Information Security and Data Privacy Protection - page 2

Date: 20/03/15 / 19/03/15
EuroCloud Europe a.s.b.l.
Version 3.0 Rev 10
EuroCloud Star Audit Certificate
| No. | I - Control Topic | II - Control Scope | III - Control Question | Star Rating | Audit Goal |
|---|---|---|---|---|---|
| A03-S01-C01-Q01 | Security Management | Organizational Requirements | Is an ISMS established with reference to ISO 27001? | ***** | Provide evidence of effective security management |
| A03-S01-C01-Q02 | Security Management | Organizational Requirements | Are there security policies in place with reference to ISO 27002 and/or ENISA? | ***** | Provide evidence of appropriate controls according to the standard and to newly identified security threats |
| A03-S01-C01-Q03 | Security Management | Organizational Requirements | Is the administrative remote access to sensitive systems (IDM, databases, and personal data) sufficiently protected? | **** | No VPN access is allowed; dedicated virtual desktop with no data transfer options |
| A03-S01-C01-Q04 | Security Management | Organizational Requirements | Is cryptographic key management established, and are the key users separated from the key managers? | ***** | Evidence of key management |
| A03-S01-C01-Q05 | Security Management | Organizational Requirements | Is communication to relevant parties guaranteed in the case of security breaches and unauthorized data access? | ***** | Communication plan with all parties in the case of security breaches, as part of the security policies |
| A03-S01-C01-Q06 | Security Management | Organizational Requirements | Are the operational staff trained in IT security on a regular basis? | ***** (A), **** (B), *** (C) | A - Evidence of training and testing by a training institute for IEC 62443; B - Evidence of training and testing; C - Training plan and participation plan provided |
| A03-S01-C01-Q07 | Security Management | Organizational Requirements | Are the operational staff trained in policies relating to access to personal data and data privacy? | **** (A; B), *** (C) | A - Dedicated training with attestation; B - Policies in place and confirmed by each individual; C - Policies referenced in HR contract |