Page 3 - Security and Data Privacy

Date: 23/01/15
EuroCloud Europe a.s.b.l.
Version 3.0 Rev10
EuroCloud Star Audit Certificate
| No. | I - Control Topic | II - Control Scope | III - Control Question | Star Rating | Audit Goal |
|---|---|---|---|---|---|
| A03-S02-C01-Q03 | | | Optional Control: Is the service access secured either by Virtual Private Network (VPN) or Virtual Private Cloud (VPC) access? | | Show isolation level of connected users for highly sensitive areas (e.g. medical patient data) |
| A03-S02-C01-Q04 | | | Is a virus scanner used to protect against viruses, Trojans, malware, etc.? | ***** | Appropriate baseline security against cyber threats |
| A03-S02-C02-Q01 | | Resilience | Is load balancing carried out to increase reliability and scalability? | ***** | Evidence of appropriate load balancing across redundant services |
| A03-S02-C03-Q01 | | Password Management | Is the password management system automated? | *** | No user intervention is allowed to manage customer passwords |
| A03-S02-C03-Q02 | | | Are the passwords secured against unauthorized access? | *** | Protection of passwords against decryption and unauthorized access |
| A03-S03-C01-Q01 | Technical Data Privacy Measures | Technical Data Privacy Assessment | Is the communication between the user and the service fully encrypted? | *** | Only allow https communication between end user and cloud service |
| A03-S03-C01-Q02 | | | Are the encryption technologies in use uncompromised and at a sufficient encryption level? | *** | Encryption level is according to current market standard |
| A03-S03-C01-Q03 | | | Are all data stored encrypted on data storage devices? | ***** | Evidence of encryption mechanism for stored data |
| A03-S03-C01-Q04 | | | Are backups sufficiently secured against unauthorized access? | *** | Archived data is included into all security processes |
| A03-S03-C01-Q05 | | | Is there end-to-end encryption up to persistent storage level which denies unauthorized access by administration persons and other third parties? | **** | Key management is performed by the customer. The CSP should not be able to decrypt stored objects. |
| A03-S03-C01-Q06 | | | Is a separation of personal and transactional data in place? | **** | Prevent recombination of personal data with transaction by single account to database |
| A03-S03-C01-Q07 | | | Is the combined view of personal user data and transactional data denied by role definition and supported by technical design? | ***** | Prevent recombination of personal data with transaction by single account to database |
| A03-S03-C01-Q08 | | | Is there log tracking of all login activities and is it auditable by the customer? | ***** | Transparency about account activities for customer |
| A03-S03-C01-Q09 | | | Is the customer enabled to assign roles and access rights for all relevant data objects? | ***** | Granular access control can be configured by customer |