ergebnisse',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'HIGH',
- tags: ['multi-tenant', 'separation'],
- },
- {
- id: 'TOM-SE-02',
- code: 'TOM-SE-02',
- category: 'SEPARATION',
- type: 'TECHNICAL',
- name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' },
- description: {
- de: 'Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche.',
- en: 'Network segmentation to separate different security zones and data processing areas.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hostingModel',
- operator: 'IN',
- value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
- result: 'REQUIRED',
- priority: 15,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'REQUIRED',
- priority: 20,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['Netzwerkdiagramm', 'Firewall-Regeln'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['network', 'segmentation'],
- },
- {
- id: 'TOM-SE-03',
- code: 'TOM-SE-03',
- category: 'SEPARATION',
- type: 'TECHNICAL',
- name: {
- de: 'Umgebungstrennung (Dev/Test/Prod)',
- en: 'Environment Separation (Dev/Test/Prod)',
- },
- description: {
- de: 'Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen.',
- en: 'Strict separation of development, test and production environments.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.4' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Umgebungsdokumentation',
- 'Zugriffsrechte je Umgebung',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['environments', 'separation'],
- },
- {
- id: 'TOM-SE-04',
- code: 'TOM-SE-04',
- category: 'SEPARATION',
- type: 'ORGANIZATIONAL',
- name: { de: 'Zweckbindung dokumentieren', en: 'Document Purpose Limitation' },
- description: {
- de: 'Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung.',
- en: 'Documentation and technical enforcement of purpose limitation in data processing.',
- },
- mappings: [
- { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. b' },
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Verarbeitungsverzeichnis', 'Zweckdokumentation'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['purpose-limitation', 'documentation'],
- },
-
- // ENCRYPTION
- {
- id: 'TOM-ENC-01',
- code: 'TOM-ENC-01',
- category: 'ENCRYPTION',
- type: 'TECHNICAL',
- name: { de: 'Verschlüsselung ruhender Daten', en: 'Encryption at Rest' },
- description: {
- de: 'Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen.',
- en: 'Encryption of all stored personal data using modern encryption algorithms.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.hasSpecialCategories',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'REQUIRED',
- priority: 20,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Verschlüsselungskonzept',
- 'Konfigurationsdokumentation',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'MEDIUM',
- tags: ['encryption', 'at-rest'],
- },
- {
- id: 'TOM-ENC-02',
- code: 'TOM-ENC-02',
- category: 'ENCRYPTION',
- type: 'TECHNICAL',
- name: { de: 'Schlüsselmanagement', en: 'Key Management' },
- description: {
- de: 'Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel.',
- en: 'Secure process for generation, storage, rotation and destruction of cryptographic keys.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.encryptionAtRest',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 30,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Schlüsselmanagement-Richtlinie',
- 'HSM/KMS-Dokumentation',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'HIGH',
- tags: ['encryption', 'key-management'],
- },
- {
- id: 'TOM-ENC-03',
- code: 'TOM-ENC-03',
- category: 'ENCRYPTION',
- type: 'TECHNICAL',
- name: { de: 'Datenbank-Verschlüsselung', en: 'Database Encryption' },
- description: {
- de: 'Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder.',
- en: 'Encryption of databases at database level or individual field level.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.hasSpecialCategories',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'dataProfile.dataVolume',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Datenbank-Verschlüsselungskonfiguration',
- 'Feldverschlüsselungsmatrix',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['encryption', 'database'],
- },
-
- // PSEUDONYMIZATION
- {
- id: 'TOM-PS-01',
- code: 'TOM-PS-01',
- category: 'PSEUDONYMIZATION',
- type: 'TECHNICAL',
- name: { de: 'Pseudonymisierungsverfahren', en: 'Pseudonymization Procedures' },
- description: {
- de: 'Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten.',
- en: 'Implementation of pseudonymization procedures to reduce the personal reference of data.',
- },
- mappings: [
- { 
framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
- { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.hasSpecialCategories',
- operator: 'EQUALS',
- value: true,
- result: 'REQUIRED',
- priority: 25,
- },
- {
- field: 'dataProfile.dataVolume',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: [
- 'Pseudonymisierungskonzept',
- 'Mapping-Tabellen-Sicherheit',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'HIGH',
- tags: ['pseudonymization', 'data-minimization'],
- },
- {
- id: 'TOM-PS-02',
- code: 'TOM-PS-02',
- category: 'PSEUDONYMIZATION',
- type: 'ORGANIZATIONAL',
- name: {
- de: 'Datenanonymisierung für Analysen',
- en: 'Data Anonymization for Analytics',
- },
- description: {
- de: 'Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke.',
- en: 'Procedures for anonymizing data for analysis and statistical purposes.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
- { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 
1' },
- ],
- applicabilityConditions: [
- {
- field: 'dataProfile.dataVolume',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: [
- 'Anonymisierungskonzept',
- 'Risikoanalyse zur Re-Identifizierung',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'MEDIUM',
- complexity: 'HIGH',
- tags: ['anonymization', 'analytics'],
- },
-
- // RESILIENCE
- {
- id: 'TOM-RE-01',
- code: 'TOM-RE-01',
- category: 'RESILIENCE',
- type: 'TECHNICAL',
- name: { de: 'Load Balancing', en: 'Load Balancing' },
- description: {
- de: 'Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last.',
- en: 'Implementation of load balancing to ensure system stability under high load.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
- ],
- applicabilityConditions: [
- {
- field: 'riskProfile.ciaAssessment.availability',
- operator: 'GREATER_THAN',
- value: 3,
- result: 'REQUIRED',
- priority: 20,
- },
- {
- field: 'dataProfile.dataVolume',
- operator: 'IN',
- value: ['HIGH', 'VERY_HIGH'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['Load-Balancer-Konfiguration', 'Kapazitätsplanung'],
- reviewFrequency: 'QUARTERLY',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['resilience', 'load-balancing'],
- },
- {
- id: 'TOM-RE-02',
- code: 'TOM-RE-02',
- category: 'RESILIENCE',
- type: 'TECHNICAL',
- name: { de: 'DDoS-Schutz', en: 'DDoS Protection' },
- description: {
- de: 'Maßnahmen zum Schutz vor Distributed Denial of Service Angriffen.',
- en: 'Measures to protect against Distributed Denial of Service attacks.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hostingModel',
- operator: 'IN',
- value: ['PUBLIC_CLOUD', 'HYBRID'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- {
- field: 'riskProfile.protectionLevel',
- operator: 'EQUALS',
- value: 'VERY_HIGH',
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['DDoS-Schutzkonzept', 'WAF-Konfiguration'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['security', 'ddos'],
- },
- {
- id: 'TOM-RE-03',
- code: 'TOM-RE-03',
- category: 'RESILIENCE',
- type: 'TECHNICAL',
- name: { de: 'Auto-Scaling', en: 'Auto-Scaling' },
- description: {
- de: 'Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last.',
- en: 'Automatic scaling of resources based on actual load.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
- ],
- applicabilityConditions: [
- {
- field: 'architectureProfile.hostingModel',
- operator: 'IN',
- value: ['PUBLIC_CLOUD', 'HYBRID'],
- result: 'RECOMMENDED',
- priority: 15,
- },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['Auto-Scaling-Konfiguration', 'Kapazitätsmetriken'],
- reviewFrequency: 'QUARTERLY',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['cloud', 'scaling'],
- },
-
- // RECOVERY
- {
- id: 'TOM-RC-01',
- code: 'TOM-RC-01',
- category: 'RECOVERY',
- type: 'TECHNICAL',
- name: { de: 'Disaster Recovery Plan', en: 'Disaster Recovery Plan' },
- description: {
- de: 'Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall.',
- en: 'Documented and tested plan for restoring IT systems after a disaster.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
c' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.2' },
- ],
- applicabilityConditions: [
- {
- field: 'riskProfile.ciaAssessment.availability',
- operator: 'GREATER_THAN',
- value: 2,
- result: 'REQUIRED',
- priority: 20,
- },
- ],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Disaster-Recovery-Plan',
- 'Test-Protokolle',
- 'RTO/RPO-Definitionen',
- ],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'HIGH',
- tags: ['disaster-recovery', 'bcp'],
- },
- {
- id: 'TOM-RC-02',
- code: 'TOM-RC-02',
- category: 'RECOVERY',
- type: 'TECHNICAL',
- name: { de: 'Geo-Redundanz', en: 'Geo-Redundancy' },
- description: {
- de: 'Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen.',
- en: 'Geographically distributed data storage to ensure availability during regional outages.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
- ],
- applicabilityConditions: [
- {
- field: 'riskProfile.protectionLevel',
- operator: 'EQUALS',
- value: 'VERY_HIGH',
- result: 'REQUIRED',
- priority: 30,
- },
- {
- field: 'riskProfile.ciaAssessment.availability',
- operator: 'GREATER_THAN',
- value: 4,
- result: 'REQUIRED',
- priority: 25,
- },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['Geo-Redundanz-Konzept', 'Standort-Dokumentation'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'HIGH',
- tags: ['geo-redundancy', 'availability'],
- },
- {
- id: 'TOM-RC-03',
- code: 'TOM-RC-03',
- category: 'RECOVERY',
- type: 'ORGANIZATIONAL',
- name: { de: 'Wiederherstellungstests', en: 'Recovery Testing' },
- description: {
- de: 'Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie.',
- en: 'Regular testing of recovery procedures to validate backup and DR strategy.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
1 lit. d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: [
- 'Test-Protokolle',
- 'Wiederherstellungszeiten',
- 'Maßnahmenplan bei Fehlern',
- ],
- reviewFrequency: 'SEMI_ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['testing', 'recovery'],
- },
-
- // REVIEW
- {
- id: 'TOM-RV-01',
- code: 'TOM-RV-01',
- category: 'REVIEW',
- type: 'ORGANIZATIONAL',
- name: { de: 'Regelmäßige TOM-Überprüfung', en: 'Regular TOM Review' },
- description: {
- de: 'Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen.',
- en: 'Periodic review and update of technical and organizational measures.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Überprüfungsprotokolle', 'Maßnahmenplan'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['review', 'compliance'],
- },
- {
- id: 'TOM-RV-02',
- code: 'TOM-RV-02',
- category: 'REVIEW',
- type: 'TECHNICAL',
- name: { de: 'Penetrationstests', en: 'Penetration Testing' },
- description: {
- de: 'Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer.',
- en: 'Regular penetration testing by qualified testers.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.3' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'REQUIRED', - priority: 20, - }, - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Penetrationstest-Berichte', 'Maßnahmenplan'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['security-testing', 'pentest'], - }, - { - id: 'TOM-RV-03', - code: 'TOM-RV-03', - category: 'REVIEW', - type: 'TECHNICAL', - name: { de: 'Schwachstellenscanning', en: 'Vulnerability Scanning' }, - description: { - de: 'Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen.', - en: 'Regular automated scanning for known vulnerabilities in systems and applications.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.12.6.1' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: ['Scan-Berichte', 'Behebungsnachweis'], - reviewFrequency: 'MONTHLY', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['security-testing', 'vulnerability'], - }, - { - id: 'TOM-RV-04', - code: 'TOM-RV-04', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { de: 'Sicherheitsaudits', en: 'Security Audits' }, - description: { - de: 'Durchführung regelmäßiger interner oder externer Sicherheitsaudits.', - en: 'Conducting regular internal or external security audits.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.protectionLevel', - operator: 'IN', - value: ['HIGH', 'VERY_HIGH'], - result: 'REQUIRED', - priority: 20, - }, - { - field: 'companyProfile.role', - operator: 'EQUALS', - value: 'PROCESSOR', - result: 'REQUIRED', - priority: 15, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Audit-Berichte', 'Zertifikate', 'Maßnahmenplan'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['audit', 'compliance'], - }, - { - id: 'TOM-RV-05', - code: 'TOM-RV-05', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { de: 'Datenschutzschulung', en: 'Data Protection Training' }, - description: { - de: 'Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit.', - en: 'Regular training of all employees on data protection and IT security.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2.2' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Schulungskonzept', - 'Teilnehmerlisten', - 'Schulungsnachweise', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['training', 'awareness'], - }, - { - id: 'TOM-RV-06', - code: 'TOM-RV-06', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { de: 'Incident Response Plan', en: 'Incident Response Plan' }, - description: { - de: 'Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen.', - en: 'Documented procedure for detection, reporting and handling of security incidents.', - }, - mappings: [ - { framework: 'GDPR_ART33', reference: 'Art. 33' }, - { framework: 'GDPR_ART34', reference: 'Art. 
34' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.16.1.1' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Incident-Response-Plan', - 'Kontaktliste', - 'Meldeformulare', - 'Übungsprotokolle', - ], - reviewFrequency: 'ANNUAL', - priority: 'CRITICAL', - complexity: 'MEDIUM', - tags: ['incident-response', 'breach'], - }, - { - id: 'TOM-RV-07', - code: 'TOM-RV-07', - category: 'REVIEW', - type: 'TECHNICAL', - name: { - de: 'Security Information and Event Management (SIEM)', - en: 'Security Information and Event Management (SIEM)', - }, - description: { - de: 'Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen.', - en: 'Centralized collection and analysis of security events to detect attacks.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.protectionLevel', - operator: 'EQUALS', - value: 'VERY_HIGH', - result: 'REQUIRED', - priority: 30, - }, - { - field: 'companyProfile.size', - operator: 'IN', - value: ['LARGE', 'ENTERPRISE'], - result: 'RECOMMENDED', - priority: 15, - }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: [ - 'SIEM-Konfiguration', - 'Korrelationsregeln', - 'Alert-Berichte', - ], - reviewFrequency: 'QUARTERLY', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['siem', 'monitoring', 'detection'], - }, - { - id: 'TOM-RV-08', - code: 'TOM-RV-08', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { - de: 'Datenschutz-Folgenabschätzung (DSFA)', - en: 'Data Protection Impact Assessment (DPIA)', - }, - description: { - de: 'Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen.', - en: 'Conducting data protection impact assessments for high-risk processing.', - }, - mappings: [ - { framework: 'GDPR_ART35', reference: 'Art. 
35' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.18.1.4' }, - ], - applicabilityConditions: [ - { - field: 'riskProfile.dsfaRequired', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 30, - }, - { - field: 'dataProfile.hasSpecialCategories', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - { - field: 'dataProfile.processesMinors', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: [ - 'DSFA-Dokumentation', - 'Risikobewertung', - 'Maßnahmenplan', - ], - reviewFrequency: 'ANNUAL', - priority: 'CRITICAL', - complexity: 'HIGH', - tags: ['dpia', 'dsfa', 'risk-assessment'], - }, - - // ========================================================================= - // DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung - // ========================================================================= - { - id: 'TOM-DL-01', - code: 'TOM-DL-01', - category: 'SEPARATION', - type: 'TECHNICAL', - name: { - de: 'Sichere Datenloeschung', - en: 'Secure Data Deletion', - }, - description: { - de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).', - en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).', - }, - mappings: [ - { framework: 'GDPR_ART17', reference: 'Art. 17' }, - { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. 
e' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, - { framework: 'BSI_C5', reference: 'SY-09' }, - ], - applicabilityConditions: [ - { - field: 'dataProfile.dataVolume', - operator: 'NOT_EQUALS', - value: 'NONE', - result: 'REQUIRED', - priority: 30, - }, - ], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Loeschkonzept / Loeschrichtlinie', - 'Loeschprotokolle mit Zeitstempeln', - 'DIN 66399 Konformitaetsnachweis', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'], - }, - { - id: 'TOM-DL-02', - code: 'TOM-DL-02', - category: 'SEPARATION', - type: 'TECHNICAL', - name: { - de: 'Datentraegervernichtung', - en: 'Media Destruction', - }, - description: { - de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.', - en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
1' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' }, - { framework: 'BSI_C5', reference: 'AM-08' }, - ], - applicabilityConditions: [ - { - field: 'dataProfile.dataVolume', - operator: 'NOT_EQUALS', - value: 'NONE', - result: 'RECOMMENDED', - priority: 20, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'Vernichtungsprotokoll mit Seriennummern', - 'Zertifikat des Vernichtungsdienstleisters', - 'DIN 66399 Sicherheitsstufe-Nachweis', - ], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'LOW', - tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'], - }, - { - id: 'TOM-DL-03', - code: 'TOM-DL-03', - category: 'SEPARATION', - type: 'ORGANIZATIONAL', - name: { - de: 'Loeschprotokollierung', - en: 'Deletion Logging', - }, - description: { - de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.', - en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.', - }, - mappings: [ - { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 
2 (Rechenschaftspflicht)' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, - ], - applicabilityConditions: [ - { - field: 'dataProfile.dataVolume', - operator: 'NOT_EQUALS', - value: 'NONE', - result: 'REQUIRED', - priority: 25, - }, - ], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Loeschprotokoll-Template', - 'Archivierte Loeschprotokolle (Stichprobe)', - 'Automatisierungsnachweis (bei automatischen Loeschungen)', - ], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['deletion', 'logging', 'accountability', 'documentation'], - }, - { - id: 'TOM-DL-04', - code: 'TOM-DL-04', - category: 'SEPARATION', - type: 'TECHNICAL', - name: { - de: 'Backup-Bereinigung', - en: 'Backup Sanitization', - }, - description: { - de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.', - en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.', - }, - mappings: [ - { framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 
2' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' }, - ], - applicabilityConditions: [ - { - field: 'techProfile.hasBackups', - operator: 'EQUALS', - value: true, - result: 'REQUIRED', - priority: 25, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'Backup-Loeschkonzept', - 'Backup-Rotationsplan', - 'Nachweis der Backup-Bereinigung', - ], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'MEDIUM', - complexity: 'HIGH', - tags: ['deletion', 'backup', 'data-lifecycle', 'retention'], - }, - - // ========================================================================= - // SCHULUNG / VERTRAULICHKEIT — Training & Awareness - // ========================================================================= - { - id: 'TOM-TR-01', - code: 'TOM-TR-01', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { - de: 'Datenschutzschulung', - en: 'Data Protection Training', - }, - description: { - de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.', - en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.', - }, - mappings: [ - { framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' }, - { framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. 
n' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, - ], - applicabilityConditions: [ - { - field: 'orgProfile.employeeCount', - operator: 'GREATER_THAN', - value: 0, - result: 'REQUIRED', - priority: 30, - }, - ], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Schulungsplan (jaehrlich)', - 'Teilnahmelisten / Schulungsnachweise', - 'Schulungsmaterialien / Praesentation', - 'Wissenstest-Ergebnisse (optional)', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['training', 'schulung', 'awareness', 'organizational'], - }, - { - id: 'TOM-TR-02', - code: 'TOM-TR-02', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { - de: 'Verpflichtung auf Datengeheimnis', - en: 'Confidentiality Obligation', - }, - description: { - de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.', - en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.', - }, - mappings: [ - { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' }, - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
4' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' }, - ], - applicabilityConditions: [ - { - field: 'orgProfile.employeeCount', - operator: 'GREATER_THAN', - value: 0, - result: 'REQUIRED', - priority: 30, - }, - ], - defaultApplicability: 'REQUIRED', - evidenceRequirements: [ - 'Muster-Verpflichtungserklaerung', - 'Unterschriebene Verpflichtungserklaerungen', - 'Register der verpflichteten Personen', - ], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'], - }, - { - id: 'TOM-TR-03', - code: 'TOM-TR-03', - category: 'REVIEW', - type: 'ORGANIZATIONAL', - name: { - de: 'Security Awareness Programm', - en: 'Security Awareness Program', - }, - description: { - de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.', - en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, - { framework: 'BSI_C5', reference: 'ORP.3' }, - ], - applicabilityConditions: [ - { - field: 'orgProfile.employeeCount', - operator: 'GREATER_THAN', - value: 10, - result: 'REQUIRED', - priority: 20, - }, - { - field: 'orgProfile.employeeCount', - operator: 'GREATER_THAN', - value: 0, - result: 'RECOMMENDED', - priority: 15, - }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: [ - 'Awareness-Programm-Dokumentation', - 'Phishing-Simulationsergebnisse', - 'Teilnahmenachweise', - ], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'MEDIUM', - complexity: 'MEDIUM', - tags: ['training', 'security-awareness', 'phishing', 'social-engineering'], - }, - - // ========================================================================= - // NEW CONTROLS (v1.1.0) — 25 additional measures - // ========================================================================= - - // ENCRYPTION — 2 new - { - id: 'TOM-ENC-04', - code: 'TOM-ENC-04', - category: 'ENCRYPTION', - type: 'TECHNICAL', - name: { de: 'Zertifikatsmanagement (TLS/SSL)', en: 'Certificate Management (TLS/SSL)' }, - description: { - de: 'Systematische Verwaltung, Ueberwachung und rechtzeitige Erneuerung aller TLS/SSL-Zertifikate zur Vermeidung von Sicherheitsluecken durch abgelaufene Zertifikate.', - en: 'Systematic management, monitoring and timely renewal of all TLS/SSL certificates to prevent security gaps from expired certificates.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.1' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.encryptionInTransit', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Zertifikatsinventar', 'Monitoring-Konfiguration', 'Erneuerungsprotokolle'], - reviewFrequency: 'QUARTERLY', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['encryption', 'certificates', 'tls'], - }, - { - id: 'TOM-ENC-05', - code: 'TOM-ENC-05', - category: 'ENCRYPTION', - type: 'ORGANIZATIONAL', - name: { de: 'Schluesselmanagement-Policy', en: 'Key Management Policy' }, - description: { - de: 'Dokumentierte Richtlinie fuer den gesamten Lebenszyklus kryptografischer Schluessel inkl. Erzeugung, Verteilung, Speicherung, Rotation und Vernichtung.', - en: 'Documented policy for the full lifecycle of cryptographic keys including generation, distribution, storage, rotation and destruction.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.encryptionAtRest', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Schluesselmanagement-Richtlinie', 'Schluesselrotationsplan'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'LOW', - tags: ['encryption', 'key-management', 'policy'], - }, - - // PSEUDONYMIZATION — 2 new - { - id: 'TOM-PS-03', - code: 'TOM-PS-03', - category: 'PSEUDONYMIZATION', - type: 'TECHNICAL', - name: { de: 'Anonymisierung fuer Analysezwecke', en: 'Anonymization for Analytics' }, - description: { - de: 'Technische Verfahren zur irreversiblen Anonymisierung personenbezogener Daten fuer statistische Auswertungen und Analysen.', - en: 'Technical procedures for irreversible anonymization of personal data for statistical evaluations and analyses.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, - { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 
1' }, - ], - applicabilityConditions: [ - { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: ['Anonymisierungsverfahren-Dokumentation', 'Re-Identifizierungs-Risikoanalyse'], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'HIGH', - tags: ['pseudonymization', 'anonymization', 'analytics'], - }, - { - id: 'TOM-PS-04', - code: 'TOM-PS-04', - category: 'PSEUDONYMIZATION', - type: 'ORGANIZATIONAL', - name: { de: 'Pseudonymisierungskonzept', en: 'Pseudonymization Concept' }, - description: { - de: 'Dokumentiertes Konzept fuer die Pseudonymisierung personenbezogener Daten mit Definition der Verfahren, Zustaendigkeiten und Zuordnungsregeln.', - en: 'Documented concept for pseudonymization of personal data with definition of procedures, responsibilities and mapping rules.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, - { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 
1' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.2' }, - ], - applicabilityConditions: [ - { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Pseudonymisierungskonzept', 'Verfahrensdokumentation'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['pseudonymization', 'concept', 'documentation'], - }, - - // INPUT_CONTROL — 1 new - { - id: 'TOM-IN-05', - code: 'TOM-IN-05', - category: 'INPUT_CONTROL', - type: 'TECHNICAL', - name: { de: 'Automatisierte Eingabevalidierung', en: 'Automated Input Validation' }, - description: { - de: 'Technische Validierung aller Benutzereingaben zur Verhinderung von Injection-Angriffen und Sicherstellung der Datenintegritaet.', - en: 'Technical validation of all user inputs to prevent injection attacks and ensure data integrity.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' }, - ], - applicabilityConditions: [], - defaultApplicability: 'REQUIRED', - evidenceRequirements: ['Validierungsregeln-Dokumentation', 'Penetrationstest-Berichte'], - reviewFrequency: 'QUARTERLY', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['input-validation', 'security', 'injection-prevention'], - }, - - // ORDER_CONTROL — 2 new - { - id: 'TOM-OR-05', - code: 'TOM-OR-05', - category: 'ORDER_CONTROL', - type: 'ORGANIZATIONAL', - name: { de: 'Auftragsverarbeiter-Monitoring', en: 'Processor Monitoring' }, - description: { - de: 'Regelmaessige Ueberpruefung und Bewertung der Datenschutz-Massnahmen bei Auftragsverarbeitern gemaess Art. 28 Abs. 3 lit. h DSGVO.', - en: 'Regular review and assessment of data protection measures at processors according to Art. 28(3)(h) GDPR.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 3 lit. 
h' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Audit-Berichte der Auftragsverarbeiter', 'Monitoring-Checklisten'], - reviewFrequency: 'ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['order-control', 'processor', 'monitoring'], - }, - { - id: 'TOM-OR-06', - code: 'TOM-OR-06', - category: 'ORDER_CONTROL', - type: 'ORGANIZATIONAL', - name: { de: 'Sub-Processor Management', en: 'Sub-Processor Management' }, - description: { - de: 'Dokumentiertes Verfahren zur Genehmigung, Ueberwachung und Dokumentation von Unterauftragsverarbeitern.', - en: 'Documented process for approval, monitoring and documentation of sub-processors.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 2, 4' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - { field: 'architectureProfile.subprocessorCount', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Sub-Processor-Register', 'Genehmigungsverfahren', 'Vertragsdokumentation'], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['order-control', 'sub-processor'], - }, - - // RESILIENCE — 2 new - { - id: 'TOM-RE-04', - code: 'TOM-RE-04', - category: 'RESILIENCE', - type: 'TECHNICAL', - name: { de: 'DDoS-Abwehr (erweitert)', en: 'DDoS Mitigation (Advanced)' }, - description: { - de: 'Erweiterte DDoS-Schutzmassnahmen inkl. 
Traffic-Analyse, automatischer Mitigation und Incident-Response-Integration.', - en: 'Advanced DDoS protection measures including traffic analysis, automatic mitigation and incident response integration.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' }, - ], - applicabilityConditions: [ - { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25 }, - { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: ['DDoS-Schutzkonzept (erweitert)', 'Mitigation-Berichte', 'Incident-Playbooks'], - reviewFrequency: 'QUARTERLY', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['resilience', 'ddos', 'advanced'], - }, - { - id: 'TOM-RE-05', - code: 'TOM-RE-05', - category: 'RESILIENCE', - type: 'ORGANIZATIONAL', - name: { de: 'Kapazitaetsplanung', en: 'Capacity Planning' }, - description: { - de: 'Systematische Planung und Ueberwachung von IT-Kapazitaeten zur Sicherstellung der Systemverfuegbarkeit bei wachsender Nutzung.', - en: 'Systematic planning and monitoring of IT capacities to ensure system availability with growing usage.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' }, - ], - applicabilityConditions: [ - { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Kapazitaetsplan', 'Trend-Analysen', 'Skalierungskonzept'], - reviewFrequency: 'QUARTERLY', - priority: 'MEDIUM', - complexity: 'MEDIUM', - tags: ['resilience', 'capacity', 'planning'], - }, - - // RECOVERY — 2 new - { - id: 'TOM-RC-04', - code: 'TOM-RC-04', - category: 'RECOVERY', - type: 'TECHNICAL', - name: { de: 'Georedundantes Backup', en: 'Geo-Redundant Backup' }, - description: { - de: 'Speicherung von Backup-Kopien an geografisch getrennten Standorten zum Schutz vor standortbezogenen Katastrophen.', - en: 'Storage of backup copies at geographically separated locations to protect against site-specific disasters.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.3' }, - ], - applicabilityConditions: [ - { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 }, - { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Georedundanz-Konzept', 'Backup-Standort-Dokumentation', 'Wiederherstellungstests'], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['recovery', 'backup', 'geo-redundancy'], - }, - { - id: 'TOM-RC-05', - code: 'TOM-RC-05', - category: 'RECOVERY', - type: 'ORGANIZATIONAL', - name: { de: 'Notfallwiederherstellungs-Tests', en: 'Disaster Recovery Testing' }, - description: { - de: 'Regelmaessige Durchfuehrung und Dokumentation von Notfallwiederherstellungstests zur Validierung der 
RTO/RPO-Ziele.', - en: 'Regular execution and documentation of disaster recovery tests to validate RTO/RPO targets.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c, d' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' }, - ], - applicabilityConditions: [ - { field: 'securityProfile.hasDRPlan', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['DR-Testberichte', 'RTO/RPO-Messungen', 'Verbesserungsmassnahmen'], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'MEDIUM', - tags: ['recovery', 'dr-testing', 'rto', 'rpo'], - }, - - // SEPARATION — 2 new - { - id: 'TOM-SE-05', - code: 'TOM-SE-05', - category: 'SEPARATION', - type: 'TECHNICAL', - name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' }, - description: { - de: 'Aufteilung des Netzwerks in separate Sicherheitszonen mit kontrollierten Uebergaengen zur Begrenzung der Ausbreitung von Sicherheitsvorfaellen.', - en: 'Division of the network into separate security zones with controlled transitions to limit the spread of security incidents.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'NET.1.1' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 }, - { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['Netzwerkplan', 'Firewall-Regeln', 'Segmentierungskonzept'], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['separation', 'network', 'segmentation'], - }, - { - id: 'TOM-SE-06', - code: 'TOM-SE-06', - category: 'SEPARATION', - type: 'TECHNICAL', - name: { de: 'Mandantenisolierung in Cloud', en: 'Tenant Isolation in Cloud' }, - description: { - de: 'Technische Sicherstellung der vollstaendigen Datentrennung zwischen verschiedenen Mandanten in Multi-Tenant-Cloud-Umgebungen.', - en: 'Technical assurance of complete data separation between different tenants in multi-tenant cloud environments.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, - ], - applicabilityConditions: [ - { field: 'architectureProfile.multiTenancy', operator: 'EQUALS', value: 'MULTI_TENANT', result: 'REQUIRED', priority: 30 }, - { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: ['Mandantentrennungskonzept', 'Isolierungstests', 'Cloud-Security-Assessment'], - reviewFrequency: 'SEMI_ANNUAL', - priority: 'CRITICAL', - complexity: 'HIGH', - tags: ['separation', 'multi-tenant', 'cloud'], - }, - - // ACCESS_CONTROL — 1 new - { - id: 'TOM-AC-06', - code: 'TOM-AC-06', - category: 'ACCESS_CONTROL', - type: 'ORGANIZATIONAL', - name: { de: 'Besuchermanagement (erweitert)', en: 'Visitor Management (Extended)' }, - description: { - de: 'Erweitertes Besuchermanagement mit Voranmeldung, Identitaetspruefung, Begleitpflicht und zeitlich begrenztem Zugang zu sicherheitsrelevanten Bereichen.', - en: 'Extended visitor management with pre-registration, identity verification, escort requirement and time-limited access to security-relevant areas.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, - ], - applicabilityConditions: [ - { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 }, - { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 15 }, - ], - defaultApplicability: 'OPTIONAL', - evidenceRequirements: ['Besuchermanagement-Richtlinie', 'Besucherprotokolle', 'Zonenkonzept'], - reviewFrequency: 'ANNUAL', - priority: 'MEDIUM', - complexity: 'LOW', - tags: ['physical-security', 'visitors', 'extended'], - }, - - // ADMISSION_CONTROL — 1 new - { - id: 'TOM-ADM-06', - code: 'TOM-ADM-06', - category: 'ADMISSION_CONTROL', - type: 'TECHNICAL', - name: { de: 'Endpoint Detection & Response (EDR)', en: 'Endpoint Detection & Response (EDR)' }, - description: { - de: 'Einsatz von EDR-Loesungen zur Erkennung und Abwehr von Bedrohungen auf Endgeraeten in Echtzeit.', - en: 'Deployment of EDR solutions for real-time threat detection and response on endpoints.', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, - { framework: 'ISO27001_ANNEX_A', reference: 'A.12.2.1' }, - { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.4' }, - ], - applicabilityConditions: [ - { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 }, - { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 }, - ], - defaultApplicability: 'RECOMMENDED', - evidenceRequirements: ['EDR-Konfiguration', 'Bedrohungsberichte', 'Incident-Response-Statistiken'], - reviewFrequency: 'QUARTERLY', - priority: 'HIGH', - complexity: 'HIGH', - tags: ['endpoint', 'edr', 'threat-detection'], - }, - - // ACCESS_AUTHORIZATION — 2 new - { - id: 'TOM-AZ-06', - code: 'TOM-AZ-06', - category: 'ACCESS_AUTHORIZATION', - type: 'TECHNICAL', - name: { de: 'API-Zugriffskontrolle', en: 'API Access Control' }, - description: { - de: 'Implementierung von Authentifizierungs- und Autorisierungsmechanismen fuer APIs (OAuth 2.0, API-Keys, Rate Limiting).', - en: 'Implementation of authentication and authorization mechanisms for APIs (OAuth 2.0, API keys, rate limiting).', - }, - mappings: [ - { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.1' },
- ],
- applicabilityConditions: [
- { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['API-Security-Konzept', 'OAuth-Konfiguration', 'Rate-Limiting-Regeln'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['authorization', 'api', 'oauth'],
- },
- {
- id: 'TOM-AZ-07',
- code: 'TOM-AZ-07',
- category: 'ACCESS_AUTHORIZATION',
- type: 'ORGANIZATIONAL',
- name: { de: 'Regelmaessiger Berechtigungsreview', en: 'Regular Permission Review' },
- description: {
- de: 'Systematische Ueberpruefung und Bereinigung von Zugriffsberechtigungen in regelmaessigen Abstaenden durch die jeweiligen Fachverantwortlichen.',
- en: 'Systematic review and cleanup of access permissions at regular intervals by the respective department heads.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Review-Protokolle', 'Berechtigungsaenderungslog', 'Freigabedokumentation'],
- reviewFrequency: 'SEMI_ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['authorization', 'review', 'permissions'],
- },
-
- // TRANSFER_CONTROL — 2 new
- {
- id: 'TOM-TR-06',
- code: 'TOM-TR-06',
- category: 'TRANSFER_CONTROL',
- type: 'TECHNICAL',
- name: { de: 'E-Mail-Verschluesselung (erweitert)', en: 'Email Encryption (Extended)' },
- description: {
- de: 'Erweiterte E-Mail-Verschluesselung mit automatischer Erkennung sensibler Inhalte und erzwungener Gateway-Verschluesselung.',
- en: 'Extended email encryption with automatic detection of sensitive content and enforced gateway encryption.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' },
- ],
- applicabilityConditions: [
- { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
- { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['E-Mail-Verschluesselungs-Policy', 'Gateway-Konfiguration', 'DLP-Regeln'],
- reviewFrequency: 'SEMI_ANNUAL',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['transfer', 'email', 'encryption'],
- },
- {
- id: 'TOM-TR-07',
- code: 'TOM-TR-07',
- category: 'TRANSFER_CONTROL',
- type: 'ORGANIZATIONAL',
- name: { de: 'Drittstaat-Transferbewertung', en: 'Third Country Transfer Assessment' },
- description: {
- de: 'Dokumentierte Bewertung und Absicherung von Datenuebermittlungen in Drittstaaten gemaess Art. 44-49 DSGVO (Standardvertragsklauseln, TIA).',
- en: 'Documented assessment and safeguarding of data transfers to third countries according to Art. 44-49 GDPR (Standard Contractual Clauses, TIA).',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 
44-49' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
- ],
- applicabilityConditions: [
- { field: 'dataProfile.thirdCountryTransfers', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
- { field: 'architectureProfile.hostingLocation', operator: 'IN', value: ['THIRD_COUNTRY_ADEQUATE', 'THIRD_COUNTRY'], result: 'REQUIRED', priority: 25 },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['Transfer Impact Assessment', 'Standardvertragsklauseln', 'Angemessenheitsbeschluss-Pruefung'],
- reviewFrequency: 'ANNUAL',
- priority: 'CRITICAL',
- complexity: 'MEDIUM',
- tags: ['transfer', 'third-country', 'schrems-ii'],
- },
-
- // AVAILABILITY — 2 new
- {
- id: 'TOM-AV-06',
- code: 'TOM-AV-06',
- category: 'AVAILABILITY',
- type: 'TECHNICAL',
- name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
- description: {
- de: 'Implementierung einer umfassenden Ueberwachung aller IT-Systeme mit automatischen Benachrichtigungen bei Stoerungen oder Schwellenwert-Ueberschreitungen.',
- en: 'Implementation of comprehensive monitoring of all IT systems with automatic notifications for disruptions or threshold violations.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
- { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.2' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Monitoring-Konzept', 'Alerting-Konfiguration', 'Eskalationsmatrix'],
- reviewFrequency: 'QUARTERLY',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['availability', 'monitoring', 'alerting'],
- },
- {
- id: 'TOM-AV-07',
- code: 'TOM-AV-07',
- category: 'AVAILABILITY',
- type: 'ORGANIZATIONAL',
- name: { de: 'Service Level Management', en: 'Service Level Management' },
- description: {
- de: 'Definition und Ueberwachung von Service Level Agreements (SLAs) fuer alle kritischen IT-Services mit klaren Verfuegbarkeitszielen.',
- en: 'Definition and monitoring of Service Level Agreements (SLAs) for all critical IT services with clear availability targets.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
- ],
- applicabilityConditions: [
- { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
- { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 20 },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['SLA-Dokumentation', 'Verfuegbarkeitsberichte', 'Eskalationsverfahren'],
- reviewFrequency: 'QUARTERLY',
- priority: 'MEDIUM',
- complexity: 'LOW',
- tags: ['availability', 'sla', 'service-management'],
- },
-
- // SEPARATION — 1 more new (TOM-DL-05)
- {
- id: 'TOM-DL-05',
- code: 'TOM-DL-05',
- category: 'SEPARATION',
- type: 'ORGANIZATIONAL',
- name: { de: 'Datenloesch-Audit', en: 'Data Deletion Audit' },
- description: {
- de: 'Regelmaessige Ueberpruefung der Wirksamkeit und Vollstaendigkeit von Datenloeschvorgaengen durch unabhaengige Stellen.',
- en: 'Regular review of the effectiveness and 
completeness of data deletion processes by independent parties.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 5 Abs. 1 lit. e' },
- { framework: 'GDPR_ART32', reference: 'Art. 17' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.8.3.2' },
- ],
- applicabilityConditions: [
- { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
- ],
- defaultApplicability: 'RECOMMENDED',
- evidenceRequirements: ['Audit-Berichte', 'Loeschprotokolle', 'Stichproben-Ergebnisse'],
- reviewFrequency: 'ANNUAL',
- priority: 'MEDIUM',
- complexity: 'MEDIUM',
- tags: ['separation', 'deletion', 'audit'],
- },
-
- // REVIEW — 3 new
- {
- id: 'TOM-RV-09',
- code: 'TOM-RV-09',
- category: 'REVIEW',
- type: 'ORGANIZATIONAL',
- name: { de: 'Datenschutz-Audit-Programm', en: 'Data Protection Audit Program' },
- description: {
- de: 'Systematisches Programm zur regelmaessigen internen Ueberpruefung aller Datenschutzmassnahmen mit dokumentierten Ergebnissen und Massnahmenverfolgung.',
- en: 'Systematic program for regular internal review of all data protection measures with documented results and action tracking.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
- { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'DER.3.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Audit-Programm', 'Audit-Berichte', 'Massnahmenplan'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'MEDIUM',
- tags: ['review', 'audit', 'data-protection'],
- },
- {
- id: 'TOM-RV-10',
- code: 'TOM-RV-10',
- category: 'REVIEW',
- type: 'TECHNICAL',
- name: { de: 'Automatisierte Compliance-Pruefung', en: 'Automated Compliance Checking' },
- description: {
- de: 'Einsatz automatisierter Tools zur kontinuierlichen Ueberpruefung der Einhaltung von Sicherheits- und Datenschutzrichtlinien.',
- en: 'Use of automated tools for continuous monitoring of compliance with security and data protection policies.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.2' },
- ],
- applicabilityConditions: [
- { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
- { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
- ],
- defaultApplicability: 'OPTIONAL',
- evidenceRequirements: ['Tool-Konfiguration', 'Compliance-Dashboard', 'Automatisierte Berichte'],
- reviewFrequency: 'QUARTERLY',
- priority: 'MEDIUM',
- complexity: 'HIGH',
- tags: ['review', 'automation', 'compliance'],
- },
- {
- id: 'TOM-RV-11',
- code: 'TOM-RV-11',
- category: 'REVIEW',
- type: 'ORGANIZATIONAL',
- name: { de: 'Management Review (Art. 32 Abs. 1 lit. d)', en: 'Management Review (Art. 
32(1)(d))' },
- description: {
- de: 'Regelmaessige Ueberpruefung der Wirksamkeit aller technischen und organisatorischen Massnahmen durch die Geschaeftsfuehrung mit dokumentierten Ergebnissen.',
- en: 'Regular review of the effectiveness of all technical and organizational measures by management with documented results.',
- },
- mappings: [
- { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
- { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
- ],
- applicabilityConditions: [],
- defaultApplicability: 'REQUIRED',
- evidenceRequirements: ['Management-Review-Protokolle', 'Massnahmenplan', 'Wirksamkeitsbewertung'],
- reviewFrequency: 'ANNUAL',
- priority: 'HIGH',
- complexity: 'LOW',
- tags: ['review', 'management', 'effectiveness'],
- },
- ],
+ categories: CATEGORY_MAP,
+ controls: ALL_CONTROLS,
 }
 // =============================================================================
diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/contract-data-subject.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/contract-data-subject.ts
new file mode 100644
index 0000000..d6031e1
--- /dev/null
+++ b/admin-compliance/lib/sdk/vendor-compliance/risk/contract-data-subject.ts 
@@ -0,0 +1,126 @@
+/**
+ * Contract and Data Subject Controls
+ * Domains: CONTRACT, DATA_SUBJECT
+ */
+
+import { Control } from '../types'
+
+export const CONTRACT_CONTROLS: Control[] = [
+ {
+ id: 'VND-CON-01',
+ domain: 'CONTRACT',
+ title: {
+ de: 'Weisungsgebundenheit',
+ en: 'Instruction binding',
+ },
+ description: {
+ de: 'Auftragsverarbeiter ist an Weisungen gebunden',
+ en: 'Processor is bound by instructions',
+ },
+ passCriteria: {
+ de: 'Weisungsgebundenheit explizit vereinbart, Hinweispflicht bei rechtswidrigen Weisungen',
+ en: 'Instruction binding explicitly agreed, notification obligation for unlawful instructions',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. a DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-CON-02',
+ domain: 'CONTRACT',
+ title: {
+ de: 'Vertraulichkeitsverpflichtung',
+ en: 'Confidentiality obligation',
+ },
+ description: {
+ de: 'Mitarbeiter sind zur Vertraulichkeit verpflichtet',
+ en: 'Employees are obligated to confidentiality',
+ },
+ passCriteria: {
+ de: 'Vertraulichkeitsverpflichtung für alle Mitarbeiter mit Datenzugriff',
+ en: 'Confidentiality obligation for all employees with data access',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. b DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-CON-03',
+ domain: 'CONTRACT',
+ title: {
+ de: 'Gegenstand und Dauer der Verarbeitung',
+ en: 'Subject and duration of processing',
+ },
+ description: {
+ de: 'Klare Definition von Gegenstand und Dauer der Verarbeitung',
+ en: 'Clear definition of subject and duration of processing',
+ },
+ passCriteria: {
+ de: 'Verarbeitungsgegenstand, Dauer, Art der Daten, Betroffene definiert',
+ en: 'Processing subject, duration, type of data, data subjects defined',
+ },
+ requirements: ['Art. 28 Abs. 
3 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-CON-04',
+ domain: 'CONTRACT',
+ title: {
+ de: 'Schriftform/Textform',
+ en: 'Written/text form',
+ },
+ description: {
+ de: 'AVV in Schriftform oder elektronischem Format',
+ en: 'DPA in written or electronic format',
+ },
+ passCriteria: {
+ de: 'AVV in Schriftform oder elektronisch mit qualifizierter Signatur',
+ en: 'DPA in written form or electronically with qualified signature',
+ },
+ requirements: ['Art. 28 Abs. 9 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+]
+
+export const DATA_SUBJECT_CONTROLS: Control[] = [
+ {
+ id: 'VND-DSR-01',
+ domain: 'DATA_SUBJECT',
+ title: {
+ de: 'Unterstützung bei Betroffenenrechten',
+ en: 'Support for data subject rights',
+ },
+ description: {
+ de: 'Vendor unterstützt bei der Erfüllung von Betroffenenrechten',
+ en: 'Vendor supports fulfillment of data subject rights',
+ },
+ passCriteria: {
+ de: 'Unterstützungspflicht vereinbart, Prozess zur Weiterleitung definiert',
+ en: 'Support obligation agreed, process for forwarding defined',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. e DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-DSR-02',
+ domain: 'DATA_SUBJECT',
+ title: {
+ de: 'Reaktionszeit für Anfragen',
+ en: 'Response time for requests',
+ },
+ description: {
+ de: 'Definierte Reaktionszeit für Betroffenenanfragen',
+ en: 'Defined response time for data subject requests',
+ },
+ passCriteria: {
+ de: 'Reaktionszeit max. 5 Werktage, um Frist von 1 Monat einhalten zu können',
+ en: 'Response time max. 5 business days to meet 1 month deadline',
+ },
+ requirements: ['Art. 12 Abs. 3 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+]
diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts
index 70a35f5..bc90b1d 100644 
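Review bot: `CONTRACT_CONTROLS` and `DATA_SUBJECT_CONTROLS` are exported as mutable `Control[]`, so any importer can push, splice or reorder entries of what is a fixed compliance catalog; declaring them `export const CONTRACT_CONTROLS: readonly Control[] = [` (and likewise for `DATA_SUBJECT_CONTROLS`) makes that intent explicit and still works wherever the barrel spreads or iterates them. `Control` is used only in type positions in this file, so `import type { Control } from '../types'` is the idiomatic form and keeps the emit clean under `isolatedModules`. With ids such as `VND-CON-01` now spread across five sibling files, a duplicate-id assertion at assembly time in the barrel would catch a copy-paste collision early — I cannot see from this hunk whether one already exists.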
--- a/admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts
+++ b/admin-compliance/lib/sdk/vendor-compliance/risk/controls-library.ts 
@@ -1,834 +1,34 @@
 /**
 * Controls Library
 *
- * Standard controls for vendor and processing activity compliance
+ * Standard controls for vendor and processing activity compliance.
+ * Data is split by domain into sibling files — each <500 LOC.
+ * This file re-assembles them and provides all helper functions.
 */
 import { Control, ControlDomain, ReviewFrequency, LocalizedText } from '../types'
+import { TRANSFER_CONTROLS, AUDIT_CONTROLS } from './transfer-audit'
+import { DELETION_CONTROLS, INCIDENT_CONTROLS } from './deletion-incident'
+import { SUBPROCESSOR_CONTROLS, TOM_CONTROLS } from './subprocessor-tom'
+import { CONTRACT_CONTROLS, DATA_SUBJECT_CONTROLS } from './contract-data-subject'
+import { SECURITY_CONTROLS, GOVERNANCE_CONTROLS } from './security-governance'
+
 // ==========================================
-// CONTROL DEFINITIONS
+// ASSEMBLED CONTROLS LIBRARY
 // ==========================================
 export const CONTROLS_LIBRARY: Control[] = [
- // ==========================================
- // TRANSFER - Drittlandtransfer Controls
- // ==========================================
- {
- id: 'VND-TRF-01',
- domain: 'TRANSFER',
- title: {
- de: 'Drittlandtransfer nur mit Rechtsgrundlage',
- en: 'Third country transfer with legal basis',
- },
- description: {
- de: 'Drittlandtransfers erfolgen nur auf Basis von SCC, BCR oder Angemessenheitsbeschluss',
- en: 'Third country transfers only based on SCC, BCR or adequacy decision',
- },
- passCriteria: {
- de: 'SCC oder BCR vertraglich vereinbart ODER Angemessenheitsbeschluss vorhanden',
- en: 'SCC or BCR contractually agreed OR adequacy decision exists',
- },
- requirements: ['Art. 
44-49 DSGVO', 'ISO 27001 A.15.1.2'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TRF-02',
- domain: 'TRANSFER',
- title: {
- de: 'Aktuelle Standardvertragsklauseln',
- en: 'Current Standard Contractual Clauses',
- },
- description: {
- de: 'Bei SCC-Nutzung: Verwendung der aktuellen EU-Kommission-Klauseln (2021)',
- en: 'When using SCC: Current EU Commission clauses (2021) are used',
- },
- passCriteria: {
- de: 'SCC 2021 (Durchführungsbeschluss (EU) 2021/914) verwendet',
- en: 'SCC 2021 (Implementing Decision (EU) 2021/914) used',
- },
- requirements: ['Art. 46 Abs. 2 lit. c DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TRF-03',
- domain: 'TRANSFER',
- title: {
- de: 'Transfer Impact Assessment (TIA)',
- en: 'Transfer Impact Assessment (TIA)',
- },
- description: {
- de: 'Bei Transfers in Drittländer ohne Angemessenheitsbeschluss ist TIA durchzuführen',
- en: 'TIA required for transfers to third countries without adequacy decision',
- },
- passCriteria: {
- de: 'TIA dokumentiert und bewertet Risiken als akzeptabel',
- en: 'TIA documented and risks assessed as acceptable',
- },
- requirements: ['Schrems II Urteil', 'EDSA Empfehlungen 01/2020'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TRF-04',
- domain: 'TRANSFER',
- title: {
- de: 'Zusätzliche Schutzmaßnahmen',
- en: 'Supplementary Measures',
- },
- description: {
- de: 'Bei Bedarf sind zusätzliche technische/organisatorische Maßnahmen implementiert',
- en: 'Supplementary technical/organizational measures implemented where needed',
- },
- passCriteria: {
- de: 'Ergänzende Maßnahmen dokumentiert (Verschlüsselung, Pseudonymisierung, etc.)',
- en: 'Supplementary measures documented (encryption, pseudonymization, etc.)',
- },
- requirements: ['EDSA Empfehlungen 01/2020'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TRF-05',
- domain: 'TRANSFER',
- title: {
- de: 'Überwachung Angemessenheitsbeschlüsse',
- 
en: 'Monitoring Adequacy Decisions',
- },
- description: {
- de: 'Änderungen bei Angemessenheitsbeschlüssen werden überwacht',
- en: 'Changes to adequacy decisions are monitored',
- },
- passCriteria: {
- de: 'Prozess zur Überwachung und Reaktion auf Änderungen etabliert',
- en: 'Process for monitoring and responding to changes established',
- },
- requirements: ['Art. 45 DSGVO'],
- isRequired: false,
- defaultFrequency: 'QUARTERLY',
- },
-
- // ==========================================
- // AUDIT - Auditrechte Controls
- // ==========================================
- {
- id: 'VND-AUD-01',
- domain: 'AUDIT',
- title: {
- de: 'Auditrecht vertraglich vereinbart',
- en: 'Audit right contractually agreed',
- },
- description: {
- de: 'Vertrag enthält wirksames Auditrecht ohne unangemessene Einschränkungen',
- en: 'Contract contains effective audit right without unreasonable restrictions',
- },
- passCriteria: {
- de: 'Auditrecht im AVV enthalten, max. 30 Tage Vorlaufzeit, keine Ausschlussklausel',
- en: 'Audit right in DPA, max 30 days notice, no exclusion clause',
- },
- requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-AUD-02',
- domain: 'AUDIT',
- title: {
- de: 'Vor-Ort-Inspektionen möglich',
- en: 'On-site inspections possible',
- },
- description: {
- de: 'Vertrag erlaubt Vor-Ort-Inspektionen bei dem Auftragsverarbeiter',
- en: 'Contract allows on-site inspections at the processor',
- },
- passCriteria: {
- de: 'Vor-Ort-Audit explizit erlaubt, Zugang zu relevanten Bereichen',
- en: 'On-site audit explicitly allowed, access to relevant areas',
- },
- requirements: ['Art. 28 Abs. 3 lit. 
h DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-AUD-03',
- domain: 'AUDIT',
- title: {
- de: 'Aktuelle Zertifizierungen',
- en: 'Current Certifications',
- },
- description: {
- de: 'Relevante Sicherheitszertifizierungen sind aktuell und gültig',
- en: 'Relevant security certifications are current and valid',
- },
- passCriteria: {
- de: 'ISO 27001, SOC 2 oder vergleichbar, nicht abgelaufen',
- en: 'ISO 27001, SOC 2 or equivalent, not expired',
- },
- requirements: ['Art. 32 DSGVO', 'ISO 27001 A.15.1.1'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-AUD-04',
- domain: 'AUDIT',
- title: {
- de: 'Letzte Prüfung durchgeführt',
- en: 'Last review conducted',
- },
- description: {
- de: 'Vendor wurde innerhalb des Review-Zyklus geprüft',
- en: 'Vendor was reviewed within the review cycle',
- },
- passCriteria: {
- de: 'Dokumentierte Prüfung innerhalb des festgelegten Intervalls',
- en: 'Documented review within the defined interval',
- },
- requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-AUD-05',
- domain: 'AUDIT',
- title: {
- de: 'Prüfberichte verfügbar',
- en: 'Audit reports available',
- },
- description: {
- de: 'Aktuelle Prüfberichte (SOC 2, Penetrationstest, etc.) liegen vor',
- en: 'Current audit reports (SOC 2, penetration test, etc.) 
are available',
- },
- passCriteria: {
- de: 'Prüfberichte nicht älter als 12 Monate',
- en: 'Audit reports not older than 12 months',
- },
- requirements: ['ISO 27001 A.18.2.1'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
-
- // ==========================================
- // DELETION - Löschung Controls
- // ==========================================
- {
- id: 'VND-DEL-01',
- domain: 'DELETION',
- title: {
- de: 'Löschung/Rückgabe nach Vertragsende',
- en: 'Deletion/return after contract end',
- },
- description: {
- de: 'Klare Regelung zur Löschung oder Rückgabe aller Daten nach Vertragsende',
- en: 'Clear provision for deletion or return of all data after contract end',
- },
- passCriteria: {
- de: 'Löschfrist max. 30 Tage, Löschbestätigung vorgesehen',
- en: 'Deletion within max 30 days, deletion confirmation provided',
- },
- requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-DEL-02',
- domain: 'DELETION',
- title: {
- de: 'Löschbestätigung',
- en: 'Deletion confirmation',
- },
- description: {
- de: 'Schriftliche Bestätigung der vollständigen Datenlöschung',
- en: 'Written confirmation of complete data deletion',
- },
- passCriteria: {
- de: 'Löschbestätigung vertraglich vereinbart und einforderbar',
- en: 'Deletion confirmation contractually agreed and enforceable',
- },
- requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-DEL-03',
- domain: 'DELETION',
- title: {
- de: 'Löschung bei Unterauftragnehmern',
- en: 'Deletion at sub-processors',
- },
- description: {
- de: 'Löschpflicht erstreckt sich auf alle Unterauftragnehmer',
- en: 'Deletion obligation extends to all sub-processors',
- },
- passCriteria: {
- de: 'Weitergabe der Löschpflicht an Unterauftragnehmer vertraglich vereinbart',
- en: 'Transfer of deletion obligation to sub-processors contractually agreed',
- },
- requirements: ['Art. 28 Abs. 3 lit. 
g, d DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-DEL-04',
- domain: 'DELETION',
- title: {
- de: 'Backup-Löschung',
- en: 'Backup deletion',
- },
- description: {
- de: 'Daten werden auch aus Backups gelöscht',
- en: 'Data is also deleted from backups',
- },
- passCriteria: {
- de: 'Backup-Löschung geregelt, max. Aufbewahrungsfrist für Backups definiert',
- en: 'Backup deletion regulated, max retention period for backups defined',
- },
- requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
-
- // ==========================================
- // INCIDENT - Incident Response Controls
- // ==========================================
- {
- id: 'VND-INC-01',
- domain: 'INCIDENT',
- title: {
- de: 'Meldepflicht bei Datenpannen',
- en: 'Data breach notification obligation',
- },
- description: {
- de: 'Unverzügliche Meldung von Datenschutzverletzungen',
- en: 'Immediate notification of data protection violations',
- },
- passCriteria: {
- de: 'Meldepflicht vereinbart, Frist max. 24-48h, Mindestinhalte definiert',
- en: 'Notification obligation agreed, deadline max 24-48h, minimum content defined',
- },
- requirements: ['Art. 33 Abs. 
2 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-INC-02',
- domain: 'INCIDENT',
- title: {
- de: 'Incident Response Plan',
- en: 'Incident Response Plan',
- },
- description: {
- de: 'Vendor hat dokumentierten Incident Response Plan',
- en: 'Vendor has documented incident response plan',
- },
- passCriteria: {
- de: 'Incident Response Plan liegt vor und wurde getestet',
- en: 'Incident response plan exists and has been tested',
- },
- requirements: ['ISO 27001 A.16.1'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-INC-03',
- domain: 'INCIDENT',
- title: {
- de: 'Kontaktstelle für Incidents',
- en: 'Contact point for incidents',
- },
- description: {
- de: 'Definierte Kontaktstelle für Datenschutzvorfälle',
- en: 'Defined contact point for data protection incidents',
- },
- passCriteria: {
- de: 'Kontaktdaten für Incident-Meldungen bekannt und aktuell',
- en: 'Contact details for incident reporting known and current',
- },
- requirements: ['Art. 33 Abs. 2 DSGVO'],
- isRequired: true,
- defaultFrequency: 'QUARTERLY',
- },
- {
- id: 'VND-INC-04',
- domain: 'INCIDENT',
- title: {
- de: 'Unterstützung bei Incident-Dokumentation',
- en: 'Support with incident documentation',
- },
- description: {
- de: 'Vendor unterstützt bei der Dokumentation von Vorfällen',
- en: 'Vendor supports documentation of incidents',
- },
- passCriteria: {
- de: 'Unterstützungspflicht bei Dokumentation vertraglich vereinbart',
- en: 'Support obligation for documentation contractually agreed',
- },
- requirements: ['Art. 33 Abs. 
5 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
-
- // ==========================================
- // SUBPROCESSOR - Unterauftragnehmer Controls
- // ==========================================
- {
- id: 'VND-SUB-01',
- domain: 'SUBPROCESSOR',
- title: {
- de: 'Genehmigungspflicht für Unterauftragnehmer',
- en: 'Approval requirement for sub-processors',
- },
- description: {
- de: 'Einsatz von Unterauftragnehmern nur mit Genehmigung',
- en: 'Use of sub-processors only with approval',
- },
- passCriteria: {
- de: 'Genehmigungserfordernis (spezifisch oder allgemein mit Widerspruchsrecht) vereinbart',
- en: 'Approval requirement (specific or general with objection right) agreed',
- },
- requirements: ['Art. 28 Abs. 2, 4 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-SUB-02',
- domain: 'SUBPROCESSOR',
- title: {
- de: 'Aktuelle Unterauftragnehmer-Liste',
- en: 'Current sub-processor list',
- },
- description: {
- de: 'Vollständige und aktuelle Liste aller Unterauftragnehmer',
- en: 'Complete and current list of all sub-processors',
- },
- passCriteria: {
- de: 'Liste liegt vor mit Name, Sitz, Verarbeitungszweck',
- en: 'List available with name, location, processing purpose',
- },
- requirements: ['Art. 28 Abs. 2 DSGVO'],
- isRequired: true,
- defaultFrequency: 'QUARTERLY',
- },
- {
- id: 'VND-SUB-03',
- domain: 'SUBPROCESSOR',
- title: {
- de: 'Informationspflicht bei Änderungen',
- en: 'Notification obligation for changes',
- },
- description: {
- de: 'Information über neue oder geänderte Unterauftragnehmer',
- en: 'Information about new or changed sub-processors',
- },
- passCriteria: {
- de: 'Vorabinformation vereinbart, ausreichende Frist für Widerspruch',
- en: 'Advance notification agreed, sufficient time for objection',
- },
- requirements: ['Art. 28 Abs. 
2 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-SUB-04',
- domain: 'SUBPROCESSOR',
- title: {
- de: 'Weitergabe der Datenschutzpflichten',
- en: 'Transfer of data protection obligations',
- },
- description: {
- de: 'Datenschutzpflichten werden an Unterauftragnehmer weitergegeben',
- en: 'Data protection obligations are transferred to sub-processors',
- },
- passCriteria: {
- de: 'Vertraglich vereinbart, dass Unterauftragnehmer gleichen Pflichten unterliegen',
- en: 'Contractually agreed that sub-processors are subject to same obligations',
- },
- requirements: ['Art. 28 Abs. 4 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-SUB-05',
- domain: 'SUBPROCESSOR',
- title: {
- de: 'Haftung für Unterauftragnehmer',
- en: 'Liability for sub-processors',
- },
- description: {
- de: 'Klare Haftungsregelung für Unterauftragnehmer',
- en: 'Clear liability provision for sub-processors',
- },
- passCriteria: {
- de: 'Auftragsverarbeiter haftet für Unterauftragnehmer wie für eigenes Handeln',
- en: 'Processor is liable for sub-processors as for own actions',
- },
- requirements: ['Art. 28 Abs. 4 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
-
- // ==========================================
- // TOM - Technische/Organisatorische Maßnahmen
- // ==========================================
- {
- id: 'VND-TOM-01',
- domain: 'TOM',
- title: {
- de: 'TOM-Dokumentation vorhanden',
- en: 'TOM documentation available',
- },
- description: {
- de: 'Vollständige Dokumentation der technischen und organisatorischen Maßnahmen',
- en: 'Complete documentation of technical and organizational measures',
- },
- passCriteria: {
- de: 'TOM-Anlage vorhanden, aktuell, spezifisch für die Verarbeitung',
- en: 'TOM annex available, current, specific to the processing',
- },
- requirements: ['Art. 28 Abs. 3 lit. c DSGVO', 'Art. 
32 DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TOM-02',
- domain: 'TOM',
- title: {
- de: 'Verschlüsselung',
- en: 'Encryption',
- },
- description: {
- de: 'Angemessene Verschlüsselung für Daten in Transit und at Rest',
- en: 'Appropriate encryption for data in transit and at rest',
- },
- passCriteria: {
- de: 'TLS 1.2+ für Transit, AES-256 für at Rest',
- en: 'TLS 1.2+ for transit, AES-256 for at rest',
- },
- requirements: ['Art. 32 Abs. 1 lit. a DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TOM-03',
- domain: 'TOM',
- title: {
- de: 'Zugriffskontrolle',
- en: 'Access control',
- },
- description: {
- de: 'Angemessene Zugriffskontrollmechanismen',
- en: 'Appropriate access control mechanisms',
- },
- passCriteria: {
- de: 'Rollenbasierte Zugriffskontrolle, Least Privilege, Logging',
- en: 'Role-based access control, least privilege, logging',
- },
- requirements: ['Art. 32 Abs. 1 lit. b DSGVO', 'ISO 27001 A.9'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TOM-04',
- domain: 'TOM',
- title: {
- de: 'Verfügbarkeit und Wiederherstellung',
- en: 'Availability and recovery',
- },
- description: {
- de: 'Maßnahmen zur Sicherstellung der Verfügbarkeit und Wiederherstellung',
- en: 'Measures to ensure availability and recovery',
- },
- passCriteria: {
- de: 'Backup-Konzept, DR-Plan, RTO/RPO definiert',
- en: 'Backup concept, DR plan, RTO/RPO defined',
- },
- requirements: ['Art. 32 Abs. 1 lit. 
b, c DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TOM-05',
- domain: 'TOM',
- title: {
- de: 'Regelmäßige TOM-Überprüfung',
- en: 'Regular TOM review',
- },
- description: {
- de: 'Regelmäßige Überprüfung und Aktualisierung der TOM',
- en: 'Regular review and update of TOM',
- },
- passCriteria: {
- de: 'TOM werden mindestens jährlich überprüft und bei Bedarf aktualisiert',
- en: 'TOM are reviewed at least annually and updated as needed',
- },
- requirements: ['Art. 32 Abs. 1 lit. d DSGVO'],
- isRequired: true,
- defaultFrequency: 'ANNUAL',
- },
- {
- id: 'VND-TOM-06',
- domain: 'TOM',
- title: {
- de: 'Penetrationstest',
- en: 'Penetration testing',
- },
- description: {
- de: 'Regelmäßige Penetrationstests der relevanten Systeme',
- en: 'Regular penetration testing of relevant systems',
- },
- passCriteria: {
- de: 'Jährlicher Pentest, kritische Findings behoben',
- en: 'Annual pentest, critical findings resolved',
- },
- requirements: ['ISO 27001 A.12.6.1'],
- isRequired: false,
- defaultFrequency: 'ANNUAL',
- },
-
- // ==========================================
- // CONTRACT - Vertragliche Grundlagen
- // ==========================================
- {
- id: 'VND-CON-01',
- domain: 'CONTRACT',
- title: {
- de: 'Weisungsgebundenheit',
- en: 'Instruction binding',
- },
- description: {
- de: 'Auftragsverarbeiter ist an Weisungen gebunden',
- en: 'Processor is bound by instructions',
- },
- passCriteria: {
- de: 'Weisungsgebundenheit explizit vereinbart, Hinweispflicht bei rechtswidrigen Weisungen',
- en: 'Instruction binding explicitly agreed, notification obligation for unlawful instructions',
- },
- requirements: ['Art. 28 Abs. 3 lit. 
a DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-CON-02', - domain: 'CONTRACT', - title: { - de: 'Vertraulichkeitsverpflichtung', - en: 'Confidentiality obligation', - }, - description: { - de: 'Mitarbeiter sind zur Vertraulichkeit verpflichtet', - en: 'Employees are obligated to confidentiality', - }, - passCriteria: { - de: 'Vertraulichkeitsverpflichtung für alle Mitarbeiter mit Datenzugriff', - en: 'Confidentiality obligation for all employees with data access', - }, - requirements: ['Art. 28 Abs. 3 lit. b DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-CON-03', - domain: 'CONTRACT', - title: { - de: 'Gegenstand und Dauer der Verarbeitung', - en: 'Subject and duration of processing', - }, - description: { - de: 'Klare Definition von Gegenstand und Dauer der Verarbeitung', - en: 'Clear definition of subject and duration of processing', - }, - passCriteria: { - de: 'Verarbeitungsgegenstand, Dauer, Art der Daten, Betroffene definiert', - en: 'Processing subject, duration, type of data, data subjects defined', - }, - requirements: ['Art. 28 Abs. 3 DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-CON-04', - domain: 'CONTRACT', - title: { - de: 'Schriftform/Textform', - en: 'Written/text form', - }, - description: { - de: 'AVV in Schriftform oder elektronischem Format', - en: 'DPA in written or electronic format', - }, - passCriteria: { - de: 'AVV in Schriftform oder elektronisch mit qualifizierter Signatur', - en: 'DPA in written form or electronically with qualified signature', - }, - requirements: ['Art. 28 Abs. 
9 DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - - // ========================================== - // DATA_SUBJECT - Betroffenenrechte - // ========================================== - { - id: 'VND-DSR-01', - domain: 'DATA_SUBJECT', - title: { - de: 'Unterstützung bei Betroffenenrechten', - en: 'Support for data subject rights', - }, - description: { - de: 'Vendor unterstützt bei der Erfüllung von Betroffenenrechten', - en: 'Vendor supports fulfillment of data subject rights', - }, - passCriteria: { - de: 'Unterstützungspflicht vereinbart, Prozess zur Weiterleitung definiert', - en: 'Support obligation agreed, process for forwarding defined', - }, - requirements: ['Art. 28 Abs. 3 lit. e DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-DSR-02', - domain: 'DATA_SUBJECT', - title: { - de: 'Reaktionszeit für Anfragen', - en: 'Response time for requests', - }, - description: { - de: 'Definierte Reaktionszeit für Betroffenenanfragen', - en: 'Defined response time for data subject requests', - }, - passCriteria: { - de: 'Reaktionszeit max. 5 Werktage, um Frist von 1 Monat einhalten zu können', - en: 'Response time max. 5 business days to meet 1 month deadline', - }, - requirements: ['Art. 12 Abs. 3 DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - - // ========================================== - // SECURITY - Sicherheit - // ========================================== - { - id: 'VND-SEC-01', - domain: 'SECURITY', - title: { - de: 'Sicherheitsbewertung', - en: 'Security assessment', - }, - description: { - de: 'Regelmäßige Sicherheitsbewertung des Vendors', - en: 'Regular security assessment of the vendor', - }, - passCriteria: { - de: 'Sicherheitsfragebogen ausgefüllt, keine kritischen Lücken', - en: 'Security questionnaire completed, no critical gaps', - }, - requirements: ['Art. 
32 DSGVO', 'ISO 27001 A.15.2.1'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-SEC-02', - domain: 'SECURITY', - title: { - de: 'Vulnerability Management', - en: 'Vulnerability management', - }, - description: { - de: 'Etabliertes Vulnerability Management beim Vendor', - en: 'Established vulnerability management at the vendor', - }, - passCriteria: { - de: 'Regelmäßige Schwachstellen-Scans, Patch-Management dokumentiert', - en: 'Regular vulnerability scans, patch management documented', - }, - requirements: ['ISO 27001 A.12.6'], - isRequired: false, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-SEC-03', - domain: 'SECURITY', - title: { - de: 'Mitarbeiter-Schulung', - en: 'Employee training', - }, - description: { - de: 'Datenschutz-Schulung für Mitarbeiter des Vendors', - en: 'Data protection training for vendor employees', - }, - passCriteria: { - de: 'Regelmäßige Schulungen (mind. jährlich), Nachweis verfügbar', - en: 'Regular training (at least annually), proof available', - }, - requirements: ['Art. 39 Abs. 1 lit. b DSGVO'], - isRequired: false, - defaultFrequency: 'ANNUAL', - }, - - // ========================================== - // GOVERNANCE - Governance - // ========================================== - { - id: 'VND-GOV-01', - domain: 'GOVERNANCE', - title: { - de: 'Datenschutzbeauftragter benannt', - en: 'Data protection officer appointed', - }, - description: { - de: 'Vendor hat DSB benannt (wenn erforderlich)', - en: 'Vendor has appointed DPO (if required)', - }, - passCriteria: { - de: 'DSB benannt und Kontaktdaten verfügbar', - en: 'DPO appointed and contact details available', - }, - requirements: ['Art. 
37 DSGVO'], - isRequired: false, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-GOV-02', - domain: 'GOVERNANCE', - title: { - de: 'Verzeichnis der Verarbeitungstätigkeiten', - en: 'Records of processing activities', - }, - description: { - de: 'Vendor führt eigenes Verarbeitungsverzeichnis', - en: 'Vendor maintains own processing records', - }, - passCriteria: { - de: 'Verzeichnis nach Art. 30 Abs. 2 DSGVO vorhanden', - en: 'Records according to Art. 30(2) GDPR available', - }, - requirements: ['Art. 30 Abs. 2 DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, - { - id: 'VND-GOV-03', - domain: 'GOVERNANCE', - title: { - de: 'Unterstützung bei DSFA', - en: 'Support for DPIA', - }, - description: { - de: 'Vendor unterstützt bei Datenschutz-Folgenabschätzung', - en: 'Vendor supports data protection impact assessment', - }, - passCriteria: { - de: 'Unterstützungspflicht bei DSFA vertraglich vereinbart', - en: 'Support obligation for DPIA contractually agreed', - }, - requirements: ['Art. 28 Abs. 3 lit. f DSGVO'], - isRequired: true, - defaultFrequency: 'ANNUAL', - }, + ...TRANSFER_CONTROLS, + ...AUDIT_CONTROLS, + ...DELETION_CONTROLS, + ...INCIDENT_CONTROLS, + ...SUBPROCESSOR_CONTROLS, + ...TOM_CONTROLS, + ...CONTRACT_CONTROLS, + ...DATA_SUBJECT_CONTROLS, + ...SECURITY_CONTROLS, + ...GOVERNANCE_CONTROLS, ] // ========================================== diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/deletion-incident.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/deletion-incident.ts new file mode 100644 index 0000000..80be660 --- /dev/null +++ b/admin-compliance/lib/sdk/vendor-compliance/risk/deletion-incident.ts 
@@ -0,0 +1,164 @@
+/**
+ * Deletion and Incident Controls
+ * Domains: DELETION, INCIDENT
+ */
+
+import { Control } from '../types'
+
+export const DELETION_CONTROLS: Control[] = [
+ {
+ id: 'VND-DEL-01',
+ domain: 'DELETION',
+ title: {
+ de: 'Löschung/Rückgabe nach Vertragsende',
+ en: 'Deletion/return after contract end',
+ },
+ description: {
+ de: 'Klare Regelung zur Löschung oder Rückgabe aller Daten nach Vertragsende',
+ en: 'Clear provision for deletion or return of all data after contract end',
+ },
+ passCriteria: {
+ de: 'Löschfrist max. 30 Tage, Löschbestätigung vorgesehen',
+ en: 'Deletion within max 30 days, deletion confirmation provided',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-DEL-02',
+ domain: 'DELETION',
+ title: {
+ de: 'Löschbestätigung',
+ en: 'Deletion confirmation',
+ },
+ description: {
+ de: 'Schriftliche Bestätigung der vollständigen Datenlöschung',
+ en: 'Written confirmation of complete data deletion',
+ },
+ passCriteria: {
+ de: 'Löschbestätigung vertraglich vereinbart und einforderbar',
+ en: 'Deletion confirmation contractually agreed and enforceable',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-DEL-03',
+ domain: 'DELETION',
+ title: {
+ de: 'Löschung bei Unterauftragnehmern',
+ en: 'Deletion at sub-processors',
+ },
+ description: {
+ de: 'Löschpflicht erstreckt sich auf alle Unterauftragnehmer',
+ en: 'Deletion obligation extends to all sub-processors',
+ },
+ passCriteria: {
+ de: 'Weitergabe der Löschpflicht an Unterauftragnehmer vertraglich vereinbart',
+ en: 'Transfer of deletion obligation to sub-processors contractually agreed',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. 
g, d DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-DEL-04',
+ domain: 'DELETION',
+ title: {
+ de: 'Backup-Löschung',
+ en: 'Backup deletion',
+ },
+ description: {
+ de: 'Daten werden auch aus Backups gelöscht',
+ en: 'Data is also deleted from backups',
+ },
+ passCriteria: {
+ de: 'Backup-Löschung geregelt, max. Aufbewahrungsfrist für Backups definiert',
+ en: 'Backup deletion regulated, max retention period for backups defined',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. g DSGVO'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+]
+
+export const INCIDENT_CONTROLS: Control[] = [
+ {
+ id: 'VND-INC-01',
+ domain: 'INCIDENT',
+ title: {
+ de: 'Meldepflicht bei Datenpannen',
+ en: 'Data breach notification obligation',
+ },
+ description: {
+ de: 'Unverzügliche Meldung von Datenschutzverletzungen',
+ en: 'Immediate notification of data protection violations',
+ },
+ passCriteria: {
+ de: 'Meldepflicht vereinbart, Frist max. 24-48h, Mindestinhalte definiert',
+ en: 'Notification obligation agreed, deadline max 24-48h, minimum content defined',
+ },
+ requirements: ['Art. 33 Abs. 
2 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-INC-02',
+ domain: 'INCIDENT',
+ title: {
+ de: 'Incident Response Plan',
+ en: 'Incident Response Plan',
+ },
+ description: {
+ de: 'Vendor hat dokumentierten Incident Response Plan',
+ en: 'Vendor has documented incident response plan',
+ },
+ passCriteria: {
+ de: 'Incident Response Plan liegt vor und wurde getestet',
+ en: 'Incident response plan exists and has been tested',
+ },
+ requirements: ['ISO 27001 A.16.1'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-INC-03',
+ domain: 'INCIDENT',
+ title: {
+ de: 'Kontaktstelle für Incidents',
+ en: 'Contact point for incidents',
+ },
+ description: {
+ de: 'Definierte Kontaktstelle für Datenschutzvorfälle',
+ en: 'Defined contact point for data protection incidents',
+ },
+ passCriteria: {
+ de: 'Kontaktdaten für Incident-Meldungen bekannt und aktuell',
+ en: 'Contact details for incident reporting known and current',
+ },
+ requirements: ['Art. 33 Abs. 2 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'QUARTERLY',
+ },
+ {
+ id: 'VND-INC-04',
+ domain: 'INCIDENT',
+ title: {
+ de: 'Unterstützung bei Incident-Dokumentation',
+ en: 'Support with incident documentation',
+ },
+ description: {
+ de: 'Vendor unterstützt bei der Dokumentation von Vorfällen',
+ en: 'Vendor supports documentation of incidents',
+ },
+ passCriteria: {
+ de: 'Unterstützungspflicht bei Dokumentation vertraglich vereinbart',
+ en: 'Support obligation for documentation contractually agreed',
+ },
+ requirements: ['Art. 33 Abs. 5 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+]
diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/security-governance.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/security-governance.ts
new file mode 100644
index 0000000..d407449
--- /dev/null
+++ b/admin-compliance/lib/sdk/vendor-compliance/risk/security-governance.ts
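Review bot: The pass criterion of VND-INC-01, `Frist max. 24-48h`, gives a range where a pass/fail check needs one bound; it is the only time limit in this file that is not a fixed number (VND-DEL-01 says `max. 30 Tage`). Art. 33(2) obliges the processor to notify the controller without undue delay, and the controller's own 72-hour clock under Art. 33(1) starts on awareness, so the contractual bound should be a single figure that leaves the controller time, e.g. `de: 'Meldepflicht vereinbart, Frist max. 24h nach Kenntnis, Mindestinhalte nach Art. 33 Abs. 3 definiert'` with a matching `en`; the exact number is a policy decision for the DPO, and adding `'Art. 33 Abs. 1 DSGVO'` to the requirements makes that context traceable. VND-INC-02's `'ISO 27001 A.16.1'` uses the 2013 Annex A numbering; in ISO/IEC 27001:2022 incident management is A.5.24–A.5.28 and the 2013 edition's transition period has ended, so the reference should be updated or both editions listed. Whether the criteria strings are read by a person or parsed by a scoring engine is not visible here; if the latter, the ambiguous range is a defect rather than wording.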
@@ -0,0 +1,126 @@
+/**
+ * Security and Governance Controls
+ * Domains: SECURITY, GOVERNANCE
+ */
+
+import { Control } from '../types'
+
+export const SECURITY_CONTROLS: Control[] = [
+ {
+ id: 'VND-SEC-01',
+ domain: 'SECURITY',
+ title: {
+ de: 'Sicherheitsbewertung',
+ en: 'Security assessment',
+ },
+ description: {
+ de: 'Regelmäßige Sicherheitsbewertung des Vendors',
+ en: 'Regular security assessment of the vendor',
+ },
+ passCriteria: {
+ de: 'Sicherheitsfragebogen ausgefüllt, keine kritischen Lücken',
+ en: 'Security questionnaire completed, no critical gaps',
+ },
+ requirements: ['Art. 32 DSGVO', 'ISO 27001 A.15.2.1'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-SEC-02',
+ domain: 'SECURITY',
+ title: {
+ de: 'Vulnerability Management',
+ en: 'Vulnerability management',
+ },
+ description: {
+ de: 'Etabliertes Vulnerability Management beim Vendor',
+ en: 'Established vulnerability management at the vendor',
+ },
+ passCriteria: {
+ de: 'Regelmäßige Schwachstellen-Scans, Patch-Management dokumentiert',
+ en: 'Regular vulnerability scans, patch management documented',
+ },
+ requirements: ['ISO 27001 A.12.6'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-SEC-03',
+ domain: 'SECURITY',
+ title: {
+ de: 'Mitarbeiter-Schulung',
+ en: 'Employee training',
+ },
+ description: {
+ de: 'Datenschutz-Schulung für Mitarbeiter des Vendors',
+ en: 'Data protection training for vendor employees',
+ },
+ passCriteria: {
+ de: 'Regelmäßige Schulungen (mind. jährlich), Nachweis verfügbar',
+ en: 'Regular training (at least annually), proof available',
+ },
+ requirements: ['Art. 39 Abs. 1 lit. 
b DSGVO'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+]
+
+export const GOVERNANCE_CONTROLS: Control[] = [
+ {
+ id: 'VND-GOV-01',
+ domain: 'GOVERNANCE',
+ title: {
+ de: 'Datenschutzbeauftragter benannt',
+ en: 'Data protection officer appointed',
+ },
+ description: {
+ de: 'Vendor hat DSB benannt (wenn erforderlich)',
+ en: 'Vendor has appointed DPO (if required)',
+ },
+ passCriteria: {
+ de: 'DSB benannt und Kontaktdaten verfügbar',
+ en: 'DPO appointed and contact details available',
+ },
+ requirements: ['Art. 37 DSGVO'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-GOV-02',
+ domain: 'GOVERNANCE',
+ title: {
+ de: 'Verzeichnis der Verarbeitungstätigkeiten',
+ en: 'Records of processing activities',
+ },
+ description: {
+ de: 'Vendor führt eigenes Verarbeitungsverzeichnis',
+ en: 'Vendor maintains own processing records',
+ },
+ passCriteria: {
+ de: 'Verzeichnis nach Art. 30 Abs. 2 DSGVO vorhanden',
+ en: 'Records according to Art. 30(2) GDPR available',
+ },
+ requirements: ['Art. 30 Abs. 2 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-GOV-03',
+ domain: 'GOVERNANCE',
+ title: {
+ de: 'Unterstützung bei DSFA',
+ en: 'Support for DPIA',
+ },
+ description: {
+ de: 'Vendor unterstützt bei Datenschutz-Folgenabschätzung',
+ en: 'Vendor supports data protection impact assessment',
+ },
+ passCriteria: {
+ de: 'Unterstützungspflicht bei DSFA vertraglich vereinbart',
+ en: 'Support obligation for DPIA contractually agreed',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. f DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+]
diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/subprocessor-tom.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/subprocessor-tom.ts
new file mode 100644
index 0000000..4087eda
--- /dev/null
+++ b/admin-compliance/lib/sdk/vendor-compliance/risk/subprocessor-tom.ts
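Review bot: `SECURITY_CONTROLS` and `GOVERNANCE_CONTROLS` are exported as mutable `Control[]`, so any importer can `push`/`splice` the compliance catalogue at runtime, and now that the catalogue is assembled from ten spread arrays (the barrel at L144) nothing visible guards against two domain files declaring the same `id`. Declare them `export const SECURITY_CONTROLS: readonly Control[] = [` (or wrap in `Object.freeze`) — spreading a readonly array into the barrel still type-checks — and add a one-time check where the arrays are merged, e.g. `const ids = controls.map((c) => c.id)` followed by `if (new Set(ids).size !== ids.length) throw new Error('duplicate control id')`. Whether `Control` already types `id` as a literal union or the barrel dedupes is not visible here, so treat this as a check to confirm rather than a confirmed defect. Separately, VND-SEC-01's `'ISO 27001 A.15.2.1'` and VND-SEC-02's `'ISO 27001 A.12.6'` are 2013 Annex A numbers (A.5.22 and A.8.8 in the 2022 edition).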
@@ -0,0 +1,221 @@
+/**
+ * Subprocessor and TOM Controls
+ * Domains: SUBPROCESSOR, TOM
+ */
+
+import { Control } from '../types'
+
+export const SUBPROCESSOR_CONTROLS: Control[] = [
+ {
+ id: 'VND-SUB-01',
+ domain: 'SUBPROCESSOR',
+ title: {
+ de: 'Genehmigungspflicht für Unterauftragnehmer',
+ en: 'Approval requirement for sub-processors',
+ },
+ description: {
+ de: 'Einsatz von Unterauftragnehmern nur mit Genehmigung',
+ en: 'Use of sub-processors only with approval',
+ },
+ passCriteria: {
+ de: 'Genehmigungserfordernis (spezifisch oder allgemein mit Widerspruchsrecht) vereinbart',
+ en: 'Approval requirement (specific or general with objection right) agreed',
+ },
+ requirements: ['Art. 28 Abs. 2, 4 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-SUB-02',
+ domain: 'SUBPROCESSOR',
+ title: {
+ de: 'Aktuelle Unterauftragnehmer-Liste',
+ en: 'Current sub-processor list',
+ },
+ description: {
+ de: 'Vollständige und aktuelle Liste aller Unterauftragnehmer',
+ en: 'Complete and current list of all sub-processors',
+ },
+ passCriteria: {
+ de: 'Liste liegt vor mit Name, Sitz, Verarbeitungszweck',
+ en: 'List available with name, location, processing purpose',
+ },
+ requirements: ['Art. 28 Abs. 2 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'QUARTERLY',
+ },
+ {
+ id: 'VND-SUB-03',
+ domain: 'SUBPROCESSOR',
+ title: {
+ de: 'Informationspflicht bei Änderungen',
+ en: 'Notification obligation for changes',
+ },
+ description: {
+ de: 'Information über neue oder geänderte Unterauftragnehmer',
+ en: 'Information about new or changed sub-processors',
+ },
+ passCriteria: {
+ de: 'Vorabinformation vereinbart, ausreichende Frist für Widerspruch',
+ en: 'Advance notification agreed, sufficient time for objection',
+ },
+ requirements: ['Art. 28 Abs. 
2 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-SUB-04',
+ domain: 'SUBPROCESSOR',
+ title: {
+ de: 'Weitergabe der Datenschutzpflichten',
+ en: 'Transfer of data protection obligations',
+ },
+ description: {
+ de: 'Datenschutzpflichten werden an Unterauftragnehmer weitergegeben',
+ en: 'Data protection obligations are transferred to sub-processors',
+ },
+ passCriteria: {
+ de: 'Vertraglich vereinbart, dass Unterauftragnehmer gleichen Pflichten unterliegen',
+ en: 'Contractually agreed that sub-processors are subject to same obligations',
+ },
+ requirements: ['Art. 28 Abs. 4 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-SUB-05',
+ domain: 'SUBPROCESSOR',
+ title: {
+ de: 'Haftung für Unterauftragnehmer',
+ en: 'Liability for sub-processors',
+ },
+ description: {
+ de: 'Klare Haftungsregelung für Unterauftragnehmer',
+ en: 'Clear liability provision for sub-processors',
+ },
+ passCriteria: {
+ de: 'Auftragsverarbeiter haftet für Unterauftragnehmer wie für eigenes Handeln',
+ en: 'Processor is liable for sub-processors as for own actions',
+ },
+ requirements: ['Art. 28 Abs. 4 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+]
+
+export const TOM_CONTROLS: Control[] = [
+ {
+ id: 'VND-TOM-01',
+ domain: 'TOM',
+ title: {
+ de: 'TOM-Dokumentation vorhanden',
+ en: 'TOM documentation available',
+ },
+ description: {
+ de: 'Vollständige Dokumentation der technischen und organisatorischen Maßnahmen',
+ en: 'Complete documentation of technical and organizational measures',
+ },
+ passCriteria: {
+ de: 'TOM-Anlage vorhanden, aktuell, spezifisch für die Verarbeitung',
+ en: 'TOM annex available, current, specific to the processing',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. c DSGVO', 'Art. 
32 DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TOM-02',
+ domain: 'TOM',
+ title: {
+ de: 'Verschlüsselung',
+ en: 'Encryption',
+ },
+ description: {
+ de: 'Angemessene Verschlüsselung für Daten in Transit und at Rest',
+ en: 'Appropriate encryption for data in transit and at rest',
+ },
+ passCriteria: {
+ de: 'TLS 1.2+ für Transit, AES-256 für at Rest',
+ en: 'TLS 1.2+ for transit, AES-256 for at rest',
+ },
+ requirements: ['Art. 32 Abs. 1 lit. a DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TOM-03',
+ domain: 'TOM',
+ title: {
+ de: 'Zugriffskontrolle',
+ en: 'Access control',
+ },
+ description: {
+ de: 'Angemessene Zugriffskontrollmechanismen',
+ en: 'Appropriate access control mechanisms',
+ },
+ passCriteria: {
+ de: 'Rollenbasierte Zugriffskontrolle, Least Privilege, Logging',
+ en: 'Role-based access control, least privilege, logging',
+ },
+ requirements: ['Art. 32 Abs. 1 lit. b DSGVO', 'ISO 27001 A.9'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TOM-04',
+ domain: 'TOM',
+ title: {
+ de: 'Verfügbarkeit und Wiederherstellung',
+ en: 'Availability and recovery',
+ },
+ description: {
+ de: 'Maßnahmen zur Sicherstellung der Verfügbarkeit und Wiederherstellung',
+ en: 'Measures to ensure availability and recovery',
+ },
+ passCriteria: {
+ de: 'Backup-Konzept, DR-Plan, RTO/RPO definiert',
+ en: 'Backup concept, DR plan, RTO/RPO defined',
+ },
+ requirements: ['Art. 32 Abs. 1 lit. 
b, c DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TOM-05',
+ domain: 'TOM',
+ title: {
+ de: 'Regelmäßige TOM-Überprüfung',
+ en: 'Regular TOM review',
+ },
+ description: {
+ de: 'Regelmäßige Überprüfung und Aktualisierung der TOM',
+ en: 'Regular review and update of TOM',
+ },
+ passCriteria: {
+ de: 'TOM werden mindestens jährlich überprüft und bei Bedarf aktualisiert',
+ en: 'TOM are reviewed at least annually and updated as needed',
+ },
+ requirements: ['Art. 32 Abs. 1 lit. d DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TOM-06',
+ domain: 'TOM',
+ title: {
+ de: 'Penetrationstest',
+ en: 'Penetration testing',
+ },
+ description: {
+ de: 'Regelmäßige Penetrationstests der relevanten Systeme',
+ en: 'Regular penetration testing of relevant systems',
+ },
+ passCriteria: {
+ de: 'Jährlicher Pentest, kritische Findings behoben',
+ en: 'Annual pentest, critical findings resolved',
+ },
+ requirements: ['ISO 27001 A.12.6.1'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+]
diff --git a/admin-compliance/lib/sdk/vendor-compliance/risk/transfer-audit.ts b/admin-compliance/lib/sdk/vendor-compliance/risk/transfer-audit.ts
new file mode 100644
index 0000000..71d496d
--- /dev/null
+++ b/admin-compliance/lib/sdk/vendor-compliance/risk/transfer-audit.ts
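Review bot: VND-TOM-02's pass criterion `'TLS 1.2+ für Transit, AES-256 für at Rest'` names only a protocol floor and a key length, so a vendor running TLS 1.2 with legacy cipher suites, or AES-256 in ECB/unauthenticated CBC with the key stored next to the data, would pass an Art. 32(1)(a) check. The criterion should name authenticated encryption and key management, e.g. `de: 'TLS 1.2+ mit aktuellen Cipher-Suiten (Forward Secrecy, AEAD) für Transit; AES-256-GCM oder gleichwertige authentifizierte Verschlüsselung at Rest; Schlüsselverwaltung getrennt von den Daten (KMS/HSM)'` with a matching `en`. VND-TOM-06's `'kritische Findings behoben'` also leaves high-severity findings unaddressed; consider `'kritische und hohe Findings innerhalb definierter SLA behoben'`. VND-TOM-03's `'ISO 27001 A.9'` and VND-TOM-06's `'ISO 27001 A.12.6.1'` are 2013 Annex A references (access control is spread across A.5.15–A.5.18 and A.8.2–A.8.5 in the 2022 edition, technical vulnerability management is A.8.8). How strictly these strings are evaluated is not visible from the data alone.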
@@ -0,0 +1,202 @@
+/**
+ * Transfer and Audit Controls
+ * Domains: TRANSFER, AUDIT
+ */
+
+import { Control } from '../types'
+
+export const TRANSFER_CONTROLS: Control[] = [
+ {
+ id: 'VND-TRF-01',
+ domain: 'TRANSFER',
+ title: {
+ de: 'Drittlandtransfer nur mit Rechtsgrundlage',
+ en: 'Third country transfer with legal basis',
+ },
+ description: {
+ de: 'Drittlandtransfers erfolgen nur auf Basis von SCC, BCR oder Angemessenheitsbeschluss',
+ en: 'Third country transfers only based on SCC, BCR or adequacy decision',
+ },
+ passCriteria: {
+ de: 'SCC oder BCR vertraglich vereinbart ODER Angemessenheitsbeschluss vorhanden',
+ en: 'SCC or BCR contractually agreed OR adequacy decision exists',
+ },
+ requirements: ['Art. 44-49 DSGVO', 'ISO 27001 A.15.1.2'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TRF-02',
+ domain: 'TRANSFER',
+ title: {
+ de: 'Aktuelle Standardvertragsklauseln',
+ en: 'Current Standard Contractual Clauses',
+ },
+ description: {
+ de: 'Bei SCC-Nutzung: Verwendung der aktuellen EU-Kommission-Klauseln (2021)',
+ en: 'When using SCC: Current EU Commission clauses (2021) are used',
+ },
+ passCriteria: {
+ de: 'SCC 2021 (Durchführungsbeschluss (EU) 2021/914) verwendet',
+ en: 'SCC 2021 (Implementing Decision (EU) 2021/914) used',
+ },
+ requirements: ['Art. 46 Abs. 2 lit. 
c DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TRF-03',
+ domain: 'TRANSFER',
+ title: {
+ de: 'Transfer Impact Assessment (TIA)',
+ en: 'Transfer Impact Assessment (TIA)',
+ },
+ description: {
+ de: 'Bei Transfers in Drittländer ohne Angemessenheitsbeschluss ist TIA durchzuführen',
+ en: 'TIA required for transfers to third countries without adequacy decision',
+ },
+ passCriteria: {
+ de: 'TIA dokumentiert und bewertet Risiken als akzeptabel',
+ en: 'TIA documented and risks assessed as acceptable',
+ },
+ requirements: ['Schrems II Urteil', 'EDSA Empfehlungen 01/2020'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TRF-04',
+ domain: 'TRANSFER',
+ title: {
+ de: 'Zusätzliche Schutzmaßnahmen',
+ en: 'Supplementary Measures',
+ },
+ description: {
+ de: 'Bei Bedarf sind zusätzliche technische/organisatorische Maßnahmen implementiert',
+ en: 'Supplementary technical/organizational measures implemented where needed',
+ },
+ passCriteria: {
+ de: 'Ergänzende Maßnahmen dokumentiert (Verschlüsselung, Pseudonymisierung, etc.)',
+ en: 'Supplementary measures documented (encryption, pseudonymization, etc.)',
+ },
+ requirements: ['EDSA Empfehlungen 01/2020'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-TRF-05',
+ domain: 'TRANSFER',
+ title: {
+ de: 'Überwachung Angemessenheitsbeschlüsse',
+ en: 'Monitoring Adequacy Decisions',
+ },
+ description: {
+ de: 'Änderungen bei Angemessenheitsbeschlüssen werden überwacht',
+ en: 'Changes to adequacy decisions are monitored',
+ },
+ passCriteria: {
+ de: 'Prozess zur Überwachung und Reaktion auf Änderungen etabliert',
+ en: 'Process for monitoring and responding to changes established',
+ },
+ requirements: ['Art. 
45 DSGVO'],
+ isRequired: false,
+ defaultFrequency: 'QUARTERLY',
+ },
+]
+
+export const AUDIT_CONTROLS: Control[] = [
+ {
+ id: 'VND-AUD-01',
+ domain: 'AUDIT',
+ title: {
+ de: 'Auditrecht vertraglich vereinbart',
+ en: 'Audit right contractually agreed',
+ },
+ description: {
+ de: 'Vertrag enthält wirksames Auditrecht ohne unangemessene Einschränkungen',
+ en: 'Contract contains effective audit right without unreasonable restrictions',
+ },
+ passCriteria: {
+ de: 'Auditrecht im AVV enthalten, max. 30 Tage Vorlaufzeit, keine Ausschlussklausel',
+ en: 'Audit right in DPA, max 30 days notice, no exclusion clause',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-AUD-02',
+ domain: 'AUDIT',
+ title: {
+ de: 'Vor-Ort-Inspektionen möglich',
+ en: 'On-site inspections possible',
+ },
+ description: {
+ de: 'Vertrag erlaubt Vor-Ort-Inspektionen bei dem Auftragsverarbeiter',
+ en: 'Contract allows on-site inspections at the processor',
+ },
+ passCriteria: {
+ de: 'Vor-Ort-Audit explizit erlaubt, Zugang zu relevanten Bereichen',
+ en: 'On-site audit explicitly allowed, access to relevant areas',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-AUD-03',
+ domain: 'AUDIT',
+ title: {
+ de: 'Aktuelle Zertifizierungen',
+ en: 'Current Certifications',
+ },
+ description: {
+ de: 'Relevante Sicherheitszertifizierungen sind aktuell und gültig',
+ en: 'Relevant security certifications are current and valid',
+ },
+ passCriteria: {
+ de: 'ISO 27001, SOC 2 oder vergleichbar, nicht abgelaufen',
+ en: 'ISO 27001, SOC 2 or equivalent, not expired',
+ },
+ requirements: ['Art. 
32 DSGVO', 'ISO 27001 A.15.1.1'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-AUD-04',
+ domain: 'AUDIT',
+ title: {
+ de: 'Letzte Prüfung durchgeführt',
+ en: 'Last review conducted',
+ },
+ description: {
+ de: 'Vendor wurde innerhalb des Review-Zyklus geprüft',
+ en: 'Vendor was reviewed within the review cycle',
+ },
+ passCriteria: {
+ de: 'Dokumentierte Prüfung innerhalb des festgelegten Intervalls',
+ en: 'Documented review within the defined interval',
+ },
+ requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
+ isRequired: true,
+ defaultFrequency: 'ANNUAL',
+ },
+ {
+ id: 'VND-AUD-05',
+ domain: 'AUDIT',
+ title: {
+ de: 'Prüfberichte verfügbar',
+ en: 'Audit reports available',
+ },
+ description: {
+ de: 'Aktuelle Prüfberichte (SOC 2, Penetrationstest, etc.) liegen vor',
+ en: 'Current audit reports (SOC 2, penetration test, etc.) are available',
+ },
+ passCriteria: {
+ de: 'Prüfberichte nicht älter als 12 Monate',
+ en: 'Audit reports not older than 12 months',
+ },
+ requirements: ['ISO 27001 A.18.2.1'],
+ isRequired: false,
+ defaultFrequency: 'ANNUAL',
+ },
+]
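Review bot: VND-TRF-02 and VND-TRF-03 are `isRequired: true` although their own descriptions make them conditional (`Bei SCC-Nutzung: …`, `Bei Transfers in Drittländer ohne Angemessenheitsbeschluss …`); unless the `Control` type imported from `../types` (not visible here) carries an applicability or not-applicable state, a vendor that processes only inside the EU/EEA or under an adequacy decision can never satisfy these two required controls and will fail the TRANSFER domain. Either set them to `isRequired: false` and keep the condition in the description, or add an explicit applicability field to `Control` and use it here, with a test that a purely intra-EEA vendor passes. VND-TRF-03's requirement `'Schrems II Urteil'` would be more traceable as `'EuGH C-311/18 (Schrems II)'`. The `'ISO 27001 A.15.1.1'`, `'ISO 27001 A.15.1.2'` and `'ISO 27001 A.18.2.1'` references in this file use the 2013 Annex A numbering (A.5.19, A.5.20 and A.5.35 in the 2022 edition), which matters for VND-AUD-03 since a vendor's current certificate will cite the 2022 controls.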