{ "framework_id": "CSA_CCM", "display_name": "Cloud Security Alliance CCM v4", "license": { "type": "restricted", "rag_allowed": false, "use_as_metadata": true, "note": "Abstrahierte Struktur — keine Originaltexte uebernommen" }, "domains": [ { "domain_id": "AIS", "title": "Application and Interface Security", "aliases": ["ais", "application and interface security", "anwendungssicherheit", "schnittstellensicherheit"], "keywords": ["application", "anwendung", "interface", "schnittstelle", "api", "web", "eingabevalidierung"], "subcontrols": [ { "subcontrol_id": "AIS-01", "title": "Application Security Policy", "statement": "Sicherheitsrichtlinien fuer Anwendungsentwicklung und Schnittstellenmanagement muessen definiert und angewendet werden.", "keywords": ["policy", "richtlinie", "entwicklung"], "action_hint": "document", "object_hint": "Anwendungssicherheitsrichtlinie", "object_class": "policy" }, { "subcontrol_id": "AIS-02", "title": "Application Security Design", "statement": "Sicherheitsanforderungen muessen in den Entwurf jeder Anwendung integriert werden.", "keywords": ["design", "entwurf", "security by design"], "action_hint": "implement", "object_hint": "Sicherheitsanforderungen im Anwendungsentwurf", "object_class": "process" }, { "subcontrol_id": "AIS-03", "title": "Application Security Testing", "statement": "Anwendungen muessen vor dem Deployment und regelmaessig auf Sicherheitsschwachstellen getestet werden.", "keywords": ["testing", "test", "sast", "dast", "penetration"], "action_hint": "test", "object_hint": "Anwendungssicherheitstests", "object_class": "process" }, { "subcontrol_id": "AIS-04", "title": "Secure Development Practices", "statement": "Sichere Entwicklungspraktiken (Code Review, Pair Programming, SAST) muessen fuer alle Entwicklungsprojekte gelten.", "keywords": ["development", "entwicklung", "code review", "sast", "praktiken"], "action_hint": "implement", "object_hint": "Sichere Entwicklungspraktiken", "object_class": "process" }, { "subcontrol_id": "AIS-05", "title": "API Security", "statement": "APIs muessen authentifiziert, autorisiert und gegen Missbrauch geschuetzt werden.", "keywords": ["api", "schnittstelle", "authentifizierung", "rate limiting"], "action_hint": "implement", "object_hint": "API-Sicherheitskontrollen", "object_class": "interface" }, { "subcontrol_id": "AIS-06", "title": "Automated Application Security Testing", "statement": "Automatisierte Sicherheitstests muessen in die CI/CD-Pipeline integriert werden.", "keywords": ["automatisiert", "ci/cd", "pipeline", "sast", "dast"], "action_hint": "configure", "object_hint": "Automatisierte Sicherheitstests in CI/CD", "object_class": "configuration" } ] }, { "domain_id": "BCR", "title": "Business Continuity and Resilience", "aliases": ["bcr", "business continuity", "resilience", "geschaeftskontinuitaet", "resilienz"], "keywords": ["continuity", "kontinuitaet", "resilience", "resilienz", "disaster", "recovery", "backup"], "subcontrols": [ { "subcontrol_id": "BCR-01", "title": "Business Continuity Planning", "statement": "Ein Geschaeftskontinuitaetsplan muss erstellt, dokumentiert und regelmaessig getestet werden.", "keywords": ["plan", "kontinuitaet", "geschaeft"], "action_hint": "document", "object_hint": "Geschaeftskontinuitaetsplan", "object_class": "policy" }, { "subcontrol_id": "BCR-02", "title": "Risk Assessment for BCM", "statement": "Risikobewertungen muessen fuer geschaeftskritische Prozesse durchgefuehrt werden.", "keywords": ["risiko", "bewertung", "kritisch"], "action_hint": "assess", "object_hint": "BCM-Risikobewertung", "object_class": "risk_artifact" }, { "subcontrol_id": "BCR-03", "title": "Backup and Recovery", "statement": "Datensicherungen muessen regelmaessig erstellt und Wiederherstellungstests durchgefuehrt werden.", "keywords": ["backup", "sicherung", "wiederherstellung", "recovery"], "action_hint": "maintain", "object_hint": "Datensicherung und Wiederherstellung", "object_class": "technical_control" }, { "subcontrol_id": "BCR-04", "title": "Disaster