Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48ca0a6bef5157dc4690eb0b811df87cfbf8b4fc
breakpilot-compliance/backend-compliance/compliance/data/frameworks/csa_ccm.json
Benjamin Admin 48ca0a6bef feat: Framework Decomposition Engine + Composite Detection for Pass 0b 
Adds a routing layer between Pass 0a and Pass 0b that classifies obligations
into atomic/compound/framework_container. Framework-container obligations
(e.g. "CCM-Praktiken fuer AIS") are decomposed into concrete sub-obligations
via an internal framework registry before Pass 0b composition.

- New: framework_decomposition.py with routing, matching, decomposition
- New: Framework registry (NIST SP 800-53, OWASP ASVS, CSA CCM) as JSON
- New: Composite detection flags on atomic controls (is_composite, atomicity)
- New: gen_meta fields: framework_ref, framework_domain, decomposition_source
- Integration: _route_and_compose() in run_pass0b() deterministic path
- 248 tests (198 decomposition + 50 framework), all passing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 12:11:55 +01:00

444 lines
19 KiB
JSON
Raw Blame History

{
"framework_id": "CSA_CCM",
"display_name": "Cloud Security Alliance CCM v4",
"license": {
"type": "restricted",
"rag_allowed": false,
"use_as_metadata": true,
"note": "Abstrahierte Struktur — keine Originaltexte uebernommen"
},
"domains": [
{
"domain_id": "AIS",
"title": "Application and Interface Security",
"aliases": ["ais", "application and interface security", "anwendungssicherheit", "schnittstellensicherheit"],
"keywords": ["application", "anwendung", "interface", "schnittstelle", "api", "web", "eingabevalidierung"],
"subcontrols": [
{
"subcontrol_id": "AIS-01",
"title": "Application Security Policy",
"statement": "Sicherheitsrichtlinien fuer Anwendungsentwicklung und Schnittstellenmanagement muessen definiert und angewendet werden.",
"keywords": ["policy", "richtlinie", "entwicklung"],
"action_hint": "document",
"object_hint": "Anwendungssicherheitsrichtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "AIS-02",
"title": "Application Security Design",
"statement": "Sicherheitsanforderungen muessen in den Entwurf jeder Anwendung integriert werden.",
"keywords": ["design", "entwurf", "security by design"],
"action_hint": "implement",
"object_hint": "Sicherheitsanforderungen im Anwendungsentwurf",
"object_class": "process"
},
{
"subcontrol_id": "AIS-03",
"title": "Application Security Testing",
"statement": "Anwendungen muessen vor dem Deployment und regelmaessig auf Sicherheitsschwachstellen getestet werden.",
"keywords": ["testing", "test", "sast", "dast", "penetration"],
"action_hint": "test",
"object_hint": "Anwendungssicherheitstests",
"object_class": "process"
},
{
"subcontrol_id": "AIS-04",
"title": "Secure Development Practices",
"statement": "Sichere Entwicklungspraktiken (Code Review, Pair Programming, SAST) muessen fuer alle Entwicklungsprojekte gelten.",
"keywords": ["development", "entwicklung", "code review", "sast", "praktiken"],
"action_hint": "implement",
"object_hint": "Sichere Entwicklungspraktiken",
"object_class": "process"
},
{
"subcontrol_id": "AIS-05",
"title": "API Security",
"statement": "APIs muessen authentifiziert, autorisiert und gegen Missbrauch geschuetzt werden.",
"keywords": ["api", "schnittstelle", "authentifizierung", "rate limiting"],
"action_hint": "implement",
"object_hint": "API-Sicherheitskontrollen",
"object_class": "interface"
},
{
"subcontrol_id": "AIS-06",
"title": "Automated Application Security Testing",
"statement": "Automatisierte Sicherheitstests muessen in die CI/CD-Pipeline integriert werden.",
"keywords": ["automatisiert", "ci/cd", "pipeline", "sast", "dast"],
"action_hint": "configure",
"object_hint": "Automatisierte Sicherheitstests in CI/CD",
"object_class": "configuration"
}
]
},
{
"domain_id": "BCR",
"title": "Business Continuity and Resilience",
"aliases": ["bcr", "business continuity", "resilience", "geschaeftskontinuitaet", "resilienz"],
"keywords": ["continuity", "kontinuitaet", "resilience", "resilienz", "disaster", "recovery", "backup"],
"subcontrols": [
{
"subcontrol_id": "BCR-01",
"title": "Business Continuity Planning",
"statement": "Ein Geschaeftskontinuitaetsplan muss erstellt, dokumentiert und regelmaessig getestet werden.",
