bsi c5 - it-sa.de
TRANSCRIPT
PwC
Takeaways of this presentation
1. What is the BSI C5?
2. Why is the C5 relevant for you?
3. How can you achieve a BSI C5 attestation?
BSI C5 – it-sa Nürnberg
Agenda
1. BSI C5 – Introduction and Overview
2. Relevance of Cloud Compliance
3. Structure and Requirements
4. Recommended Approach to obtain a BSI C5 attestation
5. Further Reading
6. Your contact at PwC
1. BSI C5 – Introduction and Overview
Cloud Computing Compliance Controls Catalogue (C5)
BSI C5 – Introduction and Overview
• 17 sections with individual Information Security objectives and Cloud-specific requirements
• 114 basic requirements reflect the baseline security level, supplemented by 52 optional, additional requirements
• Report according to ISAE 3000: both Design Suitability (Type 1) and Operating Effectiveness (Type 2) are possible
Advantages of the C5 Attestation
BSI enforces C5: With the publication of its “Minimum Standard for the use of Cloud Services” in May 2017, the German BSI requires federal agencies to use only CSPs that hold a C5 attestation.
Transparency for Customers: CSPs demonstrate transparency and strengthen their customers’ trust in their Cloud services by incorporating regular BSI C5 attestations in their contracts / SLAs.
Reference in the Market: With a C5, CSPs demonstrate a high level of Information Security to their customers and prospective customers with an internationally accepted compliance scheme.
[Figure: Overview C5 – Cloud Providers with C5]
2. Relevance of Cloud Compliance
Cloud Computing Compliance Controls Catalogue (C5)
Relevance of Cloud Compliance: Trust and Transparency
[Diagram: A Subservice Provider (e.g. a co-location datacenter) delivers to the Service Organization (Cloud Service Provider), which delivers the Cloud Service to the User Organization (Cloud User). Each relationship rests on Trust and Transparency (…). An Auditor issues an attestation of a functioning system of internal control for the Subservice Provider and for the Service Organization.]
Relevance of Cloud Compliance: Cloud-specific risks
Cloud Computing offers a number of advantages such as quick availability, low costs of procurement and operation, short contractual duration and a continuous improvement of functionality and security.
On the other hand, Cloud Services are often based on complex and individual system architecture, numerous system components and varying geographical distribution – they are therefore subject to specific risks.
Cloud Service Providers and their auditors must consider cloud-specific risks when designing, maintaining or auditing a Cloud Service to fulfill the expectations of clients, users or other recipients of attestation reports.
• User Access Rights: Administrators of a Cloud Service Provider might have unnecessary and unreasonably high access rights.
• Availability: The Cloud Service might be unavailable due to failure of system components.
• Subservice Providers: A Co-Location Service Provider might apply lower security standards for physical and logical security.
• Data segregation: Due to an incorrect configuration, a Cloud User might be able to access the data of another Cloud User.
• Data leaks: Unauthorized individuals might penetrate the systems of a Cloud Provider or Subservice Provider to access data.
• Insider: Employees of the Cloud Service Provider could perform attacks from inside the Cloud Service.
• Backup: Backups performed by the Cloud Service Provider might be faulty and thus unusable in case of a restore.
• Interfaces: Interfaces of the Cloud Service Provider can contain vulnerabilities enabling internet-based attacks.
BSI defines its expectations on Cloud Service Providers: BSI C5
• February 2016: Publication of the “Cloud Computing Compliance Controls Catalogue” (C5)
• May 2017: Publication of the “Minimum Standard of the BSI for the use of external Cloud Services”
• June 2018: Publication of the Minimum Standard for the co-utilisation of external Cloud Services
The BSI Minimum Standards enforce that the Public IT uses only Cloud Services which hold a BSI C5 report.
Real-world example: BodyCam for Federal Police in Germany
• Federal police… communicated the need for BodyCams that transfer videos for further analyses to a central storage (e.g. a Cloud Storage).
• BSI… as federal cyber security authority advises federal agencies on IT security requirements and consults them on selecting appropriate service providers.
• BSI minimum standard… defines for federal agencies how to prepare the use of public Cloud Services and points to the BSI C5.
• BSI C5… forms the baseline for Security of Cloud Services and creates the transparency required to evaluate a Cloud Service.