Recovery Planning", "statement": "Ein Disaster-Recovery-Plan muss dokumentiert und jaehrlich getestet werden.", "keywords": ["disaster", "recovery", "katastrophe"], "action_hint": "document", "object_hint": "Disaster-Recovery-Plan", "object_class": "policy" } ] }, { "domain_id": "CCC", "title": "Change Control and Configuration Management", "aliases": ["ccc", "change control", "configuration management", "aenderungsmanagement", "konfigurationsmanagement"], "keywords": ["change", "aenderung", "konfiguration", "configuration", "release", "deployment"], "subcontrols": [ { "subcontrol_id": "CCC-01", "title": "Change Management Policy", "statement": "Ein Aenderungsmanagement-Prozess muss definiert und fuer alle Aenderungen angewendet werden.", "keywords": ["policy", "richtlinie", "aenderung"], "action_hint": "document", "object_hint": "Aenderungsmanagement-Richtlinie", "object_class": "policy" }, { "subcontrol_id": "CCC-02", "title": "Change Testing", "statement": "Aenderungen muessen vor der Produktivsetzung getestet und genehmigt werden.", "keywords": ["test", "genehmigung", "approval"], "action_hint": "test", "object_hint": "Aenderungstests", "object_class": "process" }, { "subcontrol_id": "CCC-03", "title": "Configuration Baseline", "statement": "Basiskonfigurationen fuer alle Systeme muessen definiert und dokumentiert werden.", "keywords": ["baseline", "basis", "standard"], "action_hint": "define", "object_hint": "Konfigurationsbaseline", "object_class": "configuration" } ] }, { "domain_id": "CEK", "title": "Cryptography, Encryption and Key Management", "aliases": ["cek", "cryptography", "encryption", "key management", "kryptographie", "verschluesselung", "schluesselverwaltung"], "keywords": ["kryptographie", "verschluesselung", "schluessel", "key", "encryption", "certificate", "zertifikat"], "subcontrols": [ { "subcontrol_id": "CEK-01", "title": "Encryption Policy", "statement": "Verschluesselungsrichtlinien muessen definiert werden, die Algorithmen, Schluessellaengen und Einsatzbereiche festlegen.", "keywords": ["policy", "richtlinie", "algorithmus"], "action_hint": "document", "object_hint": "Verschluesselungsrichtlinie", "object_class": "policy" }, { "subcontrol_id": "CEK-02", "title": "Key Management", "statement": "Kryptographische Schluessel muessen ueber ihren Lebenszyklus sicher verwaltet werden.", "keywords": ["key", "schluessel", "management", "lebenszyklus"], "action_hint": "maintain", "object_hint": "Schluesselverwaltung", "object_class": "cryptographic_control" }, { "subcontrol_id": "CEK-03", "title": "Data Encryption", "statement": "Sensible Daten muessen bei Speicherung und Uebertragung verschluesselt werden.", "keywords": ["data", "daten", "speicherung", "uebertragung"], "action_hint": "encrypt", "object_hint": "Datenverschluesselung", "object_class": "cryptographic_control" } ] }, { "domain_id": "DSP", "title": "Data Security and Privacy", "aliases": ["dsp", "data security", "privacy", "datensicherheit", "datenschutz"], "keywords": ["datenschutz", "datensicherheit", "privacy", "data security", "pii", "personenbezogen", "dsgvo"], "subcontrols": [ { "subcontrol_id": "DSP-01", "title": "Data Classification", "statement": "Daten muessen nach Sensibilitaet klassifiziert und entsprechend geschuetzt werden.", "keywords": ["klassifizierung", "sensibilitaet", "classification"], "action_hint": "define", "object_hint": "Datenklassifizierung", "object_class": "data" }, { "subcontrol_id": "DSP-02", "title": "Data Inventory", "statement": "Ein Dateninventar muss gefuehrt werden, das alle Verarbeitungen personenbezogener Daten dokumentiert.", "keywords": ["inventar", "verzeichnis", "verarbeitung", "vvt"], "action_hint": "maintain", "object_hint": "Dateninventar", "object_class": "register" }, { "subcontrol_id": "DSP-03", "title": "Data Retention and Deletion", "statement": "Aufbewahrungsfristen muessen definiert und Daten nach Ablauf sicher geloescht