"keywords": ["plan", "kontinuitaet", "geschaeft"],
"action_hint": "document",
"object_hint": "Geschaeftskontinuitaetsplan",
"object_class": "policy"
},
{
"subcontrol_id": "BCR-02",
"title": "Risk Assessment for BCM",
"statement": "Risikobewertungen muessen fuer geschaeftskritische Prozesse durchgefuehrt werden.",
"keywords": ["risiko", "bewertung", "kritisch"],
"action_hint": "assess",
"object_hint": "BCM-Risikobewertung",
"object_class": "risk_artifact"
},
{
"subcontrol_id": "BCR-03",
"title": "Backup and Recovery",
"statement": "Datensicherungen muessen regelmaessig erstellt und Wiederherstellungstests durchgefuehrt werden.",
"keywords": ["backup", "sicherung", "wiederherstellung", "recovery"],
"action_hint": "maintain",
"object_hint": "Datensicherung und Wiederherstellung",
"object_class": "technical_control"
},
{
"subcontrol_id": "BCR-04",
"title": "Disaster Recovery Planning",
"statement": "Ein Disaster-Recovery-Plan muss dokumentiert und jaehrlich getestet werden.",
"keywords": ["disaster", "recovery", "katastrophe"],
"action_hint": "document",
"object_hint": "Disaster-Recovery-Plan",
"object_class": "policy"
}
]
},
{
"domain_id": "CCC",
"title": "Change Control and Configuration Management",
"aliases": ["ccc", "change control", "configuration management", "aenderungsmanagement", "konfigurationsmanagement"],
"keywords": ["change", "aenderung", "konfiguration", "configuration", "release", "deployment"],
"subcontrols": [
{
"subcontrol_id": "CCC-01",
"title": "Change Management Policy",
"statement": "Ein Aenderungsmanagement-Prozess muss definiert und fuer alle Aenderungen angewendet werden.",
"keywords": ["policy", "richtlinie", "aenderung"],
"action_hint": "document",
"object_hint": "Aenderungsmanagement-Richtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "CCC-02",
"title": "Change Testing",
"statement": "Aenderungen muessen vor der Produktivsetzung getestet und genehmigt werden.",
"keywords": ["test", "genehmigung", "approval"],
"action_hint": "test",
"object_hint": "Aenderungstests",
"object_class": "process"
},
{
"subcontrol_id": "CCC-03",
"title": "Configuration Baseline",
"statement": "Basiskonfigurationen fuer alle Systeme muessen definiert und dokumentiert werden.",
"keywords": ["baseline", "basis", "standard"],
"action_hint": "define",
"object_hint": "Konfigurationsbaseline",
"object_class": "configuration"
}
]
},
{
"domain_id": "CEK",
"title": "Cryptography, Encryption and Key Management",
"aliases": ["cek", "cryptography", "encryption", "key management", "kryptographie", "verschluesselung", "schluesselverwaltung"],
"keywords": ["kryptographie", "verschluesselung", "schluessel", "key", "encryption", "certificate", "zertifikat"],
"subcontrols": [
{
"subcontrol_id": "CEK-01",
"title": "Encryption Policy",
"statement": "Verschluesselungsrichtlinien muessen definiert werden, die Algorithmen, Schluessellaengen und Einsatzbereiche festlegen.",
"keywords": ["policy", "richtlinie", "algorithmus"],
"action_hint": "document",
"object_hint": "Verschluesselungsrichtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "CEK-02",
"title": "Key Management",
"statement": "Kryptographische Schluessel muessen ueber ihren Lebenszyklus sicher verwaltet werden.",
"keywords": ["key", "schluessel", "management", "lebenszyklus"],
"action_hint": "maintain",
"object_hint": "Schluesselverwaltung",
"object_class": "cryptographic_control"
},
{
"subcontrol_id": "CEK-03",
"title": "Data Encryption",
"statement": "Sensible Daten muessen bei Speicherung und Uebertragung verschluesselt werden.",
"keywords": ["data", "daten", "speicherung", "uebertragung"],
"action_hint": "encrypt",
"object_hint": "Datenverschluesselung",
"object_class": "cryptographic_control"
}
]
},
{
"domain_id": "DSP",
"title": "Data Security and Privacy",
"aliases": ["dsp", "data security", "privacy", "datensicherheit", "datenschutz"],
"keywords": ["datenschutz", "datensicherheit", "privacy", "data security", "pii", "personenbezogen", "dsgvo"],
"subcontrols": [
{
"subcontrol_id": "DSP-01",
"title": "Data Classification",
"statement": "Daten muessen nach Sensibilitaet klassifiziert und entsprechend geschuetzt werden.",
"keywords": ["klassifizierung", "sensibilitaet", "classification"],
"action_hint": "define",
"object_hint": "Datenklassifizierung",
