Services: Admin-Compliance, Backend-Compliance, AI-Compliance-SDK, Consent-SDK, Developer-Portal, PCA-Platform, DSMS Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
// Package ucca implements the Unified Compliance Control Assessment engine
package ucca
// loadBuiltInRules registers the built-in compliance rule catalog in e.rules,
// keyed by rule ID.
//
// The catalog covers DSGVO (GDPR), NIS2, the EU AI Act and a handful of
// cross-regulation rules. Conditions lists the finding identifiers a rule is
// evaluated against; the matching semantics (all-of vs. any-of) live in the
// evaluator, not here. Because these identifiers are plain strings, a rule
// whose condition is never produced by the assessment input is silently
// unreachable — keep them in sync with whatever emits the findings.
func (e *Engine) loadBuiltInRules() {
	catalog := []Rule{
		// --- DSGVO (GDPR) ---
		{
			ID:          "DSGVO-001",
			Regulation:  "DSGVO",
			Article:     "30",
			Severity:    "HIGH",
			Category:    "DOCUMENTATION",
			Name:        "Verarbeitungsverzeichnis erforderlich",
			Description: "Ein Verzeichnis aller Verarbeitungstätigkeiten muss geführt werden",
			Conditions:  []string{"no_processing_activities"},
		},
		{
			ID:          "DSGVO-002",
			Regulation:  "DSGVO",
			Article:     "32",
			Severity:    "HIGH",
			Category:    "SECURITY",
			Name:        "Technische und organisatorische Maßnahmen",
			Description: "Angemessene TOMs müssen implementiert sein",
			Conditions:  []string{"no_toms"},
		},
		{
			ID:          "DSGVO-003",
			Regulation:  "DSGVO",
			Article:     "35",
			Severity:    "HIGH",
			Category:    "RISK",
			Name:        "Datenschutz-Folgenabschätzung",
			Description: "DSFA bei hohem Risiko erforderlich",
			Conditions:  []string{"high_risk_processing", "no_dsfa"},
		},
		{
			ID:          "DSGVO-004",
			Regulation:  "DSGVO",
			Article:     "15-22",
			Severity:    "CRITICAL",
			Category:    "RIGHTS",
			Name:        "Betroffenenrechte",
			Description: "Prozesse für DSR-Anfragen müssen etabliert sein",
			Conditions:  []string{"no_dsr_process"},
		},
		{
			ID:          "DSGVO-005",
			Regulation:  "DSGVO",
			Article:     "7",
			Severity:    "HIGH",
			Category:    "CONSENT",
			Name:        "Einwilligungsmanagement",
			Description: "Einwilligungen müssen dokumentiert und nachweisbar sein",
			Conditions:  []string{"no_consent_management"},
		},
		{
			ID:          "DSGVO-006",
			Regulation:  "DSGVO",
			Article:     "37",
			Severity:    "MEDIUM",
			Category:    "ORGANIZATION",
			Name:        "Datenschutzbeauftragter",
			Description: "DSB muss benannt sein wenn erforderlich",
			Conditions:  []string{"dpo_required", "no_dpo"},
		},
		{
			ID:          "DSGVO-007",
			Regulation:  "DSGVO",
			Article:     "28",
			Severity:    "HIGH",
			Category:    "CONTRACTS",
			Name:        "Auftragsverarbeitung",
			Description: "AVV mit allen Auftragsverarbeitern erforderlich",
			Conditions:  []string{"has_processors", "missing_dpa"},
		},
		{
			ID:          "DSGVO-008",
			Regulation:  "DSGVO",
			Article:     "17",
			Severity:    "MEDIUM",
			Category:    "RETENTION",
			Name:        "Löschkonzept",
			Description: "Löschfristen und -prozesse müssen definiert sein",
			Conditions:  []string{"no_retention_policies"},
		},