werden.", "keywords": ["retention", "aufbewahrung", "loeschung", "frist"], "action_hint": "delete", "object_hint": "Datenloeschung nach Frist", "object_class": "data" }, { "subcontrol_id": "DSP-04", "title": "Privacy Impact Assessment", "statement": "Datenschutz-Folgenabschaetzungen muessen fuer risikoreiche Verarbeitungen durchgefuehrt werden.", "keywords": ["dsfa", "pia", "folgenabschaetzung", "impact"], "action_hint": "assess", "object_hint": "Datenschutz-Folgenabschaetzung", "object_class": "risk_artifact" }, { "subcontrol_id": "DSP-05", "title": "Data Subject Rights", "statement": "Verfahren zur Bearbeitung von Betroffenenrechten muessen implementiert werden.", "keywords": ["betroffenenrechte", "auskunft", "loeschung", "data subject"], "action_hint": "implement", "object_hint": "Betroffenenrechte-Verfahren", "object_class": "process" } ] }, { "domain_id": "GRC", "title": "Governance, Risk and Compliance", "aliases": ["grc", "governance", "risk", "compliance", "risikomanagement"], "keywords": ["governance", "risiko", "compliance", "management", "policy", "richtlinie"], "subcontrols": [ { "subcontrol_id": "GRC-01", "title": "Information Security Program", "statement": "Ein umfassendes Informationssicherheitsprogramm muss etabliert und aufrechterhalten werden.", "keywords": ["programm", "sicherheit", "information"], "action_hint": "maintain", "object_hint": "Informationssicherheitsprogramm", "object_class": "policy" }, { "subcontrol_id": "GRC-02", "title": "Risk Management Program", "statement": "Ein Risikomanagement-Programm muss implementiert werden, das Identifikation, Bewertung und Behandlung umfasst.", "keywords": ["risiko", "management", "bewertung", "behandlung"], "action_hint": "implement", "object_hint": "Risikomanagement-Programm", "object_class": "process" }, { "subcontrol_id": "GRC-03", "title": "Compliance Monitoring", "statement": "Die Einhaltung regulatorischer und vertraglicher Anforderungen muss ueberwacht werden.", "keywords": ["compliance", "einhaltung", "regulatorisch", "ueberwachung"], "action_hint": "monitor", "object_hint": "Compliance-Ueberwachung", "object_class": "process" } ] }, { "domain_id": "IAM", "title": "Identity and Access Management", "aliases": ["iam", "identity", "access management", "identitaetsmanagement", "zugriffsverwaltung"], "keywords": ["identitaet", "zugriff", "identity", "access", "authentifizierung", "autorisierung", "sso"], "subcontrols": [ { "subcontrol_id": "IAM-01", "title": "Identity and Access Policy", "statement": "Identitaets- und Zugriffsmanagement-Richtlinien muessen definiert werden.", "keywords": ["policy", "richtlinie"], "action_hint": "document", "object_hint": "IAM-Richtlinie", "object_class": "policy" }, { "subcontrol_id": "IAM-02", "title": "Strong Authentication", "statement": "Starke Authentifizierung (MFA) muss fuer administrative und sicherheitskritische Zugriffe gefordert werden.", "keywords": ["mfa", "stark", "authentifizierung", "admin"], "action_hint": "implement", "object_hint": "Starke Authentifizierung", "object_class": "technical_control" }, { "subcontrol_id": "IAM-03", "title": "Identity Lifecycle Management", "statement": "Identitaeten muessen ueber ihren gesamten Lebenszyklus verwaltet werden.", "keywords": ["lifecycle", "lebenszyklus", "onboarding", "offboarding"], "action_hint": "maintain", "object_hint": "Identitaets-Lebenszyklus", "object_class": "account" }, { "subcontrol_id": "IAM-04", "title": "Access Review", "statement": "Zugriffsrechte muessen regelmaessig ueberprueft und ueberschuessige Rechte entzogen werden.", "keywords": ["review", "ueberpruefen", "rechte", "rezertifizierung"], "action_hint": "review", "object_hint": "Zugriffsrechte-Review", "object_class": "access_control" } ] }, { "domain_id": "LOG", "title": "Logging and Monitoring", "aliases": ["log", "logging", "monitoring", "protokollierung", "ueberwachung"], "keywords": ["logging", "monitoring", "protokollierung", "ueberwachung", "siem", "alarm"], "subcontrols": [ { "subcontrol_id": "LOG-01", "title": "Logging Policy", "statement": "Protokollierungs-Richtlinien muessen definiert werden, die Umfang und Aufbewahrung festlegen.", "keywords": ["policy", "richtlinie", "umfang", "aufbewahrung"], "action_hint": "document", "object_hint": "Protokollierungsrichtlinie", "object_class": "policy" }, { "subcontrol_id": "LOG-02", "title": "Security Event Logging", "statement": "Sicherheitsrelevante Ereignisse muessen erfasst und zentral gespeichert werden.", "keywords": ["event", "ereignis", "sicherheit", "zentral"], "action_hint": "configure", "object_hint": "Sicherheits-Event-Logging", "object_class": "configuration" }, { "subcontrol_id": "LOG-03", "title": "Monitoring and Alerting", "statement": "Sicherheitsrelevante Logs muessen ueberwacht und bei Anomalien Alarme ausgeloest werden.", "keywords": ["monitoring", "alerting", "alarm", "anomalie"], "action_hint": "monitor", "object_hint": "Log-Ueberwachung und Alarmierung", "object_class": "technical_control" } ] }, { "domain_id": "SEF", "title": "Security Incident Management", "aliases": ["sef", "security incident", "incident management", "vorfallmanagement", "sicherheitsvorfall"], "keywords": ["vorfall", "incident", "sicherheitsvorfall", "reaktion", "response", "meldung"], "subcontrols": [ { "subcontrol_id": "SEF-01", "title": "Incident Management Policy", "statement": "Ein Vorfallmanagement-Prozess muss definiert, dokumentiert und getestet werden.", "keywords": ["policy", "richtlinie", "prozess"], "action_hint": "document", "object_hint": "Vorfallmanagement-Richtlinie", "object_class": "policy" }, { "subcontrol_id": "SEF-02", "title": "Incident Response Team", "statement": "Ein Incident-Response-Team muss benannt und geschult werden.", "keywords": ["team", "response", "schulung"], "action_hint": "define", "object_hint": "Incident-Response-Team", "object_class": "role" }, { "subcontrol_id": "SEF-03", "title": "Incident Reporting", "statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an zustaendige Stellen gemeldet werden.", "keywords": ["reporting", "meldung", "frist", "behoerde"], "action_hint": "report", "object_hint": "Vorfallmeldung", "object_class": "incident" }, { "subcontrol_id": "SEF-04", "title": "Incident Lessons Learned", "statement": "Nach jedem Vorfall muss eine Nachbereitung mit Lessons Learned durchgefuehrt werden.", "keywords": ["lessons learned", "nachbereitung", "verbesserung"], "action_hint": "review", "object_hint": "Vorfall-Nachbereitung", "object_class": "record" } ] }, { "domain_id": "TVM", "title": "Threat and Vulnerability Management", "aliases": ["tvm", "threat", "vulnerability", "schwachstelle", "bedrohung", "schwachstellenmanagement"], "keywords": ["schwachstelle", "vulnerability", "threat", "bedrohung", "patch", "scan"], "subcontrols": [ { "subcontrol_id": "TVM-01", "title": "Vulnerability Management Policy", "statement": "Schwachstellenmanagement-Richtlinien muessen definiert und umgesetzt werden.", "keywords": ["policy", "richtlinie"], "action_hint": "document", "object_hint": "Schwachstellenmanagement-Richtlinie", "object_class": "policy" }, { "subcontrol_id": "TVM-02", "title": "Vulnerability Scanning", "statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt werden.", "keywords": ["scan", "scanning", "regelmaessig"], "action_hint": "test", "object_hint": "Schwachstellenscan", "object_class": "system" }, { "subcontrol_id": "TVM-03", "title": "Vulnerability Remediation", "statement": "Erkannte Schwachstellen muessen priorisiert und innerhalb definierter Fristen behoben werden.", "keywords": ["remediation", "behebung", "frist", "priorisierung"], "action_hint": "remediate", "object_hint": "Schwachstellenbehebung", "object_class": "system" }, { "subcontrol_id": "TVM-04", "title": "Penetration Testing", "statement": "Regelmaessige Penetrationstests muessen durchgefuehrt werden.", "keywords": ["penetration", "pentest", "test"], "action_hint": "test", "object_hint": "Penetrationstest", "object_class": "system" } ] } ] }