SDK modules added/enhanced:
- compliance-hub, compliance-scope, consent-management, notfallplan
- audit-report, workflow, source-policy, dsms
- advisory-board documentation section
- TOM dashboard components, TOM generator SDM mapping
- DSFA: mitigation library, risk catalog, threshold analysis, source attribution
- VVT: baseline catalog, profiling engine, types
- Loeschfristen: baseline catalog, compliance engine, export, profiling, types
- Compliance scope: engine, profiling, golden tests, types

Existing SDK pages updated:
- dsfa/[id], tom, vvt, loeschfristen, advisory-board — expanded functionality
- SDKSidebar, StepHeader — new navigation items and layout
- SDK layout, context, types — expanded type system

Other admin-v2 changes:
- AI agents page, RAG pipeline DSFA integration
- GridOverlay component updates
- Companion feature (development + education)
- Compliance advisor SOUL definition

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
// =============================================================================
|
|
// Control Library Loader
|
|
// Loads and parses the controls.yml file
|
|
// =============================================================================
|
|
|
|
import {
|
|
ControlLibraryEntry,
|
|
ControlCategory,
|
|
ControlApplicability,
|
|
ConditionOperator,
|
|
ReviewFrequency,
|
|
ControlPriority,
|
|
ControlComplexity,
|
|
LocalizedString,
|
|
FrameworkMapping,
|
|
ApplicabilityCondition,
|
|
} from '../types'
|
|
|
|
// =============================================================================
|
|
// RAW YAML TYPES
|
|
// =============================================================================
|
|
|
|
/**
 * One applicability rule exactly as it appears in the raw, unvalidated
 * YAML. Enum-like fields are plain `string` here; the typed counterpart
 * is `ApplicabilityCondition` (imported from '../types'), whose operator
 * is presumably a `ConditionOperator`. The narrowing from string to those
 * types has to happen in a parser that is not part of this view — nothing
 * in this interface guarantees the values are members of the enums.
 */
interface RawApplicabilityCondition {
  // Dotted property path into the profile being evaluated, e.g.
  // 'architectureProfile.hostingModel' or 'riskProfile.protectionLevel'
  // (see the embedded entries below). Resolution of the path happens
  // outside this file.
  field: string
  // Comparison operator name. The embedded data uses 'IN' and 'EQUALS'.
  operator: string
  // Right-hand side of the comparison. Kept as `unknown` on purpose: the
  // embedded data mixes strings, string arrays and booleans.
  value: unknown
  // Applicability outcome when the rule matches, e.g. 'REQUIRED',
  // 'RECOMMENDED' or 'NOT_APPLICABLE'.
  result: string
  // Numeric rank used to order competing rules on the same control.
  // Whether a higher or a lower value wins is decided by the evaluator,
  // not here — confirm against the engine before relying on it.
  priority: number
}
|
|
|
|
/**
 * Cross-reference from a control to an external framework, as read from
 * YAML. Typed counterpart: `FrameworkMapping` (imported from '../types').
 */
interface RawMapping {
  // Framework identifier, e.g. 'GDPR_ART32', 'ISO27001_ANNEX_A',
  // 'BSI_IT_GRUNDSCHUTZ' (as used in the embedded entries below).
  framework: string
  // Clause or section reference within that framework,
  // e.g. 'Art. 32 Abs. 1 lit. b' or 'A.9.4.2'.
  reference: string
}
|
|
|
|
/**
 * A single TOM (technical/organisational measure) control as read from
 * YAML, before validation. Only `type` is already a literal union; every
 * other enum-like field (`category`, `defaultApplicability`,
 * `reviewFrequency`, `priority`, `complexity`) is a plain string and must
 * be checked against the corresponding imported type (`ControlCategory`,
 * `ControlApplicability`, `ReviewFrequency`, `ControlPriority`,
 * `ControlComplexity`) before a `ControlLibraryEntry` is built from it.
 */
interface RawControl {
  // Stable identifier, e.g. 'TOM-AC-01'.
  id: string
  // Display code. In every embedded entry below it equals `id`; whether
  // the two may ever diverge is not visible here.
  code: string
  // Category key, e.g. 'ACCESS_CONTROL'; expected to match a key of
  // `RawControlsYaml.categories`.
  category: string
  // Whether the measure is a technical or an organisational control.
  type: 'TECHNICAL' | 'ORGANIZATIONAL'
  // Short localized title (German / English).
  name: { de: string; en: string }
  // Longer localized description of the measure.
  description: { de: string; en: string }
  // References to external frameworks (GDPR articles, ISO 27001 Annex A, ...).
  mappings: RawMapping[]
  // Profile-dependent rules that override `defaultApplicability`.
  // May be empty, in which case only the default applies.
  applicabilityConditions: RawApplicabilityCondition[]
  // Applicability used when no condition matches, e.g. 'REQUIRED',
  // 'RECOMMENDED' or 'OPTIONAL'.
  defaultApplicability: string
  // Free-text (German) list of artefacts an auditor would expect as proof.
  evidenceRequirements: string[]
  // Review cadence name, e.g. 'ANNUAL', 'SEMI_ANNUAL', 'QUARTERLY'.
  reviewFrequency: string
  // Implementation priority name, e.g. 'CRITICAL', 'HIGH', 'MEDIUM'.
  priority: string
  // Implementation effort name, e.g. 'LOW', 'MEDIUM', 'HIGH'.
  complexity: string
  // Free-form search/filter tags, e.g. ['authentication', 'mfa'].
  tags: string[]
}
|
|
|
|
/**
 * Metadata for one control category as read from YAML. The category key
 * itself is the map key in `RawControlsYaml.categories`, not a field here.
 */
interface RawCategoryInfo {
  // Localized category title (German / English).
  name: { de: string; en: string }
  // GDPR provision the category implements, e.g. 'Art. 32 Abs. 1 lit. b'.
  gdprReference: string
}
|
|
|
|
/**
 * Top-level shape of controls.yml before validation.
 *
 * Treat a value of this type as an untrusted input boundary: the string
 * fields of `RawControl` and `RawApplicabilityCondition` are not yet
 * narrowed to the imported enum types, and `categories` keys are plain
 * strings rather than `ControlCategory`. The conversion into the typed
 * `ControlLibrary` is not part of this view.
 */
interface RawControlsYaml {
  metadata: {
    // Catalogue version string, e.g. '1.0.0'.
    version: string
    // Date of the last catalogue change (ISO date string in the embedded data).
    lastUpdated: string
    // Declared number of controls. It is a separate field, not derived from
    // `controls.length`, so the two can drift — verify when it matters.
    totalControls: number
  }
  // Category metadata keyed by category code (e.g. 'ACCESS_CONTROL').
  categories: Record<string, RawCategoryInfo>
  // All controls in catalogue order.
  controls: RawControl[]
}
|
|
|
|
// =============================================================================
|
|
// PARSED CONTROL LIBRARY
|
|
// =============================================================================
|
|
|
|
/**
 * Validated, typed form of the control catalogue that the rest of the
 * module consumes. Unlike `RawControlsYaml`, categories are keyed by the
 * `ControlCategory` type and controls are `ControlLibraryEntry` values
 * (both imported from '../types').
 */
export interface ControlLibrary {
  metadata: {
    // Catalogue version string, e.g. '1.0.0'.
    version: string
    // Date of the last catalogue change (ISO date string in the embedded data).
    lastUpdated: string
    // Declared control count. This is carried over as written (the embedded
    // data below hard-codes it), not computed from `controls.length`;
    // use `controls.length` when an exact count is required.
    totalControls: number
  }
  // Per-category title and GDPR reference, keyed by category.
  categories: Map<
    ControlCategory,
    { name: LocalizedString; gdprReference: string }
  >
  // All controls in catalogue order.
  controls: ControlLibraryEntry[]
}
|
|
|
|
// =============================================================================
|
|
// EMBEDDED CONTROL DATA
|
|
// Since we can't dynamically load YAML in all environments, we embed the data
|
|
// =============================================================================
|
|
|
|
const CONTROL_LIBRARY_DATA: ControlLibrary = {
|
|
metadata: {
|
|
version: '1.0.0',
|
|
lastUpdated: '2026-02-04',
|
|
totalControls: 60,
|
|
},
|
|
categories: new Map([
|
|
[
|
|
'ACCESS_CONTROL',
|
|
{
|
|
name: { de: 'Zutrittskontrolle', en: 'Physical Access Control' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'ADMISSION_CONTROL',
|
|
{
|
|
name: { de: 'Zugangskontrolle', en: 'System Access Control' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'ACCESS_AUTHORIZATION',
|
|
{
|
|
name: { de: 'Zugriffskontrolle', en: 'Access Authorization' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'TRANSFER_CONTROL',
|
|
{
|
|
name: { de: 'Weitergabekontrolle', en: 'Transfer Control' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'INPUT_CONTROL',
|
|
{
|
|
name: { de: 'Eingabekontrolle', en: 'Input Control' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'ORDER_CONTROL',
|
|
{
|
|
name: { de: 'Auftragskontrolle', en: 'Order Control' },
|
|
gdprReference: 'Art. 28',
|
|
},
|
|
],
|
|
[
|
|
'AVAILABILITY',
|
|
{
|
|
name: { de: 'Verfügbarkeit', en: 'Availability' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b, c',
|
|
},
|
|
],
|
|
[
|
|
'SEPARATION',
|
|
{
|
|
name: { de: 'Trennbarkeit', en: 'Separation' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'ENCRYPTION',
|
|
{
|
|
name: { de: 'Verschlüsselung', en: 'Encryption' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. a',
|
|
},
|
|
],
|
|
[
|
|
'PSEUDONYMIZATION',
|
|
{
|
|
name: { de: 'Pseudonymisierung', en: 'Pseudonymization' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. a',
|
|
},
|
|
],
|
|
[
|
|
'RESILIENCE',
|
|
{
|
|
name: { de: 'Belastbarkeit', en: 'Resilience' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. b',
|
|
},
|
|
],
|
|
[
|
|
'RECOVERY',
|
|
{
|
|
name: { de: 'Wiederherstellbarkeit', en: 'Recovery' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. c',
|
|
},
|
|
],
|
|
[
|
|
'REVIEW',
|
|
{
|
|
name: { de: 'Überprüfung & Bewertung', en: 'Review & Assessment' },
|
|
gdprReference: 'Art. 32 Abs. 1 lit. d',
|
|
},
|
|
],
|
|
]),
|
|
controls: [
|
|
// ACCESS CONTROL
|
|
{
|
|
id: 'TOM-AC-01',
|
|
code: 'TOM-AC-01',
|
|
category: 'ACCESS_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Elektronische Zutrittskontrolle',
|
|
en: 'Electronic Access Control',
|
|
},
|
|
description: {
|
|
de: 'Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen.',
|
|
en: 'Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
|
|
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 10,
|
|
},
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'EQUALS',
|
|
value: 'PUBLIC_CLOUD',
|
|
result: 'NOT_APPLICABLE',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Zutrittskontrollkonzept',
|
|
'Protokolle des Zutrittskontrollsystems',
|
|
'Besucherregelungen',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['physical-security', 'access'],
|
|
},
|
|
{
|
|
id: 'TOM-AC-02',
|
|
code: 'TOM-AC-02',
|
|
category: 'ACCESS_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Besuchermanagement', en: 'Visitor Management' },
|
|
description: {
|
|
de: 'Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen.',
|
|
en: 'Regulations for receiving, accompanying and registering visitors in security-relevant areas.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Besucherrichtlinie', 'Besucherbuch/Protokolle'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'LOW',
|
|
tags: ['physical-security', 'visitors'],
|
|
},
|
|
{
|
|
id: 'TOM-AC-03',
|
|
code: 'TOM-AC-03',
|
|
category: 'ACCESS_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Videoüberwachung', en: 'Video Surveillance' },
|
|
description: {
|
|
de: 'Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen.',
|
|
en: 'Installation of video surveillance systems to control and document access to sensitive areas.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.4' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'RECOMMENDED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: [
|
|
'Videoüberwachungskonzept',
|
|
'Datenschutz-Folgenabschätzung für Videoüberwachung',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['physical-security', 'monitoring'],
|
|
},
|
|
{
|
|
id: 'TOM-AC-04',
|
|
code: 'TOM-AC-04',
|
|
category: 'ACCESS_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Alarmanlage', en: 'Alarm System' },
|
|
description: {
|
|
de: 'Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten.',
|
|
en: 'Intrusion detection system to protect premises outside business hours.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'RECOMMENDED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Alarmkonzept', 'Wartungsprotokolle'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['physical-security', 'intrusion-detection'],
|
|
},
|
|
{
|
|
id: 'TOM-AC-05',
|
|
code: 'TOM-AC-05',
|
|
category: 'ACCESS_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Schlüsselmanagement', en: 'Key Management' },
|
|
description: {
|
|
de: 'Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit.',
|
|
en: 'Documented management and distribution of physical keys with traceability.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Schlüsselausgabeprotokoll',
|
|
'Schlüsselverwaltungsrichtlinie',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'LOW',
|
|
tags: ['physical-security', 'keys'],
|
|
},
|
|
|
|
// ADMISSION CONTROL
|
|
{
|
|
id: 'TOM-ADM-01',
|
|
code: 'TOM-ADM-01',
|
|
category: 'ADMISSION_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Multi-Faktor-Authentifizierung',
|
|
en: 'Multi-Factor Authentication',
|
|
},
|
|
description: {
|
|
de: 'Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten.',
|
|
en: 'Implementation of two- or multi-factor authentication for system access to critical systems and data.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
|
|
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'dataProfile.processesMinors',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'PROCESSOR',
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'MFA-Konfigurationsdokumentation',
|
|
'Nutzerstatistiken zur MFA-Nutzung',
|
|
],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['authentication', 'mfa', 'identity'],
|
|
},
|
|
{
|
|
id: 'TOM-ADM-02',
|
|
code: 'TOM-ADM-02',
|
|
category: 'ADMISSION_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Passwortrichtlinien', en: 'Password Policies' },
|
|
description: {
|
|
de: 'Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie).',
|
|
en: 'Enforcement of technical password policies (minimum length, complexity, regular changes, history).',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.3' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Passwortrichtlinie', 'Technische Konfiguration'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['authentication', 'passwords'],
|
|
},
|
|
{
|
|
id: 'TOM-ADM-03',
|
|
code: 'TOM-ADM-03',
|
|
category: 'ADMISSION_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Single Sign-On (SSO)', en: 'Single Sign-On (SSO)' },
|
|
description: {
|
|
de: 'Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit.',
|
|
en: 'Centralized authentication via SSO to improve security and usability.',
|
|
},
|
|
mappings: [{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.4' }],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'companyProfile.size',
|
|
operator: 'IN',
|
|
value: ['MEDIUM', 'LARGE', 'ENTERPRISE'],
|
|
result: 'RECOMMENDED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: [
|
|
'SSO-Konfigurationsdokumentation',
|
|
'Integrierte Anwendungsliste',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'HIGH',
|
|
tags: ['authentication', 'sso', 'identity'],
|
|
},
|
|
{
|
|
id: 'TOM-ADM-04',
|
|
code: 'TOM-ADM-04',
|
|
category: 'ADMISSION_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Automatische Bildschirmsperre', en: 'Automatic Screen Lock' },
|
|
description: {
|
|
de: 'Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung.',
|
|
en: 'Automatic locking of workstations after inactivity with required re-authentication.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.8' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['GPO/MDM-Konfiguration', 'Richtliniendokumentation'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['workstation', 'security'],
|
|
},
|
|
{
|
|
id: 'TOM-ADM-05',
|
|
code: 'TOM-ADM-05',
|
|
category: 'ADMISSION_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Kontosperrung nach Fehlversuchen',
|
|
en: 'Account Lockout After Failed Attempts',
|
|
},
|
|
description: {
|
|
de: 'Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen.',
|
|
en: 'Automatic temporary locking of user accounts after multiple failed login attempts.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Konfigurationsdokumentation',
|
|
'Protokollierung der Sperrereignisse',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['authentication', 'brute-force-protection'],
|
|
},
|
|
|
|
// ACCESS AUTHORIZATION
|
|
{
|
|
id: 'TOM-AZ-01',
|
|
code: 'TOM-AZ-01',
|
|
category: 'ACCESS_AUTHORIZATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Rollenbasierte Zugriffskontrolle (RBAC)',
|
|
en: 'Role-Based Access Control (RBAC)',
|
|
},
|
|
description: {
|
|
de: 'Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip.',
|
|
en: 'Implementation of a role-based permission system to control data access according to the need-to-know principle.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
|
|
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Berechtigungskonzept',
|
|
'Rollenmatrix',
|
|
'Berechtigungsaudits',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['authorization', 'rbac', 'access'],
|
|
},
|
|
{
|
|
id: 'TOM-AZ-02',
|
|
code: 'TOM-AZ-02',
|
|
category: 'ACCESS_AUTHORIZATION',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Berechtigungsverwaltungsprozess',
|
|
en: 'Authorization Management Process',
|
|
},
|
|
description: {
|
|
de: 'Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen.',
|
|
en: 'Documented process for requesting, approving and revoking access permissions.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.2' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Berechtigungsanträge',
|
|
'Genehmigungsprotokolle',
|
|
'Prozessdokumentation',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['authorization', 'process'],
|
|
},
|
|
{
|
|
id: 'TOM-AZ-03',
|
|
code: 'TOM-AZ-03',
|
|
category: 'ACCESS_AUTHORIZATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Privileged Access Management (PAM)',
|
|
en: 'Privileged Access Management (PAM)',
|
|
},
|
|
description: {
|
|
de: 'Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows.',
|
|
en: 'Special controls for privileged accounts (admins) with recording, time limits and approval workflows.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'companyProfile.size',
|
|
operator: 'IN',
|
|
value: ['LARGE', 'ENTERPRISE'],
|
|
result: 'RECOMMENDED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'PAM-Konfiguration',
|
|
'Sitzungsaufzeichnungen',
|
|
'Audit-Logs',
|
|
],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'CRITICAL',
|
|
complexity: 'HIGH',
|
|
tags: ['authorization', 'pam', 'privileged'],
|
|
},
|
|
{
|
|
id: 'TOM-AZ-04',
|
|
code: 'TOM-AZ-04',
|
|
category: 'ACCESS_AUTHORIZATION',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Regelmäßige Berechtigungsrezertifizierung',
|
|
en: 'Regular Authorization Recertification',
|
|
},
|
|
description: {
|
|
de: 'Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten.',
|
|
en: 'Periodic review of all access permissions by respective supervisors.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Rezertifizierungsprotokolle',
|
|
'Prozessdokumentation',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['authorization', 'review'],
|
|
},
|
|
{
|
|
id: 'TOM-AZ-05',
|
|
code: 'TOM-AZ-05',
|
|
category: 'ACCESS_AUTHORIZATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Datenklassifizierung und Label',
|
|
en: 'Data Classification and Labeling',
|
|
},
|
|
description: {
|
|
de: 'Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen.',
|
|
en: 'Technical implementation of data classification with corresponding access controls.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Klassifizierungsschema', 'Label-Konfiguration'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'HIGH',
|
|
tags: ['classification', 'labeling'],
|
|
},
|
|
|
|
// TRANSFER CONTROL
|
|
{
|
|
id: 'TOM-TR-01',
|
|
code: 'TOM-TR-01',
|
|
category: 'TRANSFER_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Transportverschlüsselung (TLS)', en: 'Transport Encryption (TLS)' },
|
|
description: {
|
|
de: 'Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher.',
|
|
en: 'Encryption of all data transfers using TLS 1.2 or higher.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['TLS-Konfigurationsdokumentation', 'SSL/TLS-Scans'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['encryption', 'transport', 'tls'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-02',
|
|
code: 'TOM-TR-02',
|
|
category: 'TRANSFER_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'VPN für Fernzugriff', en: 'VPN for Remote Access' },
|
|
description: {
|
|
de: 'Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke.',
|
|
en: 'Use of VPN connections for secure remote access to corporate networks.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['VPN-Konfiguration', 'Nutzungsstatistiken'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['vpn', 'remote-access'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-03',
|
|
code: 'TOM-TR-03',
|
|
category: 'TRANSFER_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Richtlinie zur Datenübermittlung', en: 'Data Transfer Policy' },
|
|
description: {
|
|
de: 'Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern.',
|
|
en: 'Documented policy for secure transfer of personal data internally and externally.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Datenübermittlungsrichtlinie', 'Schulungsnachweise'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['policy', 'transfer'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-04',
|
|
code: 'TOM-TR-04',
|
|
category: 'TRANSFER_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'E-Mail-Verschlüsselung', en: 'Email Encryption' },
|
|
description: {
|
|
de: 'Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation.',
|
|
en: 'Implementation of email encryption (S/MIME, PGP) for confidential communication.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'E-Mail-Verschlüsselungskonzept',
|
|
'Konfigurationsdokumentation',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['encryption', 'email'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-05',
|
|
code: 'TOM-TR-05',
|
|
category: 'TRANSFER_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Data Loss Prevention (DLP)', en: 'Data Loss Prevention (DLP)' },
|
|
description: {
|
|
de: 'Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse.',
|
|
en: 'Technical measures to prevent unintentional or unauthorized data leakage.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'RECOMMENDED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'EQUALS',
|
|
value: 'VERY_HIGH',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'companyProfile.size',
|
|
operator: 'IN',
|
|
value: ['LARGE', 'ENTERPRISE'],
|
|
result: 'RECOMMENDED',
|
|
priority: 10,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: ['DLP-Konfiguration', 'Vorfallsberichte'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['dlp', 'data-protection'],
|
|
},
|
|
|
|
// INPUT CONTROL
|
|
{
|
|
id: 'TOM-IN-01',
|
|
code: 'TOM-IN-01',
|
|
category: 'INPUT_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Audit-Logging', en: 'Audit Logging' },
|
|
description: {
|
|
de: 'Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation.',
|
|
en: 'Comprehensive logging of all data processing activities with timestamp and user identification.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Logging-Konzept', 'Log-Konfiguration', 'Beispiel-Logs'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['logging', 'audit'],
|
|
},
|
|
{
|
|
id: 'TOM-IN-02',
|
|
code: 'TOM-IN-02',
|
|
category: 'INPUT_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Änderungsprotokollierung (Change Log)', en: 'Change Logging' },
|
|
description: {
|
|
de: 'Automatische Protokollierung aller Änderungen an personenbezogenen Daten.',
|
|
en: 'Automatic logging of all changes to personal data.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Change-Log-Konfiguration', 'Beispielprotokolle'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['logging', 'change-tracking'],
|
|
},
|
|
{
|
|
id: 'TOM-IN-03',
|
|
code: 'TOM-IN-03',
|
|
category: 'INPUT_CONTROL',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Eingabevalidierung', en: 'Input Validation' },
|
|
description: {
|
|
de: 'Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen.',
|
|
en: 'Technical validation of all inputs to prevent data manipulation and injection attacks.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Validierungsregeln', 'Code-Reviews'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['security', 'validation'],
|
|
},
|
|
{
|
|
id: 'TOM-IN-04',
|
|
code: 'TOM-IN-04',
|
|
category: 'INPUT_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Log-Aufbewahrung und -Auswertung',
|
|
en: 'Log Retention and Analysis',
|
|
},
|
|
description: {
|
|
de: 'Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien.',
|
|
en: 'Defined retention periods for logs and regular analysis to detect anomalies.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Log-Aufbewahrungsrichtlinie', 'Analyseberichte'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['logging', 'analysis', 'retention'],
|
|
},
|
|
|
|
// ORDER CONTROL
|
|
{
|
|
id: 'TOM-OR-01',
|
|
code: 'TOM-OR-01',
|
|
category: 'ORDER_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Auftragsverarbeitungsverträge (AVV)',
|
|
en: 'Data Processing Agreements (DPA)',
|
|
},
|
|
description: {
|
|
de: 'Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern.',
|
|
en: 'Conclusion of data processing agreements according to Art. 28 GDPR with all processors.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hasSubprocessors',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'CONTROLLER',
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Unterschriebene AVVs',
|
|
'Auftragsverarbeiter-Verzeichnis',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'LOW',
|
|
tags: ['contracts', 'avv', 'dpa'],
|
|
},
|
|
{
|
|
id: 'TOM-OR-02',
|
|
code: 'TOM-OR-02',
|
|
category: 'ORDER_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Auftragsverarbeiter-Prüfung', en: 'Processor Auditing' },
|
|
description: {
|
|
de: 'Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern.',
|
|
en: 'Regular verification of technical and organizational measures at processors.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. h' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hasSubprocessors',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Audit-Berichte',
|
|
'Zertifikate der Auftragsverarbeiter',
|
|
'Prüfprotokolle',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['audit', 'processor'],
|
|
},
|
|
{
|
|
id: 'TOM-OR-03',
|
|
code: 'TOM-OR-03',
|
|
category: 'ORDER_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Weisungsgebundenheit dokumentieren',
|
|
en: 'Document Instruction Compliance',
|
|
},
|
|
description: {
|
|
de: 'Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern.',
|
|
en: 'Documentation of instruction compliance by processors and employees.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. a' },
|
|
{ framework: 'GDPR_ART29', reference: 'Art. 29' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'PROCESSOR',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Weisungsdokumentation', 'Schulungsnachweise'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['processor', 'instructions'],
|
|
},
|
|
{
|
|
id: 'TOM-OR-04',
|
|
code: 'TOM-OR-04',
|
|
category: 'ORDER_CONTROL',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Unterauftragsverarbeiter-Management',
|
|
en: 'Sub-processor Management',
|
|
},
|
|
description: {
|
|
de: 'Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern.',
|
|
en: 'Documented procedure for approval and monitoring of sub-processors.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 2, 4' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hasSubprocessors',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'PROCESSOR',
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Unterauftragsverarbeiter-Liste',
|
|
'Genehmigungsprotokolle',
|
|
'AVVs mit Unterauftragsverarbeitern',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['sub-processor', 'management'],
|
|
},
|
|
|
|
// AVAILABILITY
|
|
{
|
|
id: 'TOM-AV-01',
|
|
code: 'TOM-AV-01',
|
|
category: 'AVAILABILITY',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Backup-Strategie', en: 'Backup Strategy' },
|
|
description: {
|
|
de: 'Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung.',
|
|
en: 'Implementation of a comprehensive backup strategy with regular backups and retention.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Backup-Konzept', 'Backup-Protokolle', 'Restore-Tests'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['backup', 'recovery'],
|
|
},
|
|
{
|
|
id: 'TOM-AV-02',
|
|
code: 'TOM-AV-02',
|
|
category: 'AVAILABILITY',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Redundante Systeme', en: 'Redundant Systems' },
|
|
description: {
|
|
de: 'Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit.',
|
|
en: 'Implementation of redundancy for critical systems to ensure availability.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.ciaAssessment.availability',
|
|
operator: 'GREATER_THAN',
|
|
value: 3,
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'EQUALS',
|
|
value: 'VERY_HIGH',
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Redundanzkonzept', 'Architekturdokumentation'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['redundancy', 'availability'],
|
|
},
|
|
{
|
|
id: 'TOM-AV-03',
|
|
code: 'TOM-AV-03',
|
|
category: 'AVAILABILITY',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Unterbrechungsfreie Stromversorgung (USV)',
|
|
en: 'Uninterruptible Power Supply (UPS)',
|
|
},
|
|
description: {
|
|
de: 'Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen.',
|
|
en: 'Use of UPS systems to protect critical systems from power failures.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.2' },
|
|
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['USV-Dokumentation', 'Wartungsprotokolle'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['power', 'infrastructure'],
|
|
},
|
|
{
|
|
id: 'TOM-AV-04',
|
|
code: 'TOM-AV-04',
|
|
category: 'AVAILABILITY',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Notfallvorsorge (Business Continuity)',
|
|
en: 'Business Continuity Planning',
|
|
},
|
|
description: {
|
|
de: 'Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse.',
|
|
en: 'Documented emergency preparedness to maintain critical business processes.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.ciaAssessment.availability',
|
|
operator: 'GREATER_THAN',
|
|
value: 2,
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Business-Continuity-Plan',
|
|
'Notfallkontakte',
|
|
'Übungsprotokolle',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['bcp', 'continuity'],
|
|
},
|
|
{
|
|
id: 'TOM-AV-05',
|
|
code: 'TOM-AV-05',
|
|
category: 'AVAILABILITY',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
|
|
description: {
|
|
de: 'Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen.',
|
|
en: 'Continuous monitoring of system availability with automatic notifications for outages.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Monitoring-Konfiguration',
|
|
'Alert-Regeln',
|
|
'Verfügbarkeitsberichte',
|
|
],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['monitoring', 'alerting'],
|
|
},
|
|
|
|
// SEPARATION
|
|
{
|
|
id: 'TOM-SE-01',
|
|
code: 'TOM-SE-01',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Mandantentrennung', en: 'Multi-Tenant Separation' },
|
|
description: {
|
|
de: 'Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen.',
|
|
en: 'Technical separation of data from different customers/tenants in multi-tenant systems.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.multiTenancy',
|
|
operator: 'EQUALS',
|
|
value: 'MULTI_TENANT',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'PROCESSOR',
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Mandantentrennungskonzept',
|
|
'Architekturdokumentation',
|
|
'Penetrationstest-Ergebnisse',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'HIGH',
|
|
tags: ['multi-tenant', 'separation'],
|
|
},
|
|
{
|
|
id: 'TOM-SE-02',
|
|
code: 'TOM-SE-02',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' },
|
|
description: {
|
|
de: 'Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche.',
|
|
en: 'Network segmentation to separate different security zones and data processing areas.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Netzwerkdiagramm', 'Firewall-Regeln'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['network', 'segmentation'],
|
|
},
|
|
{
|
|
id: 'TOM-SE-03',
|
|
code: 'TOM-SE-03',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Umgebungstrennung (Dev/Test/Prod)',
|
|
en: 'Environment Separation (Dev/Test/Prod)',
|
|
},
|
|
description: {
|
|
de: 'Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen.',
|
|
en: 'Strict separation of development, test and production environments.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.4' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Umgebungsdokumentation',
|
|
'Zugriffsrechte je Umgebung',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['environments', 'separation'],
|
|
},
|
|
{
|
|
id: 'TOM-SE-04',
|
|
code: 'TOM-SE-04',
|
|
category: 'SEPARATION',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Zweckbindung dokumentieren', en: 'Document Purpose Limitation' },
|
|
description: {
|
|
de: 'Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung.',
|
|
en: 'Documentation and technical enforcement of purpose limitation in data processing.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. b' },
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Verarbeitungsverzeichnis', 'Zweckdokumentation'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['purpose-limitation', 'documentation'],
|
|
},
|
|
|
|
// ENCRYPTION
|
|
{
|
|
id: 'TOM-ENC-01',
|
|
code: 'TOM-ENC-01',
|
|
category: 'ENCRYPTION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Verschlüsselung ruhender Daten', en: 'Encryption at Rest' },
|
|
description: {
|
|
de: 'Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen.',
|
|
en: 'Encryption of all stored personal data using modern encryption algorithms.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Verschlüsselungskonzept',
|
|
'Konfigurationsdokumentation',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['encryption', 'at-rest'],
|
|
},
|
|
{
|
|
id: 'TOM-ENC-02',
|
|
code: 'TOM-ENC-02',
|
|
category: 'ENCRYPTION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Schlüsselmanagement', en: 'Key Management' },
|
|
description: {
|
|
de: 'Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel.',
|
|
en: 'Secure process for generation, storage, rotation and destruction of cryptographic keys.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.encryptionAtRest',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Schlüsselmanagement-Richtlinie',
|
|
'HSM/KMS-Dokumentation',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['encryption', 'key-management'],
|
|
},
|
|
{
|
|
id: 'TOM-ENC-03',
|
|
code: 'TOM-ENC-03',
|
|
category: 'ENCRYPTION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Datenbank-Verschlüsselung', en: 'Database Encryption' },
|
|
description: {
|
|
de: 'Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder.',
|
|
en: 'Encryption of databases at database level or individual field level.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Datenbank-Verschlüsselungskonfiguration',
|
|
'Feldverschlüsselungsmatrix',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['encryption', 'database'],
|
|
},
|
|
|
|
// PSEUDONYMIZATION
|
|
{
|
|
id: 'TOM-PS-01',
|
|
code: 'TOM-PS-01',
|
|
category: 'PSEUDONYMIZATION',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Pseudonymisierungsverfahren', en: 'Pseudonymization Procedures' },
|
|
description: {
|
|
de: 'Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten.',
|
|
en: 'Implementation of pseudonymization procedures to reduce the personal reference of data.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Pseudonymisierungskonzept',
|
|
'Mapping-Tabellen-Sicherheit',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['pseudonymization', 'data-minimization'],
|
|
},
|
|
{
|
|
id: 'TOM-PS-02',
|
|
code: 'TOM-PS-02',
|
|
category: 'PSEUDONYMIZATION',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Datenanonymisierung für Analysen',
|
|
en: 'Data Anonymization for Analytics',
|
|
},
|
|
description: {
|
|
de: 'Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke.',
|
|
en: 'Procedures for anonymizing data for analysis and statistical purposes.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
|
|
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: [
|
|
'Anonymisierungskonzept',
|
|
'Risikoanalyse zur Re-Identifizierung',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'HIGH',
|
|
tags: ['anonymization', 'analytics'],
|
|
},
|
|
|
|
// RESILIENCE
|
|
{
|
|
id: 'TOM-RE-01',
|
|
code: 'TOM-RE-01',
|
|
category: 'RESILIENCE',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Load Balancing', en: 'Load Balancing' },
|
|
description: {
|
|
de: 'Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last.',
|
|
en: 'Implementation of load balancing to ensure system stability under high load.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.ciaAssessment.availability',
|
|
operator: 'GREATER_THAN',
|
|
value: 3,
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: ['Load-Balancer-Konfiguration', 'Kapazitätsplanung'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['resilience', 'load-balancing'],
|
|
},
|
|
{
|
|
id: 'TOM-RE-02',
|
|
code: 'TOM-RE-02',
|
|
category: 'RESILIENCE',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'DDoS-Schutz', en: 'DDoS Protection' },
|
|
description: {
|
|
de: 'Maßnahmen zum Schutz vor Distributed Denial of Service Angriffen.',
|
|
en: 'Measures to protect against Distributed Denial of Service attacks.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['PUBLIC_CLOUD', 'HYBRID'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'EQUALS',
|
|
value: 'VERY_HIGH',
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['DDoS-Schutzkonzept', 'WAF-Konfiguration'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['security', 'ddos'],
|
|
},
|
|
{
|
|
id: 'TOM-RE-03',
|
|
code: 'TOM-RE-03',
|
|
category: 'RESILIENCE',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Auto-Scaling', en: 'Auto-Scaling' },
|
|
description: {
|
|
de: 'Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last.',
|
|
en: 'Automatic scaling of resources based on actual load.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'architectureProfile.hostingModel',
|
|
operator: 'IN',
|
|
value: ['PUBLIC_CLOUD', 'HYBRID'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: ['Auto-Scaling-Konfiguration', 'Kapazitätsmetriken'],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['cloud', 'scaling'],
|
|
},
|
|
|
|
// RECOVERY
|
|
{
|
|
id: 'TOM-RC-01',
|
|
code: 'TOM-RC-01',
|
|
category: 'RECOVERY',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Disaster Recovery Plan', en: 'Disaster Recovery Plan' },
|
|
description: {
|
|
de: 'Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall.',
|
|
en: 'Documented and tested plan for restoring IT systems after a disaster.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.2' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.ciaAssessment.availability',
|
|
operator: 'GREATER_THAN',
|
|
value: 2,
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Disaster-Recovery-Plan',
|
|
'Test-Protokolle',
|
|
'RTO/RPO-Definitionen',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'HIGH',
|
|
tags: ['disaster-recovery', 'bcp'],
|
|
},
|
|
{
|
|
id: 'TOM-RC-02',
|
|
code: 'TOM-RC-02',
|
|
category: 'RECOVERY',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Geo-Redundanz', en: 'Geo-Redundancy' },
|
|
description: {
|
|
de: 'Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen.',
|
|
en: 'Geographically distributed data storage to ensure availability during regional outages.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'EQUALS',
|
|
value: 'VERY_HIGH',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'riskProfile.ciaAssessment.availability',
|
|
operator: 'GREATER_THAN',
|
|
value: 4,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: ['Geo-Redundanz-Konzept', 'Standort-Dokumentation'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['geo-redundancy', 'availability'],
|
|
},
|
|
{
|
|
id: 'TOM-RC-03',
|
|
code: 'TOM-RC-03',
|
|
category: 'RECOVERY',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Wiederherstellungstests', en: 'Recovery Testing' },
|
|
description: {
|
|
de: 'Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie.',
|
|
en: 'Regular testing of recovery procedures to validate backup and DR strategy.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Test-Protokolle',
|
|
'Wiederherstellungszeiten',
|
|
'Maßnahmenplan bei Fehlern',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['testing', 'recovery'],
|
|
},
|
|
|
|
// REVIEW
|
|
{
|
|
id: 'TOM-RV-01',
|
|
code: 'TOM-RV-01',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Regelmäßige TOM-Überprüfung', en: 'Regular TOM Review' },
|
|
description: {
|
|
de: 'Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen.',
|
|
en: 'Periodic review and update of technical and organizational measures.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Überprüfungsprotokolle', 'Maßnahmenplan'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['review', 'compliance'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-02',
|
|
code: 'TOM-RV-02',
|
|
category: 'REVIEW',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Penetrationstests', en: 'Penetration Testing' },
|
|
description: {
|
|
de: 'Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer.',
|
|
en: 'Regular penetration testing by qualified testers.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Penetrationstest-Berichte', 'Maßnahmenplan'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['security-testing', 'pentest'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-03',
|
|
code: 'TOM-RV-03',
|
|
category: 'REVIEW',
|
|
type: 'TECHNICAL',
|
|
name: { de: 'Schwachstellenscanning', en: 'Vulnerability Scanning' },
|
|
description: {
|
|
de: 'Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen.',
|
|
en: 'Regular automated scanning for known vulnerabilities in systems and applications.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.6.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: ['Scan-Berichte', 'Behebungsnachweis'],
|
|
reviewFrequency: 'MONTHLY',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['security-testing', 'vulnerability'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-04',
|
|
code: 'TOM-RV-04',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Sicherheitsaudits', en: 'Security Audits' },
|
|
description: {
|
|
de: 'Durchführung regelmäßiger interner oder externer Sicherheitsaudits.',
|
|
en: 'Conducting regular internal or external security audits.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'IN',
|
|
value: ['HIGH', 'VERY_HIGH'],
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'companyProfile.role',
|
|
operator: 'EQUALS',
|
|
value: 'PROCESSOR',
|
|
result: 'REQUIRED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: ['Audit-Berichte', 'Zertifikate', 'Maßnahmenplan'],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['audit', 'compliance'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-05',
|
|
code: 'TOM-RV-05',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Datenschutzschulung', en: 'Data Protection Training' },
|
|
description: {
|
|
de: 'Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit.',
|
|
en: 'Regular training of all employees on data protection and IT security.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2.2' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Schulungskonzept',
|
|
'Teilnehmerlisten',
|
|
'Schulungsnachweise',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['training', 'awareness'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-06',
|
|
code: 'TOM-RV-06',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: { de: 'Incident Response Plan', en: 'Incident Response Plan' },
|
|
description: {
|
|
de: 'Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen.',
|
|
en: 'Documented procedure for detection, reporting and handling of security incidents.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART33', reference: 'Art. 33' },
|
|
{ framework: 'GDPR_ART34', reference: 'Art. 34' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.16.1.1' },
|
|
],
|
|
applicabilityConditions: [],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Incident-Response-Plan',
|
|
'Kontaktliste',
|
|
'Meldeformulare',
|
|
'Übungsprotokolle',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'MEDIUM',
|
|
tags: ['incident-response', 'breach'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-07',
|
|
code: 'TOM-RV-07',
|
|
category: 'REVIEW',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Security Information and Event Management (SIEM)',
|
|
en: 'Security Information and Event Management (SIEM)',
|
|
},
|
|
description: {
|
|
de: 'Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen.',
|
|
en: 'Centralized collection and analysis of security events to detect attacks.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.protectionLevel',
|
|
operator: 'EQUALS',
|
|
value: 'VERY_HIGH',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'companyProfile.size',
|
|
operator: 'IN',
|
|
value: ['LARGE', 'ENTERPRISE'],
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: [
|
|
'SIEM-Konfiguration',
|
|
'Korrelationsregeln',
|
|
'Alert-Berichte',
|
|
],
|
|
reviewFrequency: 'QUARTERLY',
|
|
priority: 'HIGH',
|
|
complexity: 'HIGH',
|
|
tags: ['siem', 'monitoring', 'detection'],
|
|
},
|
|
{
|
|
id: 'TOM-RV-08',
|
|
code: 'TOM-RV-08',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Datenschutz-Folgenabschätzung (DSFA)',
|
|
en: 'Data Protection Impact Assessment (DPIA)',
|
|
},
|
|
description: {
|
|
de: 'Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen.',
|
|
en: 'Conducting data protection impact assessments for high-risk processing.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART35', reference: 'Art. 35' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.1.4' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'riskProfile.dsfaRequired',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
{
|
|
field: 'dataProfile.hasSpecialCategories',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
{
|
|
field: 'dataProfile.processesMinors',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'OPTIONAL',
|
|
evidenceRequirements: [
|
|
'DSFA-Dokumentation',
|
|
'Risikobewertung',
|
|
'Maßnahmenplan',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'CRITICAL',
|
|
complexity: 'HIGH',
|
|
tags: ['dpia', 'dsfa', 'risk-assessment'],
|
|
},
|
|
|
|
// =========================================================================
|
|
// DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung
|
|
// =========================================================================
|
|
{
|
|
id: 'TOM-DL-01',
|
|
code: 'TOM-DL-01',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Sichere Datenloeschung',
|
|
en: 'Secure Data Deletion',
|
|
},
|
|
description: {
|
|
de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).',
|
|
en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART17', reference: 'Art. 17' },
|
|
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
|
|
{ framework: 'BSI_C5', reference: 'SY-09' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'NOT_EQUALS',
|
|
value: 'NONE',
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Loeschkonzept / Loeschrichtlinie',
|
|
'Loeschprotokolle mit Zeitstempeln',
|
|
'DIN 66399 Konformitaetsnachweis',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'MEDIUM',
|
|
tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'],
|
|
},
|
|
{
|
|
id: 'TOM-DL-02',
|
|
code: 'TOM-DL-02',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Datentraegervernichtung',
|
|
en: 'Media Destruction',
|
|
},
|
|
description: {
|
|
de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.',
|
|
en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' },
|
|
{ framework: 'BSI_C5', reference: 'AM-08' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'NOT_EQUALS',
|
|
value: 'NONE',
|
|
result: 'RECOMMENDED',
|
|
priority: 20,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Vernichtungsprotokoll mit Seriennummern',
|
|
'Zertifikat des Vernichtungsdienstleisters',
|
|
'DIN 66399 Sicherheitsstufe-Nachweis',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'LOW',
|
|
tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'],
|
|
},
|
|
{
|
|
id: 'TOM-DL-03',
|
|
code: 'TOM-DL-03',
|
|
category: 'SEPARATION',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Loeschprotokollierung',
|
|
en: 'Deletion Logging',
|
|
},
|
|
description: {
|
|
de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.',
|
|
en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 2 (Rechenschaftspflicht)' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'dataProfile.dataVolume',
|
|
operator: 'NOT_EQUALS',
|
|
value: 'NONE',
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Loeschprotokoll-Template',
|
|
'Archivierte Loeschprotokolle (Stichprobe)',
|
|
'Automatisierungsnachweis (bei automatischen Loeschungen)',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['deletion', 'logging', 'accountability', 'documentation'],
|
|
},
|
|
{
|
|
id: 'TOM-DL-04',
|
|
code: 'TOM-DL-04',
|
|
category: 'SEPARATION',
|
|
type: 'TECHNICAL',
|
|
name: {
|
|
de: 'Backup-Bereinigung',
|
|
en: 'Backup Sanitization',
|
|
},
|
|
description: {
|
|
de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.',
|
|
en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 2' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'techProfile.hasBackups',
|
|
operator: 'EQUALS',
|
|
value: true,
|
|
result: 'REQUIRED',
|
|
priority: 25,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Backup-Loeschkonzept',
|
|
'Backup-Rotationsplan',
|
|
'Nachweis der Backup-Bereinigung',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'HIGH',
|
|
tags: ['deletion', 'backup', 'data-lifecycle', 'retention'],
|
|
},
|
|
|
|
// =========================================================================
|
|
// SCHULUNG / VERTRAULICHKEIT — Training & Awareness
|
|
// =========================================================================
|
|
{
|
|
id: 'TOM-TR-01',
|
|
code: 'TOM-TR-01',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Datenschutzschulung',
|
|
en: 'Data Protection Training',
|
|
},
|
|
description: {
|
|
de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.',
|
|
en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' },
|
|
{ framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. n' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'orgProfile.employeeCount',
|
|
operator: 'GREATER_THAN',
|
|
value: 0,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Schulungsplan (jaehrlich)',
|
|
'Teilnahmelisten / Schulungsnachweise',
|
|
'Schulungsmaterialien / Praesentation',
|
|
'Wissenstest-Ergebnisse (optional)',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['training', 'schulung', 'awareness', 'organizational'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-02',
|
|
code: 'TOM-TR-02',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Verpflichtung auf Datengeheimnis',
|
|
en: 'Confidentiality Obligation',
|
|
},
|
|
description: {
|
|
de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.',
|
|
en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' },
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 4' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'orgProfile.employeeCount',
|
|
operator: 'GREATER_THAN',
|
|
value: 0,
|
|
result: 'REQUIRED',
|
|
priority: 30,
|
|
},
|
|
],
|
|
defaultApplicability: 'REQUIRED',
|
|
evidenceRequirements: [
|
|
'Muster-Verpflichtungserklaerung',
|
|
'Unterschriebene Verpflichtungserklaerungen',
|
|
'Register der verpflichteten Personen',
|
|
],
|
|
reviewFrequency: 'ANNUAL',
|
|
priority: 'HIGH',
|
|
complexity: 'LOW',
|
|
tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'],
|
|
},
|
|
{
|
|
id: 'TOM-TR-03',
|
|
code: 'TOM-TR-03',
|
|
category: 'REVIEW',
|
|
type: 'ORGANIZATIONAL',
|
|
name: {
|
|
de: 'Security Awareness Programm',
|
|
en: 'Security Awareness Program',
|
|
},
|
|
description: {
|
|
de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.',
|
|
en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.',
|
|
},
|
|
mappings: [
|
|
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
|
|
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
|
|
{ framework: 'BSI_C5', reference: 'ORP.3' },
|
|
],
|
|
applicabilityConditions: [
|
|
{
|
|
field: 'orgProfile.employeeCount',
|
|
operator: 'GREATER_THAN',
|
|
value: 10,
|
|
result: 'REQUIRED',
|
|
priority: 20,
|
|
},
|
|
{
|
|
field: 'orgProfile.employeeCount',
|
|
operator: 'GREATER_THAN',
|
|
value: 0,
|
|
result: 'RECOMMENDED',
|
|
priority: 15,
|
|
},
|
|
],
|
|
defaultApplicability: 'RECOMMENDED',
|
|
evidenceRequirements: [
|
|
'Awareness-Programm-Dokumentation',
|
|
'Phishing-Simulationsergebnisse',
|
|
'Teilnahmenachweise',
|
|
],
|
|
reviewFrequency: 'SEMI_ANNUAL',
|
|
priority: 'MEDIUM',
|
|
complexity: 'MEDIUM',
|
|
tags: ['training', 'security-awareness', 'phishing', 'social-engineering'],
|
|
},
|
|
],
|
|
}
|
|
|
|
// =============================================================================
|
|
// LOADER FUNCTIONS
|
|
// =============================================================================
|
|
|
|
// Module-level cache for the embedded library. It is filled on the first
// getControlLibrary() call and afterwards every accessor below reads this
// single shared object (no copies are made).
let cachedLibrary: ControlLibrary | null = null
|
|
|
|
/**
 * Returns the control library singleton backed by the embedded
 * CONTROL_LIBRARY_DATA object.
 *
 * The first call stores the embedded object in the module-level cache; every
 * later call hands back that same object. Callers therefore share one
 * instance and should treat it as read-only — mutating it changes what every
 * other accessor in this module reports.
 *
 * @returns the shared ControlLibrary instance
 */
export function getControlLibrary(): ControlLibrary {
  if (cachedLibrary === null) {
    cachedLibrary = CONTROL_LIBRARY_DATA
  }
  return cachedLibrary
}
|
|
|
|
/**
 * All controls of the embedded library, in library order.
 *
 * This is the library's own `controls` array, not a copy, so the result
 * should be treated as read-only.
 *
 * @returns the library's control entries
 */
export function getAllControls(): ControlLibraryEntry[] {
  const { controls } = getControlLibrary()
  return controls
}
|
|
|
|
/**
 * Looks up a single control by its `id` (exact, case-sensitive match).
 *
 * @param id - control identifier, e.g. the value of a control's `id` field
 * @returns the first control whose `id` equals the argument, or undefined
 */
export function getControlById(id: string): ControlLibraryEntry | undefined {
  for (const control of getAllControls()) {
    if (control.id === id) {
      return control
    }
  }
  return undefined
}
|
|
|
|
/**
 * Selects the controls that belong to one category.
 *
 * @param category - category to filter on (exact match on `control.category`)
 * @returns a new array with the matching controls, in library order
 */
export function getControlsByCategory(
  category: ControlCategory
): ControlLibraryEntry[] {
  const matches: ControlLibraryEntry[] = []
  for (const control of getAllControls()) {
    if (control.category === category) {
      matches.push(control)
    }
  }
  return matches
}
|
|
|
|
/**
 * Selects the controls of one type.
 *
 * @param type - 'TECHNICAL' or 'ORGANIZATIONAL' (exact match on `control.type`)
 * @returns a new array with the matching controls, in library order
 */
export function getControlsByType(
  type: 'TECHNICAL' | 'ORGANIZATIONAL'
): ControlLibraryEntry[] {
  const hasType = (control: ControlLibraryEntry): boolean =>
    control.type === type
  return getAllControls().filter(hasType)
}
|
|
|
|
/**
 * Selects the controls that carry a given priority.
 *
 * @param priority - priority to filter on (exact match on `control.priority`)
 * @returns a new array with the matching controls, in library order
 */
export function getControlsByPriority(
  priority: ControlPriority
): ControlLibraryEntry[] {
  const selected: ControlLibraryEntry[] = []
  for (const control of getAllControls()) {
    if (control.priority === priority) {
      selected.push(control)
    }
  }
  return selected
}
|
|
|
|
/**
 * Selects the controls tagged with a given tag.
 *
 * @param tag - tag to look for; compared case-sensitively against `control.tags`
 * @returns a new array with the matching controls, in library order
 */
export function getControlsByTag(tag: string): ControlLibraryEntry[] {
  const carriesTag = (control: ControlLibraryEntry): boolean =>
    control.tags.includes(tag)
  return getAllControls().filter(carriesTag)
}
|
|
|
|
/**
 * Collects every distinct tag used by any control.
 *
 * @returns the unique tags, sorted with the default (code-unit) string order
 */
export function getAllTags(): string[] {
  const everyTag = getAllControls().flatMap((control) => control.tags)
  return [...new Set(everyTag)].sort()
}
|
|
|
|
/**
 * Reads the localized name and GDPR reference registered for a category.
 *
 * @param category - category key in the library's `categories` map
 * @returns the category's metadata, or undefined when the key is not registered
 */
export function getCategoryMetadata(
  category: ControlCategory
): { name: LocalizedString; gdprReference: string } | undefined {
  const { categories } = getControlLibrary()
  return categories.get(category)
}
|
|
|
|
/**
 * Lists the category keys registered in the library, in map insertion order.
 *
 * @returns a new array of category keys
 */
export function getAllCategories(): ControlCategory[] {
  const { categories } = getControlLibrary()
  return [...categories.keys()]
}
|
|
|
|
/**
 * Flattens the library's category map into an array of `{ id, name,
 * gdprReference }` records (kept for API compatibility).
 *
 * @returns one record per registered category, in map insertion order
 */
export function getCategories(): Array<{
  id: ControlCategory
  name: LocalizedString
  gdprReference: string
}> {
  const { categories } = getControlLibrary()
  return Array.from(categories, ([id, { name, gdprReference }]) => ({
    id,
    name,
    gdprReference,
  }))
}
|
|
|
|
/**
 * Returns the library's embedded metadata record.
 *
 * `totalControls` is whatever the embedded data declares; it is not
 * recomputed from the `controls` array here.
 *
 * @returns the metadata object of the shared library instance
 */
export function getLibraryMetadata(): {
  version: string
  lastUpdated: string
  totalControls: number
} {
  const { metadata } = getControlLibrary()
  return metadata
}
|
|
|
|
/**
 * Case-insensitive substring search over a control's localized name,
 * localized description and code.
 *
 * The query is matched as a plain substring (no regex is built from it).
 * An empty query matches every control, since every string contains "".
 *
 * @param query - text to look for
 * @param language - which localization of name/description to search (default 'de')
 * @returns a new array with the matching controls, in library order
 */
export function searchControls(
  query: string,
  language: 'de' | 'en' = 'de'
): ControlLibraryEntry[] {
  const needle = query.toLowerCase()
  const matchesQuery = (control: ControlLibraryEntry): boolean => {
    const haystacks = [
      control.name[language],
      control.description[language],
      control.code,
    ]
    return haystacks.some((text) => text.toLowerCase().includes(needle))
  }
  return getAllControls().filter(matchesQuery)
}
|
|
|
|
/**
 * Selects the controls that carry at least one mapping to a framework.
 *
 * @param framework - framework identifier compared exactly against `mapping.framework`
 * @returns a new array with the matching controls, in library order
 */
export function getControlsByFramework(
  framework: string
): ControlLibraryEntry[] {
  const mapsToFramework = (control: ControlLibraryEntry): boolean =>
    control.mappings.some(({ framework: mapped }) => mapped === framework)
  return getAllControls().filter(mapsToFramework)
}
|
|
|
|
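/**
 * Counts the controls per registered category.
 *
 * Result shape is unchanged from the per-category filtering it replaces:
 * one entry for every category key in the library (0 when unused), in
 * map insertion order; a control whose category is not registered in the
 * library is not counted. The work is now a single pass over the controls
 * instead of one full filter pass per category.
 *
 * @returns map of category key -> number of controls in that category
 */
export function getControlsCountByCategory(): Map<ControlCategory, number> {
  const counts = new Map<ControlCategory, number>()
  // Seed every known category so unused categories still appear with 0.
  for (const category of getAllCategories()) {
    counts.set(category, 0)
  }
  // One pass over the controls; only registered categories are counted.
  for (const { category } of getAllControls()) {
    const current = counts.get(category)
    if (current !== undefined) {
      counts.set(category, current + 1)
    }
  }
  return counts
}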
|