		// --- NIS2 ---
		{
			ID:          "NIS2-001",
			Regulation:  "NIS2",
			Article:     "21",
			Severity:    "CRITICAL",
			Category:    "RISK",
			Name:        "Risikomanagement-Maßnahmen",
			Description: "Umfassende Cybersecurity-Risikomanagement-Maßnahmen erforderlich",
			Conditions:  []string{"no_risk_management"},
		},
		{
			ID:          "NIS2-002",
			Regulation:  "NIS2",
			Article:     "23",
			Severity:    "CRITICAL",
			Category:    "INCIDENT",
			Name:        "Incident-Meldung",
			Description: "Meldepflicht bei Sicherheitsvorfällen",
			Conditions:  []string{"no_incident_process"},
		},
		{
			ID:          "NIS2-003",
			Regulation:  "NIS2",
			Article:     "21.2d",
			Severity:    "HIGH",
			Category:    "SUPPLY_CHAIN",
			Name:        "Supply Chain Security",
			Description: "Sicherheit der Lieferkette muss gewährleistet sein",
			Conditions:  []string{"no_supply_chain_security"},
		},
		{
			ID:          "NIS2-004",
			Regulation:  "NIS2",
			Article:     "21.2c",
			Severity:    "HIGH",
			Category:    "BCM",
			Name:        "Business Continuity",
			Description: "Geschäftskontinuitätsmanagement erforderlich",
			Conditions:  []string{"no_bcm"},
		},
		{
			ID:          "NIS2-005",
			Regulation:  "NIS2",
			Article:     "21.2h",
			Severity:    "MEDIUM",
			Category:    "ENCRYPTION",
			Name:        "Kryptografie",
			Description: "Richtlinien für Kryptografie und Verschlüsselung",
			Conditions:  []string{"no_crypto_policy"},
		},

		// --- EU AI Act ---
		{
			ID:          "AIACT-001",
			Regulation:  "AI_ACT",
			Article:     "6",
			Severity:    "CRITICAL",
			Category:    "RISK",
			Name:        "KI-Risikobewertung",
			Description: "Risikoeinstufung des KI-Systems erforderlich",
			Conditions:  []string{"uses_ai", "no_ai_risk_assessment"},
		},
		{
			ID:          "AIACT-002",
			Regulation:  "AI_ACT",
			Article:     "11",
			Severity:    "HIGH",
			Category:    "DOCUMENTATION",
			Name:        "Hochrisiko-KI Dokumentation",
			Description: "Technische Dokumentation für Hochrisiko-KI",
			Conditions:  []string{"high_risk_ai", "no_ai_documentation"},
		},
		{
			ID:          "AIACT-003",
			Regulation:  "AI_ACT",
			Article:     "10",
			Severity:    "HIGH",
			Category:    "DATA",
			Name:        "Datenqualität",
			Description: "Anforderungen an Trainingsdaten",
			Conditions:  []string{"high_risk_ai", "no_data_governance"},
		},
		{
			ID:          "AIACT-004",
			Regulation:  "AI_ACT",
			Article:     "14",
			Severity:    "HIGH",
			Category:    "OVERSIGHT",
			Name:        "Menschliche Aufsicht",
			Description: "Menschliche Überwachung muss gewährleistet sein",
			Conditions:  []string{"high_risk_ai", "no_human_oversight"},
		},
		{
			ID:          "AIACT-005",
			Regulation:  "AI_ACT",
			Article:     "13",
			Severity:    "MEDIUM",
			Category:    "TRANSPARENCY",
			Name:        "Transparenz",
			Description: "Transparenzanforderungen für KI-Systeme",
			Conditions:  []string{"uses_ai", "no_ai_transparency"},
		},

