Page 2 - Security and Data Privacy

Date: 23/01/15
EuroCloud Europe a.s.b.l.
Version 3.0 Rev10
EuroCloud Star Audit Certificate

Columns: No. | I - Control Topic | II - Control Scope | III - Control Question | Star Rating | Audit Goal

I - Control Topic: Security Management
II - Control Scope: Organizational Requirements

A03-S01-C01-Q01
  III - Control Question: Is an ISMS established with reference to ISO 27001?
  Star Rating: *****
  Audit Goal: Provide evidence of effective security management.

A03-S01-C01-Q02
  III - Control Question: Are security policies in place with reference to ISO 27002 and/or ENISA?
  Star Rating: *****
  Audit Goal: Provide evidence of appropriate controls according to the standard and for newly identified security threats.

A03-S01-C01-Q03
  III - Control Question: Is administrative remote access to sensitive systems (identity management, databases, and personal data) sufficiently protected?
  Star Rating: ****
  Audit Goal: No VPN access is allowed; administrative access is through a dedicated virtual desktop with no data transfer options.

A03-S01-C01-Q04
  III - Control Question: Is cryptographic key management established, and are the key users separated from the key managers?
  Star Rating: *****
  Audit Goal: Evidence of key management.

A03-S01-C01-Q05
  III - Control Question: Is communication to relevant parties guaranteed in the case of security breaches and unauthorized data access?
  Star Rating: *****
  Audit Goal: Communication plan covering all parties in the case of security breaches, as part of the security policies.

A03-S01-C01-Q06
  III - Control Question: Are operational staff trained in IT security on a regular basis?
  Star Rating: ***** (A), **** (B), *** (C)
  Audit Goal:
    A - Evidence of training and testing by a training institute for IEC 62443
    B - Evidence of training and testing
    C - Training plan and participation plan provided

A03-S01-C01-Q07
  III - Control Question: Are operational staff trained in the policies relating to access to personal data and data privacy?
  Star Rating: **** (A; B), *** (C)
  Audit Goal:
    A - Dedicated training with attestation
    B - Policies in place and confirmed by each individual
    C - Policies referenced in the HR contract

I - Control Topic: Security Management
II - Control Scope: Preventive Measures

A03-S01-C02-Q01
  III - Control Question: Are regular security checks or penetration tests carried out?
  Star Rating: ***** (A), **** (B), *** (C)
  Audit Goal: Proactive security monitoring and verification of procedures.

A03-S01-C02-Q02
  III - Control Question: Are regular emergency drills carried out and documented?
  Star Rating: ***** (A), **** (B)
  Audit Goal: Show the capability to deal with emergency situations and to reduce the risk and length of service interruption.

A03-S01-C02-Q03
  III - Control Question: Is the entitlement and authorization process for new customers appropriate?
  Star Rating: **** (A), *** (B)
  Audit Goal: Protect other customers from being affected by suspicious or anonymous users (cyber and crime threats).

A03-S01-C02-Q04
  III - Control Question: Are the current security procedures appropriate to common requirements for web and application security with respect to the chosen technology?
  Star Rating: ****

I - Control Topic: Technical Security
II - Control Scope: Cyber Security

A03-S02-C01-Q01
  III - Control Question: Does a firewall system protect the infrastructure according to the current state of the art?
  Star Rating: ***
  Audit Goal: Evidence of baseline protection.

A03-S02-C01-Q02
  III - Control Question: Is the system protected from DoS and DDoS attacks from the Internet?
  Star Rating: ****
  Audit Goal: Evidence of baseline protection.