"object_class": "data"
},
{
"subcontrol_id": "DSP-02",
"title": "Data Inventory",
"statement": "Ein Dateninventar muss gefuehrt werden, das alle Verarbeitungen personenbezogener Daten dokumentiert.",
"keywords": ["inventar", "verzeichnis", "verarbeitung", "vvt"],
"action_hint": "maintain",
"object_hint": "Dateninventar",
"object_class": "register"
},
{
"subcontrol_id": "DSP-03",
"title": "Data Retention and Deletion",
"statement": "Aufbewahrungsfristen muessen definiert und Daten nach Ablauf sicher geloescht werden.",
"keywords": ["retention", "aufbewahrung", "loeschung", "frist"],
"action_hint": "delete",
"object_hint": "Datenloeschung nach Frist",
"object_class": "data"
},
{
"subcontrol_id": "DSP-04",
"title": "Privacy Impact Assessment",
"statement": "Datenschutz-Folgenabschaetzungen muessen fuer risikoreiche Verarbeitungen durchgefuehrt werden.",
"keywords": ["dsfa", "pia", "folgenabschaetzung", "impact"],
"action_hint": "assess",
"object_hint": "Datenschutz-Folgenabschaetzung",
"object_class": "risk_artifact"
},
{
"subcontrol_id": "DSP-05",
"title": "Data Subject Rights",
"statement": "Verfahren zur Bearbeitung von Betroffenenrechten muessen implementiert werden.",
"keywords": ["betroffenenrechte", "auskunft", "loeschung", "data subject"],
"action_hint": "implement",
"object_hint": "Betroffenenrechte-Verfahren",
"object_class": "process"
}
]
},
{
"domain_id": "GRC",
"title": "Governance, Risk and Compliance",
"aliases": ["grc", "governance", "risk", "compliance", "risikomanagement"],
"keywords": ["governance", "risiko", "compliance", "management", "policy", "richtlinie"],
"subcontrols": [
{
"subcontrol_id": "GRC-01",
"title": "Information Security Program",
"statement": "Ein umfassendes Informationssicherheitsprogramm muss etabliert und aufrechterhalten werden.",
"keywords": ["programm", "sicherheit", "information"],
"action_hint": "maintain",
"object_hint": "Informationssicherheitsprogramm",
"object_class": "policy"
},
{
"subcontrol_id": "GRC-02",
"title": "Risk Management Program",
"statement": "Ein Risikomanagement-Programm muss implementiert werden, das Identifikation, Bewertung und Behandlung umfasst.",
"keywords": ["risiko", "management", "bewertung", "behandlung"],
"action_hint": "implement",
"object_hint": "Risikomanagement-Programm",
"object_class": "process"
},
{
"subcontrol_id": "GRC-03",
"title": "Compliance Monitoring",
"statement": "Die Einhaltung regulatorischer und vertraglicher Anforderungen muss ueberwacht werden.",
"keywords": ["compliance", "einhaltung", "regulatorisch", "ueberwachung"],
"action_hint": "monitor",
"object_hint": "Compliance-Ueberwachung",
"object_class": "process"
}
]
},
{
"domain_id": "IAM",
"title": "Identity and Access Management",
"aliases": ["iam", "identity", "access management", "identitaetsmanagement", "zugriffsverwaltung"],
"keywords": ["identitaet", "zugriff", "identity", "access", "authentifizierung", "autorisierung", "sso"],
"subcontrols": [
{
"subcontrol_id": "IAM-01",
"title": "Identity and Access Policy",
"statement": "Identitaets- und Zugriffsmanagement-Richtlinien muessen definiert werden.",
"keywords": ["policy", "richtlinie"],
"action_hint": "document",
"object_hint": "IAM-Richtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "IAM-02",
"title": "Strong Authentication",
"statement": "Starke Authentifizierung (MFA) muss fuer administrative und sicherheitskritische Zugriffe gefordert werden.",
"keywords": ["mfa", "stark", "authentifizierung", "admin"],
"action_hint": "implement",
"object_hint": "Starke Authentifizierung",
"object_class": "technical_control"
},
{
"subcontrol_id": "IAM-03",
"title": "Identity Lifecycle Management",
"statement": "Identitaeten muessen ueber ihren gesamten Lebenszyklus verwaltet werden.",
"keywords": ["lifecycle", "lebenszyklus", "onboarding", "offboarding"],
"action_hint": "maintain",
"object_hint": "Identitaets-Lebenszyklus",
"object_class": "account"
},
{
"subcontrol_id": "IAM-04",
"title": "Access Review",
"statement": "Zugriffsrechte muessen regelmaessig ueberprueft und ueberschuessige Rechte entzogen werden.",
"keywords": ["review", "ueberpruefen", "rechte", "rezertifizierung"],
"action_hint": "review",
"object_hint": "Zugriffsrechte-Review",
"object_class": "access_control"
}
]
},
{
"domain_id": "LOG",