		// --- Cross-regulation ---
		// Regulation "MULTIPLE" has no entry in the regulations catalog
		// (loadBuiltInRegulations); if any caller resolves Regulation against
		// e.regulations these three rules will not resolve — TODO confirm.
		{
			ID:          "CROSS-001",
			Regulation:  "MULTIPLE",
			Article:     "DSGVO-32, NIS2-21",
			Severity:    "HIGH",
			Category:    "ACCESS_CONTROL",
			Name:        "Zugriffskontrolle",
			Description: "Implementierung von Zugriffskontrollen",
			Conditions:  []string{"no_access_controls"},
		},
		{
			ID:          "CROSS-002",
			Regulation:  "MULTIPLE",
			Article:     "DSGVO-39, NIS2-20",
			Severity:    "MEDIUM",
			Category:    "TRAINING",
			Name:        "Schulungen",
			Description: "Regelmäßige Mitarbeiterschulungen",
			Conditions:  []string{"no_training_program"},
		},
		{
			ID:          "CROSS-003",
			Regulation:  "MULTIPLE",
			Article:     "DSGVO-32, NIS2-21",
			Severity:    "HIGH",
			Category:    "LOGGING",
			Name:        "Audit-Protokollierung",
			Description: "Protokollierung sicherheitsrelevanter Ereignisse",
			Conditions:  []string{"no_audit_logging"},
		},
	}

	// Each rule is copied into its own heap value so the map never aliases
	// the catalog slice. A later entry with a duplicate ID would silently
	// replace an earlier one; the built-in IDs above are unique.
	for _, rule := range catalog {
		rule := rule
		e.rules[rule.ID] = &rule
	}
}
// loadBuiltInRegulations registers the built-in regulation catalog in
// e.regulations, keyed by regulation code.
//
// Code is the identifier that rules reference through their Regulation field
// (loadBuiltInRules uses "DSGVO", "NIS2" and "AI_ACT"; TDDDG and BDSG have no
// built-in rules, and the cross-regulation rules use "MULTIPLE", which is not
// registered here). Effective is a plain "YYYY-MM-DD" string, not a time.Time;
// NOTE(review): confirm each date is the intended milestone (entry into force
// vs. first applicability) before anything compares against it.
func (e *Engine) loadBuiltInRegulations() {
	catalog := []Regulation{
		{
			Code:        "DSGVO",
			Name:        "Datenschutz-Grundverordnung",
			Description: "EU-Verordnung 2016/679 zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten",
			Articles:    []string{"5", "6", "7", "9", "12-22", "24-32", "33-34", "35-36", "37-39", "44-49"},
			Effective:   "2018-05-25",
		},
		{
			Code:        "NIS2",
			Name:        "NIS 2 Directive",
			Description: "EU-Richtlinie 2022/2555 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau",
			Articles:    []string{"20", "21", "23", "24", "25", "26", "27", "28", "29", "30", "31", "32"},
			Effective:   "2024-10-17",
		},
		{
			Code:        "AI_ACT",
			Name:        "EU AI Act",
			Description: "EU-Verordnung zur Festlegung harmonisierter Vorschriften für künstliche Intelligenz",
			Articles:    []string{"5", "6", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "52"},
			Effective:   "2025-02-02",
		},
		{
			Code:        "TDDDG",
			Name:        "Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz",
			Description: "Deutsches Gesetz zum Datenschutz bei Telemedien und Telekommunikation",
			Articles:    []string{"1-30"},
			Effective:   "2021-12-01",
		},
		{
			Code:        "BDSG",
			Name:        "Bundesdatenschutzgesetz",
			Description: "Deutsches Bundesdatenschutzgesetz",
			Articles:    []string{"1-86"},
			Effective:   "2018-05-25",
		},
	}

	// Copy each regulation into its own heap value so the map does not alias
	// the catalog slice. A duplicate Code would silently overwrite; the
	// built-in codes above are unique.
	for _, reg := range catalog {
		reg := reg
		e.regulations[reg.Code] = &reg
	}
}
// loadBuiltInControls registers the built-in controls catalog in e.controls,
// keyed by control ID.
//
// Controls are grouped by Domain (access control, data protection, incident
// response, risk management, business continuity). Guidance is free-text
// advice for the assessor and Evidence names the artifacts that would
// substantiate the control; neither is interpreted by this file.
func (e *Engine) loadBuiltInControls() {
	catalog := []Control{
		// --- Access Control ---
		{
			ID:          "AC-01",
			Domain:      "ACCESS_CONTROL",
			Category:    "POLICY",
			Name:        "Zugriffskontrollrichtlinie",
			Description: "Dokumentierte Richtlinie für Zugriffskontrollen",
			Objective:   "Etablierung einer konsistenten Zugriffskontrolle",
			Guidance:    "Definieren Sie Rollen, Verantwortlichkeiten und Prozesse",
			Evidence:    []string{"Policy-Dokument", "Genehmigungsnachweis"},
		},
		{
			ID:          "AC-02",
			Domain:      "ACCESS_CONTROL",
			Category:    "TECHNICAL",
			Name:        "Benutzerkontenverwaltung",
			Description: "Verwaltung von Benutzerkonten und Zugriffsrechten",
			Objective:   "Kontrolle über Benutzerzugriffe",
			Guidance:    "Implementieren Sie Prozesse für Anlage, Änderung und Löschung",
			Evidence:    []string{"Prozessdokumentation", "IAM-Konfiguration"},
		},
		{
			ID:          "AC-03",
			Domain:      "ACCESS_CONTROL",
			Category:    "TECHNICAL",
			Name:        "Multi-Faktor-Authentifizierung",
			Description: "Implementierung von MFA für kritische Systeme",
			Objective:   "Stärkere Authentifizierung",
			Guidance:    "MFA für alle privilegierten Zugriffe und externe Zugänge",
			Evidence:    []string{"MFA-Konfiguration", "Enrollment-Statistik"},
		},

		// --- Data Protection ---
		{
			ID:          "DP-01",
			Domain:      "DATA_PROTECTION",
			Category:    "TECHNICAL",
			Name:        "Datenverschlüsselung",
			Description: "Verschlüsselung von Daten at rest und in transit",
			Objective:   "Schutz der Vertraulichkeit von Daten",
			Guidance:    "TLS 1.3 für Transit, AES-256 für Rest",
			Evidence:    []string{"Zertifikate", "Verschlüsselungskonfiguration"},
		},
		{
			ID:          "DP-02",
			Domain:      "DATA_PROTECTION",
			Category:    "ORGANIZATIONAL",
			Name:        "Datenklassifizierung",
			Description: "Schema zur Klassifizierung von Daten",
			Objective:   "Angemessener Schutz basierend auf Sensitivität",
			Guidance:    "Definieren Sie Klassifizierungsstufen und Handhabungsregeln",
			Evidence:    []string{"Klassifizierungsschema", "Inventar"},
		},
		{
			ID:          "DP-03",
			Domain:      "DATA_PROTECTION",
			Category:    "TECHNICAL",
			Name:        "Datensicherung",
			Description: "Regelmäßige Backups kritischer Daten",
			Objective:   "Wiederherstellbarkeit von Daten",
			Guidance:    "3-2-1 Backup-Regel, regelmäßige Tests",
			Evidence:    []string{"Backup-Logs", "Restore-Tests"},
		},

		// --- Incident Response ---
		{
			ID:          "IR-01",
			Domain:      "INCIDENT_RESPONSE",
			Category:    "ORGANIZATIONAL",
			Name:        "Incident-Response-Plan",
			Description: "Dokumentierter Plan für Sicherheitsvorfälle",
			Objective:   "Strukturierte Reaktion auf Vorfälle",
			Guidance:    "Definieren Sie Rollen, Prozesse und Kommunikationswege",
			Evidence:    []string{"IR-Plan", "Kontaktlisten"},
		},
		{
			ID:          "IR-02",
			Domain:      "INCIDENT_RESPONSE",
			Category:    "TECHNICAL",
			Name:        "Incident-Erkennung",
			Description: "Systeme zur Erkennung von Sicherheitsvorfällen",
			Objective:   "Frühzeitige Erkennung von Angriffen",
			Guidance:    "SIEM, IDS/IPS, Log-Monitoring",
			Evidence:    []string{"Monitoring-Konfiguration", "Alert-Regeln"},
		},
		{
			ID:          "IR-03",
			Domain:      "INCIDENT_RESPONSE",
			Category:    "ORGANIZATIONAL",
			Name:        "Meldeprozesse",
			Description: "Prozesse für behördliche Meldungen",
			Objective:   "Compliance mit Meldepflichten",
			Guidance:    "72h für DSGVO, 24h für NIS2",
			Evidence:    []string{"Meldeprozess", "Templates"},
		},

		// --- Risk Management ---
		{
			ID:          "RM-01",
			Domain:      "RISK_MANAGEMENT",
			Category:    "ORGANIZATIONAL",
			Name:        "Risikobeurteilungsmethodik",
			Description: "Standardisierte Methodik zur Risikobewertung",
			Objective:   "Konsistente Risikobewertung",
			Guidance:    "ISO 27005 oder vergleichbar",
			Evidence:    []string{"Methodik-Dokument", "Schulungsnachweise"},
		},
		{
			ID:          "RM-02",
			Domain:      "RISK_MANAGEMENT",
			Category:    "DOCUMENTATION",
			Name:        "Risikoregister",
			Description: "Dokumentation aller identifizierten Risiken",
			Objective:   "Überblick über Risikolandschaft",
			Guidance:    "Regelmäßige Aktualisierung, Maßnahmentracking",
			Evidence:    []string{"Risikoregister", "Review-Protokolle"},
		},
		{
			ID:          "RM-03",
			Domain:      "RISK_MANAGEMENT",
			Category:    "ORGANIZATIONAL",
			Name:        "Risikobehandlung",
			Description: "Prozess zur Behandlung identifizierter Risiken",
			Objective:   "Systematische Risikominimierung",
			Guidance:    "Mitigate, Transfer, Accept, Avoid",
			Evidence:    []string{"Behandlungspläne", "Statusberichte"},
		},

		// --- Business Continuity ---
		{
			ID:          "BC-01",
			Domain:      "BUSINESS_CONTINUITY",
			Category:    "ORGANIZATIONAL",
			Name:        "Business-Impact-Analyse",
			Description: "Analyse der Geschäftsauswirkungen",
			Objective:   "Identifikation kritischer Prozesse",
			Guidance:    "RTO/RPO für alle kritischen Systeme",
			Evidence:    []string{"BIA-Dokument", "Kritikalitätseinstufung"},
		},
		{
			ID:          "BC-02",
			Domain:      "BUSINESS_CONTINUITY",
			Category:    "ORGANIZATIONAL",
			Name:        "Kontinuitätsplan",
			Description: "Plan für Geschäftskontinuität",
			Objective:   "Aufrechterhaltung des Betriebs",
			Guidance:    "Szenarien, Aktivierungskriterien, Ressourcen",
			Evidence:    []string{"BCP-Dokument", "Ressourcenpläne"},
		},
		{
			ID:          "BC-03",
			Domain:      "BUSINESS_CONTINUITY",
			Category:    "TECHNICAL",
			Name:        "Disaster-Recovery-Plan",
			Description: "Plan für Wiederherstellung nach Katastrophen",
			Objective:   "Schnelle Wiederherstellung der IT",
			Guidance:    "DR-Standort, Failover-Prozesse, Tests",
			Evidence:    []string{"DRP-Dokument", "Test-Protokolle"},
		},
	}

	// Copy each control into its own heap value so the map does not alias
	// the catalog slice. A duplicate ID would silently overwrite an earlier
	// entry; the built-in IDs above are unique.
	for _, ctl := range catalog {
		ctl := ctl
		e.controls[ctl.ID] = &ctl
	}
}