[Figure: BSI Mindeststandard externe Cloud-Dienste (BSI minimum standard for external Cloud Services)]
3. Structure and Requirements
Cloud Computing Compliance Controls Catalogue (C5)
Structure and Requirements of the BSI C5
• IDW ERS FAIT 5
• BSI IT-GS Katalog 14. EL 2014
• BSI SaaS Sicherheitsprofile 2014
Applicable audit standard
• International Standard on Assurance Engagements 3000 (ISAE 3000)
• Type 1 Audit (Design Suitability) and Type 2 (Operating Effectiveness) possible
Referenced standards
• ISO/IEC 27001:2013
• CSA CCM 3.01
• ANSSI Referentiel Secure Cloud v2.01
• AICPA TSP 2014
System description requirements
• Type and scope of the provided cloud services
• Principles, procedures, measures and implemented controls
• Description of the infrastructure
• Approach for handling significant incidents
• Roles and responsibilities of the cloud provider and the cloud customer
• Functions assigned or outsourced to subcontractors
• Material system changes within the audit period
Structure
• 17 sections in the BSI C5 Controls Catalogue with individual security objectives
• 114 basic requirements specific for Cloud to be met with Internal Controls of the Cloud Provider
Surrounding parameters
• Four surrounding parameters for transparency towards Cloud Users (part of the Assurance Report)
• Requirements regarding System Description, Jurisdiction and data storage, Investigatory Powers as well as Certifications
17 Control Areas of the BSI C5
• Organisation of information security
• Identity and access management
• Security incident management
• Physical security
• Cryptography and key management
• Business continuity management
• Personnel
• Communication security
• Security check and verification
• Asset management
• Portability and interoperability
• Compliance and data protection
• Security policies and work instructions
• Procurement, development and maintenance of information systems
• Control and monitoring of service providers and suppliers
• Safeguards for regular operations
• Mobile device management
4. Recommended Approach to obtain a BSI C5 attestation
Cloud Computing Compliance Controls Catalogue (C5)
Approach to obtain a BSI C5 attestation
1. Healthcheck – Audit readiness
• Performing a kick-off workshop to plan the audit project in detail.
• Reviewing the mapping of controls and the system description to provide recommendations for improvement.
2. Perform audit – Audit completed
• Performing interviews with subject matter experts and inspecting documentation.
• Inspecting evidence and information to validate the surrounding parameters for transparency.
3. Reporting – Final report
• Preparing the draft report for client comments.
• Evaluating comments, finalizing and delivering the BSI C5 report.
Integration of BSI C5 Audits with existing compliance scheme (e.g. SOC 2)
[Diagram: Schematic description of linkage between SOC and BSI C5 audits. The SOC Scope contains SOC 2-specific controls, the BSI C5 Scope contains BSI C5-specific controls, and the overlap holds the controls in scope for SOC 2 and BSI C5 (1). The SOC scope results in the SOC 2 Report and the BSI C5 scope in the BSI C5 Report (2).]
(1) These controls are mapped to the TSCs and the BSI C5 basic requirements. Hence, these controls are in scope of the SOC and the BSI C5 testing.
(2) In the BSI C5 audit, we re-use the results from testing controls in SOC scope.
5. Further reading
Cloud Computing Compliance Controls Catalogue (C5)
Further reading recommendations
www.pwc.de (search for “Cloud”)
www.bsi.bund.de/EN (search for “Compliance Controls Catalogue” for PDF and Excel version of the BSI C5)
Further reading recommendations (direct links)
BSI publications:
https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html
https://www.bsi.bund.de/DE/Themen/StandardsKriterien/Mindeststandards/Externe_Cloud-Dienste/Externe_Cloud-Dienste_node.html
PwC publications:
https://www.pwc.de/de/digitale-transformation/bsi-c5-der-anforderungskatalog-des-bsi-fuer-mehr-transparenz-in-der-cloud.html
https://www.pwc.de/de/pressemitteilungen/2018/erste-cloud-loesung-der-[Client]-erhaelt-testat-gemaess-bsi.html
https://www.pwc.de/en/digitale-transformation/alibaba-cloud-receives-c5-attestation-for-its-cloud-services.html
6. Your contacts at PwC for the BSI C5
Cloud Computing Compliance Controls Catalogue (C5)
Your contacts at PwC for the BSI C5
Markus Vehlow, Partner, Frankfurt am Main
Phone: +49 69 9585-2293, Mobile: +49 160 [email protected]
Immo Regener, Manager, Munich
Phone: +49 89 5790-6275, Mobile: +49 151 [email protected]
Andreas Schippling, Senior Consultant, Frankfurt am Main
Phone: +49 69 9585-3800, Mobile: +49 151 [email protected]
© 2018 PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a separate and independent legal entity.