"title": "Logging and Monitoring",
"aliases": ["log", "logging", "monitoring", "protokollierung", "ueberwachung"],
"keywords": ["logging", "monitoring", "protokollierung", "ueberwachung", "siem", "alarm"],
"subcontrols": [
{
"subcontrol_id": "LOG-01",
"title": "Logging Policy",
"statement": "Protokollierungs-Richtlinien muessen definiert werden, die Umfang und Aufbewahrung festlegen.",
"keywords": ["policy", "richtlinie", "umfang", "aufbewahrung"],
"action_hint": "document",
"object_hint": "Protokollierungsrichtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "LOG-02",
"title": "Security Event Logging",
"statement": "Sicherheitsrelevante Ereignisse muessen erfasst und zentral gespeichert werden.",
"keywords": ["event", "ereignis", "sicherheit", "zentral"],
"action_hint": "configure",
"object_hint": "Sicherheits-Event-Logging",
"object_class": "configuration"
},
{
"subcontrol_id": "LOG-03",
"title": "Monitoring and Alerting",
"statement": "Sicherheitsrelevante Logs muessen ueberwacht und bei Anomalien Alarme ausgeloest werden.",
"keywords": ["monitoring", "alerting", "alarm", "anomalie"],
"action_hint": "monitor",
"object_hint": "Log-Ueberwachung und Alarmierung",
"object_class": "technical_control"
}
]
},
{
"domain_id": "SEF",
"title": "Security Incident Management",
"aliases": ["sef", "security incident", "incident management", "vorfallmanagement", "sicherheitsvorfall"],
"keywords": ["vorfall", "incident", "sicherheitsvorfall", "reaktion", "response", "meldung"],
"subcontrols": [
{
"subcontrol_id": "SEF-01",
"title": "Incident Management Policy",
"statement": "Ein Vorfallmanagement-Prozess muss definiert, dokumentiert und getestet werden.",
"keywords": ["policy", "richtlinie", "prozess"],
"action_hint": "document",
"object_hint": "Vorfallmanagement-Richtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "SEF-02",
"title": "Incident Response Team",
"statement": "Ein Incident-Response-Team muss benannt und geschult werden.",
"keywords": ["team", "response", "schulung"],
"action_hint": "define",
"object_hint": "Incident-Response-Team",
"object_class": "role"
},
{
"subcontrol_id": "SEF-03",
"title": "Incident Reporting",
"statement": "Sicherheitsvorfaelle muessen innerhalb definierter Fristen an zustaendige Stellen gemeldet werden.",
"keywords": ["reporting", "meldung", "frist", "behoerde"],
"action_hint": "report",
"object_hint": "Vorfallmeldung",
"object_class": "incident"
},
{
"subcontrol_id": "SEF-04",
"title": "Incident Lessons Learned",
"statement": "Nach jedem Vorfall muss eine Nachbereitung mit Lessons Learned durchgefuehrt werden.",
"keywords": ["lessons learned", "nachbereitung", "verbesserung"],
"action_hint": "review",
"object_hint": "Vorfall-Nachbereitung",
"object_class": "record"
}
]
},
{
"domain_id": "TVM",
"title": "Threat and Vulnerability Management",
"aliases": ["tvm", "threat", "vulnerability", "schwachstelle", "bedrohung", "schwachstellenmanagement"],
"keywords": ["schwachstelle", "vulnerability", "threat", "bedrohung", "patch", "scan"],
"subcontrols": [
{
"subcontrol_id": "TVM-01",
"title": "Vulnerability Management Policy",
"statement": "Schwachstellenmanagement-Richtlinien muessen definiert und umgesetzt werden.",
"keywords": ["policy", "richtlinie"],
"action_hint": "document",
"object_hint": "Schwachstellenmanagement-Richtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "TVM-02",
"title": "Vulnerability Scanning",
"statement": "Systeme muessen regelmaessig auf Schwachstellen gescannt werden.",
"keywords": ["scan", "scanning", "regelmaessig"],
"action_hint": "test",
"object_hint": "Schwachstellenscan",
"object_class": "system"
},
{
"subcontrol_id": "TVM-03",
"title": "Vulnerability Remediation",
"statement": "Erkannte Schwachstellen muessen priorisiert und innerhalb definierter Fristen behoben werden.",
"keywords": ["remediation", "behebung", "frist", "priorisierung"],
"action_hint": "remediate",
"object_hint": "Schwachstellenbehebung",
"object_class": "system"
},
{
"subcontrol_id": "TVM-04",
"title": "Penetration Testing",
"statement": "Regelmaessige Penetrationstests muessen durchgefuehrt werden.",
"keywords": ["penetration", "pentest", "test"],
"action_hint": "test",
"object_hint": "Penetrationstest",
"object_class": "system"
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink