diff --git a/git/cocBackend/.dockerignore b/git/cocBackend/.dockerignore
index 291129473e2386bf4c883453742782606148d50d..59b782addde73800d41eea002face0296ffcf246 100755
--- a/git/cocBackend/.dockerignore
+++ b/git/cocBackend/.dockerignore
@@ -1,3 +1,3 @@
 target
 node_modules
-Dockerfile
+Dockerfile
\ No newline at end of file
diff --git a/git/cocBackend/Dockerfile b/git/cocBackend/Dockerfile
index 41a15d55aca863b0e547c5d4b74108b0e2cb551d..1e2607c0db307308e7aac3945069c8903cd66db8 100755
--- a/git/cocBackend/Dockerfile
+++ b/git/cocBackend/Dockerfile
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 FROM maven:3.8.1-jdk-11 as builder
 WORKDIR /code
 
diff --git a/git/cocBackend/pom.xml b/git/cocBackend/pom.xml
index 1bb5aebd95a8ebed65d23daaff25c384ff11a748..79b5f0ff94a984151d890a025039622fbe027771 100755
--- a/git/cocBackend/pom.xml
+++ b/git/cocBackend/pom.xml
@@ -330,6 +330,21 @@
             <groupId>io.dropwizard.metrics</groupId>
             <artifactId>metrics-core</artifactId>
         </dependency>
+        <dependency>
+			<groupId>com.itextpdf</groupId>
+			<artifactId>itextpdf</artifactId>
+			<version>5.5.10</version>
+		</dependency>
+		<dependency>
+			<groupId>jfree</groupId>
+			<artifactId>jfreechart</artifactId>
+			<version>1.0.13</version>
+		</dependency>
+		<dependency>
+			<groupId>org.json</groupId>
+			<artifactId>json</artifactId>
+			<version>20200518</version>
+		</dependency>
         <!-- jhipster-needle-maven-add-dependency -->
     </dependencies>
 
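Review bot: The three added dependencies pin old releases: `itextpdf` 5.5.10, `jfreechart` 1.0.13 under the legacy `jfree` groupId, and `org.json` 20200518. Check each against the project's dependency-scanning results before merging, and prefer currently maintained coordinates such as `org.jfree:jfreechart` and a recent `org.json:json`. iText 5 is in maintenance mode and AGPL-licensed, which may not fit a project whose files carried Apache-2.0 SPDX headers. The new entries are also tab-indented while the surrounding lines use spaces.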
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/ApplicationWebXml.java b/git/cocBackend/src/main/java/com/medina/coc/backend/ApplicationWebXml.java
index 4fd973745bee2fb18c4b2e1a6a6f121a79dd1f42..003f0ce139d704ce295ef152295badee502024b1 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/ApplicationWebXml.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/ApplicationWebXml.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package com.medina.coc.backend;
 
 import org.springframework.boot.builder.SpringApplicationBuilder;
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/CocBackendApp.java b/git/cocBackend/src/main/java/com/medina/coc/backend/CocBackendApp.java
index ae4fa3329c472e5f317fadb3053c837e6245a77e..11d82bce00e596024cd4aa2eebe807b622c21d5b 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/CocBackendApp.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/CocBackendApp.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package com.medina.coc.backend;
 
 import com.medina.coc.backend.config.ApplicationProperties;
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/GeneratedByJHipster.java b/git/cocBackend/src/main/java/com/medina/coc/backend/GeneratedByJHipster.java
index e2ae2a8a20ad97ec14ce2ef37ac5f52711f9148b..c64a6faa18a7e19054351d0f09e437167602a221 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/GeneratedByJHipster.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/GeneratedByJHipster.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package com.medina.coc.backend;
 
 import java.lang.annotation.ElementType;
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/config/ApplicationProperties.java b/git/cocBackend/src/main/java/com/medina/coc/backend/config/ApplicationProperties.java
index 6e7cb0c97cdd96cd554883b331d82db018600a5c..d5c68b5763db3d23f3ab5fb3a5b1116a7035eb01 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/config/ApplicationProperties.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/config/ApplicationProperties.java
@@ -8,5 +8,37 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
  * Properties are configured in the {@code application.yml} file.
  * See {@link tech.jhipster.config.JHipsterProperties} for a good example.
  */
-@ConfigurationProperties(prefix = "application", ignoreUnknownFields = false)
-public class ApplicationProperties {}
+@ConfigurationProperties(prefix = "application", ignoreUnknownFields = true)
+public class ApplicationProperties {
+	
+	private String satraLoginUrl;
+	
+	private String satraPracticeUrl;
+	
+	private String orchestratorUrl;
+	
+
+	public String getSatraLoginUrl() {
+		return satraLoginUrl;
+	}
+	
+	public void setSatraLoginUrl(String satraLoginUrl) {
+		this.satraLoginUrl = satraLoginUrl;
+	}
+	
+	public String getSatraPracticeUrl() {
+		return satraPracticeUrl;
+	}
+	
+	public void setSatraPracticeUrl(String satraPracticeUrl) {
+		this.satraPracticeUrl = satraPracticeUrl;
+	}
+	
+	public String getOrchestratorUrl() {
+		return orchestratorUrl;
+	}
+	
+	public void setOrchestratorUrl(String orchestratorUrl) {
+		this.orchestratorUrl = orchestratorUrl;
+	}
+}
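Review bot: Switching `ignoreUnknownFields` to `true` means a misspelled key under the `application` prefix is now dropped silently, and the three new URL fields have no validation, so a typo in the key for `satraLoginUrl` or `orchestratorUrl` would surface only as a null at the first outbound call. Consider keeping `ignoreUnknownFields = false` and adding `@Validated` on the class with `@NotBlank` on each field, so the application fails at startup instead. Since these values presumably address a login endpoint and an orchestrator, it is also worth rejecting non-`https` URLs at bind time. The fields have no Javadoc; one line each naming the service the URL points to would help.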
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/config/Constants.java b/git/cocBackend/src/main/java/com/medina/coc/backend/config/Constants.java
index 5328b6ec84f722a989d81b45fa63bdd90d24f8bb..c8d0e53f09ac41c5343c9664dcff0713bdb1b9e6 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/config/Constants.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/config/Constants.java
@@ -10,6 +10,7 @@ public final class Constants {
 
     public static final String SYSTEM = "system";
     public static final String DEFAULT_LANGUAGE = "en";
+    public static final String NA = "N/A";
 
     private Constants() {}
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/AuditLog.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/AuditLog.java
new file mode 100644
index 0000000000000000000000000000000000000000..d84caf033ebe91e043933cbfe292a4f3bf920cf5
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/AuditLog.java
@@ -0,0 +1,186 @@
+package com.medina.coc.backend.domain;
+
+import java.io.Serializable;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.GeneratedValue;
+import javax.persistence.GenerationType;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Size;
+
+import org.hibernate.annotations.Cache;
+import org.hibernate.annotations.CacheConcurrencyStrategy;
+
+/**
+ * AuditLog entity.\n\n@author Diego Rosado
+ */
+@Entity
+@Table(name = "audit_logs")
+@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
+public class AuditLog implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Long id;
+
+    /**
+     * dateLog
+     */
+    @NotNull
+    @Size(max = 20)
+    @Column(name = "date_log", length = 20, nullable = false)
+    private String dateLog;
+    
+    /**
+     * user
+     */
+    @NotNull
+    @Size(max = 50)
+    @Column(name = "user", length = 50, nullable = false)
+    private String user;
+    
+    /**
+     * entity
+     */
+    @NotNull
+    @Size(max = 60)
+    @Column(name = "entity", length = 60, nullable = false)
+    private String entity;
+    
+    /**
+     * target
+     */
+    @NotNull
+    @Size(max = 255)
+    @Column(name = "target", length = 255, nullable = false)
+    private String target;
+    
+    /**
+     * operation
+     */
+    @NotNull
+    @Size(max = 10)
+    @Column(name = "operation", length = 10, nullable = false)
+    private String operation;
+
+
+    // jhipster-needle-entity-add-field - JHipster will add fields here
+
+    public Long getId() {
+        return this.id;
+    }
+
+    public AuditLog id(Long id) {
+        this.setId(id);
+        return this;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getDateLog() {
+        return this.dateLog;
+    }
+
+    public AuditLog dateLog(String dateLog) {
+        this.setDateLog(dateLog);
+        return this;
+    }
+
+    public void setDateLog(String dateLog) {
+        this.dateLog = dateLog;
+    }
+    
+    public String getUser() {
+        return this.user;
+    }
+
+    public AuditLog user(String user) {
+        this.setUser(user);
+        return this;
+    }
+
+    public void setUser(String user) {
+        this.user = user;
+    }
+    
+    public String getEntity() {
+        return this.entity;
+    }
+
+    public AuditLog entity(String entity) {
+        this.setEntity(entity);
+        return this;
+    }
+
+    public void setEntity(String entity) {
+        this.entity = entity;
+    }
+    
+    public String getTarget() {
+        return this.target;
+    }
+
+    public AuditLog target(String target) {
+        this.setTarget(target);
+        return this;
+    }
+
+    public void setTarget(String target) {
+        this.target = target;
+    }
+    
+    public String getOperation() {
+        return this.operation;
+    }
+
+    public AuditLog operation(String operation) {
+        this.setOperation(operation);
+        return this;
+    }
+
+    public void setOperation(String operation) {
+        this.operation = operation;
+    }
+
+    
+
+    // jhipster-needle-entity-add-getters-setters - JHipster will add getters and setters here
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof AuditLog)) {
+            return false;
+        }
+        return id != null && id.equals(((AuditLog) o).id);
+    }
+
+    @Override
+    public int hashCode() {
+        // see https://vladmihalcea.com/how-to-implement-equals-and-hashcode-using-the-jpa-entity-identifier/
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "AuditLog{" +
+            "id=" + getId() +
+            ", dateLog='" + getDateLog() + "'" +
+            ", user='" + getUser() + "'" +
+            ", entity='" + getEntity() + "'" +
+            ", target='" + getTarget() + "'" +
+            ", operation='" + getOperation() + "'" +
+            "}";
+    }
+}
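Review bot: For an audit trail this entity is fully mutable: every column has a public setter and a default updatable mapping, and `dateLog` is a caller-supplied `String` of at most 20 characters rather than a timestamp. Consider Hibernate's `@Immutable` on the class (or `updatable = false` on each column) and `private Instant dateLog;`, so rows cannot be rewritten through the ORM and can be ordered and range-queried reliably. `@Column(name = "user")` uses a word that is reserved in several SQL dialects, so generated DDL or queries may fail unless the name is quoted; a name such as `user_login` avoids that. The field Javadocs only repeat the field names and could say what `entity`, `target` and `operation` hold.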
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Question.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Question.java
index 76d5d77e5d75651bdd191362a74717be50336e8d..f65a26436f8378b9223562ea1ee615a0ed36dd2b 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Question.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Question.java
@@ -43,11 +43,18 @@ public class Question implements Serializable {
     private String question;
     
     /**
-     * evidence
+     * defaultEvidence
      */
     @NotNull
-    @Column(name = "evidence", nullable = false)
-    private String evidence;
+    @Column(name = "default_evidence", nullable = false)
+    private String defaultEvidence;
+    
+    /**
+     * defaultComment
+     */
+    @NotNull
+    @Column(name = "default_comment", nullable = false)
+    private String defaultComment;
     
     /**
      * assuranceLevelId
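Review bot: Renaming the column from `evidence` to `default_evidence` and adding `default_comment` with `nullable = false` both need a schema migration that renames the old column and backfills existing rows. None is visible in this part of the commit, so confirm the changelog covers it before this mapping is deployed against an existing database. Both fields look like free text but have no `@Size` bound. The `Question` class starts and ends outside the hunk.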
@@ -116,17 +123,30 @@ public class Question implements Serializable {
         this.question = question;
     }
     
-    public String getEvidence() {
-        return this.evidence;
+    public String getDefaultEvidence() {
+        return this.defaultEvidence;
+    }
+
+    public Question defaultEvidence(String defaultEvidence) {
+        this.setDefaultEvidence(defaultEvidence);
+        return this;
+    }
+
+    public void setDefaultEvidence(String defaultEvidence) {
+        this.defaultEvidence = defaultEvidence;
+    }
+    
+    public String getDefaultComment() {
+        return this.defaultComment;
     }
 
-    public Question evidence(String evidence) {
-        this.setEvidence(evidence);
+    public Question defaultComment(String defaultComment) {
+        this.setDefaultComment(defaultComment);
         return this;
     }
 
-    public void setEvidence(String evidence) {
-        this.evidence = evidence;
+    public void setDefaultComment(String defaultComment) {
+        this.defaultComment = defaultComment;
     }
     
     public Long getAssuranceLevelId() {
@@ -204,7 +224,8 @@ public class Question implements Serializable {
             "id=" + getId() +
             ", code='" + getCode() + "'" +
             ", question='" + getQuestion() + "'" +
-            ", evidence='" + getEvidence() + "'" +
+            ", defaultEvidence='" + getDefaultEvidence() + "'" +
+            ", defaultComment='" + getDefaultComment() + "'" +
             ", assuranceLevelId='" + getAssuranceLevelId() + "'" +
             ", controlId='" + getControlId() + "'" +
             ", tomId='" + getTomId() + "'" +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Questionnaire.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Questionnaire.java
index 67019ae07e500af52153a3591a41e18d2d9ca8eb..d5047eb0a30f5b60683d43f8baeaad6ff66b3c1f 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Questionnaire.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Questionnaire.java
@@ -1,6 +1,8 @@
 package com.medina.coc.backend.domain;
 
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
 
 import javax.persistence.Column;
 import javax.persistence.Entity;
@@ -13,6 +15,8 @@ import javax.validation.constraints.NotNull;
 import org.hibernate.annotations.Cache;
 import org.hibernate.annotations.CacheConcurrencyStrategy;
 
+import com.medina.coc.backend.util.CollectionUtil;
+
 /**
  * Questionnaire entity.\n\n@author Diego Rosado
  */
@@ -27,20 +31,61 @@ public class Questionnaire implements Serializable {
     @GeneratedValue(strategy = GenerationType.IDENTITY)
     @Column(name = "id")
     private Long id;
+    
+    /**
+     * name
+     */
+    @NotNull
+    @Column(name = "name", nullable = false)
+    private String name;
+    
+    /**
+     * evidences
+     */
+    @NotNull
+    @Column(name = "evidences", nullable = false)
+    private String evidences;
+    
+    /**
+     * comments
+     */
+    @NotNull
+    @Column(name = "comments", nullable = false)
+    private String comments;
+    
+    /**
+     * lastUpdate
+     */
+    @Column(name = "last_update", nullable = true)
+    private Long lastUpdate;
 
     /**
      * frameworkId
      */
     @NotNull
-    @Column(name = "frameworkId", nullable = false)
+    @Column(name = "framework_id", nullable = false)
     private Long frameworkId;
     
     /**
-     * purposeId
+     * controlId
      */
     @NotNull
-    @Column(name = "purposeId", nullable = false)
-    private Long purposeId;
+    @Column(name = "control_id", nullable = false)
+    private Long controlId;
+    
+    /**
+     * tomId
+     */
+    @NotNull
+    @Column(name = "tom_id", nullable = false)
+    private Long tomId;
+    
+    /**
+     * assuranceLevelId
+     */
+    @NotNull
+    @Column(name = "assuranceLevelId", nullable = false)
+    private Long assuranceLevelId;
     
     /**
      * questionId
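Review bot: The new `assuranceLevelId` field is mapped with `@Column(name = "assuranceLevelId", nullable = false)` while the other columns touched in this hunk use snake_case (`framework_id`, `control_id`, `tom_id`); use `@Column(name = "assurance_level_id", nullable = false)` unless the table really has the camelCase name. Replacing `purposeId` with `controlId` and adding further non-null columns needs a migration that backfills existing rows, and none is visible in this part of the commit. `evidences` and `comments` look like free text but carry no `@Size` bound. The class body continues outside the hunk.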
@@ -63,6 +108,11 @@ public class Questionnaire implements Serializable {
     @Column(name = "userId", nullable = false)
     private String userId;
     
+    /**
+     * questionnaireNonConformityList
+     */
+    private transient List<QuestionnaireNonConformity> questionnaireNonConformityList = new ArrayList<QuestionnaireNonConformity>();
+    
 
     public Long getId() {
         return this.id;
@@ -76,6 +126,58 @@ public class Questionnaire implements Serializable {
     public void setId(Long id) {
         this.id = id;
     }
+    
+    public String getName() {
+        return this.name;
+    }
+
+    public Questionnaire name(String name) {
+        this.setName(name);
+        return this;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+    
+    public String getEvidences() {
+        return this.evidences;
+    }
+
+    public Questionnaire evidences(String evidences) {
+        this.setEvidences(evidences);
+        return this;
+    }
+
+    public void setEvidences(String evidences) {
+        this.evidences = evidences;
+    }
+    
+    public String getComments() {
+        return this.comments;
+    }
+
+    public Questionnaire comments(String comments) {
+        this.setComments(comments);
+        return this;
+    }
+
+    public void setComments(String comments) {
+        this.comments = comments;
+    }
+    
+    public Long getLastUpdate() {
+        return this.lastUpdate;
+    }
+
+    public Questionnaire lastUpdate(Long lastUpdate) {
+        this.setLastUpdate(lastUpdate);
+        return this;
+    }
+
+    public void setLastUpdate(Long lastUpdate) {
+        this.lastUpdate = lastUpdate;
+    }
 
     public Long getFrameworkId() {
         return this.frameworkId;
@@ -90,17 +192,43 @@ public class Questionnaire implements Serializable {
         this.frameworkId = frameworkId;
     }
     
-    public Long getPurposeId() {
-        return this.purposeId;
+    public Long getControlId() {
+        return this.controlId;
     }
 
-    public Questionnaire purposeId(Long purposeId) {
-        this.setPurposeId(purposeId);
+    public Questionnaire controlId(Long controlId) {
+        this.setControlId(controlId);
         return this;
     }
 
-    public void setPurposeId(Long purposeId) {
-        this.purposeId = purposeId;
+    public void setControlId(Long controlId) {
+        this.controlId = controlId;
+    }
+    
+    public Long getTomId() {
+        return this.tomId;
+    }
+
+    public Questionnaire tomId(Long tomId) {
+        this.setTomId(tomId);
+        return this;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+    
+    public Long getAssuranceLevelId() {
+        return this.assuranceLevelId;
+    }
+
+    public Questionnaire assuranceLevelId(Long assuranceLevelId) {
+        this.setAssuranceLevelId(assuranceLevelId);
+        return this;
+    }
+
+    public void setAssuranceLevelId(Long assuranceLevelId) {
+        this.assuranceLevelId = assuranceLevelId;
     }
     
     public Long getQuestionId() {
@@ -141,6 +269,14 @@ public class Questionnaire implements Serializable {
     public void setUserId(String userId) {
         this.userId = userId;
     }
+    
+    public List<QuestionnaireNonConformity> getQuestionnaireNonConformityList() {
+    	return CollectionUtil.isNullOrEmpty(questionnaireNonConformityList) ? new ArrayList<QuestionnaireNonConformity>() : questionnaireNonConformityList;
+    }
+    
+    public void setQuestionnaireNonConformityList(List<QuestionnaireNonConformity> questionnaireNonConformityList) {
+    	this.questionnaireNonConformityList = CollectionUtil.isNullOrEmpty(questionnaireNonConformityList) ? new ArrayList<QuestionnaireNonConformity>() : questionnaireNonConformityList;
+    }
 
     @Override
     public boolean equals(Object o) {
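Review bot: `getQuestionnaireNonConformityList()` returns a fresh `ArrayList` whenever the field is null or empty and never stores it, so (assuming `CollectionUtil.isNullOrEmpty` is true for an empty list) `q.getQuestionnaireNonConformityList().add(x)` on a new `Questionnaire` adds to a throwaway list and the item is lost. Assign before returning, e.g. `if (questionnaireNonConformityList == null) { questionnaireNonConformityList = new ArrayList<>(); }` followed by `return questionnaireNonConformityList;`. The null guard is still needed because the field is declared with the Java `transient` keyword in the earlier hunk and will be null after Java deserialization; if the intent is only to keep it out of the table, JPA's `@Transient` says so more directly. The setter has the same new-list-on-empty pattern, which detaches a caller's empty list from the entity.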
@@ -163,8 +299,14 @@ public class Questionnaire implements Serializable {
     public String toString() {
         return "Questionnaire{" +
             "id=" + getId() +
+            ", name='" + getName() + "'" +
+            ", evidences='" + getEvidences() + "'" +
+            ", comments='" + getComments() + "'" +
+            ", lastUpdate='" + getLastUpdate() + "'" +
             ", frameworkId='" + getFrameworkId() + "'" +
-            ", purposeId='" + getPurposeId() + "'" +
+            ", controlId='" + getControlId() + "'" +
+            ", tomId='" + getTomId() + "'" +
+            ", assuranceLevelId='" + getAssuranceLevelId() + "'" +
             ", questionId='" + getQuestionId() + "'" +
             ", answerId='" + getAnswerId() + "'" +
             ", userId='" + getUserId() + "'" +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnaireNonConformity.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnaireNonConformity.java
new file mode 100644
index 0000000000000000000000000000000000000000..df873f690af11502c60f9ad82663e5e84f435686
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnaireNonConformity.java
@@ -0,0 +1,148 @@
+package com.medina.coc.backend.domain;
+
+import java.io.Serializable;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.IdClass;
+import javax.persistence.Table;
+import javax.validation.constraints.NotNull;
+
+import org.hibernate.annotations.Cache;
+import org.hibernate.annotations.CacheConcurrencyStrategy;
+
+import com.medina.coc.backend.domain.key.QuestionnaireNonConformityId;
+
+/**
+ * QuestionnaireNonConformity entity.\n\n@author Diego Rosado
+ */
+@Entity
+@Table(name = "questionnaire_non_conformities")
+@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
+@IdClass(QuestionnaireNonConformityId.class)
+public class QuestionnaireNonConformity implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * questionnaireName
+     */
+    @Id
+    @Column(name = "questionnaire_name")
+    private String questionnaireName;
+    
+    /**
+     * tomId
+     */
+    @Id
+    @Column(name = "tom_id")
+    private Long tomId;
+
+    /**
+     * comments
+     */
+    @NotNull
+    @Column(name = "comments", nullable = false)
+    private String comments;
+    
+    /**
+     * compliance
+     */
+    @NotNull
+    @Column(name = "compliance", nullable = false)
+    private String compliance;
+    
+    
+    public QuestionnaireNonConformity() {}
+    
+    public QuestionnaireNonConformity(String questionnaireName, Long tomId,
+    		String comments, String compliance) {
+    	this.questionnaireName = questionnaireName;
+    	this.tomId = tomId;
+    	this.comments = comments;
+    	this.compliance = compliance;
+    }
+
+    
+    
+    public String getQuestionnaireName() {
+        return this.questionnaireName;
+    }
+
+    public QuestionnaireNonConformity questionnaireName(String questionnaireName) {
+        this.setQuestionnaireName(questionnaireName);
+        return this;
+    }
+
+    public void setQuestionnaireName(String questionnaireName) {
+        this.questionnaireName = questionnaireName;
+    }
+    
+    public Long getTomId() {
+        return this.tomId;
+    }
+
+    public QuestionnaireNonConformity tomId(Long tomId) {
+        this.setTomId(tomId);
+        return this;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+
+    public String getComments() {
+        return this.comments;
+    }
+
+    public QuestionnaireNonConformity comments(String comments) {
+        this.setComments(comments);
+        return this;
+    }
+
+    public void setComments(String comments) {
+        this.comments = comments;
+    }
+    
+    public String getCompliance() {
+        return this.compliance;
+    }
+
+    public QuestionnaireNonConformity compliance(String compliance) {
+        this.setCompliance(compliance);
+        return this;
+    }
+
+    public void setCompliance(String compliance) {
+        this.compliance = compliance;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireNonConformity)) {
+            return false;
+        }
+        return tomId != null && tomId.equals(((QuestionnaireNonConformity) o).tomId);
+    }
+
+    @Override
+    public int hashCode() {
+        // see https://vladmihalcea.com/how-to-implement-equals-and-hashcode-using-the-jpa-entity-identifier/
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireNonConformity{" +
+            "questionnaireName=" + getQuestionnaireName() +
+            ", tomId='" + getTomId() + "'" +
+            ", comments='" + getComments() + "'" +
+            ", compliance='" + getCompliance() + "'" +
+            "}";
+    }
+}
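Review bot: `equals` compares only `tomId`, but the identity declared through `@IdClass(QuestionnaireNonConformityId.class)` is the pair (`questionnaireName`, `tomId`), so two rows for the same TOM in different questionnaires compare equal and will collapse in a `Set` or be matched by `List.contains`/`remove`. Compare both key parts: `return tomId != null && questionnaireName != null && tomId.equals(other.tomId) && questionnaireName.equals(other.questionnaireName);`, with `other` being the cast argument. Using the questionnaire name as part of the key also ties these rows to a label that may change; confirm that a rename is either impossible or updates them. In `toString`, `questionnaireName` is printed unquoted while the other string fields are quoted.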
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnairePurpose.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnairePurpose.java
deleted file mode 100755
index 0f82824c7f0c15cb13950563a200e94c47d1467f..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/QuestionnairePurpose.java
+++ /dev/null
@@ -1,89 +0,0 @@
-package com.medina.coc.backend.domain;
-
-import java.io.Serializable;
-
-import javax.persistence.Column;
-import javax.persistence.Entity;
-import javax.persistence.GeneratedValue;
-import javax.persistence.GenerationType;
-import javax.persistence.Id;
-import javax.persistence.Table;
-import javax.validation.constraints.NotNull;
-
-import org.hibernate.annotations.Cache;
-import org.hibernate.annotations.CacheConcurrencyStrategy;
-
-/**
- * QuestionnairePurpose entity.\n\n@author Diego Rosado
- */
-@Entity
-@Table(name = "questionnaire_purpose")
-@Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
-public class QuestionnairePurpose implements Serializable {
-
-    private static final long serialVersionUID = 1L;
-
-    @Id
-    @GeneratedValue(strategy = GenerationType.IDENTITY)
-    @Column(name = "id")
-    private Long id;
-
-    /**
-     * purpose
-     */
-    @NotNull
-    @Column(name = "purpose", nullable = false)
-    private String purpose;
-    
-
-    public Long getId() {
-        return this.id;
-    }
-
-    public QuestionnairePurpose id(Long id) {
-        this.setId(id);
-        return this;
-    }
-
-    public void setId(Long id) {
-        this.id = id;
-    }
-
-    public String getPurpose() {
-        return this.purpose;
-    }
-
-    public QuestionnairePurpose purpose(String purpose) {
-        this.setPurpose(purpose);
-        return this;
-    }
-
-    public void setPurpose(String purpose) {
-        this.purpose = purpose;
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) {
-            return true;
-        }
-        if (!(o instanceof QuestionnairePurpose)) {
-            return false;
-        }
-        return id != null && id.equals(((QuestionnairePurpose) o).id);
-    }
-
-    @Override
-    public int hashCode() {
-        return getClass().hashCode();
-    }
-
-    // prettier-ignore
-    @Override
-    public String toString() {
-        return "QuestionnairePurpose{" +
-            "id=" + getId() +
-            ", purpose='" + getPurpose() + "'" +
-            "}";
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/SecurityControl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/SecurityControl.java
index a7fa70fb635f420cabf2692c0c33842bd9fcc165..3619d283619a051271442c3581419e05d3518258 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/SecurityControl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/SecurityControl.java
@@ -52,20 +52,6 @@ public class SecurityControl implements Serializable {
     @Column(name = "description", nullable = false)
     private String description;
 
-    /**
-     * guidance
-     */
-    @NotNull
-    @Column(name = "guidance", nullable = false)
-    private String guidance;
-
-    /**
-     * riskReductionWeight
-     */
-    @NotNull
-    @Column(name = "risk_reduction_weight", nullable = false)
-    private Float riskReductionWeight;
-
     @OneToMany(mappedBy = "securityControl")
     @Cache(usage = CacheConcurrencyStrategy.READ_WRITE)
     @JsonIgnoreProperties(value = { "securityControl" }, allowSetters = true)
@@ -153,32 +139,6 @@ public class SecurityControl implements Serializable {
         this.description = description;
     }
 
-    public String getGuidance() {
-        return this.guidance;
-    }
-
-    public SecurityControl guidance(String guidance) {
-        this.setGuidance(guidance);
-        return this;
-    }
-
-    public void setGuidance(String guidance) {
-        this.guidance = guidance;
-    }
-
-    public Float getRiskReductionWeight() {
-        return this.riskReductionWeight;
-    }
-
-    public SecurityControl riskReductionWeight(Float riskReductionWeight) {
-        this.setRiskReductionWeight(riskReductionWeight);
-        return this;
-    }
-
-    public void setRiskReductionWeight(Float riskReductionWeight) {
-        this.riskReductionWeight = riskReductionWeight;
-    }
-
     public Set<SimilarControl> getSimilarControls() {
         return this.similarControls;
     }
@@ -276,8 +236,6 @@ public class SecurityControl implements Serializable {
             ", name='" + getName() + "'" +
             ", objective='" + getObjective() + "'" +
             ", description='" + getDescription() + "'" +
-            ", guidance='" + getGuidance() + "'" +
-            ", riskReductionWeight=" + getRiskReductionWeight() +
             "}";
     }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Tom.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Tom.java
index dadc06a2e08d640ec1f9804d4478e4a7a4839311..938cb7be324aeda7f62cde16908121afa30c450d 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Tom.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/Tom.java
@@ -62,6 +62,12 @@ public class Tom implements Serializable {
     @Enumerated(EnumType.STRING)
     @Column(name = "type", nullable = false)
     private Type type;
+    
+    /**
+     * guidance
+     */
+    @Column(name = "guidance", nullable = true)
+    private String guidance;
 
     @ManyToOne(optional = false)
     @NotNull
@@ -151,6 +157,19 @@ public class Tom implements Serializable {
     public void setType(Type type) {
         this.type = type;
     }
+    
+    public String getGuidance() {
+        return this.guidance;
+    }
+
+    public Tom guidance(String guidance) {
+        this.setGuidance(guidance);
+        return this;
+    }
+
+    public void setGuidance(String guidance) {
+        this.guidance = guidance;
+    }
 
     public SecurityControl getSecurityControl() {
         return this.securityControl;
@@ -207,6 +226,7 @@ public class Tom implements Serializable {
             ", description='" + getDescription() + "'" +
             ", assuranceLevel='" + getAssuranceLevel() + "'" +
             ", type='" + getType() + "'" +
+            ", guidance='" + getGuidance() + "'" +
             "}";
     }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/User.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/User.java
index 7fd13257ab15374e37a89a4c77d6c023d8c9a9d4..638dfdcd930d6e27f4392d8b8b4751d44df0445c 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/User.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/User.java
@@ -47,6 +47,10 @@ public class User extends AbstractAuditingEntity implements Serializable {
     @Size(min = 5, max = 254)
     @Column(length = 254, unique = true)
     private String email;
+    
+    @Size(min = 255)
+    @Column(length = 255)
+    private String company;
 
     @NotNull
     @Column(nullable = false)
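Review bot: `@Size(min = 255)` on `company` requires at least 255 characters, so any realistic non-null company name fails bean validation while the column allows at most 255; this was presumably meant to be `@Size(max = 255)`. Because `@Size` accepts null, the problem only shows once a company is actually supplied. The `User` class continues outside the hunk.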
@@ -111,6 +115,14 @@ public class User extends AbstractAuditingEntity implements Serializable {
     public void setEmail(String email) {
         this.email = email;
     }
+    
+    public String getCompany() {
+        return company;
+    }
+
+    public void setCompany(String company) {
+        this.company = company;
+    }
 
     public String getImageUrl() {
         return imageUrl;
@@ -169,6 +181,7 @@ public class User extends AbstractAuditingEntity implements Serializable {
             ", firstName='" + firstName + '\'' +
             ", lastName='" + lastName + '\'' +
             ", email='" + email + '\'' +
+            ", company='" + company + '\'' +
             ", imageUrl='" + imageUrl + '\'' +
             ", activated='" + activated + '\'' +
             ", langKey='" + langKey + '\'' +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevel.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevel.java
index 24a7e4702fc91ab73909b8322994609d5a48d659..9666997f2dcee8687e85c0c45bce1659804524bf 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevel.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevel.java
@@ -4,9 +4,9 @@ package com.medina.coc.backend.domain.enumeration;
  * The AssuranceLevel enumeration.
  */
 public enum AssuranceLevel {
-    BASIC("Basic"),
-    SUBSTANTIAL("Substantial"),
-    HIGH("High");
+    Basic("Basic"),
+    Substantial("Substantial"),
+    High("High");
 
     private final String value;
 
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevelId.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevelId.java
new file mode 100644
index 0000000000000000000000000000000000000000..499d7174cc6fe0afa674dfaccac4b648a7c3c8f8
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AssuranceLevelId.java
@@ -0,0 +1,20 @@
+package com.medina.coc.backend.domain.enumeration;
+
+/**
+ * The AssuranceLevelId enumeration.
+ */
+public enum AssuranceLevelId {
+    Basic("1"),
+    Substantial("2"),
+    High("3");
+
+    private final String value;
+
+    AssuranceLevelId(String value) {
+        this.value = value;
+    }
+
+    public String getValue() {
+        return value;
+    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AuditLogs.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AuditLogs.java
new file mode 100644
index 0000000000000000000000000000000000000000..cb81e8bb4feb38c2393bf6e29d530ebf48f766af
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/enumeration/AuditLogs.java
@@ -0,0 +1,23 @@
+package com.medina.coc.backend.domain.enumeration;
+
+/**
+ * The AssuranceLevel enumeration.
+ */
+public enum AuditLogs {
+	FRAMEWORKS("Frameworks"),
+	CATEGORIES("Categories"),
+	CONTROLS("Controls"),
+    REQUIREMENTS("Requirements"),
+    SIMILAR_CONTROLS("Similar Controls"),
+    IMPLEMENTATION_GUIDELINES("Implementation Guidelines");
+
+    private final String value;
+
+    AuditLogs(String value) {
+        this.value = value;
+    }
+
+    public String getValue() {
+        return value;
+    }
+}
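Review bot: The Javadoc on `AuditLogs` still reads `The AssuranceLevel enumeration.`, copied from another enum, so generated documentation describes the wrong type. Replace it with a comment that says what the constants denote, for example `/** Kinds of catalogue object an audit-log entry can refer to; getValue() returns the display label. */` — that meaning is inferred from the constant names, so confirm it against the code that writes audit entries. The first three constants are also indented with tabs while the rest use spaces.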
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/key/QuestionnaireNonConformityId.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/key/QuestionnaireNonConformityId.java
new file mode 100644
index 0000000000000000000000000000000000000000..7c0e0d623f07619dbceecf9bdafed6394c400886
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/key/QuestionnaireNonConformityId.java
@@ -0,0 +1,54 @@
+package com.medina.coc.backend.domain.key;
+
+import java.io.Serializable;
+
+/**
+ * Primary Key for QuestionnaireNonConformityId entity.
+ */
+public class QuestionnaireNonConformityId implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    
+    /**
+     * questionnaireName
+     */
+    private String questionnaireName;
+
+    /**
+     * tomId
+     */
+    private Long tomId;
+
+    
+    
+    public String getQuestionnaireName() {
+        return this.questionnaireName;
+    }
+
+    public void setQuestionnaireName(String questionnaireName) {
+        this.questionnaireName = questionnaireName;
+    }
+    
+    public Long getTomId() {
+        return this.tomId;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+
+    @Override
+    public int hashCode() {
+        // see https://vladmihalcea.com/how-to-implement-equals-and-hashcode-using-the-jpa-entity-identifier/
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireNonConformityId{" +
+        	"questionnaireName=" + getQuestionnaireName() +
+            ", tomId='" + getTomId() + "'" +
+            "}";
+    }
+}
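Review bot: `QuestionnaireNonConformityId` overrides `hashCode()` with a per-class constant and does not override `equals()`, so two key objects holding the same `questionnaireName` and `tomId` compare unequal. The class comment calls it a primary key, and JPA requires a composite key class to define value-based `equals` and `hashCode` over the key fields; with identity equality, lookups in the persistence context and caches can miss. The constant-hash pattern from the linked article is meant for entities with generated ids, not for key classes. Add both methods over the two fields as below (this needs `java.util.Objects` imported); the Javadoc also names the key class itself rather than the entity it identifies.

```java
@Override
public boolean equals(Object o) {
    if (this == o) {
        return true;
    }
    if (!(o instanceof QuestionnaireNonConformityId)) {
        return false;
    }
    QuestionnaireNonConformityId other = (QuestionnaireNonConformityId) o;
    return Objects.equals(questionnaireName, other.questionnaireName)
        && Objects.equals(tomId, other.tomId);
}

@Override
public int hashCode() {
    return Objects.hash(questionnaireName, tomId);
}
// … unchanged: fields, accessors, toString …
```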
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireCloudService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireCloudService.java
new file mode 100644
index 0000000000000000000000000000000000000000..1708428f41565af449936f8721d06b097acfd386
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireCloudService.java
@@ -0,0 +1,65 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+
+/**
+ * QuestionnaireCloudService entity.
+ */
+public class QuestionnaireCloudService implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private String id;
+    private String name;
+    
+    
+    public QuestionnaireCloudService() {}
+    
+    public QuestionnaireCloudService(final String id, final String name) {
+    	this.id = id;
+    	this.name = name;
+    }
+    
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+    
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.id = name;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireCloudService)) {
+            return false;
+        }
+        return id != null && id.equals(((QuestionnaireCloudService) o).id);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireCloudService{" +
+            "id=" + getId() +
+            ", name='" + getName() + "'" +
+            "}";
+    }
+}
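Review bot: `setName` assigns its argument to `id` (`this.id = name;`), so calling it overwrites the identifier and leaves `name` unchanged. Since `equals` compares `id`, an object populated through the setters — which is how a JSON binder would fill it via the no-arg constructor, if the class is used that way — ends up compared on the wrong value. The body should be `this.name = name;`.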
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireQuestionsInfo.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireQuestionsInfo.java
new file mode 100644
index 0000000000000000000000000000000000000000..06969021bffc45418499605f3193ab07bd4dbb05
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireQuestionsInfo.java
@@ -0,0 +1,74 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+
+/**
+ * QuestionnaireQuestionsInfo entity.
+ */
+public class QuestionnaireQuestionsInfo implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private Integer basic;
+    private Integer substantial;
+    private Integer high;
+    
+    
+    public QuestionnaireQuestionsInfo() {
+    	basic = 0;
+    	substantial = 0;
+    	high = 0;
+    }
+    
+
+    public Integer getBasic() {
+        return basic;
+    }
+
+    public void setBasic(Integer basic) {
+        this.basic = basic;
+    }
+    
+    public Integer getSubstantial() {
+        return substantial;
+    }
+
+    public void setSubstantial(Integer substantial) {
+        this.substantial = substantial;
+    }
+    
+    public Integer getHigh() {
+        return high;
+    }
+
+    public void setHigh(Integer high) {
+        this.high = high;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireQuestionsInfo)) {
+            return false;
+        }
+        return basic != null && basic.equals(((QuestionnaireQuestionsInfo) o).basic);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireQuestionsInfo{" +
+            "basic=" + getBasic() +
+            ", substantial='" + getSubstantial() + "'" +
+            ", high='" + getHigh() + "'" +
+            "}";
+    }
+}
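Review bot: `equals` in `QuestionnaireQuestionsInfo` compares only `basic`, so two objects with the same basic count but different `substantial` or `high` counts are treated as equal, and `hashCode` returns the same value for every instance. That pattern comes from JPA entities keyed by a generated id, whereas `basic` is a count, not an identifier. Compare all three fields, e.g. `return Objects.equals(basic, other.basic) && Objects.equals(substantial, other.substantial) && Objects.equals(high, other.high);` together with `return Objects.hash(basic, substantial, high);` (needs `java.util.Objects`). The same single-field `equals` with a constant `hashCode` appears in `QuestionnaireReport` (`page`), `QuestionnaireScore` (`category`) and `SatraRequest` (`data`) later in this diff.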
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReport.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReport.java
new file mode 100644
index 0000000000000000000000000000000000000000..bf0af941e719098ce1cb336de3e4742f4b946a11
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReport.java
@@ -0,0 +1,69 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * QuestionnaireReport entity.
+ */
+public class QuestionnaireReport implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private Integer page;
+    private List<QuestionnaireReportConcept> concepts = new ArrayList<QuestionnaireReportConcept>();
+    private List<String> additionalInfo = new ArrayList<String>();
+    
+
+    public Integer getPage() {
+        return page;
+    }
+
+    public void setPage(Integer page) {
+        this.page = page;
+    }
+    
+    public List<QuestionnaireReportConcept> getConcepts() {
+        return concepts;
+    }
+
+    public void setConcepts(List<QuestionnaireReportConcept> concepts) {
+        this.concepts = concepts;
+    }
+    
+    public List<String> getAdditionalInfo() {
+        return additionalInfo;
+    }
+
+    public void setAdditionalInfo(List<String> additionalInfo) {
+        this.additionalInfo = additionalInfo;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireReport)) {
+            return false;
+        }
+        return page != null && page.equals(((QuestionnaireReport) o).page);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireReport{" +
+            "page=" + getPage() +
+            ", concepts='" + getConcepts().size() + "'" +
+            ", additionalInfo='" + getAdditionalInfo().size() + "'" +
+            "}";
+    }
+}
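Review bot: `toString` calls `getConcepts().size()` and `getAdditionalInfo().size()`, which throw `NullPointerException` once either list has been set to null; the setters accept null, and a binder may well pass it for a JSON `null`. A `toString` that throws usually surfaces inside a log statement, far from the cause. Keep the lists non-null in the setters, e.g. `this.concepts = concepts != null ? concepts : new ArrayList<>();`, or print the size null-safely. `QuestionnaireReportWrapper`, `QuestionnaireWrapper` and `SatraRequest` make the same `.size()` calls in their `toString`.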
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportConcept.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportConcept.java
new file mode 100644
index 0000000000000000000000000000000000000000..b64618d322c7a7475378b310162aec73488947df
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportConcept.java
@@ -0,0 +1,69 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * QuestionnaireReportConcept entity.
+ */
+public class QuestionnaireReportConcept implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private String name;
+    private Boolean isCategory;
+    private List<QuestionnaireReportTom> toms = new ArrayList<QuestionnaireReportTom>();
+    
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+    
+    public Boolean getIsCategory() {
+        return isCategory;
+    }
+
+    public void setIsCategory(Boolean isCategory) {
+        this.isCategory = isCategory;
+    }
+    
+    public List<QuestionnaireReportTom> getToms() {
+        return toms;
+    }
+
+    public void setToms(List<QuestionnaireReportTom> toms) {
+        this.toms = toms;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireReportConcept)) {
+            return false;
+        }
+        return name != null && name.equals(((QuestionnaireReportConcept) o).name);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireReportConcept{" +
+            "name=" + getName() +
+            ", isCategory='" + getIsCategory() + "'" +
+            ", toms='" + getToms() + "'" +
+            "}";
+    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportTom.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportTom.java
new file mode 100644
index 0000000000000000000000000000000000000000..42b28b6fa6899b716fbe4f15a3e5b1b4af76a1e6
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportTom.java
@@ -0,0 +1,67 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+
+/**
+ * QuestionnaireReportTom entity.
+ */
+public class QuestionnaireReportTom implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private String code;
+    private String compliance;
+    private String nonConformities;
+    
+
+    public String getCode() {
+        return code;
+    }
+
+    public void setCode(String code) {
+        this.code = code;
+    }
+    
+    public String getCompliance() {
+        return compliance;
+    }
+
+    public void setCompliance(String compliance) {
+        this.compliance = compliance;
+    }
+    
+    public String getNonConformities() {
+        return nonConformities;
+    }
+
+    public void setNonConformities(String nonConformities) {
+        this.nonConformities = nonConformities;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireReportTom)) {
+            return false;
+        }
+        return code != null && code.equals(((QuestionnaireReportTom) o).code);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireReportTom{" +
+            "code=" + getCode() +
+            ", compliance='" + getCompliance() + "'" +
+            ", nonConformities='" + getNonConformities() + "'" +
+            "}";
+    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportWrapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportWrapper.java
new file mode 100644
index 0000000000000000000000000000000000000000..9c33d2363b29b13edcc6ebe25a9745fd7e6ceae7
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireReportWrapper.java
@@ -0,0 +1,58 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * QuestionnaireReportWrapper entity.
+ */
+public class QuestionnaireReportWrapper implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private List<QuestionnaireReport> report = new ArrayList<QuestionnaireReport>();
+    private List<QuestionnaireScore> score = new ArrayList<QuestionnaireScore>();
+    private List<Integer> totalScore = new ArrayList<Integer>();
+    
+
+    public List<QuestionnaireReport> getReport() {
+        return report;
+    }
+
+    public void setReport(List<QuestionnaireReport> report) {
+        this.report = report;
+    }
+    
+    public List<QuestionnaireScore> getScore() {
+        return score;
+    }
+
+    public void setScore(List<QuestionnaireScore> score) {
+        this.score = score;
+    }
+    
+    public List<Integer> getTotalScore() {
+        return totalScore;
+    }
+
+    public void setTotalScore(List<Integer> totalScore) {
+        this.totalScore = totalScore;
+    }
+    
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireReportWrapper{" +
+            "report='" + getReport().size() + "'" +
+            "score='" + getScore().size() + "'" +
+            "totalScore='" + getTotalScore().size() + "'" +
+            "}";
+    }
+}
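Review bot: The `toString` fragments for `score` and `totalScore` lack the leading `", "` that the sibling request classes use, so the fields run together in the output (for sizes 1, 2 and 3: `report='1'score='2'totalScore='3'`). Write them as `", score='" + getScore().size() + "'"` and `", totalScore='" + getTotalScore().size() + "'"`. The class also overrides `hashCode` without `equals`, unlike its siblings; with identity equality that is harmless, but dropping the override would be clearer.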
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireScore.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireScore.java
new file mode 100644
index 0000000000000000000000000000000000000000..2d2b28758dadb307b24a6fda0fa410b2a7261bfe
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireScore.java
@@ -0,0 +1,67 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+
+/**
+ * QuestionnaireReportConcept entity.
+ */
+public class QuestionnaireScore implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private String category;
+    private String control;
+    private Double score;
+    
+
+    public String getCategory() {
+        return category;
+    }
+
+    public void setCategory(String category) {
+        this.category = category;
+    }
+    
+    public String getControl() {
+        return control;
+    }
+
+    public void setControl(String control) {
+        this.control = control;
+    }
+    
+    public Double getScore() {
+        return score;
+    }
+
+    public void setScore(Double score) {
+        this.score = score;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireScore)) {
+            return false;
+        }
+        return category != null && category.equals(((QuestionnaireScore) o).category);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireScore{" +
+            "category=" + getCategory() +
+            ", control='" + getControl() + "'" +
+            ", score='" + getScore() + "'" +
+            "}";
+    }
+}
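Review bot: The class comment on `QuestionnaireScore` says `QuestionnaireReportConcept entity.`, copied from the sibling class. Change it to describe this type, for example `/** Score of one control within a category, as carried in QuestionnaireReportWrapper. */` — the wording is inferred from the field names, so adjust it if the meaning differs. As far as this diff shows, none of the classes under `domain.request` is a JPA entity, so the word `entity` in these comments is misleading as well.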
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireWrapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireWrapper.java
new file mode 100644
index 0000000000000000000000000000000000000000..d26bf764d743730f5ce2b2b0c43a2df629a08ef9
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/request/QuestionnaireWrapper.java
@@ -0,0 +1,61 @@
+package com.medina.coc.backend.domain.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+import com.medina.coc.backend.domain.Questionnaire;
+
+/**
+ * QuestionnaireWrapper entity.
+ */
+public class QuestionnaireWrapper implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private String id;
+    private List<Questionnaire> questionnaire = new ArrayList<Questionnaire>();
+    
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+    
+    public List<Questionnaire> getQuestionnaire() {
+        return questionnaire;
+    }
+
+    public void setQuestionnaire(List<Questionnaire> questionnaire) {
+        this.questionnaire = questionnaire;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireWrapper)) {
+            return false;
+        }
+        return id != null && id.equals(((QuestionnaireWrapper) o).id);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireWrapper{" +
+            "id=" + getId() +
+            ", questionnaire='" + getQuestionnaire().size() + "'" +
+            "}";
+    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraPartnerSurvey.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraPartnerSurvey.java
new file mode 100644
index 0000000000000000000000000000000000000000..3ccda8af75e90f4d45265c11aa521d9236060b51
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraPartnerSurvey.java
@@ -0,0 +1,68 @@
+package com.medina.coc.backend.domain.satra;
+
+import java.io.Serializable;
+
+/**
+ * SatraPartnerSurvey entity.
+ */
+public class SatraPartnerSurvey implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private Integer answer_value;
+    private String question_id;
+    private String related;
+    
+    
+    
+    public Integer getAnswer_value() {
+		return answer_value;
+	}
+
+	public void setAnswer_value(Integer answer_value) {
+		this.answer_value = answer_value;
+	}
+
+	public String getQuestion_id() {
+		return question_id;
+	}
+
+	public void setQuestion_id(String question_id) {
+		this.question_id = question_id;
+	}
+
+	public String getRelated() {
+		return related;
+	}
+
+	public void setRelated(String related) {
+		this.related = related;
+	}
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SatraPartnerSurvey)) {
+            return false;
+        }
+        return question_id != null && question_id.equals(((SatraPartnerSurvey) o).question_id);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SatraPartnerSurvey{" +
+            "question_id=" + getQuestion_id() +
+            ", answer_value='" + getAnswer_value() + "'" +
+            ", related='" + getRelated() + "'" +
+            "}";
+    }
+}
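Review bot: The fields and accessors use snake_case (`answer_value`, `getQuestion_id`), which departs from the camelCase used in the rest of this diff; presumably the names mirror the JSON expected by the external service. If Jackson does the binding, camelCase fields annotated with `@JsonProperty("answer_value")` and `@JsonProperty("question_id")` keep the wire format without leaking it into Java identifiers. `SatraRequest` has the same naming. The accessor block is also indented with tabs while the rest of the file uses spaces.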
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraRequest.java b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraRequest.java
new file mode 100644
index 0000000000000000000000000000000000000000..0fc2c54ccf4c1a449045db49752d08dc59f317c2
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/domain/satra/SatraRequest.java
@@ -0,0 +1,90 @@
+package com.medina.coc.backend.domain.satra;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * SatraRequest entity.
+ */
+public class SatraRequest implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private Long assurance_level;
+    private Integer certification_schema;	// 1 = EUCS (always)
+    private String data;
+    private List<SatraPartnerSurvey> partner_survey;
+    
+    
+    public SatraRequest() {
+    	partner_survey = new ArrayList<SatraPartnerSurvey>();
+    }
+    
+    public SatraRequest(final Long assurance_level, final Integer certification_schema, final String data) {
+    	this.assurance_level = assurance_level;
+    	this.certification_schema = certification_schema;
+    	this.data = data;
+    	partner_survey = new ArrayList<SatraPartnerSurvey>();
+    }
+    
+    public Long getAssurance_level() {
+        return assurance_level;
+    }
+
+    public void setAssurance_level(Long assurance_level) {
+        this.assurance_level = assurance_level;
+    }
+    
+    public Integer getCertification_schema() {
+        return certification_schema;
+    }
+
+    public void setCertification_schema(Integer certification_schema) {
+        this.certification_schema = certification_schema;
+    }
+    
+    public String getData() {
+        return data;
+    }
+
+    public void setData(String data) {
+        this.data = data;
+    }
+    
+    public List<SatraPartnerSurvey> getPartner_survey() {
+        return partner_survey;
+    }
+
+    public void setPartner_survey(List<SatraPartnerSurvey> partner_survey) {
+        this.partner_survey = partner_survey;
+    }
+    
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SatraRequest)) {
+            return false;
+        }
+        return data != null && data.equals(((SatraRequest) o).data);
+    }
+
+    @Override
+    public int hashCode() {
+        return getClass().hashCode();
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SatraRequest{" +
+        	"assurance_level=" + getAssurance_level() +
+        	", certification_schema=" + getCertification_schema() +
+            ", data=" + getData() +
+            ", partner_survey='" + getPartner_survey().size() + "'" +
+            "}";
+    }
+}
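Review bot: `toString` prints the whole `data` string (`", data=" + getData()`) while the list field is summarised by its size, so if a `SatraRequest` is ever logged the full payload sent to the external service lands in the log. What `data` holds is not visible here; if it can be large or carry assessment content, log its length instead, e.g. `", dataLength=" + (data == null ? 0 : data.length())`. The comment `// 1 = EUCS (always)` on `certification_schema` would also be better as a named constant, so callers of the three-argument constructor do not pass a bare `1`.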
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/AuditLogRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/AuditLogRepository.java
new file mode 100644
index 0000000000000000000000000000000000000000..004d611e3c45fdf558ef8a1e1e664e56394940af
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/AuditLogRepository.java
@@ -0,0 +1,21 @@
+package com.medina.coc.backend.repository;
+
+import java.util.List;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+
+import com.medina.coc.backend.domain.AuditLog;
+
+/**
+ * Spring Data SQL repository for the AuditLog entity.
+ */
+@SuppressWarnings("unused")
+@Repository
+public interface AuditLogRepository extends JpaRepository<AuditLog, Long>, JpaSpecificationExecutor<AuditLog> {
+
+	@Query("select a from AuditLog a order by a.dateLog desc")
+	public List<AuditLog> findAllAuditLogs();
+}
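Review bot: `findAllAuditLogs` loads every `AuditLog` row into a single list, and an audit table only grows, so this call becomes slower and heavier on memory over time. The interface already extends `JpaRepository`, so a paged variant such as `Page<AuditLog> findAllByOrderByDateLogDesc(Pageable pageable);` gives the same ordering with a bounded result. The `public` modifier on the method is redundant in an interface.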
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionRepository.java
index 17425c90af42e4698a081de8f957323020fb2da9..2973e0e2ce1357623090f25beea4fa0d64f62c89 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionRepository.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionRepository.java
@@ -2,6 +2,7 @@ package com.medina.coc.backend.repository;
 
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.data.jpa.repository.Query;
 import org.springframework.stereotype.Repository;
 
 import com.medina.coc.backend.domain.Question;
@@ -10,4 +11,8 @@ import com.medina.coc.backend.domain.Question;
  * Spring Data SQL repository for the Question entity.
  */
 @Repository
-public interface QuestionRepository extends JpaRepository<Question, Long>, JpaSpecificationExecutor<Question> {}
+public interface QuestionRepository extends JpaRepository<Question, Long>, JpaSpecificationExecutor<Question> {
+	
+	@Query("select count(q) from Question q where q.assuranceLevelId = ?1")
+    int countQuestionsByAssuranceLevel(Long assuranceLevelId); 
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireNonConformityRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireNonConformityRepository.java
new file mode 100644
index 0000000000000000000000000000000000000000..3234fe702d6e04385e025cbd54882ac714b87ecf
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireNonConformityRepository.java
@@ -0,0 +1,37 @@
+package com.medina.coc.backend.repository;
+
+import java.util.List;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+
+/**
+ * Spring Data SQL repository for the QuestionnaireNonConformity entity.
+ */
+@Repository
+public interface QuestionnaireNonConformityRepository extends JpaRepository<QuestionnaireNonConformity, Long>, JpaSpecificationExecutor<QuestionnaireNonConformity> {
+	
+	@Query("select q from QuestionnaireNonConformity q where q.questionnaireName = ?1")
+	List<QuestionnaireNonConformity> findQuestionnaireNonConformitiesByQuestionnaireName(String questionnaireName);
+	
+	@Query("update QuestionnaireNonConformity q set q.comments = ?3, q.compliance = ?4 where q.questionnaireName = ?1 and q.tomId = ?2")
+	@Modifying
+	void updateQuestionnaireNonConformityByQuestionnaireNameAndTomId(String questionnaireName, Long tomId, String comments, String compliance);
+	
+	@Query("delete from QuestionnaireNonConformity q where q.questionnaireName = ?1")
+	@Modifying
+    void deleteQuestionnaireNonConformityByQuestionnaireName(String questionnaireName);
+	
+	@Query("delete from QuestionnaireNonConformity q where q.questionnaireName = ?1 and q.tomId in (?2)")
+	@Modifying
+    void deleteQuestionnaireNonConformityByQuestionnaireNameAndTomIds(String questionnaireName, List<Long> tomIds);
+	
+	@Query("delete from QuestionnaireNonConformity q where q.questionnaireName = ?1 and q.tomId = ?2")
+	@Modifying
+    void deleteQuestionnaireNonConformityByKeys(String questionnaireName, Long tomId);
+}
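Review bot: The four `@Modifying` queries here carry no `@Transactional`, while the equivalent deletes added to `QuestionnaireRepository` in this same diff do; a modifying query executed outside a transaction fails with a `TransactionRequiredException`. Unless every caller is already transactional (the callers are not in this hunk), annotate these methods or the interface with `@Transactional`. For the update, `@Modifying(clearAutomatically = true)` is worth adding so entities already loaded in the persistence context do not keep the old `comments` and `compliance` values. With three `String` arguments bound positionally as `?1`, `?3` and `?4`, a misordered call compiles fine, so named parameters with `@Param` would be safer.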
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnairePurposeRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnairePurposeRepository.java
deleted file mode 100755
index f652e374a6bb85a17c21f300957ae5e8f76e946a..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnairePurposeRepository.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package com.medina.coc.backend.repository;
-
-import org.springframework.data.jpa.repository.JpaRepository;
-import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
-import org.springframework.stereotype.Repository;
-
-import com.medina.coc.backend.domain.QuestionnairePurpose;
-
-/**
- * Spring Data SQL repository for the QuestionnairePurpose entity.
- */
-@Repository
-public interface QuestionnairePurposeRepository extends JpaRepository<QuestionnairePurpose, Long>, JpaSpecificationExecutor<QuestionnairePurpose> {}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireRepository.java
index 0c49049ee8b5bcefea29c13f55a2373cb77f6093..55ee009cbd70273581426e36b4cd6e3307f26213 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireRepository.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/QuestionnaireRepository.java
@@ -1,11 +1,27 @@
 package com.medina.coc.backend.repository;
 
-import com.medina.coc.backend.domain.Questionnaire;
-import org.springframework.data.jpa.repository.*;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
 import org.springframework.stereotype.Repository;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.backend.domain.Questionnaire;
 
 /**
  * Spring Data SQL repository for the Questionnaire entity.
  */
 @Repository
-public interface QuestionnaireRepository extends JpaRepository<Questionnaire, Long>, JpaSpecificationExecutor<Questionnaire> {}
+public interface QuestionnaireRepository extends JpaRepository<Questionnaire, Long>, JpaSpecificationExecutor<Questionnaire> {
+	
+	@Query("delete from Questionnaire q where q.name = ?1 and q.assuranceLevelId = ?2")
+	@Modifying(flushAutomatically = true)
+	@Transactional
+    void deleteQuestionnaireByKeys(String name, Long assuranceLevelId);
+	
+	@Query("delete from Questionnaire q where q.name = ?1")
+	@Modifying(flushAutomatically = true)
+	@Transactional
+    void deleteQuestionnaireByName(String name);
+}
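Review bot: Both new methods are JPQL bulk deletes, which go straight to the database and skip cascade rules and entity lifecycle callbacks, so rows that refer to a questionnaire only by name — `QuestionnaireNonConformity.questionnaireName` in this diff — stay behind unless the caller deletes them too. `deleteQuestionnaireByName` removes every row with that name across all assurance levels and has no owner or tenant condition, so the authorization check has to sit in the calling service, which is not visible in this hunk. `flushAutomatically = true` pushes pending changes before the delete, but without `clearAutomatically = true` already-loaded `Questionnaire` instances remain in the persistence context after their rows are gone.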
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/SecurityControlFrameworkRepository.java b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/SecurityControlFrameworkRepository.java
index c8db293d516ec6cb31e54601c6c29ca301cf6b3e..f003f7139aa88eb07af8ad80d9a99152a2f2fa73 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/repository/SecurityControlFrameworkRepository.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/repository/SecurityControlFrameworkRepository.java
@@ -21,4 +21,4 @@ public interface SecurityControlFrameworkRepository
 			+ "and scc.security_control_framework_id  = scf.id and scf.name = :frameworkName", 
 			  nativeQuery = true)
 	Boolean frameworkHasRequirements(@Param("frameworkName") String frameworkName);
-    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/security/AuthoritiesConstants.java b/git/cocBackend/src/main/java/com/medina/coc/backend/security/AuthoritiesConstants.java
index 3977c72988d34ba372d698cac8b0f7e1ccc01370..bfba3448198e843518221b72fee982428dabf52d 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/security/AuthoritiesConstants.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/security/AuthoritiesConstants.java
@@ -10,6 +10,22 @@ public final class AuthoritiesConstants {
     public static final String USER = "ROLE_USER";
 
     public static final String ANONYMOUS = "ROLE_ANONYMOUS";
+    
+    public static final String SECURITY_GOVERNANCE = "SecurityGovernance";
+    
+    public static final String SECURITY_ANALYST = "SecurityAnalyst";
+    
+    public static final String DOMAIN_GOVERNANCE = "DomainGovernance";
+    
+    public static final String PRODUCT_OWNER = "ProductOwner";
+    
+    public static final String PRODUCT_SECURITY_ENG = "ProductSecurityEng";
+    
+    public static final String CISO = "CISO";
+    
+    public static final String CUSTOMER = "Customer";
+    
+    public static final String AUDITOR = "Auditor";
 
     private AuthoritiesConstants() {}
 }
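Review bot: The eight new constants carry no `ROLE_` prefix, unlike `USER` and `ANONYMOUS` directly above them, and nothing in the class says so. Spring Security's `hasRole(...)` prepends `ROLE_`, so these values only match through `hasAuthority(...)` / `hasAnyAuthority(...)`, and a check written as `hasRole(AuthoritiesConstants.CISO)` would silently never match. I would add a comment above the group, for example `// Identity-provider role names used verbatim as authorities: check with hasAuthority(), not hasRole().`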
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/security/SecurityUtils.java b/git/cocBackend/src/main/java/com/medina/coc/backend/security/SecurityUtils.java
index 076ed9859b338b3a51718795528cdea6e1ef659f..1732bc38b8ca213b852f4b2d475f06c6e223fdab 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/security/SecurityUtils.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/security/SecurityUtils.java
@@ -3,6 +3,7 @@ package com.medina.coc.backend.security;
 import java.util.*;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -12,6 +13,8 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 
+import com.nimbusds.jose.shaded.json.JSONArray;
+
 /**
  * Utility class for Spring Security.
  */
@@ -30,6 +33,15 @@ public final class SecurityUtils {
         SecurityContext securityContext = SecurityContextHolder.getContext();
         return Optional.ofNullable(extractPrincipal(securityContext.getAuthentication()));
     }
+    
+    public static String getAuthenticationToken() {
+        SecurityContext securityContext = SecurityContextHolder.getContext();
+        Authentication authentication = securityContext.getAuthentication();
+        if (authentication != null) {
+        	return (String) ((JwtAuthenticationToken) authentication).getToken().getTokenValue();
+        }
+        return null;
+    }
 
     private static String extractPrincipal(Authentication authentication) {
         if (authentication == null) {
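Review bot: `getAuthenticationToken()` casts to `JwtAuthenticationToken` after only a null check, so an anonymous or OIDC-login `Authentication` raises `ClassCastException` instead of returning null. Change the guard to `if (authentication instanceof JwtAuthenticationToken) {` and drop the redundant `(String)` cast, since `getTokenValue()` already returns a String. The method hands out the raw bearer token and has no Javadoc; it should state that the value must not be logged or persisted. The sibling `getCurrentUserLogin()` returns `Optional`, which would be the consistent way to express "no token".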
@@ -49,6 +61,27 @@ public final class SecurityUtils {
         }
         return null;
     }
+    
+    /**
+     * Extrac the cloud services from the token
+     *
+     * @return List
+     */
+    public static List<String> extractCloudServices() {
+    	SecurityContext securityContext = SecurityContextHolder.getContext();
+    	Authentication authentication = securityContext.getAuthentication();
+    	List<String> result = null;
+        if (authentication != null && authentication instanceof JwtAuthenticationToken) {
+        	final JSONArray cloudservices = (JSONArray) ((JwtAuthenticationToken) authentication).getToken().getClaims().get("cloudserviceid");
+        	if (cloudservices != null && !cloudservices.isEmpty()) {
+        		result = new ArrayList<String>();
+        		for (int i = 0;i < cloudservices.size();i++) {
+        			result.add((String) cloudservices.get(i));
+        		}
+        	}
+        }
+        return result;
+    }
 
     /**
      * Check if a user is authenticated.
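Review bot: The `cloudserviceid` claim is cast straight to the shaded `com.nimbusds.jose.shaded.json.JSONArray` (imported in the earlier hunk) and each element to `String`, so a token whose claim is a single string, a plain `List`, or holds non-string entries fails with `ClassCastException`, and the code depends on a relocated internal package of the JOSE library. `Jwt` already offers `getClaimAsStringList("cloudserviceid")`, which removes both casts and the import. The method returns null both for "no JWT" and for "no claim"; if callers outside this hunk use the list to scope data access they must treat null as "no services", so an empty list is the safer contract, to be confirmed against those callers. The Javadoc has a typo ("Extrac"), and `@return List` should say what the list holds.

```java
public static List<String> extractCloudServices() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (!(authentication instanceof JwtAuthenticationToken)) {
        return Collections.emptyList();
    }
    // Let Spring convert the claim; no dependency on the shaded JSONArray type.
    List<String> cloudServices =
        ((JwtAuthenticationToken) authentication).getToken().getClaimAsStringList("cloudserviceid");
    return cloudServices == null ? Collections.emptyList() : cloudServices;
}
```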
@@ -113,6 +146,6 @@ public final class SecurityUtils {
     }
 
     private static List<GrantedAuthority> mapRolesToGrantedAuthorities(Collection<String> roles) {
-        return roles.stream().filter(role -> role.startsWith("ROLE_")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
+    	return roles.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
     }
 }
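Review bot: Dropping the `ROLE_` filter means every string in the token's roles claim now becomes a `GrantedAuthority`, not just the eight names this commit adds to `AuthoritiesConstants`. An explicit allow-list keeps unrelated identity-provider groups out of the security context, e.g. `.filter(role -> role.startsWith("ROLE_") || ALLOWED_AUTHORITIES.contains(role))`, where `ALLOWED_AUTHORITIES` is a proposed `Set<String>` built from those constants and does not exist yet. The old filter also discarded empty strings; `new SimpleGrantedAuthority("")` throws `IllegalArgumentException`, so a blank entry in the claim would now fail the whole mapping. The new line is indented with a tab where the rest of the file uses spaces.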
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogQueryService.java
new file mode 100644
index 0000000000000000000000000000000000000000..c889476abbedcc28819b0bb6a371e0c9c3738aa2
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogQueryService.java
@@ -0,0 +1,113 @@
+package com.medina.coc.backend.service;
+
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.domain.Specification;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.backend.domain.AuditLog;
+import com.medina.coc.backend.domain.AuditLog_;
+import com.medina.coc.backend.repository.AuditLogRepository;
+import com.medina.coc.backend.service.criteria.AuditLogCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.mapper.AuditLogMapper;
+
+import tech.jhipster.service.QueryService;
+
+/**
+ * Service for executing complex queries for {@link AuditLog} entities in the database.
+ * The main input is a {@link AuditLogCriteria} which gets converted to {@link Specification},
+ * in a way that all the filters must apply.
+ * It returns a {@link List} of {@link AuditLogDTO} or a {@link Page} of {@link AuditLogDTO} which fulfills the criteria.
+ */
+@Service
+@Transactional(readOnly = true)
+public class AuditLogQueryService extends QueryService<AuditLog> {
+
+    private final Logger log = LoggerFactory.getLogger(AuditLogQueryService.class);
+
+    private final AuditLogRepository auditLogRepository;
+
+    private final AuditLogMapper auditLogMapper;
+
+    public AuditLogQueryService(AuditLogRepository auditLogRepository, AuditLogMapper auditLogMapper) {
+        this.auditLogRepository = auditLogRepository;
+        this.auditLogMapper = auditLogMapper;
+    }
+
+    /**
+     * Return a {@link List} of {@link AuditLogDTO} which matches the criteria from the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the matching entities.
+     */
+    @Transactional(readOnly = true)
+    public List<AuditLogDTO> findByCriteria(AuditLogCriteria criteria) {
+        log.debug("find by criteria : {}", criteria);
+        final Specification<AuditLog> specification = createSpecification(criteria);
+        return auditLogMapper.toDto(auditLogRepository.findAll(specification));
+    }
+
+    /**
+     * Return a {@link Page} of {@link AuditLogDTO} which matches the criteria from the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @param page The page, which should be returned.
+     * @return the matching entities.
+     */
+    @Transactional(readOnly = true)
+    public Page<AuditLogDTO> findByCriteria(AuditLogCriteria criteria, Pageable page) {
+        log.debug("find by criteria : {}, page: {}", criteria, page);
+        final Specification<AuditLog> specification = createSpecification(criteria);
+        return auditLogRepository.findAll(specification, page).map(auditLogMapper::toDto);
+    }
+
+    /**
+     * Return the number of matching entities in the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the number of matching entities.
+     */
+    @Transactional(readOnly = true)
+    public long countByCriteria(AuditLogCriteria criteria) {
+        log.debug("count by criteria : {}", criteria);
+        final Specification<AuditLog> specification = createSpecification(criteria);
+        return auditLogRepository.count(specification);
+    }
+
+    /**
+     * Function to convert {@link AuditLogCriteria} to a {@link Specification}
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the matching {@link Specification} of the entity.
+     */
+    protected Specification<AuditLog> createSpecification(AuditLogCriteria criteria) {
+        Specification<AuditLog> specification = Specification.where(null);
+        if (criteria != null) {
+            // This has to be called first, because the distinct method returns null
+            if (criteria.getDistinct() != null) {
+                specification = specification.and(distinct(criteria.getDistinct()));
+            }
+            if (criteria.getId() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getId(), AuditLog_.id));
+            }
+            if (criteria.getDateLog() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getDateLog(), AuditLog_.dateLog));
+            }
+            if (criteria.getUser() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getUser(), AuditLog_.user));
+            }
+            if (criteria.getEntity() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getEntity(), AuditLog_.entity));
+            }
+            if (criteria.getTarget() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getTarget(), AuditLog_.target));
+            }
+            if (criteria.getOperation() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getOperation(), AuditLog_.operation));
+            }
+        }
+        return specification;
+    }
+}
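Review bot: `dateLog` is filtered with `buildStringSpecification`, which only compiles if `AuditLog_.dateLog` is a `String` attribute, so the audit log cannot be queried by time window and any ordering depends on the string format. For an audit trail I would store the timestamp as `Instant` and use `buildRangeSpecification(criteria.getDateLog(), AuditLog_.dateLog)`; that needs matching changes in the entity and criteria classes, which are outside this hunk. The unpaged `findByCriteria(AuditLogCriteria)` loads every matching row of a table that only grows, so callers should prefer the `Pageable` overload. The method-level `@Transactional(readOnly = true)` annotations repeat the class-level one.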
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogService.java
new file mode 100644
index 0000000000000000000000000000000000000000..2cba8d0e678cc4227b4131a4fffdca3ef016ff1a
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/AuditLogService.java
@@ -0,0 +1,34 @@
+package com.medina.coc.backend.service;
+
+import java.util.List;
+import java.util.Optional;
+
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+
+/**
+ * Service Interface for managing {@link com.medina.coc.backend.domain.AuditLog}.
+ */
+public interface AuditLogService {
+    /**
+     * Get all the auditLogs.
+     *
+     * @return the list of entities.
+     */
+    List<AuditLogDTO> findAll();
+
+    /**
+     * Get the "id" auditLog.
+     *
+     * @param id the id of the entity.
+     * @return the entity.
+     */
+    Optional<AuditLogDTO> findOne(Long id);
+    
+    /**
+     * Save an auditLog.
+     *
+     * @param AuditLogDTO the entity to save.
+     * @return the persisted entity.
+     */
+    AuditLogDTO save(AuditLogDTO auditLogDTO);
+}
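Review bot: The Javadoc of `save` names the parameter `@param AuditLogDTO`, but the parameter is `auditLogDTO`; it should read `@param auditLogDTO the entity to save.` The interface offers no update or delete, which suits an audit trail; if that is intentional, a sentence in the interface Javadoc saying records are append-only would keep a later change from adding those methods casually. `findAll()` returns the whole table with no paging, which is worth documenting for a log that only grows.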
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionQueryService.java
index 7fcdad049a4870833e572f28029f54ff327d616a..fc8dd14872ef78679d287098abf101b0aa03ec19 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionQueryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionQueryService.java
@@ -98,8 +98,11 @@ public class QuestionQueryService extends QueryService<Question> {
             if (criteria.getQuestion() != null) {
                 specification = specification.and(buildStringSpecification(criteria.getQuestion(), Question_.question));
             }
-            if (criteria.getEvidence() != null) {
-                specification = specification.and(buildStringSpecification(criteria.getEvidence(), Question_.evidence));
+            if (criteria.getDefaultEvidence() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getDefaultEvidence(), Question_.defaultEvidence));
+            }
+            if (criteria.getDefaultComment() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getDefaultComment(), Question_.defaultComment));
             }
             if (criteria.getAssuranceLevelId() != null) {
                 specification = specification.and(buildRangeSpecification(criteria.getAssuranceLevelId(), Question_.assuranceLevelId));
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionService.java
index 55cc8135a9c1706e6615da6cb48ad739abe77829..f9d75ac04f3e6f8c95791865a85a59d3148fe66c 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionService.java
@@ -23,4 +23,12 @@ public interface QuestionService {
      * @return the entity.
      */
     Optional<QuestionDTO> findOne(Long id);
+    
+    /**
+     * Count all the questions discriminating the assurance level.
+     *
+     * @param assuranceLevelId the assuranceLevelId.
+     * @return the entity.
+     */
+    int countQuestionsByAssuranceLevel(Long assuranceLevelId);
 }
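Review bot: The Javadoc for `countQuestionsByAssuranceLevel` says `@return the entity.`, but the method returns a count; `@return the number of questions with the given assurance level.` would be accurate. The query services in this commit return `long` from `countByCriteria`, so `long` would be the consistent type if the implementation (not visible here) wraps a repository count.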
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityQueryService.java
new file mode 100644
index 0000000000000000000000000000000000000000..a7687e866c0fe8a7b6c305c325ed12170d401c42
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityQueryService.java
@@ -0,0 +1,107 @@
+package com.medina.coc.backend.service;
+
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.domain.Specification;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.domain.QuestionnaireNonConformity_;
+import com.medina.coc.backend.repository.QuestionnaireNonConformityRepository;
+import com.medina.coc.backend.service.criteria.QuestionnaireNonConformityCriteria;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+import com.medina.coc.backend.service.mapper.QuestionnaireNonConformityMapper;
+
+import tech.jhipster.service.QueryService;
+
+/**
+ * Service for executing complex queries for {@link QuestionnaireNonConformity} entities in the database.
+ * The main input is a {@link QuestionnaireNonConformityCriteria} which gets converted to {@link Specification},
+ * in a way that all the filters must apply.
+ * It returns a {@link List} of {@link QuestionnaireNonConformityDTO} or a {@link Page} of {@link QuestionnaireNonConformityDTO} which fulfills the criteria.
+ */
+@Service
+@Transactional(readOnly = true)
+public class QuestionnaireNonConformityQueryService extends QueryService<QuestionnaireNonConformity> {
+
+    private final Logger log = LoggerFactory.getLogger(QuestionnaireNonConformityQueryService.class);
+
+    private final QuestionnaireNonConformityRepository questionnaireNonConformityRepository;
+
+    private final QuestionnaireNonConformityMapper questionnaireNonConformityMapper;
+
+    public QuestionnaireNonConformityQueryService(QuestionnaireNonConformityRepository questionnaireNonConformityRepository, QuestionnaireNonConformityMapper questionnaireNonConformityMapper) {
+        this.questionnaireNonConformityRepository = questionnaireNonConformityRepository;
+        this.questionnaireNonConformityMapper = questionnaireNonConformityMapper;
+    }
+
+    /**
+     * Return a {@link List} of {@link QuestionnaireNonConformityDTO} which matches the criteria from the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the matching entities.
+     */
+    @Transactional(readOnly = true)
+    public List<QuestionnaireNonConformityDTO> findByCriteria(QuestionnaireNonConformityCriteria criteria) {
+        log.debug("find by criteria : {}", criteria);
+        final Specification<QuestionnaireNonConformity> specification = createSpecification(criteria);
+        return questionnaireNonConformityMapper.toDto(questionnaireNonConformityRepository.findAll(specification));
+    }
+
+    /**
+     * Return a {@link Page} of {@link QuestionnaireNonConformityDTO} which matches the criteria from the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @param page The page, which should be returned.
+     * @return the matching entities.
+     */
+    @Transactional(readOnly = true)
+    public Page<QuestionnaireNonConformityDTO> findByCriteria(QuestionnaireNonConformityCriteria criteria, Pageable page) {
+        log.debug("find by criteria : {}, page: {}", criteria, page);
+        final Specification<QuestionnaireNonConformity> specification = createSpecification(criteria);
+        return questionnaireNonConformityRepository.findAll(specification, page).map(questionnaireNonConformityMapper::toDto);
+    }
+
+    /**
+     * Return the number of matching entities in the database.
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the number of matching entities.
+     */
+    @Transactional(readOnly = true)
+    public long countByCriteria(QuestionnaireNonConformityCriteria criteria) {
+        log.debug("count by criteria : {}", criteria);
+        final Specification<QuestionnaireNonConformity> specification = createSpecification(criteria);
+        return questionnaireNonConformityRepository.count(specification);
+    }
+
+    /**
+     * Function to convert {@link QuestionnaireNonConformityCriteria} to a {@link Specification}
+     * @param criteria The object which holds all the filters, which the entities should match.
+     * @return the matching {@link Specification} of the entity.
+     */
+    protected Specification<QuestionnaireNonConformity> createSpecification(QuestionnaireNonConformityCriteria criteria) {
+        Specification<QuestionnaireNonConformity> specification = Specification.where(null);
+        if (criteria != null) {
+            // This has to be called first, because the distinct method returns null
+            if (criteria.getDistinct() != null) {
+                specification = specification.and(distinct(criteria.getDistinct()));
+            }
+            if (criteria.getQuestionnaireName() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getQuestionnaireName(), QuestionnaireNonConformity_.questionnaireName));
+            }
+            if (criteria.getTomId() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getTomId(), QuestionnaireNonConformity_.tomId));
+            }
+            if (criteria.getComments() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getComments(), QuestionnaireNonConformity_.comments));
+            }
+            if (criteria.getCompliance() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getCompliance(), QuestionnaireNonConformity_.compliance));
+            }
+        }
+        return specification;
+    }
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityService.java
new file mode 100644
index 0000000000000000000000000000000000000000..45e92926bfe409c0198ffbda89e229550e9ca9b7
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireNonConformityService.java
@@ -0,0 +1,66 @@
+package com.medina.coc.backend.service;
+
+import java.util.List;
+
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+
+/**
+ * Service Interface for managing {@link com.medina.coc.backend.domain.QuestionnaireNonConformity}.
+ */
+public interface QuestionnaireNonConformityService {
+    /**
+     * Get all the questionnaireNonConformities.
+     *
+     * @return the list of entities.
+     */
+    List<QuestionnaireNonConformityDTO> findAll();
+
+    /**
+     * Get the "questionnaireName" questionnaireNonConformities.
+     *
+     * @param questionnaireName the questionnaireName.
+     * @return the entity.
+     */
+    List<QuestionnaireNonConformityDTO> findByQuestionnaireName(String questionnaireName);
+    
+    /**
+     * Save a questionnaireNonConformity.
+     *
+     * @param questionnaireNonConformity the entity to save.
+     * @return the persisted entity.
+     */
+    List<QuestionnaireNonConformity> save(List<QuestionnaireNonConformity> questionnaireNonConformity);
+    
+    /**
+     * Update a questionnaireNonConformity.
+     *
+     * @param questionnaireName the questionnaireName.
+     * @param tomId the tomId.
+     * @param comments the comments.
+     */
+    void update(String questionnaireName, Long tomId, String comments, String compliance);
+    
+    /**
+     * Delete a questionnaireNonConformity by questionnaireName.
+     *
+     * @param questionnaireName the questionnaireName.
+     */
+    void deleteByQuestionnaireName(String questionnaireName);
+    
+    /**
+     * Delete a questionnaireNonConformity by questionnaireName and tomIds.
+     *
+     * @param questionnaireName the questionnaireName.
+     * @param tomIds the tomIds.
+     */
+    void deleteByQuestionnaireNameAndTomIds(String questionnaireName, List<Long> tomIds);
+    
+    /**
+     * Delete a questionnaireNonConformity by keys.
+     *
+     * @param questionnaireName the questionnaireName.
+     * @param tomId the tomId.
+     */
+    void deleteByKeys(String questionnaireName, Long tomId);
+}
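Review bot: `save` takes and returns the JPA entity `QuestionnaireNonConformity` while the finders return `QuestionnaireNonConformityDTO`; the `save`, `update` and `delete` methods added to `QuestionnaireService` later in this commit do the same with `Questionnaire`. If a controller binds the request body straight to the entity (not visible here), clients can set any persistent field, so accepting the DTO and mapping it in the service keeps the writable fields explicit. The Javadoc of `update` lacks `@param compliance`, and `findByQuestionnaireName` says `@return the entity.` although it returns a list.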
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeQueryService.java
deleted file mode 100755
index f7b380b178a32642cb1535e5489d92258c4c480f..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeQueryService.java
+++ /dev/null
@@ -1,101 +0,0 @@
-package com.medina.coc.backend.service;
-
-import java.util.List;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.data.domain.Page;
-import org.springframework.data.domain.Pageable;
-import org.springframework.data.jpa.domain.Specification;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-
-import com.medina.coc.backend.domain.QuestionnairePurpose;
-import com.medina.coc.backend.domain.QuestionnairePurpose_;
-import com.medina.coc.backend.repository.QuestionnairePurposeRepository;
-import com.medina.coc.backend.service.criteria.QuestionnairePurposeCriteria;
-import com.medina.coc.backend.service.dto.QuestionnairePurposeDTO;
-import com.medina.coc.backend.service.mapper.QuestionnairePurposeMapper;
-
-import tech.jhipster.service.QueryService;
-
-/**
- * Service for executing complex queries for {@link QuestionnairePurpose} entities in the database.
- * The main input is a {@link QuestionnairePurposeCriteria} which gets converted to {@link Specification},
- * in a way that all the filters must apply.
- * It returns a {@link List} of {@link QuestionnairePurposeDTO} or a {@link Page} of {@link QuestionnairePurposeDTO} which fulfills the criteria.
- */
-@Service
-@Transactional(readOnly = true)
-public class QuestionnairePurposeQueryService extends QueryService<QuestionnairePurpose> {
-
-    private final Logger log = LoggerFactory.getLogger(QuestionnairePurposeQueryService.class);
-
-    private final QuestionnairePurposeRepository questionnairePurposeRepository;
-
-    private final QuestionnairePurposeMapper questionnairePurposeMapper;
-
-    public QuestionnairePurposeQueryService(QuestionnairePurposeRepository questionnairePurposeRepository, QuestionnairePurposeMapper questionnairePurposeMapper) {
-        this.questionnairePurposeRepository = questionnairePurposeRepository;
-        this.questionnairePurposeMapper = questionnairePurposeMapper;
-    }
-
-    /**
-     * Return a {@link List} of {@link QuestionnairePurposeDTO} which matches the criteria from the database.
-     * @param criteria The object which holds all the filters, which the entities should match.
-     * @return the matching entities.
-     */
-    @Transactional(readOnly = true)
-    public List<QuestionnairePurposeDTO> findByCriteria(QuestionnairePurposeCriteria criteria) {
-        log.debug("find by criteria : {}", criteria);
-        final Specification<QuestionnairePurpose> specification = createSpecification(criteria);
-        return questionnairePurposeMapper.toDto(questionnairePurposeRepository.findAll(specification));
-    }
-
-    /**
-     * Return a {@link Page} of {@link QuestionnairePurposeDTO} which matches the criteria from the database.
-     * @param criteria The object which holds all the filters, which the entities should match.
-     * @param page The page, which should be returned.
-     * @return the matching entities.
-     */
-    @Transactional(readOnly = true)
-    public Page<QuestionnairePurposeDTO> findByCriteria(QuestionnairePurposeCriteria criteria, Pageable page) {
-        log.debug("find by criteria : {}, page: {}", criteria, page);
-        final Specification<QuestionnairePurpose> specification = createSpecification(criteria);
-        return questionnairePurposeRepository.findAll(specification, page).map(questionnairePurposeMapper::toDto);
-    }
-
-    /**
-     * Return the number of matching entities in the database.
-     * @param criteria The object which holds all the filters, which the entities should match.
-     * @return the number of matching entities.
-     */
-    @Transactional(readOnly = true)
-    public long countByCriteria(QuestionnairePurposeCriteria criteria) {
-        log.debug("count by criteria : {}", criteria);
-        final Specification<QuestionnairePurpose> specification = createSpecification(criteria);
-        return questionnairePurposeRepository.count(specification);
-    }
-
-    /**
-     * Function to convert {@link QuestionnairePurposeCriteria} to a {@link Specification}
-     * @param criteria The object which holds all the filters, which the entities should match.
-     * @return the matching {@link Specification} of the entity.
-     */
-    protected Specification<QuestionnairePurpose> createSpecification(QuestionnairePurposeCriteria criteria) {
-        Specification<QuestionnairePurpose> specification = Specification.where(null);
-        if (criteria != null) {
-            // This has to be called first, because the distinct method returns null
-            if (criteria.getDistinct() != null) {
-                specification = specification.and(distinct(criteria.getDistinct()));
-            }
-            if (criteria.getId() != null) {
-                specification = specification.and(buildRangeSpecification(criteria.getId(), QuestionnairePurpose_.id));
-            }
-            if (criteria.getPurpose() != null) {
-                specification = specification.and(buildStringSpecification(criteria.getPurpose(), QuestionnairePurpose_.purpose));
-            }
-        }
-        return specification;
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeService.java
deleted file mode 100755
index 5f6c1960b9440f6561abbf80885db53c8034bd05..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnairePurposeService.java
+++ /dev/null
@@ -1,26 +0,0 @@
-package com.medina.coc.backend.service;
-
-import java.util.List;
-import java.util.Optional;
-
-import com.medina.coc.backend.service.dto.QuestionnairePurposeDTO;
-
-/**
- * Service Interface for managing {@link com.medina.coc.backend.domain.QuestionnairePurpose}.
- */
-public interface QuestionnairePurposeService {
-    /**
-     * Get all.
-     *
-     * @return the list of entities.
-     */
-    List<QuestionnairePurposeDTO> findAll();
-
-    /**
-     * Get the "id" questionnairePurpose.
-     *
-     * @param id the id of the entity.
-     * @return the entity.
-     */
-    Optional<QuestionnairePurposeDTO> findOne(Long id);
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireQueryService.java
index 4297f0dd8d1e73a03c2d650d81f924d9888c6b12..b1df0ff7554ad6ceb3f7bc8a7030dff7b99d3669 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireQueryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireQueryService.java
@@ -93,11 +93,29 @@ public class QuestionnaireQueryService extends QueryService<Questionnaire> {
             if (criteria.getId() != null) {
                 specification = specification.and(buildRangeSpecification(criteria.getId(), Questionnaire_.id));
             }
+            if (criteria.getName() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getName(), Questionnaire_.name));
+            }
+            if (criteria.getEvidences() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getEvidences(), Questionnaire_.evidences));
+            }
+            if (criteria.getComments() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getComments(), Questionnaire_.comments));
+            }
+            if (criteria.getLastUpdate() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getLastUpdate(), Questionnaire_.lastUpdate));
+            }
             if (criteria.getFrameworkId() != null) {
                 specification = specification.and(buildRangeSpecification(criteria.getFrameworkId(), Questionnaire_.frameworkId));
             }
-            if (criteria.getPurposeId() != null) {
-                specification = specification.and(buildRangeSpecification(criteria.getPurposeId(), Questionnaire_.purposeId));
+            if (criteria.getControlId() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getControlId(), Questionnaire_.controlId));
+            }
+            if (criteria.getTomId() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getTomId(), Questionnaire_.tomId));
+            }
+            if (criteria.getAssuranceLevelId() != null) {
+                specification = specification.and(buildRangeSpecification(criteria.getAssuranceLevelId(), Questionnaire_.assuranceLevelId));
             }
             if (criteria.getQuestionId() != null) {
                 specification = specification.and(buildRangeSpecification(criteria.getQuestionId(), Questionnaire_.questionId));
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireService.java
index 0e0a1f81b6ac7598074ef56cb2bd4d5ef6940274..516993b2b6db6ea27ab51760eac958bd1b72b744 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/QuestionnaireService.java
@@ -3,6 +3,7 @@ package com.medina.coc.backend.service;
 import java.util.List;
 import java.util.Optional;
 
+import com.medina.coc.backend.domain.Questionnaire;
 import com.medina.coc.backend.service.dto.QuestionnaireDTO;
 
 /**
@@ -23,4 +24,33 @@ public interface QuestionnaireService {
      * @return the entity.
      */
     Optional<QuestionnaireDTO> findOne(Long id);
+    
+    /**
+     * Save a questionnaire.
+     *
+     * @param questionnaire the entity to save.
+     * @return the persisted entity.
+     */
+    List<Questionnaire> save(List<Questionnaire> questionnaire);
+    
+    /**
+    * Update a questionnaire.
+    *
+    * @param questionnaire the entity to save.
+    */
+   void update(Questionnaire questionnaire);
+    
+    /**
+     * Delete a questionnaire.
+     *
+     * @param questionnaire the questionnaire.
+     */
+    void delete(Questionnaire questionnaire);
+    
+    /**
+     * Delete a questionnaire by name.
+     *
+     * @param name the name.
+     */
+    void deleteByName(String name);
 }
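Review bot: The four added methods take and return the JPA entity `Questionnaire`, while `findOne` just above returns `Optional<QuestionnaireDTO>`, so the interface now mixes two boundaries and any web-layer caller of `save`/`update` would bind request data directly onto persistence fields. Keeping the DTO boundary, e.g. `List<QuestionnaireDTO> save(List<QuestionnaireDTO> questionnaires);`, would leave the mapper as the one place that decides which fields a client may set. The Javadoc for `save` describes a single entity although both the parameter and the return value are lists; `@param questionnaires the entities to save.` and `@return the persisted entities.` would match the signature. `deleteByName(String name)` does not state whether names are unique or whether the delete is limited to the caller's own questionnaires; the implementation is not visible here, so that contract should be written into the Javadoc.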
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/ReferenceTomService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/ReferenceTomService.java
index a7fd089d1b59f870769761ab7c940bdd61b34b54..f4282bcffaa26c4c7a27ef3a0c240fa60362d103 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/ReferenceTomService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/ReferenceTomService.java
@@ -38,11 +38,4 @@ public interface ReferenceTomService {
      * @return the entity.
      */
     Optional<ReferenceTomDTO> findOne(Long id);
-
-    /**
-     * Delete the "id" referenceTom.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlCategoryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlCategoryService.java
index 1bf8020847f63fadd36e3db053692b280649914d..4886cf7ada2ad33d3d8960c47d083ef6b4f8c3e1 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlCategoryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlCategoryService.java
@@ -38,11 +38,4 @@ public interface SecurityControlCategoryService {
      * @return the entity.
      */
     Optional<SecurityControlCategoryDTO> findOne(Long id);
-
-    /**
-     * Delete the "id" securityControlCategory.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlFrameworkService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlFrameworkService.java
index 63023d15a625d778dc2cd6d2ec900373c1c152e5..2a9eb47cddb8594f5c54f83e0507e8099b8180a8 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlFrameworkService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlFrameworkService.java
@@ -1,9 +1,10 @@
 package com.medina.coc.backend.service;
 
-import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
 import java.util.List;
 import java.util.Optional;
 
+import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
+
 /**
  * Service Interface for managing {@link com.medina.coc.backend.domain.SecurityControlFramework}.
  */
@@ -39,13 +40,6 @@ public interface SecurityControlFrameworkService {
      */
     Optional<SecurityControlFrameworkDTO> findOne(Long id);
 
-    /**
-     * Delete the "id" securityControlFramework.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
-
     /**
      * check if security framework has requirements
      * 
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlQueryService.java
index f5fcab6f52c0e50a4fa0e2a10768fc17cb909838..8570f583b7d3bd204a9b66d42e356d9e5e68d612 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlQueryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlQueryService.java
@@ -102,13 +102,6 @@ public class SecurityControlQueryService extends QueryService<SecurityControl> {
             if (criteria.getDescription() != null) {
                 specification = specification.and(buildStringSpecification(criteria.getDescription(), SecurityControl_.description));
             }
-            if (criteria.getGuidance() != null) {
-                specification = specification.and(buildStringSpecification(criteria.getGuidance(), SecurityControl_.guidance));
-            }
-            if (criteria.getRiskReductionWeight() != null) {
-                specification =
-                    specification.and(buildRangeSpecification(criteria.getRiskReductionWeight(), SecurityControl_.riskReductionWeight));
-            }
             if (criteria.getSimilarControlsId() != null) {
                 specification =
                     specification.and(
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlService.java
index 3f5e0e54a30ecb50dda55ae413230693b09e17bd..63d613903d83f39033d8b9ea78a406ec01ad2f2a 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SecurityControlService.java
@@ -48,11 +48,4 @@ public interface SecurityControlService {
      * @return the entity.
      */
     Optional<SecurityControlDTO> findOne(Long id);
-
-    /**
-     * Delete the "id" securityControl.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlQueryService.java
index 2f438ada286562d38542bc943674e4b6f3cf4497..38d1defa66b28d0744c17a92173a43fa33a3abc4 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlQueryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlQueryService.java
@@ -111,6 +111,24 @@ public class SimilarControlQueryService extends QueryService<SimilarControl> {
                         )
                     );
             }
+            if (criteria.getSecurityControlName() != null) {
+                specification =
+                    specification.and(
+                        buildSpecification(
+                            criteria.getSecurityControlName(),
+                            root -> root.join(SimilarControl_.securityControl, JoinType.LEFT).get(SecurityControl_.name)
+                        )
+                    );
+            }
+            if (criteria.getSecurityControlObjective() != null) {
+                specification =
+                    specification.and(
+                        buildSpecification(
+                            criteria.getSecurityControlObjective(),
+                            root -> root.join(SimilarControl_.securityControl, JoinType.LEFT).get(SecurityControl_.objective)
+                        )
+                    );
+            }
         }
         return specification;
     }
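Review bot: Each of the two added filters calls `root.join(SimilarControl_.securityControl, JoinType.LEFT)` inside its own lambda, so a request that sets both `securityControlName` and `securityControlObjective` adds two joins on the same association. The filter that ends just above this hunk may add another, but its body is not visible here. If these filters are expected to be combined, a small private helper that returns one shared join for `securityControl` would keep the generated SQL to a single join. At minimum I would add a comment above the first block, `// each securityControl.* filter adds its own LEFT JOIN; reuse one join if they are combined often`. The enclosing method starts outside the hunk.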
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlService.java
index 3dd643d73f42eac63988d54ceaf9e324a1fa4c72..66f7838703bc639d4f1d1179c7321a5cf48f375d 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/SimilarControlService.java
@@ -38,11 +38,4 @@ public interface SimilarControlService {
      * @return the entity.
      */
     Optional<SimilarControlDTO> findOne(Long id);
-
-    /**
-     * Delete the "id" similarControl.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomQueryService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomQueryService.java
index 89e5a348c6533bb8b7893515aaedf88c03d1fde2..b4a3693f01f80a980177175a3b70f3ebb22d75c9 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomQueryService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomQueryService.java
@@ -105,6 +105,9 @@ public class TomQueryService extends QueryService<Tom> {
             if (criteria.getType() != null) {
                 specification = specification.and(buildSpecification(criteria.getType(), Tom_.type));
             }
+            if (criteria.getGuidance() != null) {
+                specification = specification.and(buildStringSpecification(criteria.getGuidance(), Tom_.guidance));
+            }
             if (criteria.getSecurityControlId() != null) {
                 specification =
                     specification.and(
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomService.java
index f090319e1b343cf5b1394b39247a3279383f84bd..5161c892a8151da6f1e01001665d26182d3e27f8 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/TomService.java
@@ -38,13 +38,6 @@ public interface TomService {
      * @return the entity.
      */
     Optional<TomDTO> findOne(Long id);
-
-    /**
-     * Delete the "id" tom.
-     *
-     * @param id the id of the entity.
-     */
-    void delete(Long id);
     
     /**
      * get Toms by framework name and assuranceLevel
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/UserService.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/UserService.java
index bd66c57311c428f0ecccb1aa4d1f7ca5fee6ffe3..2f31f3136daf79bfac58755ef8d7c465726b0b95 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/UserService.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/UserService.java
@@ -1,16 +1,13 @@
 package com.medina.coc.backend.service;
 
-import com.medina.coc.backend.config.Constants;
-import com.medina.coc.backend.domain.Authority;
-import com.medina.coc.backend.domain.User;
-import com.medina.coc.backend.repository.AuthorityRepository;
-import com.medina.coc.backend.repository.UserRepository;
-import com.medina.coc.backend.security.SecurityUtils;
-import com.medina.coc.backend.service.dto.AdminUserDTO;
-import com.medina.coc.backend.service.dto.UserDTO;
 import java.time.Instant;
-import java.util.*;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.stream.Collectors;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.cache.CacheManager;
@@ -23,6 +20,15 @@ import org.springframework.security.oauth2.server.resource.authentication.JwtAut
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
+import com.medina.coc.backend.config.Constants;
+import com.medina.coc.backend.domain.Authority;
+import com.medina.coc.backend.domain.User;
+import com.medina.coc.backend.repository.AuthorityRepository;
+import com.medina.coc.backend.repository.UserRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.dto.AdminUserDTO;
+import com.medina.coc.backend.service.dto.UserDTO;
+
 /**
  * Service class for managing users.
  */
@@ -53,7 +59,7 @@ public class UserService {
      * @param langKey   language key.
      * @param imageUrl  image URL of user.
      */
-    public void updateUser(String firstName, String lastName, String email, String langKey, String imageUrl) {
+    public void updateUser(String firstName, String lastName, String email, String company, String langKey, String imageUrl) {
         SecurityUtils
             .getCurrentUserLogin()
             .flatMap(userRepository::findOneByLogin)
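Review bot: The Javadoc above `updateUser` is not extended for the new `company` parameter; the part visible in this hunk still ends with `@param langKey` and `@param imageUrl`. Add `@param company   company of user.` after the `email` entry so the tags stay in signature order. The method body continues outside the hunk.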
@@ -63,6 +69,9 @@ public class UserService {
                 if (email != null) {
                     user.setEmail(email.toLowerCase());
                 }
+                if (company != null) {
+                    user.setCompany(company);
+                }
                 user.setLangKey(langKey);
                 user.setImageUrl(imageUrl);
                 this.clearUserCaches(user);
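Review bot: `company` is written to the current user's record exactly as passed in: unlike `email`, which is normalised with `toLowerCase()`, it is neither trimmed nor checked for blank, so `""` or whitespace overwrites an existing value. `if (company != null && !company.isBlank()) { user.setCompany(company.trim()); }` would avoid that. This method updates the account of the logged-in user (`SecurityUtils.getCurrentUserLogin()` in the previous hunk), so it is worth confirming that `company` is not used elsewhere to decide which records a user may see. If it is, the value should come only from the identity provider and not from a self-service update. The lambda starts and ends outside the hunk.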
@@ -115,12 +124,12 @@ public class UserService {
                 Instant idpModifiedDate = (Instant) details.get("updated_at");
                 if (idpModifiedDate.isAfter(dbModifiedDate)) {
                     log.debug("Updating user '{}' in local database", user.getLogin());
-                    updateUser(user.getFirstName(), user.getLastName(), user.getEmail(), user.getLangKey(), user.getImageUrl());
+                    updateUser(user.getFirstName(), user.getLastName(), user.getEmail(), user.getCompany(), user.getLangKey(), user.getImageUrl());
                 }
                 // no last updated info, blindly update
             } else {
                 log.debug("Updating user '{}' in local database", user.getLogin());
-                updateUser(user.getFirstName(), user.getLastName(), user.getEmail(), user.getLangKey(), user.getImageUrl());
+                updateUser(user.getFirstName(), user.getLastName(), user.getEmail(), user.getCompany(), user.getLangKey(), user.getImageUrl());
             }
         } else {
             log.debug("Saving user '{}' in local database", user.getLogin());
@@ -195,6 +204,11 @@ public class UserService {
         } else {
             user.setEmail((String) details.get("sub"));
         }
+        if (details.get("company") != null) {
+            user.setCompany(((String) details.get("company")));
+        } else {
+            user.setCompany((String) details.get("sub"));
+        }
         if (details.get("langKey") != null) {
             user.setLangKey((String) details.get("langKey"));
         } else if (details.get("locale") != null) {
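Review bot: When the token carries no `company` claim, the added `else` branch stores the `sub` claim as the company, which looks copied from the `email` fallback just above it. `sub` identifies the user, not an organisation, so every such user gets a distinct placeholder company, and any grouping or filtering by company would treat it as real data. Leaving the field unset is the safer default: keep `if (details.get("company") != null) { user.setCompany((String) details.get("company")); }` and drop the `else`. The unchecked `(String)` cast will also throw `ClassCastException` if the provider sends a non-string claim. The enclosing method starts outside the hunk.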
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/AuditLogCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/AuditLogCriteria.java
new file mode 100644
index 0000000000000000000000000000000000000000..cbac383577736fd0a683ab45f173baa0f48e5cda
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/AuditLogCriteria.java
@@ -0,0 +1,191 @@
+package com.medina.coc.backend.service.criteria;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import tech.jhipster.service.Criteria;
+import tech.jhipster.service.filter.Filter;
+import tech.jhipster.service.filter.LongFilter;
+import tech.jhipster.service.filter.StringFilter;
+
+/**
+ * Criteria class for the {@link com.medina.coc.backend.domain.AuditLog} entity. This class is used
+ * in {@link com.medina.coc.backend.web.rest.AuditLogResource} to receive all the possible filtering options from
+ * the Http GET request parameters.
+ * For example the following could be a valid request:
+ * {@code /audit-logs?id.greaterThan=5&attr1.contains=something&attr2.specified=false}
+ * As Spring is unable to properly convert the types, unless specific {@link Filter} class are used, we need to use
+ * fix type specific filters.
+ */
+public class AuditLogCriteria implements Serializable, Criteria {
+
+    private static final long serialVersionUID = 1L;
+
+    private LongFilter id;
+
+    private StringFilter dateLog;
+
+    private StringFilter user;
+    
+    private StringFilter entity;
+    
+    private StringFilter target;
+    
+    private StringFilter operation;
+
+    private Boolean distinct;
+
+    public AuditLogCriteria() {}
+
+    public AuditLogCriteria(AuditLogCriteria other) {
+        this.id = other.id == null ? null : other.id.copy();
+        this.dateLog = other.dateLog == null ? null : other.dateLog.copy();
+        this.user = other.user == null ? null : other.user.copy();
+        this.entity = other.entity == null ? null : other.entity.copy();
+        this.target = other.target == null ? null : other.target.copy();
+        this.operation = other.operation == null ? null : other.operation.copy();
+        this.distinct = other.distinct;
+    }
+
+    @Override
+    public AuditLogCriteria copy() {
+        return new AuditLogCriteria(this);
+    }
+
+    public LongFilter getId() {
+        return id;
+    }
+
+    public LongFilter id() {
+        if (id == null) {
+            id = new LongFilter();
+        }
+        return id;
+    }
+
+    public void setId(LongFilter id) {
+        this.id = id;
+    }
+
+    public StringFilter getDateLog() {
+        return dateLog;
+    }
+
+    public StringFilter dateLog() {
+        if (dateLog == null) {
+        	dateLog = new StringFilter();
+        }
+        return dateLog;
+    }
+
+    public void setDateLog(StringFilter dateLog) {
+        this.dateLog = dateLog;
+    }
+
+    public StringFilter getUser() {
+        return user;
+    }
+
+    public StringFilter user() {
+        if (user == null) {
+        	user = new StringFilter();
+        }
+        return user;
+    }
+
+    public void setUser(StringFilter user) {
+        this.user = user;
+    }
+    
+    public StringFilter getEntity() {
+        return entity;
+    }
+
+    public StringFilter entity() {
+        if (entity == null) {
+        	entity = new StringFilter();
+        }
+        return entity;
+    }
+
+    public void setEntity(StringFilter entity) {
+        this.entity = entity;
+    }
+    
+    public StringFilter getTarget() {
+        return target;
+    }
+
+    public StringFilter target() {
+        if (target == null) {
+        	target = new StringFilter();
+        }
+        return target;
+    }
+
+    public void setTarget(StringFilter target) {
+        this.target = target;
+    }
+    
+    public StringFilter getOperation() {
+        return operation;
+    }
+
+    public StringFilter operation() {
+        if (operation == null) {
+        	operation = new StringFilter();
+        }
+        return operation;
+    }
+
+    public void setOperation(StringFilter operation) {
+        this.operation = operation;
+    }
+
+    public Boolean getDistinct() {
+        return distinct;
+    }
+
+    public void setDistinct(Boolean distinct) {
+        this.distinct = distinct;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final AuditLogCriteria that = (AuditLogCriteria) o;
+        return (
+            Objects.equals(id, that.id) &&
+            Objects.equals(dateLog, that.dateLog) &&
+            Objects.equals(user, that.user) &&
+            Objects.equals(entity, that.entity) &&
+            Objects.equals(target, that.target) &&
+            Objects.equals(operation, that.operation) &&
+            Objects.equals(distinct, that.distinct)
+        );
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(id, dateLog, user, entity, target, operation, distinct);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "AuditLogCriteria{" +
+            (id != null ? "id=" + id + ", " : "") +
+            (dateLog != null ? "dateLog=" + dateLog + ", " : "") +
+            (user != null ? "user=" + user + ", " : "") +
+            (entity != null ? "entity=" + entity + ", " : "") +
+            (target != null ? "target=" + target + ", " : "") +
+            (operation != null ? "operation=" + operation + ", " : "") +
+            (distinct != null ? "distinct=" + distinct + ", " : "") +
+            "}";
+    }
+}
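Review bot: `dateLog` is declared as a `StringFilter`, so the audit log can be filtered by equality or substring on the date but not by a time range, which is the query most often needed when reviewing audit records. If the `AuditLog` entity stores the date as text (not visible here), range comparison and ordering depend on the stored format. A temporal column with `private InstantFilter dateLog;` would give `greaterThan`/`lessThan` directly. `QuestionnaireCriteria.lastUpdate` in this same commit is a `LongFilter`, so the two time fields are also represented differently. The class Javadoc names `AuditLogResource` as the consumer; who may call that endpoint cannot be checked from this file, and it should be limited to administrative roles.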
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionCriteria.java
index 8e51b8ae58f55ac0de2d354a423e4443355e1e53..f23a01562e57c5dca7e15ef0a76209d233c5808a 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionCriteria.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionCriteria.java
@@ -27,7 +27,9 @@ public class QuestionCriteria implements Serializable, Criteria {
     
     private StringFilter question;
     
-    private StringFilter evidence;
+    private StringFilter defaultEvidence;
+    
+    private StringFilter defaultComment;
     
     private LongFilter assuranceLevelId;
     
@@ -45,7 +47,8 @@ public class QuestionCriteria implements Serializable, Criteria {
         this.id = other.id == null ? null : other.id.copy();
         this.code = other.code == null ? null : other.code.copy();
         this.question = other.question == null ? null : other.question.copy();
-        this.evidence = other.evidence == null ? null : other.evidence.copy();
+        this.defaultEvidence = other.defaultEvidence == null ? null : other.defaultEvidence.copy();
+        this.defaultComment = other.defaultComment == null ? null : other.defaultComment.copy();
         this.assuranceLevelId = other.assuranceLevelId == null ? null : other.assuranceLevelId.copy();
         this.controlId = other.controlId == null ? null : other.controlId.copy();
         this.tomId = other.tomId == null ? null : other.tomId.copy();
@@ -103,19 +106,34 @@ public class QuestionCriteria implements Serializable, Criteria {
         this.question = question;
     }
     
-    public StringFilter getEvidence() {
-        return evidence;
+    public StringFilter getDefaultEvidence() {
+        return defaultEvidence;
+    }
+
+    public StringFilter defaultEvidence() {
+        if (defaultEvidence == null) {
+        	defaultEvidence = new StringFilter();
+        }
+        return defaultEvidence;
+    }
+
+    public void setDefaultEvidence(StringFilter defaultEvidence) {
+        this.defaultEvidence = defaultEvidence;
+    }
+    
+    public StringFilter getDefaultComment() {
+        return defaultComment;
     }
 
-    public StringFilter evidence() {
-        if (evidence == null) {
-        	evidence = new StringFilter();
+    public StringFilter defaultComment() {
+        if (defaultComment == null) {
+        	defaultComment = new StringFilter();
         }
-        return evidence;
+        return defaultComment;
     }
 
-    public void setEvidence(StringFilter evidence) {
-        this.evidence = evidence;
+    public void setDefaultComment(StringFilter defaultComment) {
+        this.defaultComment = defaultComment;
     }
     
     public LongFilter getAssuranceLevelId() {
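Review bot: Renaming the accessors from `evidence` to `defaultEvidence` also renames the HTTP query parameter that binds to this filter, since criteria fields are populated from GET parameters by name. Assuming standard Spring data binding, a client that still sends `evidence.contains=...` gets no error; the parameter is ignored and the unfiltered list comes back. The same applies to `purposeId`, removed from `QuestionnaireCriteria` later in this commit. I would record the rename where API consumers will see it, and add a field comment such as `// renamed from "evidence"; the old evidence.* query parameter is no longer bound` on `defaultEvidence`. The other hunks of this file apply the rename consistently to the fields, copy constructor, `equals`, `hashCode` and `toString`.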
@@ -199,7 +217,8 @@ public class QuestionCriteria implements Serializable, Criteria {
             Objects.equals(id, that.id) &&
             Objects.equals(code, that.code) &&
             Objects.equals(question, that.question) &&
-            Objects.equals(evidence, that.evidence) &&
+            Objects.equals(defaultEvidence, that.defaultEvidence) &&
+            Objects.equals(defaultComment, that.defaultComment) &&
             Objects.equals(assuranceLevelId, that.assuranceLevelId) &&
             Objects.equals(controlId, that.controlId) &&
             Objects.equals(tomId, that.tomId) &&
@@ -214,7 +233,8 @@ public class QuestionCriteria implements Serializable, Criteria {
             id,
             code,
             question,
-            evidence,
+            defaultEvidence,
+            defaultComment,
             assuranceLevelId,
             controlId,
             tomId,
@@ -230,7 +250,8 @@ public class QuestionCriteria implements Serializable, Criteria {
             (id != null ? "id=" + id + ", " : "") +
             (code != null ? "code=" + code + ", " : "") +
             (question != null ? "question=" + question + ", " : "") +
-            (evidence != null ? "evidence=" + evidence + ", " : "") +
+            (defaultEvidence != null ? "defaultEvidence=" + defaultEvidence + ", " : "") +
+            (defaultComment != null ? "defaultComment=" + defaultComment + ", " : "") +
             (assuranceLevelId != null ? "assuranceLevelId=" + assuranceLevelId + ", " : "") +
             (controlId != null ? "controlId=" + controlId + ", " : "") +
             (tomId != null ? "tomId=" + tomId + ", " : "") +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireCriteria.java
index 2f6c0bdeaea75170eebf81cfddcda8a118bb6a94..5a640dd041673a133f8ec0f030f791d6d42a92e3 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireCriteria.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireCriteria.java
@@ -23,9 +23,21 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
 
     private LongFilter id;
     
+    private StringFilter name;
+    
+    private StringFilter evidences;
+    
+    private StringFilter comments;
+    
+    private LongFilter lastUpdate;
+    
     private LongFilter frameworkId;
     
-    private LongFilter purposeId;
+    private LongFilter controlId;
+    
+    private LongFilter tomId;
+    
+    private LongFilter assuranceLevelId;
     
     private LongFilter questionId;
     
@@ -39,8 +51,14 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
 
     public QuestionnaireCriteria(QuestionnaireCriteria other) {
         this.id = other.id == null ? null : other.id.copy();
+        this.name = other.name == null ? null : other.name.copy();
+        this.evidences = other.evidences == null ? null : other.evidences.copy();
+        this.comments = other.comments == null ? null : other.comments.copy();
+        this.lastUpdate = other.lastUpdate == null ? null : other.lastUpdate.copy();
         this.frameworkId = other.frameworkId == null ? null : other.frameworkId.copy();
-        this.purposeId = other.purposeId == null ? null : other.purposeId.copy();
+        this.controlId = other.controlId == null ? null : other.controlId.copy();
+        this.tomId = other.tomId == null ? null : other.tomId.copy();
+        this.assuranceLevelId = other.assuranceLevelId == null ? null : other.assuranceLevelId.copy();
         this.questionId = other.questionId == null ? null : other.questionId.copy();
         this.answerId = other.answerId == null ? null : other.answerId.copy();
         this.userId = other.userId == null ? null : other.userId.copy();
@@ -67,6 +85,66 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
         this.id = id;
     }
     
+    public StringFilter getName() {
+        return name;
+    }
+
+    public StringFilter name() {
+        if (name == null) {
+        	name = new StringFilter();
+        }
+        return name;
+    }
+
+    public void setName(StringFilter name) {
+        this.name = name;
+    }
+    
+    public StringFilter getEvidences() {
+        return evidences;
+    }
+
+    public StringFilter evidences() {
+        if (evidences == null) {
+        	evidences = new StringFilter();
+        }
+        return evidences;
+    }
+
+    public void setEvidences(StringFilter evidences) {
+        this.evidences = evidences;
+    }
+    
+    public StringFilter getComments() {
+        return comments;
+    }
+
+    public StringFilter comments() {
+        if (comments == null) {
+        	comments = new StringFilter();
+        }
+        return comments;
+    }
+
+    public void setComments(StringFilter comments) {
+        this.comments = comments;
+    }
+    
+    public LongFilter getLastUpdate() {
+        return lastUpdate;
+    }
+
+    public LongFilter lastUpdate() {
+        if (lastUpdate == null) {
+        	lastUpdate = new LongFilter();
+        }
+        return lastUpdate;
+    }
+
+    public void setLastUpdate(LongFilter lastUpdate) {
+        this.lastUpdate = lastUpdate;
+    }
+    
     public LongFilter getFrameworkId() {
         return frameworkId;
     }
@@ -81,20 +159,50 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
     public void setFrameworkId(LongFilter frameworkId) {
         this.frameworkId = frameworkId;
     }
+    
+    public LongFilter getControlId() {
+        return controlId;
+    }
 
-    public LongFilter getPurposeId() {
-        return purposeId;
+    public LongFilter controlId() {
+        if (controlId == null) {
+        	controlId = new LongFilter();
+        }
+        return controlId;
+    }
+
+    public void setControlId(LongFilter controlId) {
+        this.controlId = controlId;
+    }
+    
+    public LongFilter getTomId() {
+        return tomId;
+    }
+
+    public LongFilter tomId() {
+        if (tomId == null) {
+        	tomId = new LongFilter();
+        }
+        return tomId;
+    }
+
+    public void setTomId(LongFilter tomId) {
+        this.tomId = tomId;
+    }
+    
+    public LongFilter getAssuranceLevelId() {
+        return assuranceLevelId;
     }
 
-    public LongFilter purposeId() {
-        if (purposeId == null) {
-        	purposeId = new LongFilter();
+    public LongFilter assuranceLevelId() {
+        if (assuranceLevelId == null) {
+        	assuranceLevelId = new LongFilter();
         }
-        return purposeId;
+        return assuranceLevelId;
     }
 
-    public void setPurposeId(LongFilter purposeId) {
-        this.purposeId = purposeId;
+    public void setAssuranceLevelId(LongFilter assuranceLevelId) {
+        this.assuranceLevelId = assuranceLevelId;
     }
     
     public LongFilter getQuestionId() {
@@ -161,8 +269,14 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
         final QuestionnaireCriteria that = (QuestionnaireCriteria) o;
         return (
             Objects.equals(id, that.id) &&
+            Objects.equals(name, that.name) &&
+            Objects.equals(evidences, that.evidences) &&
+            Objects.equals(comments, that.comments) &&
+            Objects.equals(lastUpdate, that.lastUpdate) &&
             Objects.equals(frameworkId, that.frameworkId) &&
-            Objects.equals(purposeId, that.purposeId) &&
+            Objects.equals(controlId, that.controlId) &&
+            Objects.equals(tomId, that.tomId) &&
+            Objects.equals(assuranceLevelId, that.assuranceLevelId) &&
             Objects.equals(questionId, that.questionId) &&
             Objects.equals(answerId, that.answerId) &&
             Objects.equals(userId, that.userId) &&
@@ -174,8 +288,14 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
     public int hashCode() {
         return Objects.hash(
             id,
+            name,
+            evidences,
+            comments,
+            lastUpdate,
             frameworkId,
-            purposeId,
+            controlId,
+            tomId,
+            assuranceLevelId,
             questionId,
             answerId,
             userId,
@@ -188,8 +308,14 @@ public class QuestionnaireCriteria implements Serializable, Criteria {
     public String toString() {
         return "QuestionnaireCriteria{" +
             (id != null ? "id=" + id + ", " : "") +
+            (name != null ? "name=" + name + ", " : "") +
+            (evidences != null ? "evidences=" + evidences + ", " : "") +
+            (comments != null ? "comments=" + comments + ", " : "") +
+            (lastUpdate != null ? "lastUpdate=" + lastUpdate + ", " : "") +
             (frameworkId != null ? "frameworkId=" + frameworkId + ", " : "") +
-            (purposeId != null ? "purposeId=" + purposeId + ", " : "") +
+            (controlId != null ? "controlId=" + controlId + ", " : "") +
+            (tomId != null ? "tomId=" + tomId + ", " : "") +
+            (assuranceLevelId != null ? "assuranceLevelId=" + assuranceLevelId + ", " : "") +
             (questionId != null ? "questionId=" + questionId + ", " : "") +
             (answerId != null ? "answerId=" + answerId + ", " : "") +
             (userId != null ? "userId=" + userId + ", " : "") +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireNonConformityCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireNonConformityCriteria.java
new file mode 100644
index 0000000000000000000000000000000000000000..85369c3ebdb3b5c9abe113ebf6d9db1261ed1bfc
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnaireNonConformityCriteria.java
@@ -0,0 +1,154 @@
+package com.medina.coc.backend.service.criteria;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import tech.jhipster.service.Criteria;
+import tech.jhipster.service.filter.Filter;
+import tech.jhipster.service.filter.LongFilter;
+import tech.jhipster.service.filter.StringFilter;
+
+/**
+ * Criteria class for the {@link com.medina.coc.backend.domain.QuestionnaireNonConformity} entity. This class is used
+ * in {@link com.medina.coc.backend.web.rest.QuestionnaireNonConformityResource} to receive all the possible filtering options from
+ * the Http GET request parameters.
+ * For example the following could be a valid request:
+ * {@code /questionnaire-non-conformities?id.greaterThan=5&attr1.contains=something&attr2.specified=false}
+ * As Spring is unable to properly convert the types, unless specific {@link Filter} class are used, we need to use
+ * fix type specific filters.
+ */
+public class QuestionnaireNonConformityCriteria implements Serializable, Criteria {
+
+    private static final long serialVersionUID = 1L;
+
+    private StringFilter questionnaireName;
+    
+    private LongFilter tomId;
+    
+    private StringFilter comments;
+    
+    private StringFilter compliance;
+
+    private Boolean distinct;
+
+    public QuestionnaireNonConformityCriteria() {}
+
+    public QuestionnaireNonConformityCriteria(QuestionnaireNonConformityCriteria other) {
+        this.questionnaireName = other.questionnaireName == null ? null : other.questionnaireName.copy();
+        this.tomId = other.tomId == null ? null : other.tomId.copy();
+        this.distinct = other.distinct;
+    }
+
+    @Override
+    public QuestionnaireNonConformityCriteria copy() {
+        return new QuestionnaireNonConformityCriteria(this);
+    }
+
+    public StringFilter getQuestionnaireName() {
+        return questionnaireName;
+    }
+
+    public StringFilter questionnaireName() {
+        if (questionnaireName == null) {
+        	questionnaireName = new StringFilter();
+        }
+        return questionnaireName;
+    }
+
+    public void setQuestionnaireName(StringFilter questionnaireName) {
+        this.questionnaireName = questionnaireName;
+    }
+    
+    public LongFilter getTomId() {
+        return tomId;
+    }
+
+    public LongFilter tomId() {
+        if (tomId == null) {
+        	tomId = new LongFilter();
+        }
+        return tomId;
+    }
+
+    public void setTomId(LongFilter tomId) {
+        this.tomId = tomId;
+    }
+    
+    public StringFilter getComments() {
+        return comments;
+    }
+
+    public StringFilter comments() {
+        if (comments == null) {
+        	comments = new StringFilter();
+        }
+        return comments;
+    }
+
+    public void setComments(StringFilter comments) {
+        this.comments = comments;
+    }
+    
+    public StringFilter getCompliance() {
+        return compliance;
+    }
+
+    public StringFilter compliance() {
+        if (compliance == null) {
+        	compliance = new StringFilter();
+        }
+        return compliance;
+    }
+
+    public void setCompliance(StringFilter compliance) {
+        this.compliance = compliance;
+    }
+
+    public Boolean getDistinct() {
+        return distinct;
+    }
+
+    public void setDistinct(Boolean distinct) {
+        this.distinct = distinct;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        final QuestionnaireNonConformityCriteria that = (QuestionnaireNonConformityCriteria) o;
+        return (
+            Objects.equals(questionnaireName, that.questionnaireName) &&
+            Objects.equals(tomId, that.tomId) &&
+            Objects.equals(comments, that.comments) &&
+            Objects.equals(compliance, that.compliance) &&
+            Objects.equals(distinct, that.distinct)
+        );
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(
+            questionnaireName,
+            tomId,
+            comments,
+            compliance,
+            distinct
+        );
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireNonConformityCriteria{" +
+            (questionnaireName != null ? "questionnaireName=" + questionnaireName + ", " : "") +
+            (tomId != null ? "tomId=" + tomId + ", " : "") +
+            (comments != null ? "comments=" + comments + ", " : "") +
+            (compliance != null ? "compliance=" + compliance + ", " : "") +
+            "}";
+    }
+}
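Review bot: The copy constructor copies only `questionnaireName`, `tomId` and `distinct`, so `copy()` returns a criteria whose `comments` and `compliance` filters are null even when the original had them set. A query built from such a copy would lose those two predicates and match more rows than the caller asked for; whether `copy()` is called on this class is not visible in this diff. Add `this.comments = other.comments == null ? null : other.comments.copy();` and `this.compliance = other.compliance == null ? null : other.compliance.copy();` before the `distinct` assignment. `toString()` also leaves out `distinct` although `equals` and `hashCode` include it.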
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnairePurposeCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnairePurposeCriteria.java
deleted file mode 100755
index 941d2b841b6085af06cd87da5255b7895d280118..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/QuestionnairePurposeCriteria.java
+++ /dev/null
@@ -1,115 +0,0 @@
-package com.medina.coc.backend.service.criteria;
-
-import java.io.Serializable;
-import java.util.Objects;
-
-import tech.jhipster.service.Criteria;
-import tech.jhipster.service.filter.Filter;
-import tech.jhipster.service.filter.LongFilter;
-import tech.jhipster.service.filter.StringFilter;
-
-/**
- * Criteria class for the {@link com.medina.coc.backend.domain.QuestionnairePurpose} entity. This class is used
- * in {@link com.medina.coc.backend.web.rest.QuestionnairePurpose} to receive all the possible filtering options from
- * the Http GET request parameters.
- * For example the following could be a valid request:
- * {@code /questionnaires?id.greaterThan=5&attr1.contains=something&attr2.specified=false}
- * As Spring is unable to properly convert the types, unless specific {@link Filter} class are used, we need to use
- * fix type specific filters.
- */
-public class QuestionnairePurposeCriteria implements Serializable, Criteria {
-
-    private static final long serialVersionUID = 1L;
-
-    private LongFilter id;
-
-    private StringFilter purpose;
-
-    private Boolean distinct;
-
-    public QuestionnairePurposeCriteria() {}
-
-    public QuestionnairePurposeCriteria(QuestionnairePurposeCriteria other) {
-        this.id = other.id == null ? null : other.id.copy();
-        this.purpose = other.purpose == null ? null : other.purpose.copy();
-        this.distinct = other.distinct;
-    }
-
-    @Override
-    public QuestionnairePurposeCriteria copy() {
-        return new QuestionnairePurposeCriteria(this);
-    }
-
-    public LongFilter getId() {
-        return id;
-    }
-
-    public LongFilter id() {
-        if (id == null) {
-            id = new LongFilter();
-        }
-        return id;
-    }
-
-    public void setId(LongFilter id) {
-        this.id = id;
-    }
-
-    public StringFilter getPurpose() {
-        return purpose;
-    }
-
-    public StringFilter purpose() {
-        if (purpose == null) {
-        	purpose = new StringFilter();
-        }
-        return purpose;
-    }
-
-    public void setPurpose(StringFilter purpose) {
-        this.purpose = purpose;
-    }
-
-    public Boolean getDistinct() {
-        return distinct;
-    }
-
-    public void setDistinct(Boolean distinct) {
-        this.distinct = distinct;
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) {
-            return true;
-        }
-        if (o == null || getClass() != o.getClass()) {
-            return false;
-        }
-        final QuestionnairePurposeCriteria that = (QuestionnairePurposeCriteria) o;
-        return (
-            Objects.equals(id, that.id) &&
-            Objects.equals(purpose, that.purpose) &&
-            Objects.equals(distinct, that.distinct)
-        );
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(
-            id,
-            purpose,
-            distinct
-        );
-    }
-
-    // prettier-ignore
-    @Override
-    public String toString() {
-        return "QuestionnairePurposeCriteria{" +
-            (id != null ? "id=" + id + ", " : "") +
-            (purpose != null ? "purpose=" + purpose + ", " : "") +
-            (distinct != null ? "distinct=" + distinct + ", " : "") +
-            "}";
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SecurityControlCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SecurityControlCriteria.java
index 19c83e70a1adbaa96ec6b14340d8fa616f6c2623..0b8a5083c25d629617e437088fca28d401965e6f 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SecurityControlCriteria.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SecurityControlCriteria.java
@@ -34,10 +34,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
 
     private StringFilter description;
 
-    private StringFilter guidance;
-
-    private FloatFilter riskReductionWeight;
-
     private LongFilter similarControlsId;
 
     private LongFilter securityControlCategoryId;
@@ -54,8 +50,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
         this.name = other.name == null ? null : other.name.copy();
         this.objective = other.objective == null ? null : other.objective.copy();
         this.description = other.description == null ? null : other.description.copy();
-        this.guidance = other.guidance == null ? null : other.guidance.copy();
-        this.riskReductionWeight = other.riskReductionWeight == null ? null : other.riskReductionWeight.copy();
         this.similarControlsId = other.similarControlsId == null ? null : other.similarControlsId.copy();
         this.securityControlCategoryId = other.securityControlCategoryId == null ? null : other.securityControlCategoryId.copy();
         this.resourceId = other.resourceId == null ? null : other.resourceId.copy();
@@ -142,36 +136,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
         this.description = description;
     }
 
-    public StringFilter getGuidance() {
-        return guidance;
-    }
-
-    public StringFilter guidance() {
-        if (guidance == null) {
-            guidance = new StringFilter();
-        }
-        return guidance;
-    }
-
-    public void setGuidance(StringFilter guidance) {
-        this.guidance = guidance;
-    }
-
-    public FloatFilter getRiskReductionWeight() {
-        return riskReductionWeight;
-    }
-
-    public FloatFilter riskReductionWeight() {
-        if (riskReductionWeight == null) {
-            riskReductionWeight = new FloatFilter();
-        }
-        return riskReductionWeight;
-    }
-
-    public void setRiskReductionWeight(FloatFilter riskReductionWeight) {
-        this.riskReductionWeight = riskReductionWeight;
-    }
-
     public LongFilter getSimilarControlsId() {
         return similarControlsId;
     }
@@ -240,8 +204,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
             Objects.equals(name, that.name) &&
             Objects.equals(objective, that.objective) &&
             Objects.equals(description, that.description) &&
-            Objects.equals(guidance, that.guidance) &&
-            Objects.equals(riskReductionWeight, that.riskReductionWeight) &&
             Objects.equals(similarControlsId, that.similarControlsId) &&
             Objects.equals(securityControlCategoryId, that.securityControlCategoryId) &&
             Objects.equals(resourceId, that.resourceId) &&
@@ -257,8 +219,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
             name,
             objective,
             description,
-            guidance,
-            riskReductionWeight,
             similarControlsId,
             securityControlCategoryId,
             resourceId,
@@ -275,8 +235,6 @@ public class SecurityControlCriteria implements Serializable, Criteria {
             (name != null ? "name=" + name + ", " : "") +
             (objective != null ? "objective=" + objective + ", " : "") +
             (description != null ? "description=" + description + ", " : "") +
-            (guidance != null ? "guidance=" + guidance + ", " : "") +
-            (riskReductionWeight != null ? "riskReductionWeight=" + riskReductionWeight + ", " : "") +
             (similarControlsId != null ? "similarControlsId=" + similarControlsId + ", " : "") +
             (securityControlCategoryId != null ? "securityControlCategoryId=" + securityControlCategoryId + ", " : "") +
             (resourceId != null ? "resourceId=" + resourceId + ", " : "") +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SimilarControlCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SimilarControlCriteria.java
index 8dcb19f46c365f8bea00323ca9f2dd917923e7ae..f246e1904cd4825f62e768a8e0d14842e62e4ac4 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SimilarControlCriteria.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/SimilarControlCriteria.java
@@ -33,6 +33,10 @@ public class SimilarControlCriteria implements Serializable, Criteria {
     private StringFilter securityControlFrameworkName;
 
     private LongFilter securityControlId;
+    
+    private StringFilter securityControlName;
+    
+    private StringFilter securityControlObjective;
 
     private Boolean distinct;
 
@@ -44,6 +48,8 @@ public class SimilarControlCriteria implements Serializable, Criteria {
         this.name = other.name == null ? null : other.name.copy();
         this.securityControlFrameworkName = other.securityControlFrameworkName == null ? null : other.securityControlFrameworkName.copy();
         this.securityControlId = other.securityControlId == null ? null : other.securityControlId.copy();
+        this.securityControlName = other.securityControlName == null ? null : other.securityControlName.copy();
+        this.securityControlObjective = other.securityControlObjective == null ? null : other.securityControlObjective.copy();
         this.distinct = other.distinct;
     }
 
@@ -126,6 +132,36 @@ public class SimilarControlCriteria implements Serializable, Criteria {
     public void setSecurityControlId(LongFilter securityControlId) {
         this.securityControlId = securityControlId;
     }
+    
+    public StringFilter getSecurityControlName() {
+        return securityControlName;
+    }
+
+    public StringFilter securityControlName() {
+        if (securityControlName == null) {
+        	securityControlName = new StringFilter();
+        }
+        return securityControlName;
+    }
+
+    public void setSecurityControlName(StringFilter securityControlName) {
+        this.securityControlName = securityControlName;
+    }
+    
+    public StringFilter getSecurityControlObjective() {
+        return securityControlObjective;
+    }
+
+    public StringFilter securityControlObjective() {
+        if (securityControlObjective == null) {
+        	securityControlObjective = new StringFilter();
+        }
+        return securityControlObjective;
+    }
+
+    public void setSecurityControlObjective(StringFilter securityControlObjective) {
+        this.securityControlObjective = securityControlObjective;
+    }
 
     public Boolean getDistinct() {
         return distinct;
@@ -150,13 +186,15 @@ public class SimilarControlCriteria implements Serializable, Criteria {
             Objects.equals(name, that.name) &&
             Objects.equals(securityControlFrameworkName, that.securityControlFrameworkName) &&
             Objects.equals(securityControlId, that.securityControlId) &&
+            Objects.equals(securityControlName, that.securityControlName) &&
+            Objects.equals(securityControlObjective, that.securityControlObjective) &&
             Objects.equals(distinct, that.distinct)
         );
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(id, code, name, securityControlFrameworkName, securityControlId, distinct);
+        return Objects.hash(id, code, name, securityControlFrameworkName, securityControlId, securityControlName, securityControlObjective, distinct);
     }
 
     // prettier-ignore
@@ -168,6 +206,8 @@ public class SimilarControlCriteria implements Serializable, Criteria {
             (name != null ? "name=" + name + ", " : "") +
             (securityControlFrameworkName != null ? "securityControlFrameworkName=" + securityControlFrameworkName + ", " : "") +
             (securityControlId != null ? "securityControlId=" + securityControlId + ", " : "") +
+            (securityControlName != null ? "securityControlName=" + securityControlName + ", " : "") +
+            (securityControlObjective != null ? "securityControlObjective=" + securityControlObjective + ", " : "") +
             (distinct != null ? "distinct=" + distinct + ", " : "") +
             "}";
     }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/TomCriteria.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/TomCriteria.java
index d4454e404af15c6d6b68523419afb11a80d000b8..04c5095ced60274f24807e33aebe17f45b770cc7 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/TomCriteria.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/criteria/TomCriteria.java
@@ -1,15 +1,13 @@
 package com.medina.coc.backend.service.criteria;
 
-import com.medina.coc.backend.domain.enumeration.AssuranceLevel;
-import com.medina.coc.backend.domain.enumeration.Type;
 import java.io.Serializable;
 import java.util.Objects;
+
+import com.medina.coc.backend.domain.enumeration.AssuranceLevel;
+import com.medina.coc.backend.domain.enumeration.Type;
+
 import tech.jhipster.service.Criteria;
-import tech.jhipster.service.filter.BooleanFilter;
-import tech.jhipster.service.filter.DoubleFilter;
 import tech.jhipster.service.filter.Filter;
-import tech.jhipster.service.filter.FloatFilter;
-import tech.jhipster.service.filter.IntegerFilter;
 import tech.jhipster.service.filter.LongFilter;
 import tech.jhipster.service.filter.StringFilter;
 
@@ -71,6 +69,8 @@ public class TomCriteria implements Serializable, Criteria {
     private AssuranceLevelFilter assuranceLevel;
 
     private TypeFilter type;
+    
+    private StringFilter guidance;
 
     private LongFilter securityControlId;
 
@@ -85,6 +85,7 @@ public class TomCriteria implements Serializable, Criteria {
         this.description = other.description == null ? null : other.description.copy();
         this.assuranceLevel = other.assuranceLevel == null ? null : other.assuranceLevel.copy();
         this.type = other.type == null ? null : other.type.copy();
+        this.guidance = other.guidance == null ? null : other.guidance.copy();
         this.securityControlId = other.securityControlId == null ? null : other.securityControlId.copy();
         this.distinct = other.distinct;
     }
@@ -183,6 +184,21 @@ public class TomCriteria implements Serializable, Criteria {
     public void setType(TypeFilter type) {
         this.type = type;
     }
+    
+    public StringFilter getGuidance() {
+        return guidance;
+    }
+
+    public StringFilter guidance() {
+        if (guidance == null) {
+        	guidance = new StringFilter();
+        }
+        return guidance;
+    }
+
+    public void setGuidance(StringFilter guidance) {
+        this.guidance = guidance;
+    }
 
     public LongFilter getSecurityControlId() {
         return securityControlId;
@@ -223,6 +239,7 @@ public class TomCriteria implements Serializable, Criteria {
             Objects.equals(description, that.description) &&
             Objects.equals(assuranceLevel, that.assuranceLevel) &&
             Objects.equals(type, that.type) &&
+            Objects.equals(guidance, that.guidance) &&
             Objects.equals(securityControlId, that.securityControlId) &&
             Objects.equals(distinct, that.distinct)
         );
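Review bot: `guidance` is added to `equals` here and to `toString` in the next hunk, but no hunk in this file touches `hashCode()`. The line offsets of the two hunks leave the lines between them unchanged, so `hashCode()` presumably still omits the new field. That does not break the equals/hashCode contract, but it is inconsistent with every other field and with `SimilarControlCriteria` in this same commit, which updates all three methods. Add `guidance,` to the `Objects.hash(...)` argument list, after `type` to match the order used in `equals`. The body of `equals` starts outside this hunk.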
@@ -243,6 +260,7 @@ public class TomCriteria implements Serializable, Criteria {
             (description != null ? "description=" + description + ", " : "") +
             (assuranceLevel != null ? "assuranceLevel=" + assuranceLevel + ", " : "") +
             (type != null ? "type=" + type + ", " : "") +
+            (guidance != null ? "guidance=" + guidance + ", " : "") +
             (securityControlId != null ? "securityControlId=" + securityControlId + ", " : "") +
             (distinct != null ? "distinct=" + distinct + ", " : "") +
             "}";
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AdminUserDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AdminUserDTO.java
index 3b1f7596b80c497bb0c1ef463e2f93d6957acb7a..edca77283ad01ee6220bfdd2c42b0243f81b9d8f 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AdminUserDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AdminUserDTO.java
@@ -29,6 +29,9 @@ public class AdminUserDTO {
     @Email
     @Size(min = 5, max = 254)
     private String email;
+    
+    @Size(max = 255)
+    private String company;
 
     @Size(max = 256)
     private String imageUrl;
@@ -58,6 +61,7 @@ public class AdminUserDTO {
         this.firstName = user.getFirstName();
         this.lastName = user.getLastName();
         this.email = user.getEmail();
+        this.company = user.getCompany();
         this.activated = user.isActivated();
         this.imageUrl = user.getImageUrl();
         this.langKey = user.getLangKey();
@@ -107,6 +111,14 @@ public class AdminUserDTO {
     public void setEmail(String email) {
         this.email = email;
     }
+    
+    public String getCompany() {
+        return company;
+    }
+
+    public void setCompany(String company) {
+        this.company = company;
+    }
 
     public String getImageUrl() {
         return imageUrl;
@@ -180,6 +192,7 @@ public class AdminUserDTO {
             ", firstName='" + firstName + '\'' +
             ", lastName='" + lastName + '\'' +
             ", email='" + email + '\'' +
+            ", company='" + company + '\'' +
             ", imageUrl='" + imageUrl + '\'' +
             ", activated=" + activated +
             ", langKey='" + langKey + '\'' +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AuditLogDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AuditLogDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..523d1fd68e3eca52faff8a437bc69440b44ea313
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/AuditLogDTO.java
@@ -0,0 +1,154 @@
+package com.medina.coc.backend.service.dto;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.AuditLog} entity.
+ */
+@ApiModel(description = "AuditLog entity.\n\n@author Diego Rosado")
+public class AuditLogDTO implements Serializable {
+
+    /**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	private Long id;
+
+    /**
+     * dateLog
+     */
+    @NotNull
+    @ApiModelProperty(value = "dateLog", required = true)
+    private String dateLog;
+    
+    /**
+     * user
+     */
+    @NotNull
+    @ApiModelProperty(value = "user", required = true)
+    private String user;
+    
+    /**
+     * entity
+     */
+    @NotNull
+    @ApiModelProperty(value = "entity", required = true)
+    private String entity;
+    
+    /**
+     * target
+     */
+    @NotNull
+    @ApiModelProperty(value = "target", required = true)
+    private String target;
+    
+    /**
+     * operation
+     */
+    @NotNull
+    @ApiModelProperty(value = "operation", required = true)
+    private String operation;
+    
+    
+    public AuditLogDTO() {}
+    
+    public AuditLogDTO(final String dateLog, final String user, final String entity,
+    		final String target, final String operation) {
+    	this.dateLog = dateLog;
+    	this.user = user;
+    	this.entity = entity;
+    	this.target = target;
+    	this.operation = operation;
+    }
+
+
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getDateLog() {
+        return dateLog;
+    }
+
+    public void setDateLog(String dateLog) {
+        this.dateLog = dateLog;
+    }
+
+    public String getUser() {
+        return user;
+    }
+
+    public void setUser(String user) {
+        this.user = user;
+    }
+    
+    public String getEntity() {
+        return entity;
+    }
+
+    public void setEntity(String entity) {
+        this.entity = entity;
+    }
+    
+    public String getTarget() {
+        return target;
+    }
+
+    public void setTarget(String target) {
+        this.target = target;
+    }
+    
+    public String getOperation() {
+        return operation;
+    }
+
+    public void setOperation(String operation) {
+        this.operation = operation;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof AuditLogDTO)) {
+            return false;
+        }
+
+        AuditLogDTO auditLogDTO = (AuditLogDTO) o;
+        if (this.id == null) {
+            return false;
+        }
+        return Objects.equals(this.id, auditLogDTO.id);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.id);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "AuditLogDTO{" +
+            "id=" + getId() +
+            ", dateLog='" + getDateLog() + "'" +
+            ", user=" + getUser() +
+            ", entity=" + getEntity() +
+            ", target=" + getTarget() +
+            ", operation=" + getOperation() +
+            "}";
+    }
+}
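Review bot: The five audit fields carry only `@NotNull`, so an empty string or an arbitrarily long value passes validation. Because `dateLog` is a `String`, nothing checks that it holds a timestamp or that entries sort correctly. For an audit record I would use `@NotBlank` plus a `@Size(max = ...)` matching the column length on `user`, `entity`, `target` and `operation`, as `AdminUserDTO.company` does in this commit. `dateLog` should either become a `java.time.Instant` or get a Javadoc stating the exact expected format; the current field Javadocs only repeat the field names. Whether this DTO is ever bound from a request body is not visible here; if it is, `user` and `dateLog` should be set server-side from the authenticated principal and the clock, not taken from the payload.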
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionAssuranceLevelDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionAssuranceLevelDTO.java
index 70a5e815ce5d20f27757be8408f749b456026bd2..359c8da90e33da592a7da0dbf8b06cfd005b73ef 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionAssuranceLevelDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionAssuranceLevelDTO.java
@@ -1,10 +1,15 @@
 package com.medina.coc.backend.service.dto;
 
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Objects;
 
 import javax.validation.constraints.NotNull;
 
+import com.medina.coc.backend.domain.request.QuestionnaireCloudService;
+import com.medina.coc.backend.util.CollectionUtil;
+
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 
@@ -25,6 +30,11 @@ public class QuestionAssuranceLevelDTO implements Serializable {
     @NotNull
     @ApiModelProperty(value = "assuranceLevel", required = true)
     private String assuranceLevel;
+    
+    /**
+     * cloudServiceList
+     */
+    private List<QuestionnaireCloudService> questionnaireCloudServiceList = new ArrayList<QuestionnaireCloudService>();
 
     public Long getId() {
         return id;
@@ -41,6 +51,14 @@ public class QuestionAssuranceLevelDTO implements Serializable {
     public void setAssuranceLevel(String assuranceLevel) {
         this.assuranceLevel = assuranceLevel;
     }
+    
+    public List<QuestionnaireCloudService> getQuestionnaireCloudServiceList() {
+    	return CollectionUtil.isNullOrEmpty(questionnaireCloudServiceList) ? new ArrayList<QuestionnaireCloudService>() : questionnaireCloudServiceList;
+    }
+    
+    public void setQuestionnaireCloudServiceList(List<QuestionnaireCloudService> questionnaireCloudServiceList) {
+    	this.questionnaireCloudServiceList = CollectionUtil.isNullOrEmpty(questionnaireCloudServiceList) ? new ArrayList<QuestionnaireCloudService>() : questionnaireCloudServiceList;
+    }
 
     @Override
     public boolean equals(Object o) {
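Review bot: `getQuestionnaireCloudServiceList()` returns a fresh `ArrayList` whenever the field is null or empty, assuming `CollectionUtil.isNullOrEmpty` does what its name says. In the empty case `dto.getQuestionnaireCloudServiceList().add(x)` therefore mutates a throwaway list and the element is silently lost, whereas the same call on a non-empty list modifies the DTO. The field initialiser and the setter already guarantee the field is never null, so the getter can simply be `return questionnaireCloudServiceList;`. The setter should test only for null, so a caller's empty list is kept rather than replaced. The `/** cloudServiceList */` comment on the field could instead say what the list holds.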
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionDTO.java
index b583d1128728a3d43a5622f0bef8d1e1f70fcb43..e83c7811c22ca9c1e6855e4f126156c8123dfb19 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionDTO.java
@@ -34,11 +34,18 @@ public class QuestionDTO implements Serializable {
     private String question;
     
     /**
-     * evidence
+     * defaultEvidence
      */
     @NotNull
-    @ApiModelProperty(value = "evidence", required = true)
-    private String evidence;
+    @ApiModelProperty(value = "defaultEvidence", required = true)
+    private String defaultEvidence;
+    
+    /**
+     * defaultComment
+     */
+    @NotNull
+    @ApiModelProperty(value = "defaultComment", required = true)
+    private String defaultComment;
     
     /**
      * assuranceLevelId
@@ -92,12 +99,20 @@ public class QuestionDTO implements Serializable {
         this.question = question;
     }
     
-    public String getEvidence() {
-        return evidence;
+    public String getDefaultEvidence() {
+        return defaultEvidence;
+    }
+
+    public void setDefaultEvidence(String defaultEvidence) {
+        this.defaultEvidence = defaultEvidence;
+    }
+    
+    public String getDefaultComment() {
+        return defaultComment;
     }
 
-    public void setEvidence(String evidence) {
-        this.evidence = evidence;
+    public void setDefaultComment(String defaultComment) {
+        this.defaultComment = defaultComment;
     }
     
     public String getAssuranceLevelId() {
@@ -160,7 +175,8 @@ public class QuestionDTO implements Serializable {
             "id=" + getId() +
             ", code='" + getCode() + "'" +
             ", question='" + getQuestion() + "'" +
-            ", evidence='" + getEvidence() + "'" +
+            ", defaultEvidence='" + getDefaultEvidence() + "'" +
+            ", defaultComment='" + getDefaultComment() + "'" +
             ", assuranceLevelId='" + getAssuranceLevelId() + "'" +
             ", controlId='" + getControlId() + "'" +
             ", tomId='" + getTomId() + "'" +
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireDTO.java
index 572901110efc077be9849f4f24d142321738150e..ec6908fb83f0a80105753b5f1861f77430095ca8 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireDTO.java
@@ -18,6 +18,33 @@ public class QuestionnaireDTO implements Serializable {
 	
 
 	private Long id;
+	
+	/**
+     * name
+     */
+    @NotNull
+    @ApiModelProperty(value = "name", required = true)
+    private String name;
+    
+    /**
+     * evidences
+     */
+    @NotNull
+    @ApiModelProperty(value = "evidences", required = true)
+    private String evidences;
+    
+    /**
+     * comments
+     */
+    @NotNull
+    @ApiModelProperty(value = "comments", required = true)
+    private String comments;
+    
+    /**
+     * lastUpdate
+     */
+    @ApiModelProperty(value = "lastUpdate", required = false)
+    private Long lastUpdate;
 
     /**
      * frameworkId
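Review bot: `lastUpdate` is added as an ordinary client-writable field, so unless the service overwrites it on save (the mapping is not visible in this diff) a caller can submit any timestamp for a questionnaire record. For a compliance record the value should be stamped server-side and the DTO field treated as output only. The Javadoc could say so and name the unit, e.g. `/** lastUpdate: epoch time of the last save, set by the server; a value sent by the client is ignored. */`. The class body continues outside this hunk.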
@@ -27,11 +54,25 @@ public class QuestionnaireDTO implements Serializable {
     private Long frameworkId;
     
     /**
-     * purposeId
+     * controlId
+     */
+    @NotNull
+    @ApiModelProperty(value = "controlId", required = true)
+    private Long controlId;
+    
+    /**
+     * tomId
      */
     @NotNull
-    @ApiModelProperty(value = "purposeId", required = true)
-    private Long purposeId;
+    @ApiModelProperty(value = "tomId", required = true)
+    private Long tomId;
+    
+    /**
+     * assuranceLevelId
+     */
+    @NotNull
+    @ApiModelProperty(value = "assuranceLevelId", required = true)
+    private Long assuranceLevelId;
     
     /**
      * questionId
@@ -62,6 +103,38 @@ public class QuestionnaireDTO implements Serializable {
     public void setId(Long id) {
         this.id = id;
     }
+    
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+    
+    public String getEvidences() {
+        return evidences;
+    }
+
+    public void setEvidences(String evidences) {
+        this.evidences = evidences;
+    }
+    
+    public String getComments() {
+        return comments;
+    }
+
+    public void setComments(String comments) {
+        this.comments = comments;
+    }
+    
+    public Long getLastUpdate() {
+        return lastUpdate;
+    }
+
+    public void setLastUpdate(Long lastUpdate) {
+        this.lastUpdate = lastUpdate;
+    }
 
     public Long getFrameworkId() {
         return frameworkId;
@@ -71,12 +144,28 @@ public class QuestionnaireDTO implements Serializable {
         this.frameworkId = frameworkId;
     }
     
-    public Long getPurposeId() {
-        return purposeId;
+    public Long getControlId() {
+        return controlId;
+    }
+
+    public void setControlId(Long controlId) {
+        this.controlId = controlId;
+    }
+    
+    public Long getTomId() {
+        return tomId;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+    
+    public Long getAssuranceLevelId() {
+        return assuranceLevelId;
     }
 
-    public void setPurposeId(Long purposeId) {
-        this.purposeId = purposeId;
+    public void setAssuranceLevelId(Long assuranceLevelId) {
+        this.assuranceLevelId = assuranceLevelId;
     }
     
     public Long getQuestionId() {
@@ -129,8 +218,14 @@ public class QuestionnaireDTO implements Serializable {
     public String toString() {
         return "QuestionnaireDTO{" +
             "id=" + getId() +
+            ", name='" + getName() + "'" +
+            ", evidences='" + getEvidences() + "'" +
+            ", comments='" + getComments() + "'" +
+            ", lastUpdate='" + getLastUpdate() + "'" +
             ", frameworkId='" + getFrameworkId() + "'" +
-            ", purposeId='" + getPurposeId() + "'" +
+            ", controlId='" + getControlId() + "'" +
+            ", tomId='" + getTomId() + "'" +
+            ", assuranceLevelId='" + getAssuranceLevelId() + "'" +
             ", questionId=" + getQuestionId() +
             ", answerId=" + getAnswerId() +
             ", userId=" + getUserId() +
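Review bot: The added `evidences` and `comments` entries put user-entered free text into `toString()`, which is what reaches the log if the DTO is ever passed to a logger (not visible here, but common for request DTOs). That text is unbounded, may describe control gaps of the assessed service, and is written unescaped between single quotes, so embedded line breaks would carry into the log. Consider printing only a length, e.g. `", evidences.length=" + (getEvidences() == null ? 0 : getEvidences().length()) +`, and the same for `comments`. `QuestionnaireNonConformityDTO.toString()` prints `comments` the same way. `toString()` starts and ends outside this hunk.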
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireNonConformityDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireNonConformityDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..e5f8b1a0667145f72da2808b09d32c75b5331b0f
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnaireNonConformityDTO.java
@@ -0,0 +1,112 @@
+package com.medina.coc.backend.service.dto;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.QuestionnaireNonConformityDTO} entity.
+ */
+@ApiModel(description = "QuestionnaireNonConformityDTO entity.\n\n@author Diego Rosado")
+public class QuestionnaireNonConformityDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+
+	/**
+     * questionnaireName
+     */
+    @NotNull
+    @ApiModelProperty(value = "questionnaireName", required = true)
+    private String questionnaireName;
+    
+    /**
+     * tomId
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomId", required = true)
+    private Long tomId;
+    
+    /**
+     * comments
+     */
+    @NotNull
+    @ApiModelProperty(value = "comments", required = true)
+    private String comments;
+    
+    /**
+     * compliance
+     */
+    @NotNull
+    @ApiModelProperty(value = "compliance", required = true)
+    private String compliance;
+    
+
+    public String getQuestionnaireName() {
+        return questionnaireName;
+    }
+
+    public void setQuestionnaireName(String questionnaireName) {
+        this.questionnaireName = questionnaireName;
+    }
+    
+    public Long getTomId() {
+        return tomId;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+    
+    public String getComments() {
+        return comments;
+    }
+
+    public void setComments(String comments) {
+        this.comments = comments;
+    }
+    
+    public String getCompliance() {
+        return compliance;
+    }
+
+    public void setCompliance(String compliance) {
+        this.compliance = compliance;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof QuestionnaireNonConformityDTO)) {
+            return false;
+        }
+
+        QuestionnaireNonConformityDTO questionnaireDTO = (QuestionnaireNonConformityDTO) o;
+        if (this.questionnaireName == null) {
+            return false;
+        }
+        return Objects.equals(this.questionnaireName, questionnaireDTO.questionnaireName);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.questionnaireName);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "QuestionnaireNonConformityDTO{" +
+            "questionnaireName=" + getQuestionnaireName() +
+            ", tomId='" + getTomId() + "'" +
+            ", comments='" + getComments() + "'" +
+            ", compliance='" + getCompliance() + "'" +
+            "}";
+    }
+}
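Review bot: `equals` and `hashCode` key on `questionnaireName` alone, so two non-conformity entries for the same questionnaire but a different `tomId` compare equal and collapse to one element in a `Set` or as `Map` keys. If a questionnaire can carry more than one non-conformity (the `tomId` field suggests one per TOM), include it in both methods: `return Objects.equals(this.questionnaireName, questionnaireDTO.questionnaireName) && Objects.equals(this.tomId, questionnaireDTO.tomId);` and `return Objects.hash(this.questionnaireName, this.tomId);`. The early `return false` for a null name also makes an instance unequal to a distinct instance with identical fields, which deserves a one-line comment if it is intended.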
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnairePurposeDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnairePurposeDTO.java
deleted file mode 100755
index 398625291452feeb0c1aa996ad2152eba02630bf..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/QuestionnairePurposeDTO.java
+++ /dev/null
@@ -1,74 +0,0 @@
-package com.medina.coc.backend.service.dto;
-
-import java.io.Serializable;
-import java.util.Objects;
-
-import javax.validation.constraints.NotNull;
-
-import io.swagger.annotations.ApiModel;
-import io.swagger.annotations.ApiModelProperty;
-
-/**
- * A DTO for the {@link com.medina.coc.backend.domain.QuestionnairePurpose} entity.
- */
-@ApiModel(description = "QuestionnairePurpose entity.\n\n@author Diego Rosado")
-public class QuestionnairePurposeDTO implements Serializable {
-
-	private static final long serialVersionUID = 1L;
-	
-
-	private Long id;
-
-    /**
-     * purpose
-     */
-    @NotNull
-    @ApiModelProperty(value = "purpose", required = true)
-    private String purpose;
-
-    public Long getId() {
-        return id;
-    }
-
-    public void setId(Long id) {
-        this.id = id;
-    }
-
-    public String getPurpose() {
-        return purpose;
-    }
-
-    public void setPurpose(String purpose) {
-        this.purpose = purpose;
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) {
-            return true;
-        }
-        if (!(o instanceof QuestionnairePurposeDTO)) {
-            return false;
-        }
-
-        QuestionnairePurposeDTO questionnairePurposeDTO = (QuestionnairePurposeDTO) o;
-        if (this.id == null) {
-            return false;
-        }
-        return Objects.equals(this.id, questionnairePurposeDTO.id);
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(this.id);
-    }
-
-    // prettier-ignore
-    @Override
-    public String toString() {
-        return "QuestionnairePurposeDTO{" +
-            "id=" + getId() +
-            ", purpose='" + getPurpose() + "'" +
-            "}";
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/SecurityControlDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/SecurityControlDTO.java
index ff802498f40149c5b93e34a283c0241b58a347e4..e95299d8e9b46ae17c912f343049ed9f16063bc1 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/SecurityControlDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/SecurityControlDTO.java
@@ -44,20 +44,6 @@ public class SecurityControlDTO implements Serializable {
     @ApiModelProperty(value = "description", required = true)
     private String description;
 
-    /**
-     * guidance
-     */
-    @NotNull
-    @ApiModelProperty(value = "guidance", required = true)
-    private String guidance;
-
-    /**
-     * riskReductionWeight
-     */
-    @NotNull
-    @ApiModelProperty(value = "riskReductionWeight", required = true)
-    private Float riskReductionWeight;
-
     private SecurityControlCategoryDTO securityControlCategory;
 
     private Set<ResourceDTO> resources = new HashSet<>();
@@ -102,22 +88,6 @@ public class SecurityControlDTO implements Serializable {
         this.description = description;
     }
 
-    public String getGuidance() {
-        return guidance;
-    }
-
-    public void setGuidance(String guidance) {
-        this.guidance = guidance;
-    }
-
-    public Float getRiskReductionWeight() {
-        return riskReductionWeight;
-    }
-
-    public void setRiskReductionWeight(Float riskReductionWeight) {
-        this.riskReductionWeight = riskReductionWeight;
-    }
-
     public SecurityControlCategoryDTO getSecurityControlCategory() {
         return securityControlCategory;
     }
@@ -164,8 +134,6 @@ public class SecurityControlDTO implements Serializable {
             ", name='" + getName() + "'" +
             ", objective='" + getObjective() + "'" +
             ", description='" + getDescription() + "'" +
-            ", guidance='" + getGuidance() + "'" +
-            ", riskReductionWeight=" + getRiskReductionWeight() +
             ", securityControlCategory=" + getSecurityControlCategory() +
             ", resources=" + getResources() +
             "}";
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/TomDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/TomDTO.java
index d72e1349757bebddc39a2d2a556b4bee467d3a36..5dba7697448f6d2b220ce67fa685227cbf873114 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/TomDTO.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/TomDTO.java
@@ -57,6 +57,12 @@ public class TomDTO implements Serializable {
     @NotNull
     @ApiModelProperty(value = "type", required = true)
     private Type type;
+    
+    /**
+     * guidance
+     */
+    @ApiModelProperty(value = "guidance", required = false)
+    private String guidance;
 
     private SecurityControlDTO securityControl;
     
@@ -109,6 +115,14 @@ public class TomDTO implements Serializable {
     public void setType(Type type) {
         this.type = type;
     }
+    
+    public String getGuidance() {
+        return guidance;
+    }
+
+    public void setGuidance(String guidance) {
+        this.guidance = guidance;
+    }
 
     public SecurityControlDTO getSecurityControl() {
         return securityControl;
@@ -157,6 +171,7 @@ public class TomDTO implements Serializable {
             ", description='" + getDescription() + "'" +
             ", assuranceLevel='" + getAssuranceLevel() + "'" +
             ", type='" + getType() + "'" +
+            ", guidance='" + getGuidance() + "'" +
             ", securityControl=" + getSecurityControl() +
             "}";
     }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlCategoryFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlCategoryFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..673a67050b8287bacd7d749955a0733b1384ab5b
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlCategoryFullDTO.java
@@ -0,0 +1,145 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.SecurityControlCategoryDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.SecurityControlCategoryFullDTO} entity.
+ */
+@ApiModel(description = "SecurityControlCategoryFullDTO entity.")
+public class SecurityControlCategoryFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * securityControlCategoryId
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlCategoryId", required = true)
+    private Long securityControlCategoryId;
+
+    /**
+     * securityControlCategoryCode
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlCategoryCode", required = true)
+    private String securityControlCategoryCode;
+
+    /**
+     * securityControlCategoryName
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlCategoryName", required = true)
+    private String securityControlCategoryName;
+
+    /**
+     * securityControlCategoryDescription
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlCategoryDescription", required = true)
+    private String securityControlCategoryDescription;
+    
+    /**
+     * securityControlList
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlList", required = true)
+    private List<SecurityControlFullDTO> securityControlList;
+    
+    
+    /**
+     * Constructor
+     * @param securityControlCategoryDTO
+     */
+    public SecurityControlCategoryFullDTO(final SecurityControlCategoryDTO securityControlCategoryDTO) {
+    	securityControlCategoryId = securityControlCategoryDTO.getId();
+    	securityControlCategoryCode = securityControlCategoryDTO.getCode();
+    	securityControlCategoryName = securityControlCategoryDTO.getName();
+    	securityControlCategoryDescription = securityControlCategoryDTO.getDescription();
+    	
+    	securityControlList = new ArrayList<SecurityControlFullDTO>();
+	}
+    
+    
+
+    public Long getSecurityControlCategoryId() {
+        return securityControlCategoryId;
+    }
+
+    public void setSecurityControlCategoryId(Long securityControlCategoryId) {
+        this.securityControlCategoryId = securityControlCategoryId;
+    }
+
+    public String getSecurityControlCategoryCode() {
+        return securityControlCategoryCode;
+    }
+
+    public void setSecurityControlCategoryCode(String securityControlCategoryCode) {
+        this.securityControlCategoryCode = securityControlCategoryCode;
+    }
+
+    public String getSecurityControlCategoryName() {
+        return securityControlCategoryName;
+    }
+
+    public void setSecurityControlCategoryName(String securityControlCategoryName) {
+        this.securityControlCategoryName = securityControlCategoryName;
+    }
+
+    public String getSecurityControlCategoryDescription() {
+        return securityControlCategoryDescription;
+    }
+
+    public void setSecurityControlCategoryDescription(String securityControlCategoryDescription) {
+        this.securityControlCategoryDescription = securityControlCategoryDescription;
+    }
+    
+    public List<SecurityControlFullDTO> getSecurityControlList() {
+        return securityControlList == null ? new ArrayList<SecurityControlFullDTO>() : securityControlList;
+    }
+
+    public void setSecurityControlList(List<SecurityControlFullDTO> securityControlList) {
+        this.securityControlList = securityControlList == null ? new ArrayList<SecurityControlFullDTO>() : securityControlList;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SecurityControlCategoryFullDTO)) {
+            return false;
+        }
+
+        SecurityControlCategoryFullDTO securityControlCategoryFullDTO = (SecurityControlCategoryFullDTO) o;
+        if (this.securityControlCategoryId == null) {
+            return false;
+        }
+        return Objects.equals(this.securityControlCategoryId, securityControlCategoryFullDTO.securityControlCategoryId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.securityControlCategoryId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SecurityControlCategoryFullDTO{" +
+            "securityControlCategoryId=" + getSecurityControlCategoryId() +
+            ", securityControlCategoryCode='" + getSecurityControlCategoryCode() + "'" +
+            ", securityControlCategoryName='" + getSecurityControlCategoryName() + "'" +
+            ", securityControlCategoryDescription='" + getSecurityControlCategoryDescription() + "'" +
+            "}";
+    }
+}
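Review bot: `getSecurityControlList()` returns a fresh `ArrayList` when the field is null, so anything a caller adds to that result is silently dropped. The constructor and the setter already keep the field non-null, so the getter can be `return securityControlList;`, or it can assign the fallback to the field before returning it if null must be tolerated. The same getter pattern appears in `SecurityControlFrameworkFullDTO` (`getSecurityControlCategoryList`, `getSecurityMetricList`) and `SecurityControlFullDTO` (`getSimilarControlList`, `getTomList`).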
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFrameworkFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFrameworkFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..9d5540bed5e4a9cad760f0d499404b2d858b6bba
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFrameworkFullDTO.java
@@ -0,0 +1,162 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.request.SecurityControlFrameworkFull} entity.
+ */
+@ApiModel(description = "SecurityControlFramework entity.\n\n@author Diego Rosado")
+public class SecurityControlFrameworkFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * securityControlFrameworkId
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlFrameworkId", required = true)
+    private Long securityControlFrameworkId;
+
+    /**
+     * securityControlFrameworkName
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlFrameworkName", required = true)
+    private String securityControlFrameworkName;
+
+    /**
+     * securityControlFrameworkDescription
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlFrameworkDescription", required = true)
+    private String securityControlFrameworkDescription;
+
+    /**
+     * securityControlFrameworkVersion
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlFrameworkVersion", required = true)
+    private String securityControlFrameworkVersion;
+	
+	/**
+     * securityControlCategoryList
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlCategoryList", required = true)
+    private List<SecurityControlCategoryFullDTO> securityControlCategoryList;
+	
+	/**
+     * securityMetricList
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityMetricList", required = true)
+    private List<SecurityMetricFullDTO> securityMetricList;
+	
+	
+	
+	/**
+	 * Constructor
+	 * @param securityControlFrameworkDTO
+	 */
+	public SecurityControlFrameworkFullDTO(final SecurityControlFrameworkDTO securityControlFrameworkDTO) {
+		securityControlFrameworkId = securityControlFrameworkDTO.getId();
+		securityControlFrameworkName = securityControlFrameworkDTO.getName();
+		securityControlFrameworkDescription = securityControlFrameworkDTO.getDescription();
+		securityControlFrameworkVersion = securityControlFrameworkDTO.getVersion();
+		
+		securityControlCategoryList = new ArrayList<SecurityControlCategoryFullDTO>();
+		securityMetricList = new ArrayList<SecurityMetricFullDTO>();
+	}
+
+	
+	
+	public Long getSecurityControlFrameworkId() {
+        return this.securityControlFrameworkId;
+    }
+
+    public void setSecurityControlFrameworkId(Long securityControlFrameworkId) {
+        this.securityControlFrameworkId = securityControlFrameworkId;
+    }
+
+    public String getSecurityControlFrameworkName() {
+        return this.securityControlFrameworkName;
+    }
+
+    public void setSecurityControlFrameworkName(String securityControlFrameworkName) {
+        this.securityControlFrameworkName = securityControlFrameworkName;
+    }
+
+    public String getSecurityControlFrameworkDescription() {
+        return this.securityControlFrameworkDescription;
+    }
+
+    public void setSecurityControlFrameworkDescription(String securityControlFrameworkDescription) {
+        this.securityControlFrameworkDescription = securityControlFrameworkDescription;
+    }
+
+    public String getSecurityControlFrameworkVersion() {
+        return this.securityControlFrameworkVersion;
+    }
+
+    public void setSecurityControlFrameworkVersion(String securityControlFrameworkVersion) {
+        this.securityControlFrameworkVersion = securityControlFrameworkVersion;
+    }
+    
+    public List<SecurityControlCategoryFullDTO> getSecurityControlCategoryList() {
+    	return securityControlCategoryList == null ? new ArrayList<SecurityControlCategoryFullDTO>() : securityControlCategoryList;
+    }
+
+    public void setSecurityControlCategoryList(List<SecurityControlCategoryFullDTO> securityControlCategoryList) {
+        this.securityControlCategoryList = securityControlCategoryList == null ? new ArrayList<SecurityControlCategoryFullDTO>() : securityControlCategoryList;
+    }
+    
+    public List<SecurityMetricFullDTO> getSecurityMetricList() {
+        return securityMetricList == null ? new ArrayList<SecurityMetricFullDTO>() : securityMetricList;
+    }
+
+    public void setSecurityMetricList(List<SecurityMetricFullDTO> securityMetricList) {
+        this.securityMetricList = securityMetricList == null ? new ArrayList<SecurityMetricFullDTO>() : securityMetricList;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SecurityControlFrameworkFullDTO)) {
+            return false;
+        }
+
+        SecurityControlFrameworkFullDTO securityControlFrameworkFullDTO = (SecurityControlFrameworkFullDTO) o;
+        if (this.securityControlFrameworkId == null) {
+            return false;
+        }
+        return Objects.equals(this.securityControlFrameworkId, securityControlFrameworkFullDTO.securityControlFrameworkId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.securityControlFrameworkId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SecurityControlFrameworkFullDTO{" +
+            "securityControlFrameworkId=" + getSecurityControlFrameworkId() +
+            ", securityControlFrameworkName='" + getSecurityControlFrameworkName() + "'" +
+            ", securityControlFrameworkDescription='" + getSecurityControlFrameworkDescription() + "'" +
+            ", securityControlFrameworkVersion='" + getSecurityControlFrameworkVersion() + "'" +
+            "}";
+    }
+}
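Review bot: The only constructor takes a `SecurityControlFrameworkDTO` and dereferences it unchecked, and the class has no no-argument constructor. A null argument fails with a bare NullPointerException at the first getter call; `Objects.requireNonNull(securityControlFrameworkDTO, "securityControlFrameworkDTO");` as the first statement names the cause (`Objects` is already imported). If this type is also meant to be bound from a request body, as the `dto.request` package and the `@NotNull` annotations suggest, the JSON mapper will need a no-argument constructor or an explicit creator; if it is response-only, the validation annotations have no effect and could be dropped. `SecurityControlCategoryFullDTO` and `SecurityControlFullDTO` have the same shape.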
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..01e0fd3d0e3627b7cafb192cbd1ee5c3ab219332
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityControlFullDTO.java
@@ -0,0 +1,178 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.SecurityControlDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.SecurityControlFullDTO} entity.
+ */
+@ApiModel(description = "SecurityControl entity.")
+public class SecurityControlFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * securityControlId
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityControlId", required = true)
+    private Long securityControlId;
+
+    /**
+     * securityControlCode
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlCode", required = true)
+    private String securityControlCode;
+
+    /**
+     * securityControlName
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlName", required = true)
+    private String securityControlName;
+
+    /**
+     * securityControlObjective
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlObjective", required = true)
+    private String securityControlObjective;
+
+    /**
+     * securityControlDescription
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityControlDescription", required = true)
+    private String securityControlDescription;
+    
+    /**
+     * similarControlList
+     */
+	@NotNull
+    @ApiModelProperty(value = "similarControlList", required = true)
+    private List<SimilarControlFullDTO> similarControlList;
+    
+    /**
+     * tomList
+     */
+	@NotNull
+    @ApiModelProperty(value = "tomList", required = true)
+    private List<TomFullDTO> tomList;
+    
+    
+    /**
+     * Constructor
+     * @param securityControlDTO
+     */
+    public SecurityControlFullDTO(final SecurityControlDTO securityControlDTO) {
+    	securityControlId = securityControlDTO.getId();
+    	securityControlCode = securityControlDTO.getCode();
+    	securityControlName = securityControlDTO.getName();
+    	securityControlObjective = securityControlDTO.getObjective();
+    	securityControlDescription = securityControlDTO.getDescription();
+    	
+    	similarControlList = new ArrayList<SimilarControlFullDTO>();
+    	tomList = new ArrayList<TomFullDTO>();
+	}
+    
+    
+
+    public Long getSecurityControlId() {
+        return securityControlId;
+    }
+
+    public void setSecurityControlId(Long securityControlId) {
+        this.securityControlId = securityControlId;
+    }
+
+    public String getSecurityControlCode() {
+        return securityControlCode;
+    }
+
+    public void setSecurityControlCode(String securityControlCode) {
+        this.securityControlCode = securityControlCode;
+    }
+
+    public String getSecurityControlName() {
+        return securityControlName;
+    }
+
+    public void setSecurityControlName(String securityControlName) {
+        this.securityControlName = securityControlName;
+    }
+
+    public String getSecurityControlObjective() {
+        return securityControlObjective;
+    }
+
+    public void setSecurityControlObjective(String securityControlObjective) {
+        this.securityControlObjective = securityControlObjective;
+    }
+
+    public String getSecurityControlDescription() {
+        return securityControlDescription;
+    }
+
+    public void setSecurityControlDescription(String securityControlDescription) {
+        this.securityControlDescription = securityControlDescription;
+    }
+    
+    public List<SimilarControlFullDTO> getSimilarControlList() {
+        return similarControlList == null ? new ArrayList<SimilarControlFullDTO>() : similarControlList;
+    }
+
+    public void setSimilarControlList(List<SimilarControlFullDTO> similarControlList) {
+        this.similarControlList = similarControlList == null ? new ArrayList<SimilarControlFullDTO>() : similarControlList;
+    }
+    
+    public List<TomFullDTO> getTomList() {
+        return tomList == null ? new ArrayList<TomFullDTO>() : tomList;
+    }
+
+    public void setTomList(List<TomFullDTO> tomList) {
+        this.tomList = tomList == null ? new ArrayList<TomFullDTO>() : tomList;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SecurityControlFullDTO)) {
+            return false;
+        }
+
+        SecurityControlFullDTO securityControlFullDTO = (SecurityControlFullDTO) o;
+        if (this.securityControlId == null) {
+            return false;
+        }
+        return Objects.equals(this.securityControlId, securityControlFullDTO.securityControlId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.securityControlId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SecurityControlFullDTO{" +
+            "securityControlId=" + getSecurityControlId() +
+            ", securityControlCode='" + getSecurityControlCode() + "'" +
+            ", securityControlName='" + getSecurityControlName() + "'" +
+            ", securityControlObjective='" + getSecurityControlObjective() + "'" +
+            ", securityControlDescription='" + getSecurityControlDescription() + "'" +
+            "}";
+    }
+}
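Review bot: The class Javadoc links to `com.medina.coc.backend.domain.SecurityControlFullDTO`, which reads like the DTO's own name pasted into the domain package; if no such class exists the `{@link}` is broken, and either way the comment says nothing about what the type holds. Something like `/** Security control with its similar controls and TOMs attached, built from a {@link SecurityControlDTO}. */` describes what the constructor and fields show. The headers of `QuestionnaireNonConformityDTO` and `SecurityControlCategoryFullDTO` follow the same pattern.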
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityMetricFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityMetricFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..08229c6f8870580da8b66b1d7e6100a7fb7f50a9
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SecurityMetricFullDTO.java
@@ -0,0 +1,311 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.SecurityMetricDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.SecurityMetricFullDTO} entity.
+ */
+@ApiModel(description = "SecurityMetricFullDTO entity.")
+public class SecurityMetricFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * securityMetricId
+     */
+	@NotNull
+    @ApiModelProperty(value = "securityMetricId", required = true)
+    private Long securityMetricId;
+
+    /**
+     * securityMetricMetricId
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricMetricId", required = true)
+    private String securityMetricMetricId;
+
+    /**
+     * securityMetricCategory
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricCategory", required = true)
+    private String securityMetricCategory;
+    
+    /**
+     * securityMetricName
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricName", required = true)
+    private String securityMetricName;
+    
+    /**
+     * securityMetricSource
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricSource", required = true)
+    private String securityMetricSource;
+    
+    /**
+     * securityMetricDescription
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricDescription", required = true)
+    private String securityMetricDescription;
+    
+    /**
+     * securityMetricScale
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricScale", required = true)
+    private String securityMetricScale;
+    
+    /**
+     * securityMetricOperator
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricOperator", required = true)
+    private String securityMetricOperator;
+    
+    /**
+     * securityMetricTargetValue
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricTargetValue", required = true)
+    private String securityMetricTargetValue;
+    
+    /**
+     * securityMetricTargetValueDatatype
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricTargetValueDatatype", required = true)
+    private String securityMetricTargetValueDatatype;
+    
+    /**
+     * securityMetricInterval
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricInterval", required = true)
+    private String securityMetricInterval;
+    
+    /**
+     * securityMetricTargetResourceType
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricTargetResourceType", required = true)
+    private String securityMetricTargetResourceType;
+    
+    /**
+     * securityMetricSecurityFeature
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricSecurityFeature", required = true)
+    private String securityMetricSecurityFeature;
+    
+    /**
+     * securityMetricKeywords
+     */
+    @NotNull
+    @ApiModelProperty(value = "securityMetricKeywords", required = true)
+    private String securityMetricKeywords;
+    
+    /**
+     * relatedTom
+     */
+    @NotNull
+    @ApiModelProperty(value = "relatedTom", required = true)
+    private TomFullDTO relatedTom;
+    
+    
+    /**
+     * Constructor
+     * @param securityMetricDTO
+     */
+    public SecurityMetricFullDTO(final SecurityMetricDTO securityMetricDTO) {
+    	securityMetricId = securityMetricDTO.getId();
+    	securityMetricMetricId = securityMetricDTO.getMetricId();
+    	securityMetricCategory = securityMetricDTO.getCategory();
+    	securityMetricName = securityMetricDTO.getName();
+    	securityMetricSource = securityMetricDTO.getSource();
+    	securityMetricDescription = securityMetricDTO.getDescription();
+    	securityMetricScale = securityMetricDTO.getScale();
+    	securityMetricOperator = securityMetricDTO.getOperator();
+    	securityMetricTargetValue = securityMetricDTO.getTargetValue();
+    	securityMetricTargetValueDatatype = securityMetricDTO.getTargetValueDatatype();
+    	securityMetricInterval = securityMetricDTO.getInterval();
+    	securityMetricTargetResourceType = securityMetricDTO.getTargetResourceType();
+    	securityMetricSecurityFeature = securityMetricDTO.getSecurityFeature();
+    	securityMetricKeywords = securityMetricDTO.getKeywords();
+	}
+    
+    
+
+    public Long getSecurityMetricId() {
+        return securityMetricId;
+    }
+
+    public void setSecurityMetricId(Long securityMetricId) {
+        this.securityMetricId = securityMetricId;
+    }
+
+    public String getSecurityMetricMetricId() {
+        return securityMetricMetricId;
+    }
+
+    public void setSecurityMetricMetricId(String securityMetricMetricId) {
+        this.securityMetricMetricId = securityMetricMetricId;
+    }
+
+    public String getSecurityMetricCategory() {
+        return securityMetricCategory;
+    }
+
+    public void setSecurityMetricCategory(String securityMetricCategory) {
+        this.securityMetricCategory = securityMetricCategory;
+    }
+    
+    public String getSecurityMetricName() {
+        return securityMetricName;
+    }
+
+    public void setSecurityMetricName(String securityMetricName) {
+        this.securityMetricName = securityMetricName;
+    }
+    
+    public String getSecurityMetricSource() {
+        return securityMetricSource;
+    }
+
+    public void setSecurityMetricSource(String securityMetricSource) {
+        this.securityMetricSource = securityMetricSource;
+    }
+    
+    public String getSecurityMetricDescription() {
+        return securityMetricDescription;
+    }
+
+    public void setSecurityMetricDescription(String securityMetricDescription) {
+        this.securityMetricDescription = securityMetricDescription;
+    }
+    
+    public String getSecurityMetricScale() {
+        return securityMetricScale;
+    }
+
+    public void setSecurityMetricScale(String securityMetricScale) {
+        this.securityMetricScale = securityMetricScale;
+    }
+    
+    public String getSecurityMetricOperator() {
+        return securityMetricOperator;
+    }
+
+    public void setSecurityMetricOperator(String securityMetricOperator) {
+        this.securityMetricOperator = securityMetricOperator;
+    }
+    
+    public String getSecurityMetricTargetValue() {
+        return securityMetricTargetValue;
+    }
+
+    public void setSecurityMetricTargetValue(String securityMetricTargetValue) {
+        this.securityMetricTargetValue = securityMetricTargetValue;
+    }
+    
+    public String getSecurityMetricTargetValueDatatype() {
+        return securityMetricTargetValueDatatype;
+    }
+
+    public void setSecurityMetricTargetValueDatatype(String securityMetricTargetValueDatatype) {
+        this.securityMetricTargetValueDatatype = securityMetricTargetValueDatatype;
+    }
+    
+    public String getSecurityMetricInterval() {
+        return securityMetricInterval;
+    }
+
+    public void setSecurityMetricInterval(String securityMetricInterval) {
+        this.securityMetricInterval = securityMetricInterval;
+    }
+    
+    public String getSecurityMetricTargetResourceType() {
+        return securityMetricTargetResourceType;
+    }
+
+    public void setSecurityMetricTargetResourceType(String securityMetricTargetResourceType) {
+        this.securityMetricTargetResourceType = securityMetricTargetResourceType;
+    }
+    
+    public String getSecurityMetricSecurityFeature() {
+        return securityMetricSecurityFeature;
+    }
+
+    public void setSecurityMetricSecurityFeature(String securityMetricSecurityFeature) {
+        this.securityMetricSecurityFeature = securityMetricSecurityFeature;
+    }
+    
+    public String getSecurityMetricKeywords() {
+        return securityMetricKeywords;
+    }
+
+    public void setSecurityMetricKeywords(String securityMetricKeywords) {
+        this.securityMetricKeywords = securityMetricKeywords;
+    }
+    
+    public TomFullDTO getRelatedTom() {
+        return relatedTom;
+    }
+
+    public void setRelatedTom(TomFullDTO relatedTom) {
+        this.relatedTom = relatedTom;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SecurityMetricFullDTO)) {
+            return false;
+        }
+
+        SecurityMetricFullDTO securityMetricFullDTO = (SecurityMetricFullDTO) o;
+        if (this.securityMetricId == null) {
+            return false;
+        }
+        return Objects.equals(this.securityMetricId, securityMetricFullDTO.securityMetricId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.securityMetricId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SecurityMetricFullDTO{" +
+            "securityMetricId=" + getSecurityMetricId() +
+            ", securityMetricMetricId='" + getSecurityMetricMetricId() + "'" +
+            ", securityMetricCategory='" + getSecurityMetricCategory() + "'" +
+            ", securityMetricName='" + getSecurityMetricName() + "'" +
+            ", securityMetricSource='" + getSecurityMetricSource() + "'" +
+            ", securityMetricDescription='" + getSecurityMetricDescription() + "'" +
+            ", securityMetricScale='" + getSecurityMetricScale() + "'" +
+            ", securityMetricOperator='" + getSecurityMetricOperator() + "'" +
+            ", securityMetricTargetValue='" + getSecurityMetricTargetValue() + "'" +
+            ", securityMetricTargetValueDatatype='" + getSecurityMetricTargetValueDatatype() + "'" +
+            ", securityMetricInterval='" + getSecurityMetricInterval() + "'" +
+            ", securityMetricTargetResourceType='" + getSecurityMetricTargetResourceType() + "'" +
+            ", securityMetricSecurityFeature='" + getSecurityMetricSecurityFeature() + "'" +
+            ", securityMetricKeywords='" + getSecurityMetricKeywords() + "'" +
+            "}";
+    }
+}
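Review bot: The constructor never assigns `relatedTom`, although the field is declared `@NotNull` with `required = true`, so every instance built from a `SecurityMetricDTO` holds a null `relatedTom` until `setRelatedTom` is called. Either pass the TOM in as well or document on the constructor that the caller must set it afterwards, e.g. `@param securityMetricDTO source metric; relatedTom is left null and must be set by the caller`. The constructor also dereferences `securityMetricDTO` without a check; `Objects.requireNonNull(securityMetricDTO, "securityMetricDTO");` as its first statement would fail with a clear message. The class Javadoc links to `com.medina.coc.backend.domain.SecurityMetricFullDTO`, which looks like the DTO's own name pasted in place of the entity, so the link target should be verified.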
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SimilarControlFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SimilarControlFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..73351d102d700bdc3795d86256ef76306d1972a1
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/SimilarControlFullDTO.java
@@ -0,0 +1,127 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.SimilarControlDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.SimilarControl} entity.
+ */
+@ApiModel(description = "SimilarControlFullDTO entity.")
+public class SimilarControlFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * similarControlId
+     */
+	@NotNull
+    @ApiModelProperty(value = "similarControlId", required = true)
+    private Long similarControlId;
+
+    /**
+     * similarControlCode
+     */
+    @NotNull
+    @ApiModelProperty(value = "similarControlCode", required = true)
+    private String similarControlCode;
+
+    /**
+     * similarControlName
+     */
+    @NotNull
+    @ApiModelProperty(value = "similarControlName", required = true)
+    private String similarControlName;
+
+    /**
+     * similarControlecurityControlFrameworkName
+     */
+    @NotNull
+    @ApiModelProperty(value = "similarControlecurityControlFrameworkName", required = true)
+    private String similarControlSecurityControlFrameworkName;
+
+
+
+    /**
+     * Constructor
+     * @param similarControlDTO
+     */
+    public SimilarControlFullDTO(final SimilarControlDTO similarControlDTO) {
+    	similarControlId = similarControlDTO.getId();
+    	similarControlCode = similarControlDTO.getCode();
+    	similarControlName = similarControlDTO.getName();
+    	similarControlSecurityControlFrameworkName = similarControlDTO.getSecurityControlFrameworkName();
+	}
+    
+    
+    
+    public Long getSimilarControlId() {
+        return similarControlId;
+    }
+
+    public void setSimilarControlId(Long similarControlId) {
+        this.similarControlId = similarControlId;
+    }
+
+    public String getSimilarControlCode() {
+        return similarControlCode;
+    }
+
+    public void setSimilarControlCode(String similarControlCode) {
+        this.similarControlCode = similarControlCode;
+    }
+
+    public String getSimilarControlName() {
+        return similarControlName;
+    }
+
+    public void setSimilarControlName(String similarControlName) {
+        this.similarControlName = similarControlName;
+    }
+
+    public String getSimilarControlSecurityControlFrameworkName() {
+        return similarControlSecurityControlFrameworkName;
+    }
+
+    public void setSimilarControlSecurityControlFrameworkName(String similarControlSecurityControlFrameworkName) {
+        this.similarControlSecurityControlFrameworkName = similarControlSecurityControlFrameworkName;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof SimilarControlFullDTO)) {
+            return false;
+        }
+
+        SimilarControlFullDTO similarControlFullDTO = (SimilarControlFullDTO) o;
+        if (this.similarControlId == null) {
+            return false;
+        }
+        return Objects.equals(this.similarControlId, similarControlFullDTO.similarControlId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.similarControlId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "SimilarControlFullDTO{" +
+            "similarControlId=" + getSimilarControlId() +
+            ", similarControlCode='" + getSimilarControlCode() + "'" +
+            ", similarControlName='" + getSimilarControlName() + "'" +
+            ", similarControlSecurityControlFrameworkName='" + getSimilarControlSecurityControlFrameworkName() + "'" +
+            "}";
+    }
+}
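Review bot: The description of the framework-name field is misspelled in both its Javadoc and its annotation: `similarControlecurityControlFrameworkName` drops the `S` that the field and its accessors carry, so the generated API documentation shows a name that matches no property. It should read `@ApiModelProperty(value = "similarControlSecurityControlFrameworkName", required = true)`, with the Javadoc line corrected the same way. The only constructor takes a `SimilarControlDTO` and dereferences it unchecked; `Objects.requireNonNull(similarControlDTO, "similarControlDTO");` as the first statement would make a null argument fail with a clear message.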
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/TomFullDTO.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/TomFullDTO.java
new file mode 100644
index 0000000000000000000000000000000000000000..f3fb539e5bb1b0a9273db2393003994633e3d64f
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/dto/request/TomFullDTO.java
@@ -0,0 +1,156 @@
+package com.medina.coc.backend.service.dto.request;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+import javax.validation.constraints.NotNull;
+
+import com.medina.coc.backend.service.dto.TomDTO;
+
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+
+/**
+ * A DTO for the {@link com.medina.coc.backend.domain.TomFullDTO} entity.
+ */
+@ApiModel(description = "Tom entity.")
+public class TomFullDTO implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+	
+	/**
+     * tomId
+     */
+	@NotNull
+    @ApiModelProperty(value = "tomId", required = true)
+    private Long tomId;
+
+    /**
+     * tomCode
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomCode", required = true)
+    private String tomCode;
+
+    /**
+     * tomName
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomName", required = true)
+    private String tomName;
+
+    /**
+     * tomDescription
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomDescription", required = true)
+    private String tomDescription;
+    
+    /**
+     * tomAssuranceLevel
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomAssuranceLevel", required = true)
+    private String tomAssuranceLevel;
+    
+    /**
+     * tomType
+     */
+    @NotNull
+    @ApiModelProperty(value = "tomType", required = true)
+    private String tomType;
+    
+    
+    public TomFullDTO(final TomDTO tomDTO) {
+    	tomId = tomDTO.getId();
+    	tomCode = tomDTO.getCode();
+    	tomName = tomDTO.getName();
+    	tomDescription = tomDTO.getDescription();
+    	tomAssuranceLevel = tomDTO.getAssuranceLevel().getValue();
+    	tomType = tomDTO.getType().getValue();
+	}
+    
+    
+
+    public Long getTomId() {
+        return tomId;
+    }
+
+    public void setTomId(Long tomId) {
+        this.tomId = tomId;
+    }
+
+    public String getTomCode() {
+        return tomCode;
+    }
+
+    public void setTomCode(String tomCode) {
+        this.tomCode = tomCode;
+    }
+
+    public String getTomName() {
+        return tomName;
+    }
+
+    public void setTomName(String tomName) {
+        this.tomName = tomName;
+    }
+
+    public String getTomDescription() {
+        return tomDescription;
+    }
+
+    public void setTomDescription(String tomDescription) {
+        this.tomDescription = tomDescription;
+    }
+    
+    public String getTomAssuranceLevel() {
+        return tomAssuranceLevel;
+    }
+
+    public void setTomAssuranceLevel(String tomAssuranceLevel) {
+        this.tomAssuranceLevel = tomAssuranceLevel;
+    }
+    
+    public String getTomType() {
+        return tomType;
+    }
+
+    public void setTomType(String tomType) {
+        this.tomType = tomType;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof TomFullDTO)) {
+            return false;
+        }
+
+        TomFullDTO tomFullDTO = (TomFullDTO) o;
+        if (this.tomId == null) {
+            return false;
+        }
+        return Objects.equals(this.tomId, tomFullDTO.tomId);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(this.tomId);
+    }
+
+    // prettier-ignore
+    @Override
+    public String toString() {
+        return "TomFullDTO{" +
+            "tomId=" + getTomId() +
+            ", tomCode='" + getTomCode() + "'" +
+            ", tomName='" + getTomName() + "'" +
+            ", tomDescription='" + getTomDescription() + "'" +
+            ", tomAssuranceLevel='" + getTomAssuranceLevel() + "'" +
+            ", tomType='" + getTomType() + "'" +
+            "}";
+    }
+}
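Review bot: The constructor calls `tomDTO.getAssuranceLevel().getValue()` and `tomDTO.getType().getValue()` without checking the intermediate object, so a TOM that has no assurance level or type makes the whole DTO construction throw a NullPointerException. Whether `TomDTO` guarantees both are set is not visible in this hunk; if it does not, guard each one, e.g. `tomAssuranceLevel = tomDTO.getAssuranceLevel() == null ? null : tomDTO.getAssuranceLevel().getValue();` and the same for `tomType`. This is also the only constructor among the new DTOs without Javadoc, and the class Javadoc links to `com.medina.coc.backend.domain.TomFullDTO`, which looks like it should name the entity instead.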
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/AuditLogServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/AuditLogServiceImpl.java
new file mode 100644
index 0000000000000000000000000000000000000000..ca4752f8b0b95b5ff08f2bf60e5fbcbb6603e520
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/AuditLogServiceImpl.java
@@ -0,0 +1,58 @@
+package com.medina.coc.backend.service.impl;
+
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.backend.domain.AuditLog;
+import com.medina.coc.backend.repository.AuditLogRepository;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.mapper.AuditLogMapper;
+
+/**
+ * Service Implementation for managing {@link AuditLog}.
+ */
+@Service
+@Transactional
+public class AuditLogServiceImpl implements AuditLogService {
+
+    private final Logger log = LoggerFactory.getLogger(AuditLogServiceImpl.class);
+
+    private final AuditLogRepository auditLogRepository;
+
+    private final AuditLogMapper auditLogMapper;
+
+    public AuditLogServiceImpl(AuditLogRepository auditLogRepository, AuditLogMapper auditLogMapper) {
+        this.auditLogRepository = auditLogRepository;
+        this.auditLogMapper = auditLogMapper;
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public List<AuditLogDTO> findAll() {
+        log.debug("Request to get all AuditLogs");
+        return auditLogRepository.findAllAuditLogs().stream().map(auditLogMapper::toDto).collect(Collectors.toCollection(LinkedList::new));
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public Optional<AuditLogDTO> findOne(Long id) {
+        log.debug("Request to get AuditLog : {}", id);
+        return auditLogRepository.findById(id).map(auditLogMapper::toDto);
+    }
+    
+    @Override
+    public AuditLogDTO save(AuditLogDTO auditLogDTO) {
+        log.debug("Request to save AuditLog : {}", auditLogDTO);
+        AuditLog auditLog = auditLogMapper.toEntity(auditLogDTO);
+        auditLog = auditLogRepository.save(auditLog);
+        return auditLogMapper.toDto(auditLog);
+    }
+}
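Review bot: `save` passes whatever the mapper produces to `auditLogRepository.save`, and with Spring Data that call updates the existing row when the entity carries an identifier, so an audit entry could be overwritten instead of appended. If `AuditLogDTO` exposes an id (not visible in this hunk), reject or clear it before mapping so this service can only insert, and record the rule in a comment such as `// audit entries are append-only: never update an existing row`. `save` also writes the full `auditLogDTO` to the debug log, so its `toString` should be checked for anything that must not reach application logs. `findAll` loads every audit row into one list, which grows without bound as the trail accumulates; a paged variant would be safer.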
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionServiceImpl.java
index a2d16d86ed4429b122238dc9e4a11f96746da589..d12e4a43e8641fc3db1a15c80cfa955deb0dadcd 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionServiceImpl.java
@@ -47,4 +47,11 @@ public class QuestionServiceImpl implements QuestionService {
         log.debug("Request to get Question : {}", id);
         return questionRepository.findById(id).map(questionMapper::toDto);
     }
+    
+    @Override
+    @Transactional(readOnly = true)
+    public int countQuestionsByAssuranceLevel(Long assuranceLevelId) {
+        log.debug("Request to count the Questions : {}");
+        return questionRepository.countQuestionsByAssuranceLevel(assuranceLevelId);
+    }
 }
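Review bot: `log.debug("Request to count the Questions : {}");` has a `{}` placeholder but no argument, so the log prints the literal braces and never records which assurance level was queried; it should be `log.debug("Request to count the Questions : {}", assuranceLevelId);`. The same placeholder-without-argument pattern appears in the new methods of QuestionnaireNonConformityServiceImpl (`save`, `update`, `deleteByQuestionnaireName`, `deleteByQuestionnaireNameAndTomIds`, `deleteByKeys`) and of QuestionnaireServiceImpl (`save`, `update`, `delete`, `deleteByName`), where the identifying argument such as `questionnaireName` or `name` should be passed. The enclosing class starts outside this hunk.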
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireNonConformityServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireNonConformityServiceImpl.java
new file mode 100644
index 0000000000000000000000000000000000000000..558f5013dfe3811a1d9e06aa5b016a6d544ec4ea
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireNonConformityServiceImpl.java
@@ -0,0 +1,79 @@
+package com.medina.coc.backend.service.impl;
+
+import java.util.LinkedList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.repository.QuestionnaireNonConformityRepository;
+import com.medina.coc.backend.service.QuestionnaireNonConformityService;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+import com.medina.coc.backend.service.mapper.QuestionnaireNonConformityMapper;
+
+/**
+ * Service Implementation for managing {@link QuestionnaireNonConformity}.
+ */
+@Service
+@Transactional
+public class QuestionnaireNonConformityServiceImpl implements QuestionnaireNonConformityService {
+
+    private final Logger log = LoggerFactory.getLogger(QuestionnaireNonConformityServiceImpl.class);
+
+    private final QuestionnaireNonConformityRepository questionnaireNonConformityRepository;
+
+    private final QuestionnaireNonConformityMapper questionnaireNonConformityMapper;
+
+    public QuestionnaireNonConformityServiceImpl(QuestionnaireNonConformityRepository questionnaireNonConformityRepository, QuestionnaireNonConformityMapper questionnaireNonConformityMapper) {
+        this.questionnaireNonConformityRepository = questionnaireNonConformityRepository;
+        this.questionnaireNonConformityMapper = questionnaireNonConformityMapper;
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public List<QuestionnaireNonConformityDTO> findAll() {
+        log.debug("Request to get all QuestionnaireNonConformities");
+        return questionnaireNonConformityRepository.findAll().stream().map(questionnaireNonConformityMapper::toDto).collect(Collectors.toCollection(LinkedList::new));
+    }
+
+    @Override
+    @Transactional(readOnly = true)
+    public List<QuestionnaireNonConformityDTO> findByQuestionnaireName(String questionnaireName) {
+        log.debug("Request to get QuestionnaireNonConformities : {}", questionnaireName);
+        return questionnaireNonConformityRepository.findQuestionnaireNonConformitiesByQuestionnaireName(questionnaireName).stream().map(questionnaireNonConformityMapper::toDto).collect(Collectors.toCollection(LinkedList::new));
+    }
+    
+    @Override
+    public List<QuestionnaireNonConformity> save(List<QuestionnaireNonConformity> questionnaireNonConformity) {
+        log.debug("Request to save QuestionnaireNonConformity : {}");
+       	return questionnaireNonConformityRepository.saveAll(questionnaireNonConformity);
+    }
+    
+    @Override
+    public void update(String questionnaireName, Long tomId, String comments, String compliance) {
+        log.debug("Request to update a QuestionnaireNonConformity : {}");
+       	questionnaireNonConformityRepository.updateQuestionnaireNonConformityByQuestionnaireNameAndTomId(questionnaireName, tomId, comments, compliance);
+    }
+    
+    @Override
+    public void deleteByQuestionnaireName(String questionnaireName) {
+        log.debug("Request to delete a QuestionnaireNonConformity : {}");
+       	questionnaireNonConformityRepository.deleteQuestionnaireNonConformityByQuestionnaireName(questionnaireName);
+    }
+    
+    @Override
+    public void deleteByQuestionnaireNameAndTomIds(String questionnaireName, List<Long> tomIds) {
+        log.debug("Request to delete QuestionnaireNonConformities : {}");
+       	questionnaireNonConformityRepository.deleteQuestionnaireNonConformityByQuestionnaireNameAndTomIds(questionnaireName, tomIds);
+    }
+    
+    @Override
+    public void deleteByKeys(String questionnaireName, Long tomId) {
+        log.debug("Request to delete a QuestionnaireNonConformity : {}");
+       	questionnaireNonConformityRepository.deleteQuestionnaireNonConformityByKeys(questionnaireName, tomId);
+    }
+}
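Review bot: `save` accepts and returns `QuestionnaireNonConformity` entities while `findAll` and `findByQuestionnaireName` go through the mapper to DTOs, so the write path passes caller-built entities straight to `saveAll`. If those lists originate from request bodies (the callers are not visible here), every persistent field, including the key, becomes client-settable; taking `List<QuestionnaireNonConformityDTO>` and mapping inside the service would keep the boundary consistent with the read methods. The `update` and `delete*` methods are keyed only on a caller-supplied `questionnaireName`, so the calling layer has to verify that the caller may modify that questionnaire. A Javadoc line on each, e.g. `/** Caller must have verified access to questionnaireName. */`, would record that contract.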
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnairePurposeServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnairePurposeServiceImpl.java
deleted file mode 100755
index 4ab2c7d0638da12b77804dc18b97f697b298bd8e..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnairePurposeServiceImpl.java
+++ /dev/null
@@ -1,50 +0,0 @@
-package com.medina.coc.backend.service.impl;
-
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-import java.util.stream.Collectors;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Service;
-import org.springframework.transaction.annotation.Transactional;
-
-import com.medina.coc.backend.domain.QuestionnairePurpose;
-import com.medina.coc.backend.repository.QuestionnairePurposeRepository;
-import com.medina.coc.backend.service.QuestionnairePurposeService;
-import com.medina.coc.backend.service.dto.QuestionnairePurposeDTO;
-import com.medina.coc.backend.service.mapper.QuestionnairePurposeMapper;
-
-/**
- * Service Implementation for managing {@link QuestionnairePurpose}.
- */
-@Service
-@Transactional
-public class QuestionnairePurposeServiceImpl implements QuestionnairePurposeService {
-
-    private final Logger log = LoggerFactory.getLogger(QuestionnairePurposeServiceImpl.class);
-
-    private final QuestionnairePurposeRepository questionnairePurposeRepository;
-
-    private final QuestionnairePurposeMapper questionnairePurposeMapper;
-
-    public QuestionnairePurposeServiceImpl(QuestionnairePurposeRepository questionnairePurposeRepository, QuestionnairePurposeMapper questionnairePurposeMapper) {
-        this.questionnairePurposeRepository = questionnairePurposeRepository;
-        this.questionnairePurposeMapper = questionnairePurposeMapper;
-    }
-
-    @Override
-    @Transactional(readOnly = true)
-    public List<QuestionnairePurposeDTO> findAll() {
-        log.debug("Request to get all QuestionnairePurposes");
-        return questionnairePurposeRepository.findAll().stream().map(questionnairePurposeMapper::toDto).collect(Collectors.toCollection(LinkedList::new));
-    }
-
-    @Override
-    @Transactional(readOnly = true)
-    public Optional<QuestionnairePurposeDTO> findOne(Long id) {
-        log.debug("Request to get QuestionnairePurpose : {}", id);
-        return questionnairePurposeRepository.findById(id).map(questionnairePurposeMapper::toDto);
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireServiceImpl.java
index 9a5bc4ab6dc3d90e601e67aeef15ec5263f5ee29..62beb58c4d5e859ef5832de07bd742ad95318a7e 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/QuestionnaireServiceImpl.java
@@ -1,5 +1,6 @@
 package com.medina.coc.backend.service.impl;
 
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Optional;
@@ -47,4 +48,32 @@ public class QuestionnaireServiceImpl implements QuestionnaireService {
         log.debug("Request to get Questionnaire : {}", id);
         return questionnaireRepository.findById(id).map(questionnaireMapper::toDto);
     }
+    
+    @Override
+    public List<Questionnaire> save(List<Questionnaire> questionnaire) {
+        log.debug("Request to save Questionnaire : {}");
+       	return questionnaireRepository.saveAll(questionnaire);
+    }
+    
+    @Override
+    public void update(Questionnaire questionnaire) {
+    	log.debug("Request to update Questionnaire : {}");
+    	questionnaireRepository.saveAndFlush(questionnaire);
+    }
+    
+    @Override
+    @Transactional
+    public void delete(Questionnaire questionnaire) {
+        log.debug("Request to delete a Questionnaire : {}");
+        List<Questionnaire> list = new ArrayList<Questionnaire>();
+        list.add(questionnaire);
+        questionnaireRepository.deleteAllInBatch(list);
+    }
+    
+    @Override
+    @Transactional
+    public void deleteByName(String name) {
+        log.debug("Request to delete a Questionnaire : {}");
+        questionnaireRepository.deleteQuestionnaireByName(name);
+    }
 }
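Review bot: `delete` wraps the entity in a list only to call `deleteAllInBatch(list)`, which issues a bulk delete that bypasses the persistence context, so entity lifecycle callbacks and any JPA cascade to dependent rows do not run. Unless the bulk form is intended, `questionnaireRepository.delete(questionnaire);` does the job without the temporary list and makes the `java.util.ArrayList` import added in the first hunk unnecessary. If the bulk form is deliberate, say so in a comment, e.g. `// bulk delete on purpose: dependent rows are removed separately`. The enclosing class starts outside this hunk, so whether the method-level `@Transactional` on `delete` and `deleteByName` repeats a class-level one cannot be confirmed here.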
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/ReferenceTomServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/ReferenceTomServiceImpl.java
index f7e954b7ccb77bffe8961975d0003c3ffabfa916..a1508b74cfad23f685fbcf29247d05b95531f4b0 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/ReferenceTomServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/ReferenceTomServiceImpl.java
@@ -68,10 +68,4 @@ public class ReferenceTomServiceImpl implements ReferenceTomService {
         log.debug("Request to get ReferenceTom : {}", id);
         return referenceTomRepository.findById(id).map(referenceTomMapper::toDto);
     }
-
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete ReferenceTom : {}", id);
-        referenceTomRepository.deleteById(id);
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlCategoryServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlCategoryServiceImpl.java
index 53dd717013ef536de498a37ce07892b658298d74..7e4b74148c27c68813a779496843e7365e9bebed 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlCategoryServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlCategoryServiceImpl.java
@@ -75,10 +75,4 @@ public class SecurityControlCategoryServiceImpl implements SecurityControlCatego
         log.debug("Request to get SecurityControlCategory : {}", id);
         return securityControlCategoryRepository.findById(id).map(securityControlCategoryMapper::toDto);
     }
-
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete SecurityControlCategory : {}", id);
-        securityControlCategoryRepository.deleteById(id);
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlFrameworkServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlFrameworkServiceImpl.java
index 498d7b8b7d05101a7e44e1351df11aceba6ca20d..cda36dd8755ea9a610c134f1007ef55f319776be 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlFrameworkServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlFrameworkServiceImpl.java
@@ -1,19 +1,21 @@
 package com.medina.coc.backend.service.impl;
 
-import com.medina.coc.backend.domain.SecurityControlFramework;
-import com.medina.coc.backend.repository.SecurityControlFrameworkRepository;
-import com.medina.coc.backend.service.SecurityControlFrameworkService;
-import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
-import com.medina.coc.backend.service.mapper.SecurityControlFrameworkMapper;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Optional;
 import java.util.stream.Collectors;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
+import com.medina.coc.backend.domain.SecurityControlFramework;
+import com.medina.coc.backend.repository.SecurityControlFrameworkRepository;
+import com.medina.coc.backend.service.SecurityControlFrameworkService;
+import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
+import com.medina.coc.backend.service.mapper.SecurityControlFrameworkMapper;
+
 /**
  * Service Implementation for managing {@link SecurityControlFramework}.
  */
@@ -76,12 +78,6 @@ public class SecurityControlFrameworkServiceImpl implements SecurityControlFrame
         return securityControlFrameworkRepository.findById(id).map(securityControlFrameworkMapper::toDto);
     }
 
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete SecurityControlFramework : {}", id);
-        securityControlFrameworkRepository.deleteById(id);
-    }
-
 	@Override
 	public Boolean frameworkHasRequirements(String frameworkName) {
         log.debug("Request to frameworkHasRequirements : {}", frameworkName);
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlServiceImpl.java
index a94f35f1a97b9fbfc1cf950e883ccdfabe66145b..2140d87f4d5b9f0c146edfdcf1c658d5bb2b05c9 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SecurityControlServiceImpl.java
@@ -78,10 +78,4 @@ public class SecurityControlServiceImpl implements SecurityControlService {
         log.debug("Request to get SecurityControl : {}", id);
         return securityControlRepository.findOneWithEagerRelationships(id).map(securityControlMapper::toDto);
     }
-
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete SecurityControl : {}", id);
-        securityControlRepository.deleteById(id);
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SimilarControlServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SimilarControlServiceImpl.java
index 0f41a56fde7d6795cffbcb2ab41f4f3eba4aff0b..c82822ca5cbfc40664c29e757a701eff5d371959 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SimilarControlServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/SimilarControlServiceImpl.java
@@ -72,10 +72,4 @@ public class SimilarControlServiceImpl implements SimilarControlService {
         log.debug("Request to get SimilarControl : {}", id);
         return similarControlRepository.findById(id).map(similarControlMapper::toDto);
     }
-
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete SimilarControl : {}", id);
-        similarControlRepository.deleteById(id);
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/TomServiceImpl.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/TomServiceImpl.java
index 8d2793b6b4ce65253f52d4bc151b6f6ca0a8ff78..6f697050dabd221107d84f671519dd682c98a53e 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/TomServiceImpl.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/impl/TomServiceImpl.java
@@ -69,12 +69,6 @@ public class TomServiceImpl implements TomService {
         return tomRepository.findById(id).map(tomMapper::toDto);
     }
 
-    @Override
-    public void delete(Long id) {
-        log.debug("Request to delete Tom : {}", id);
-        tomRepository.deleteById(id);
-    }
-
 	@Override
 	public List<TomDTO> getTomsByFrameworkNameAndAssurance(String frameworkName, String assuranceLevel) {
         log.debug("Request to get Tom with framework name : {}", frameworkName);
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/AuditLogMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/AuditLogMapper.java
new file mode 100644
index 0000000000000000000000000000000000000000..a36c2286ff82cf24388ee4581267d99eb923116c
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/AuditLogMapper.java
@@ -0,0 +1,29 @@
+package com.medina.coc.backend.service.mapper;
+
+import java.util.Set;
+
+import org.mapstruct.BeanMapping;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.Named;
+
+import com.medina.coc.backend.domain.AuditLog;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+
+/**
+ * Mapper for the entity {@link AuditLog} and its DTO {@link AuditLogDTO}.
+ */
+@Mapper(componentModel = "spring")
+public interface AuditLogMapper extends EntityMapper<AuditLogDTO, AuditLog> {
+	AuditLogDTO toDto(AuditLog s);
+
+    @Named("nameSet")
+    @BeanMapping(ignoreByDefault = true)
+    @Mapping(target = "id", source = "id")
+    @Mapping(target = "dateLog", source = "dateLog")
+    @Mapping(target = "user", source = "user")
+    @Mapping(target = "entity", source = "entity")
+    @Mapping(target = "target", source = "target")
+    @Mapping(target = "operation", source = "operation")
+    Set<AuditLogDTO> toDtoNameSet(Set<AuditLog> auditLog);
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionMapper.java
index f4f03996aa2f64e6341b4b882838ef42fd2923e2..9070d01960cd8255a18c748fc579af8f0e019e61 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionMapper.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionMapper.java
@@ -22,7 +22,8 @@ public interface QuestionMapper extends EntityMapper<QuestionDTO, Question> {
     @Mapping(target = "id", source = "id")
     @Mapping(target = "code", source = "code")
     @Mapping(target = "question", source = "question")
-    @Mapping(target = "evidence", source = "evidence")
+    @Mapping(target = "defaultEvidence", source = "defaultEvidence")
+    @Mapping(target = "defaultComment", source = "defaultComment")
     @Mapping(target = "assuranceLevelId", source = "assuranceLevelId")
     @Mapping(target = "controlId", source = "controlId")
     @Mapping(target = "tomId", source = "tomId")
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireMapper.java
index f66e28ebd5f91b7cfefbbaf131643342b5c24fc1..ebfdfe709d6e4b47811662bc44ddc275e28e3e04 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireMapper.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireMapper.java
@@ -15,8 +15,14 @@ public interface QuestionnaireMapper extends EntityMapper<QuestionnaireDTO, Ques
     @Named("nameSet")
     @BeanMapping(ignoreByDefault = true)
     @Mapping(target = "id", source = "id")
+    @Mapping(target = "name", source = "name")
+    @Mapping(target = "evidences", source = "evidences")
+    @Mapping(target = "comments", source = "comments")
+    @Mapping(target = "lastUpdate", source = "lastUpdate")
     @Mapping(target = "frameworkId", source = "frameworkId")
-    @Mapping(target = "purposeId", source = "purposeId")
+    @Mapping(target = "controlId", source = "controlId")
+    @Mapping(target = "tomId", source = "tomId")
+    @Mapping(target = "assuranceLevelId", source = "assuranceLevelId")
     @Mapping(target = "questionId", source = "questionId")
     @Mapping(target = "answerId", source = "answerId")
     @Mapping(target = "userId", source = "userId")
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireNonConformityMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireNonConformityMapper.java
new file mode 100644
index 0000000000000000000000000000000000000000..705d2a254759af674b7456d37b2ac5412bb04348
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnaireNonConformityMapper.java
@@ -0,0 +1,27 @@
+package com.medina.coc.backend.service.mapper;
+
+import java.util.Set;
+
+import org.mapstruct.BeanMapping;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.Named;
+
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+
+/**
+ * Mapper for the entity {@link QuestionnaireNonConformity} and its DTO {@link QuestionnaireNonConformityDTO}.
+ */
+@Mapper(componentModel = "spring")
+public interface QuestionnaireNonConformityMapper extends EntityMapper<QuestionnaireNonConformityDTO, QuestionnaireNonConformity> {
+	QuestionnaireNonConformityDTO toDto(QuestionnaireNonConformity s);
+
+    @Named("nameSet")
+    @BeanMapping(ignoreByDefault = true)
+    @Mapping(target = "questionnaireName", source = "questionnaireName")
+    @Mapping(target = "tomId", source = "tomId")
+    @Mapping(target = "comments", source = "comments")
+    @Mapping(target = "compliance", source = "compliance")
+    Set<QuestionnaireNonConformityDTO> toDtoNameSet(Set<QuestionnaireNonConformity> questionnaireNonConformity);
+}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnairePurposeMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnairePurposeMapper.java
deleted file mode 100755
index 355596130af1aa4ec8079ac76e58dddfb222841a..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/QuestionnairePurposeMapper.java
+++ /dev/null
@@ -1,25 +0,0 @@
-package com.medina.coc.backend.service.mapper;
-
-import java.util.Set;
-
-import org.mapstruct.BeanMapping;
-import org.mapstruct.Mapper;
-import org.mapstruct.Mapping;
-import org.mapstruct.Named;
-
-import com.medina.coc.backend.domain.QuestionnairePurpose;
-import com.medina.coc.backend.service.dto.QuestionnairePurposeDTO;
-
-/**
- * Mapper for the entity {@link QuestionnairePurpose} and its DTO {@link QuestionnairePurposeDTO}.
- */
-@Mapper(componentModel = "spring")
-public interface QuestionnairePurposeMapper extends EntityMapper<QuestionnairePurposeDTO, QuestionnairePurpose> {
-	QuestionnairePurposeDTO toDto(QuestionnairePurpose s);
-
-    @Named("nameSet")
-    @BeanMapping(ignoreByDefault = true)
-    @Mapping(target = "id", source = "id")
-    @Mapping(target = "purpose", source = "purpose")
-    Set<QuestionnairePurposeDTO> toDtoNameSet(Set<QuestionnairePurpose> questionnairePurpose);
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/SimilarControlMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/SimilarControlMapper.java
index cf732fc6add24703d627a23e1bfaa5efd8a5b2ae..cd29a7677f85f2681699b98f89f8e299b0b71800 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/SimilarControlMapper.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/SimilarControlMapper.java
@@ -1,8 +1,14 @@
 package com.medina.coc.backend.service.mapper;
 
-import com.medina.coc.backend.domain.*;
+import java.util.Set;
+
+import org.mapstruct.BeanMapping;
+import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
+import org.mapstruct.Named;
+
+import com.medina.coc.backend.domain.SimilarControl;
 import com.medina.coc.backend.service.dto.SimilarControlDTO;
-import org.mapstruct.*;
 
 /**
  * Mapper for the entity {@link SimilarControl} and its DTO {@link SimilarControlDTO}.
@@ -11,4 +17,10 @@ import org.mapstruct.*;
 public interface SimilarControlMapper extends EntityMapper<SimilarControlDTO, SimilarControl> {
     @Mapping(target = "securityControl", source = "securityControl", qualifiedByName = "name")
     SimilarControlDTO toDto(SimilarControl s);
+    
+    @Named("nameSet")
+    @BeanMapping(ignoreByDefault = true)
+    @Mapping(target = "id", source = "id")
+    @Mapping(target = "name", source = "name")
+    Set<SimilarControlDTO> toDtoNameSet(Set<SimilarControl> resource);
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/UserMapper.java b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/UserMapper.java
index a4f817ea4d70bddb0decfb63db17f11d81ac671c..48007aaabf5795e7369115397640adeee233e7d5 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/UserMapper.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/service/mapper/UserMapper.java
@@ -50,6 +50,7 @@ public class UserMapper {
             user.setFirstName(userDTO.getFirstName());
             user.setLastName(userDTO.getLastName());
             user.setEmail(userDTO.getEmail());
+            user.setCompany(userDTO.getCompany());
             user.setImageUrl(userDTO.getImageUrl());
             user.setActivated(userDTO.isActivated());
             user.setLangKey(userDTO.getLangKey());
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/util/JsonUtil.java b/git/cocBackend/src/main/java/com/medina/coc/backend/util/JsonUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..45ae259096ec704468ec474348e7df501086882f
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/util/JsonUtil.java
@@ -0,0 +1,69 @@
+package com.medina.coc.backend.util;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.json.JSONArray;
+import org.json.JSONObject;
+
+
+/**
+ * Utilities to manage JSON objects.
+ * @author Tecnalia
+ * @version 1.0
+ */
+public final class JsonUtil {
+
+	/**
+	 * Builds a JSON object from a source String.
+	 * @param sourceString The sourceString.
+	 * @return JSONObject
+	 */
+	public static JSONObject buildJSONObjectFromString(final String sourceString) {
+		if (!StringUtil.isNullOrEmpty(sourceString)) {
+			return new JSONObject(sourceString);
+		}
+		return null;
+	}
+	
+	
+	/**
+	 * Builds a String property from a JSON object.
+	 * @param json The JSON object.
+	 * @param property The property.
+	 * @return String
+	 */
+	public static String buildStringProperty(final JSONObject json, final String property) {
+		if (!json.isNull(property) &&
+				!StringUtil.isNullOrEmpty(json.get(property).toString()) &&
+				!json.get(property).toString().trim().equalsIgnoreCase("null")) {
+			return json.get(property).toString().trim();
+		}
+		return null;
+	}
+	
+	
+	/**
+	 * Builds an Array property from a JSON object.
+	 * @param json The JSON object.
+	 * @param property The property.
+	 * @return List
+	 */
+	public static List<String> buildArrayProperty(final JSONObject json, final String property) {
+		if (!json.isNull(property)) {
+			if (!StringUtil.isNullOrEmpty(json.get(property).toString()) &&
+					!json.get(property).toString().trim().equalsIgnoreCase("null")) {
+				final JSONArray jsonArray = (JSONArray)json.get(property); 
+				if (jsonArray != null) {
+					List<String> result = new ArrayList<String>();
+					for (int i = 0;i < jsonArray.length();i++){ 
+						result.add(jsonArray.get(i).toString().trim());
+					}
+					return result;
+				}
+				return null;
+			}
+		}
+		return null;
+	}
+}
\ No newline at end of file
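Review bot: `buildArrayProperty` casts `json.get(property)` straight to `JSONArray`, so a payload in which that property is a string or an object throws `ClassCastException` instead of returning null like the other branches. Replacing the cast and the string checks around it with `final JSONArray jsonArray = json.optJSONArray(property);` followed by `if (jsonArray == null) { return null; }` keeps the null contract for non-array values. `buildJSONObjectFromString` also lets the unchecked `JSONException` from `new JSONObject(sourceString)` escape on malformed input; its Javadoc should say so with `@throws JSONException if sourceString is not valid JSON`, because callers (outside this hunk) presumably pass it text they did not produce themselves.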
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/util/RestUtil.java b/git/cocBackend/src/main/java/com/medina/coc/backend/util/RestUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..8cd0547ea08399aa35b51c3f33b3d1d8695d8d6f
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/util/RestUtil.java
@@ -0,0 +1,44 @@
+package com.medina.coc.backend.util;
+
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
+import org.springframework.web.client.RestTemplate;
+
+
+/**
+ * Utilities to manage REST.
+ * @author Tecnalia
+ * @version 1.0
+ */
+public final class RestUtil {
+
+	/**
+	 * Creates a new RestTemplate object.
+	 * @return RestTemplate
+	 */
+	public static RestTemplate createRestTemplate() {
+		final SimpleClientHttpRequestFactory clientHttpRequestFactory = new SimpleClientHttpRequestFactory();
+		clientHttpRequestFactory.setConnectTimeout(4000);
+		clientHttpRequestFactory.setReadTimeout(4000);
+		return new RestTemplate(clientHttpRequestFactory);
+	}
+	
+	/**
+	 * Creates a new "long timeout" RestTemplate object.
+	 * @return RestTemplate
+	 */
+	public static RestTemplate createLongTimeoutRestTemplate() {
+		final SimpleClientHttpRequestFactory clientHttpRequestFactory = new SimpleClientHttpRequestFactory();
+		clientHttpRequestFactory.setConnectTimeout(20000);
+		clientHttpRequestFactory.setReadTimeout(20000);
+		return new RestTemplate(clientHttpRequestFactory);
+	}
+	
+	/**
+	 * Creates a new RestTemplate object with no timeout.
+	 * @return RestTemplate
+	 */
+	public static RestTemplate createNoTimeoutRestTemplate() {
+		final SimpleClientHttpRequestFactory clientHttpRequestFactory = new SimpleClientHttpRequestFactory();
+		return new RestTemplate(clientHttpRequestFactory);
+	}
+}
\ No newline at end of file
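Review bot: `createNoTimeoutRestTemplate` leaves both timeouts of `SimpleClientHttpRequestFactory` unset, so a remote endpoint that accepts the connection and then never answers holds the calling request thread for as long as it likes. A few such calls are enough to exhaust the servlet thread pool, which makes this an availability risk whenever the target is another service. Unless a caller really needs an unbounded wait, give this factory an explicit ceiling as the other two have, e.g. `clientHttpRequestFactory.setConnectTimeout(20000);` and `clientHttpRequestFactory.setReadTimeout(120000);` (the values are illustrative), and name in the Javadoc the call that needs the long wait.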
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/util/SSLUtil.java b/git/cocBackend/src/main/java/com/medina/coc/backend/util/SSLUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..74adcf5a2592fd3e4c89c53e4eaaf619043f2008
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/util/SSLUtil.java
@@ -0,0 +1,53 @@
+package com.medina.coc.backend.util;
+
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+
+/**
+ * Utilities to manage SSL connections.
+ * @author Tecnalia
+ * @version 1.0
+ */
+public final class SSLUtil {
+
+	/**
+	 * Disables the SSL verification.
+	 * @throws NoSuchAlgorithmException
+	 * @throws KeyManagementException
+	 */
+	public static void disableSslVerification() throws NoSuchAlgorithmException, KeyManagementException {
+		// Create a trust manager that does not validate certificate chains
+		TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
+				public X509Certificate[] getAcceptedIssuers() {
+					return null;
+				}
+				public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+				public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+			}
+		};
+
+		// Install the all-trusting trust manager
+		SSLContext context = SSLContext.getInstance("SSL");
+		context.init(null, trustAllCerts, new java.security.SecureRandom());
+		HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
+
+		// Create all-trusting host name verifier
+		HostnameVerifier allHostsValid = new HostnameVerifier() {
+			public boolean verify(String hostname, SSLSession session) {
+				return true;
+			}
+		};
+
+		// Install the all-trusting host verifier
+		HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
+	}
+}
\ No newline at end of file
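Review bot: `disableSslVerification` installs an accept-everything `X509TrustManager` and a `HostnameVerifier` that always returns true as the `HttpsURLConnection` defaults, which switches off server authentication for every HTTPS call made through that API in the whole JVM, not for one client; the `RestTemplate`s built by `RestUtil` in this same commit use `SimpleClientHttpRequestFactory` and would inherit it. Once it has run, a party on the network path can present any certificate and read or alter the traffic without the application noticing. If the peer uses a private CA or a self-signed certificate, trust that certificate explicitly through a truststore and leave hostname verification on, as sketched below; the callers of this method are not visible in this hunk and would need to switch to the new helper. The null return from `getAcceptedIssuers` and the legacy `"SSL"` context name disappear with the same change.

```java
public final class SSLUtil {

	/**
	 * Builds an SSLContext that trusts only the certificates in the given truststore.
	 * Hostname verification is left at the JDK default.
	 */
	public static SSLContext createContextFromTrustStore(final Path trustStorePath, final char[] password)
			throws GeneralSecurityException, IOException {
		final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
		try (InputStream in = Files.newInputStream(trustStorePath)) {
			trustStore.load(in, password);
		}
		final TrustManagerFactory tmf =
				TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(trustStore);
		final SSLContext context = SSLContext.getInstance("TLS");
		context.init(null, tmf.getTrustManagers(), null);
		return context;
	}
```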
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/util/SpiderWebPlotPatch.java b/git/cocBackend/src/main/java/com/medina/coc/backend/util/SpiderWebPlotPatch.java
new file mode 100644
index 0000000000000000000000000000000000000000..2db45b40f1ccdc4ce179a79d72fdc13a17003a14
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/util/SpiderWebPlotPatch.java
@@ -0,0 +1,145 @@
+package com.medina.coc.backend.util;
+
+import java.awt.AlphaComposite;
+import java.awt.Color;
+import java.awt.Composite;
+import java.awt.Graphics2D;
+import java.awt.font.FontRenderContext;
+import java.awt.font.LineMetrics;
+import java.awt.geom.AffineTransform;
+import java.awt.geom.Arc2D;
+import java.awt.geom.Line2D;
+import java.awt.geom.Point2D;
+import java.awt.geom.Rectangle2D;
+import java.text.NumberFormat;
+
+import org.jfree.chart.plot.SpiderWebPlot;
+import org.jfree.data.category.CategoryDataset;
+
+public class SpiderWebPlotPatch {
+
+    public SpiderWebPlot getPlot(CategoryDataset data) {
+    	
+        final SpiderWebPlot plot = new SpiderWebPlot(data) {
+			private static final long serialVersionUID = 1L;
+			
+			// put this many labels on each axis.
+            private int ticks = DEFAULT_TICKS;
+            private static final int DEFAULT_TICKS = 5;
+            private NumberFormat format = NumberFormat.getInstance();
+            
+            // constant for creating perpendicular tick marks.
+            private static final double PERPENDICULAR = 90;
+            
+            // the size of a tick mark, as a percentage of the entire line length.
+            private static final double TICK_SCALE = 0.015;
+            
+            // the gap between the axis line and the numeric label itself.
+            private int valueLabelGap = DEFAULT_GAP;
+            private static final int DEFAULT_GAP = 10;
+            
+            // the threshold used for determining if something is "on" the axis
+            private static final double THRESHOLD = 20;
+
+            
+            /**
+             * {@inheritDoc}
+             */
+            @Override
+            protected void drawLabel(final Graphics2D g2, final Rectangle2D plotArea, final double value, final int cat,
+                    final double startAngle, final double extent) {
+                super.drawLabel(g2, plotArea, value, cat, startAngle, extent);
+                final FontRenderContext frc = g2.getFontRenderContext();
+                final double[] transformed = new double[2];
+                final double[] transformer = new double[2];
+                final Arc2D arc1 = new Arc2D.Double(plotArea, startAngle, 0, Arc2D.OPEN);
+                for (int i = 1; i <= ticks; i++) {
+
+                    final Point2D point1 = arc1.getEndPoint();
+
+                    final double deltaX = plotArea.getCenterX();
+                    final double deltaY = plotArea.getCenterY();
+                    double labelX = point1.getX() - deltaX;
+                    double labelY = point1.getY() - deltaY;
+
+                    final double scale = ((double) i / (double) ticks);
+                    final AffineTransform tx = AffineTransform.getScaleInstance(scale, scale);
+                    // for getting the tick mark start points.
+                    final AffineTransform pointTrans = AffineTransform.getScaleInstance(scale + TICK_SCALE, scale + TICK_SCALE);
+                    transformer[0] = labelX;
+                    transformer[1] = labelY;
+                    pointTrans.transform(transformer, 0, transformed, 0, 1);
+                    final double pointX = transformed[0] + deltaX;
+                    final double pointY = transformed[1] + deltaY;
+                    tx.transform(transformer, 0, transformed, 0, 1);
+                    labelX = transformed[0] + deltaX;
+                    labelY = transformed[1] + deltaY;
+
+                    double rotated = (PERPENDICULAR);
+
+                    AffineTransform rotateTrans = AffineTransform.getRotateInstance(Math.toRadians(rotated), labelX, labelY);
+                    transformer[0] = pointX;
+                    transformer[1] = pointY;
+                    rotateTrans.transform(transformer, 0, transformed, 0, 1);
+                    final double x1 = transformed[0];
+                    final double y1 = transformed[1];
+
+                    rotated = (-PERPENDICULAR);
+                    rotateTrans = AffineTransform.getRotateInstance(Math.toRadians(rotated), labelX, labelY);
+
+                    rotateTrans.transform(transformer, 0, transformed, 0, 1);
+
+                    final Composite saveComposite = g2.getComposite();
+                    g2.setComposite(AlphaComposite.getInstance(AlphaComposite.SRC_OVER, 1.0f));
+
+                    g2.draw(new Line2D.Double(transformed[0], transformed[1], x1, y1));
+
+                    if (startAngle == this.getStartAngle()) {
+                        final String label = format.format(((double) i / (double) ticks) * this.getMaxValue());
+                    	//final String label = format.format(((double) i / (double) ticks) * 100);
+                        final LineMetrics lm = getLabelFont().getLineMetrics(label, frc);
+                        final double ascent = lm.getAscent();
+
+                        // move based on quadrant.
+                        if (Math.abs(labelX - plotArea.getCenterX()) < THRESHOLD) {
+                            // on Y Axis, label to right.
+                            labelX += valueLabelGap;
+                            // center vertically.
+                            labelY += ascent / (float) 2;
+                        } else if (Math.abs(labelY - plotArea.getCenterY()) < THRESHOLD) {
+                            // on X Axis, label underneath.
+                            labelY += valueLabelGap;
+                        } else if (labelX >= plotArea.getCenterX()) {
+                            if (labelY < plotArea.getCenterY()) {
+                                // quadrant 1
+                                labelX += valueLabelGap;
+                                labelY += valueLabelGap;
+                            } else {
+                                // quadrant 2
+                                labelX -= valueLabelGap;
+                                labelY += valueLabelGap;
+                            }
+                        } else {
+                            if (labelY > plotArea.getCenterY()) {
+                                // quadrant 3
+                                labelX -= valueLabelGap;
+                                labelY -= valueLabelGap;
+                            } else {
+                                // quadrant 4
+                                labelX += valueLabelGap;
+                                labelY -= valueLabelGap;
+                            }
+                        }
+                        g2.setPaint(getLabelPaint());
+                        g2.setFont(getLabelFont());
+                        g2.setColor(Color.GRAY);
+                        g2.drawString(label, (float) labelX, (float) labelY);
+                    }
+                    g2.setComposite(saveComposite);
+                }
+            }
+        };
+        return plot;
+    }
+
+}
\ No newline at end of file
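Review bot: In `drawLabel`, the call `g2.setPaint(getLabelPaint())` has no effect, because `g2.setColor(Color.GRAY)` two lines later replaces the paint before `drawString` runs; keep whichever one is intended and drop the other. The commented-out `//final String label = ... * 100);` line should be deleted. Neither the class nor `getPlot` has Javadoc, and a line such as `/** Returns a SpiderWebPlot whose axes carry tick marks and numeric value labels. */` would explain why the anonymous subclass exists. `NumberFormat.getInstance()` formats with the JVM default locale, so the rendered labels depend on the server's locale unless one is passed explicitly.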
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/util/StringUtil.java b/git/cocBackend/src/main/java/com/medina/coc/backend/util/StringUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..6f1eeeb5607ba8417d5bb6ff99b4f45790821694
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/util/StringUtil.java
@@ -0,0 +1,18 @@
+package com.medina.coc.backend.util;
+
+/**
+ * Utilities to manage strings.
+ * @author Tecnalia
+ * @version 1.0
+ */
+public final class StringUtil {
+
+	/**
+	 * Checks if a String is null or empty.
+	 * @param sourceString The source string.
+	 * @return boolean
+	 */
+	public static boolean isNullOrEmpty(final String sourceString) {
+		return sourceString == null || sourceString.trim().length() == 0 || sourceString.trim().equalsIgnoreCase("null");
+	}
+}
\ No newline at end of file
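Review bot: `isNullOrEmpty` also returns true for the literal text `null` in any letter case, which neither the method name nor the Javadoc states, so a legitimate value consisting of the word "Null" is silently treated as missing by every caller. Either drop the `equalsIgnoreCase("null")` clause or document it, e.g. `Checks if a String is null, blank, or the literal text "null" (case-insensitive).` The class is `final` but still instantiable; adding `private StringUtil() {}` makes the utility-class intent explicit.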
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/AuditLogResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/AuditLogResource.java
new file mode 100644
index 0000000000000000000000000000000000000000..1ae2d70eba08e8c6ffb17e77e3c8c9c7368eb7b1
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/AuditLogResource.java
@@ -0,0 +1,90 @@
+package com.medina.coc.backend.web.rest;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Optional;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
+import tech.jhipster.web.util.HeaderUtil;
+import tech.jhipster.web.util.ResponseUtil;
+
+/**
+ * REST controller for managing {@link com.medina.coc.backend.domain.AuditLog}.
+ */
+@RestController
+@RequestMapping("/api")
+public class AuditLogResource {
+
+    private final Logger log = LoggerFactory.getLogger(AuditLogResource.class);
+    
+    private static final String ENTITY_NAME = "audit-log";
+
+    @Value("${jhipster.clientApp.name}")
+    private String applicationName;
+
+    private final AuditLogService auditLogService;
+
+    public AuditLogResource(AuditLogService auditLogService) {
+        this.auditLogService = auditLogService;
+    }
+
+    /**
+     * {@code GET  /audit-logs} : get all the auditLogs.
+     *
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the list of questions in body.
+     */
+    @GetMapping("/audit-logs")
+    public ResponseEntity<List<AuditLogDTO>> getAllAuditLogs() {
+        log.debug("REST request to get AuditLogs");
+        List<AuditLogDTO> entityList = auditLogService.findAll();
+        return ResponseEntity.ok().body(entityList);
+    }
+
+    /**
+     * {@code GET  /audit-logs/:id} : get the "id" resource.
+     *
+     * @param id the id of the auditLogDTO to retrieve.
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the auditLogDTO, or with status {@code 404 (Not Found)}.
+     */
+    @GetMapping("/audit-logs/{id}")
+    public ResponseEntity<AuditLogDTO> getAuditLog(@PathVariable Long id) {
+        log.debug("REST request to get AuditLog : {}", id);
+        Optional<AuditLogDTO> auditLogDTO = auditLogService.findOne(id);
+        return ResponseUtil.wrapOrNotFound(auditLogDTO);
+    }
+    
+    /**
+     * {@code POST  /audit-logs} : Create a new auditLog.
+     *
+     * @param auditLogDTO the auditLogDTO to create.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new auditLogDTO, or with status {@code 400 (Bad Request)} if the auditLog has already an ID.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/audit-logs")
+    public ResponseEntity<AuditLogDTO> createAuditLogDTO(@RequestBody AuditLogDTO auditLogDTO) throws URISyntaxException {
+        log.debug("REST request to save AuditLog : {}", auditLogDTO);
+        if (auditLogDTO.getId() != null) {
+            throw new BadRequestAlertException("A new image cannot already have an ID", ENTITY_NAME, "idexists");
+        }
+        AuditLogDTO result = auditLogService.save(auditLogDTO);
+        return ResponseEntity
+            .created(new URI("/api/audit-logs/" + result.getId()))
+            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
+            .body(result);
+    }
+}
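Review bot: `createAuditLogDTO` saves the request body as received, and per `AuditLogMapper` in this commit the DTO carries `user`, `dateLog`, `entity`, `target` and `operation`; none of the three handlers has a method-level authorization annotation. Unless a URL rule outside this hunk restricts `/api/audit-logs`, any authenticated caller can read the whole audit trail and write entries attributed to another user or time. An audit log only works as evidence if clients cannot author it, so restrict the handlers with an admin-only `@PreAuthorize` rule and have the server set the user and timestamp from the authenticated principal and the clock, not from the body. Smaller points: the error text mentions an image and should read `"A new auditLog cannot already have an ID"`, the `getAllAuditLogs` Javadoc says "list of questions", and `findAll()` is returned unpaged.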
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionAssuranceLevelResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionAssuranceLevelResource.java
index 2274c0358417b5cf31eb4ce611fb064abd5b2dbe..7e482ef8723260030bd29b6492c32c375a8465c2 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionAssuranceLevelResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionAssuranceLevelResource.java
@@ -1,22 +1,34 @@
 package com.medina.coc.backend.web.rest;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 
+import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import com.medina.coc.backend.repository.QuestionAssuranceLevelRepository;
+import com.medina.coc.backend.domain.request.QuestionnaireCloudService;
+import com.medina.coc.backend.security.SecurityUtils;
 import com.medina.coc.backend.service.QuestionAssuranceLevelQueryService;
 import com.medina.coc.backend.service.QuestionAssuranceLevelService;
 import com.medina.coc.backend.service.criteria.QuestionAssuranceLevelCriteria;
 import com.medina.coc.backend.service.dto.QuestionAssuranceLevelDTO;
+import com.medina.coc.backend.util.CollectionUtil;
+import com.medina.coc.backend.util.JsonUtil;
+import com.medina.coc.backend.util.RestUtil;
+import com.medina.coc.backend.util.StringUtil;
 
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -31,20 +43,19 @@ public class QuestionAssuranceLevelResource {
 
     @Value("${jhipster.clientApp.name}")
     private String applicationName;
+    
+    @Value("${application.orchestrator-url}")
+    private String orchestratorUrl;
 
     private final QuestionAssuranceLevelService questionAssuranceLevelService;
 
-    private final QuestionAssuranceLevelRepository questionAssuranceLevelRepository;
-
     private final QuestionAssuranceLevelQueryService questionAssuranceLevelQueryService;
 
     public QuestionAssuranceLevelResource(
     		QuestionAssuranceLevelService questionAssuranceLevelService,
-    		QuestionAssuranceLevelRepository questionAssuranceLevelRepository,
     		QuestionAssuranceLevelQueryService questionAssuranceLevelQueryService
     ) {
         this.questionAssuranceLevelService = questionAssuranceLevelService;
-        this.questionAssuranceLevelRepository = questionAssuranceLevelRepository;
         this.questionAssuranceLevelQueryService = questionAssuranceLevelQueryService;
     }
 
@@ -58,6 +69,39 @@ public class QuestionAssuranceLevelResource {
     public ResponseEntity<List<QuestionAssuranceLevelDTO>> getAllQuestionAssuranceLevels(QuestionAssuranceLevelCriteria criteria) {
         log.debug("REST request to get QuestionAssuranceLevels by criteria: {}", criteria);
         List<QuestionAssuranceLevelDTO> entityList = questionAssuranceLevelQueryService.findByCriteria(criteria);
+        if (!CollectionUtil.isNullOrEmpty(entityList)) {
+        	final List<String> cloudservices = SecurityUtils.extractCloudServices();
+        	if (!CollectionUtil.isNullOrEmpty(cloudservices)) {
+	            List<QuestionnaireCloudService> temp = new ArrayList<QuestionnaireCloudService>();
+	            HttpHeaders httpHeaders = new HttpHeaders();
+    	        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
+    	        httpHeaders.add("Authorization", "Bearer " + SecurityUtils.getAuthenticationToken());
+    	        final HttpEntity<Void> entity = new HttpEntity<>(httpHeaders);
+	        	for (String str : cloudservices) {
+	        		try {
+	        			final String finalUrl = orchestratorUrl.replace("{1}", str);
+	        			log.info("*********** Orchestrator URL **************");
+	        			log.info(finalUrl);
+	        			log.info("*******************************************");
+		                final ResponseEntity<String> response = RestUtil.createRestTemplate().exchange(finalUrl, HttpMethod.GET, entity, String.class);
+		       			if (response.getStatusCodeValue() == HttpStatus.OK.value() && !StringUtil.isNullOrEmpty(response.getBody())) {
+		       				final JSONObject json = JsonUtil.buildJSONObjectFromString(response.getBody().trim());
+		       				temp.add(new QuestionnaireCloudService(str, json.getString("name").trim()));
+		       				log.info("Response: [200]");
+		       				log.info("Found service  ::  " + str + "  ::  " + json.getString("name").trim());
+		       				log.info("*******************************************");
+		       			} else {
+		       				log.info("Response: [" + response.getStatusCodeValue() + "]");
+		       				log.info("*******************************************");
+		       			}
+	        		} catch (Exception e) {
+	        			log.info(e.getMessage());
+	        			log.info("*******************************************");
+	        		}
+	        	}
+	        	entityList.get(0).setQuestionnaireCloudServiceList(temp);
+        	}
+        }
         return ResponseEntity.ok().body(entityList);
     }
 
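Review bot: The caller's bearer token is sent to a URL assembled with `orchestratorUrl.replace("{1}", str)`, and `str` (whatever `SecurityUtils.extractCloudServices()` returns) is inserted without encoding, so a value containing `/`, `?` or `#` would change the path or query of the request that carries the token. Encode the segment before substitution, e.g. `UriUtils.encodePathSegment(str, StandardCharsets.UTF_8)`, or validate it against the expected identifier format, and log the final URL at debug rather than info. The `catch (Exception e)` logs only `e.getMessage()` at info, which drops the stack trace and makes a failing orchestrator look like an empty result; `log.warn("Orchestrator lookup failed for {}", str, e);` keeps the cause. The result list is attached only to `entityList.get(0)` and a new `RestUtil.createRestTemplate()` is built on every loop iteration; the first deserves a comment explaining why, and the second can be hoisted above the loop.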
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionResource.java
index d08c5266f1cb40641b7b17e47d8370ce3117030b..77802ce0cf8aa24cd4a28f1213277eec7a962e41 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionResource.java
@@ -1,6 +1,8 @@
 package com.medina.coc.backend.web.rest;
 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 
 import org.slf4j.Logger;
@@ -12,10 +14,12 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import com.medina.coc.backend.repository.QuestionRepository;
+import com.hazelcast.internal.util.CollectionUtil;
+import com.medina.coc.backend.service.QuestionAssuranceLevelService;
 import com.medina.coc.backend.service.QuestionQueryService;
 import com.medina.coc.backend.service.QuestionService;
 import com.medina.coc.backend.service.criteria.QuestionCriteria;
+import com.medina.coc.backend.service.dto.QuestionAssuranceLevelDTO;
 import com.medina.coc.backend.service.dto.QuestionDTO;
 
 import tech.jhipster.web.util.ResponseUtil;
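Review bot: `com.hazelcast.internal.util.CollectionUtil` sits in a Hazelcast `internal` package, so this controller now depends on a class that is not part of that library's public API and may move or change on upgrade. The project's own `com.medina.coc.backend.util.CollectionUtil` is already used by QuestionAssuranceLevelResource in this commit (`CollectionUtil.isNullOrEmpty(...)`), and importing that one keeps the null/empty check consistent across controllers. The same Hazelcast import is added in the new QuestionnaireNonConformityResource.java.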
@@ -34,18 +38,18 @@ public class QuestionResource {
 
     private final QuestionService questionService;
 
-    private final QuestionRepository questionRepository;
-
     private final QuestionQueryService questionQueryService;
+    
+    QuestionAssuranceLevelService questionAssuranceLevelService;
 
     public QuestionResource(
     		QuestionService questionService,
-    		QuestionRepository questionRepository,
-    		QuestionQueryService questionQueryService
+    		QuestionQueryService questionQueryService,
+    		QuestionAssuranceLevelService questionAssuranceLevelService
     ) {
         this.questionService = questionService;
-        this.questionRepository = questionRepository;
         this.questionQueryService = questionQueryService;
+        this.questionAssuranceLevelService = questionAssuranceLevelService;
     }
 
     /**
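Review bot: The new field `QuestionAssuranceLevelService questionAssuranceLevelService;` is package-private and non-final, unlike the two service fields next to it. It is assigned exactly once in the constructor, so declare it `private final QuestionAssuranceLevelService questionAssuranceLevelService;` to match.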
@@ -72,6 +76,28 @@ public class QuestionResource {
         log.debug("REST request to count Questions by criteria: {}", criteria);
         return ResponseEntity.ok().body(questionQueryService.countByCriteria(criteria));
     }
+    
+    /**
+     * {@code GET  /questions/count-extended} : count all the questions discriminating the assurance level.
+     *
+     * @param criteria the criteria which the requested entities should match.
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the count in body.
+     */
+    @GetMapping("/questions/count-extended")
+    public ResponseEntity<Map<Long, Integer>> countQuestionsExtended() {
+        log.debug("REST request to count Questions (extended): {}");
+        
+        List<QuestionAssuranceLevelDTO> listAssuranceLevels = questionAssuranceLevelService.findAll();
+        if (!CollectionUtil.isEmpty(listAssuranceLevels)) {
+        	Map<Long, Integer> result = new HashMap<Long, Integer>();
+        	for (QuestionAssuranceLevelDTO dto : listAssuranceLevels) {
+        		result.put(dto.getId(), questionService.countQuestionsByAssuranceLevel(dto.getId()));
+        	}
+        	return ResponseEntity.ok().body(result);
+        }
+        
+        return ResponseEntity.ok().body(null);
+    }
 
     /**
      * {@code GET  /questions/:id} : get the "id" resource.
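Review bot: `countQuestionsExtended` returns `ResponseEntity.ok().body(null)` when no assurance levels exist, so a client gets a 200 with an empty body instead of an empty JSON object; `return ResponseEntity.ok().body(new HashMap<>());` gives one response shape for both cases. The Javadoc documents `@param criteria` although the method takes no parameter, and `log.debug("REST request to count Questions (extended): {}")` has a placeholder without an argument, which logs a literal `{}`. The same argument-less placeholder recurs in `countQuestions` and `createQuestionnaire` of QuestionnaireResource and in both POST handlers of QuestionnaireNonConformityResource. The loop makes one `countQuestionsByAssuranceLevel` call per level; a single grouped count in the service would avoid that.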
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireNonConformityResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireNonConformityResource.java
new file mode 100644
index 0000000000000000000000000000000000000000..d749249fe616ca01cd4a396e49841914f47f33ca
--- /dev/null
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireNonConformityResource.java
@@ -0,0 +1,127 @@
+package com.medina.coc.backend.web.rest;
+
+import java.net.URISyntaxException;
+import java.util.List;
+
+import javax.validation.Valid;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.hazelcast.internal.util.CollectionUtil;
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.repository.QuestionnaireNonConformityRepository;
+import com.medina.coc.backend.service.QuestionnaireNonConformityQueryService;
+import com.medina.coc.backend.service.QuestionnaireNonConformityService;
+import com.medina.coc.backend.service.criteria.QuestionnaireNonConformityCriteria;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+
+/**
+ * REST controller for managing {@link com.medina.coc.backend.domain.QuestionnaireNonConformity}.
+ */
+@RestController
+@RequestMapping("/api")
+public class QuestionnaireNonConformityResource {
+
+    private final Logger log = LoggerFactory.getLogger(QuestionnaireNonConformityResource.class);
+    
+    private static final String ENTITY_NAME = "cocBackendQuestionnaireNonConformity";
+
+    @Value("${jhipster.clientApp.name}")
+    private String applicationName;
+
+    private final QuestionnaireNonConformityService questionnaireNonConformityService;
+
+    private final QuestionnaireNonConformityRepository questionnaireNonConformityRepository;
+
+    private final QuestionnaireNonConformityQueryService questionnaireNonConformityQueryService;
+
+    public QuestionnaireNonConformityResource(
+    		QuestionnaireNonConformityService questionnaireNonConformityService,
+    		QuestionnaireNonConformityRepository questionnaireNonConformityRepository,
+    		QuestionnaireNonConformityQueryService questionnaireNonConformityQueryService
+    ) {
+        this.questionnaireNonConformityService = questionnaireNonConformityService;
+        this.questionnaireNonConformityRepository = questionnaireNonConformityRepository;
+        this.questionnaireNonConformityQueryService = questionnaireNonConformityQueryService;
+    }
+
+    /**
+     * {@code GET  /questionnaire-non-conformities} : get all the questionnaire non-conformites.
+     *
+     * @param criteria the criteria which the requested entities should match.
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the list of questionnaire non-conformites in body.
+     */
+    @GetMapping("/questionnaire-non-conformities")
+    public ResponseEntity<List<QuestionnaireNonConformityDTO>> getAllQuestionnaireNonConformities(QuestionnaireNonConformityCriteria criteria) {
+        log.debug("REST request to get QuestionnaireNonConformities by criteria: {}", criteria);
+        List<QuestionnaireNonConformityDTO> entityList = questionnaireNonConformityQueryService.findByCriteria(criteria);
+        return ResponseEntity.ok().body(entityList);
+    }
+
+    /**
+     * {@code GET  /questionnaire-non-conformities/count} : count all the questionnaire non-conformities.
+     *
+     * @param criteria the criteria which the requested entities should match.
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the count in body.
+     */
+    @GetMapping("/questionnaire-non-conformities/count")
+    public ResponseEntity<Long> countQuestionnaireNonConformities(QuestionnaireNonConformityCriteria criteria) {
+        log.debug("REST request to count QuestionnaireNonConformities by criteria: {}", criteria);
+        return ResponseEntity.ok().body(questionnaireNonConformityQueryService.countByCriteria(criteria));
+    }
+
+    /**
+     * {@code GET  /questionnaire-non-conformities/:id} : get the "questionnaireName" resources.
+     *
+     * @param questionnaireName the questionnaireName of the questionnaireNonConformityDTOs to retrieve.
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the questionnaireNonConformityDTOs, or with status {@code 404 (Not Found)}.
+     */
+    @GetMapping("/questionnaire-non-conformities/{questionnaireName}")
+    public ResponseEntity<List<QuestionnaireNonConformityDTO>> getQuestionnaireNonConformitiesByQuestionnaireName(@PathVariable String questionnaireName) {
+        log.debug("REST request to get QuestionnaireNonConformity : {}", questionnaireName);
+        return ResponseEntity.ok().body(questionnaireNonConformityService.findByQuestionnaireName(questionnaireName));
+    }
+    
+    /**
+     * {@code POST  /questionnaire-non-conformities/create} : Create a new QuestionnaireNonConformity.
+     *
+     * @param questionnaireNonConformity the questionnaireNonConformity to create.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new questionnaireNonConformity, or with status {@code 400 (Bad Request)} if the questionnaireNonConformity has already an ID.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/questionnaire-non-conformities/create")
+    public ResponseEntity<List<QuestionnaireNonConformity>> createQuestionnaireNonConformity(@Valid @RequestBody List<QuestionnaireNonConformity> questionnaireNonConformity)
+        throws URISyntaxException {
+        log.debug("REST request to save QuestionnaireNonConformity : {}");
+        questionnaireNonConformityService.save(questionnaireNonConformity);
+        return ResponseEntity.ok().body(questionnaireNonConformity);
+    }
+    
+    
+    /**
+     * {@code POST  /questionnaire-non-conformities/save} : Saves a QuestionnaireNonConformity.
+     *
+     * @param questionnaireNonConformity the questionnaireNonConformity to save.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the questionnaireNonConformity.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/questionnaire-non-conformities/save")
+    public ResponseEntity<List<QuestionnaireNonConformity>> saveQuestionnaireNonConformity(@Valid @RequestBody List<QuestionnaireNonConformity> questionnaireNonConformity)
+        throws URISyntaxException {
+        log.debug("REST request to save QuestionnaireNonConformity : {}");
+        if (!CollectionUtil.isEmpty(questionnaireNonConformity)) {
+        	questionnaireNonConformityService.deleteByQuestionnaireName(questionnaireNonConformity.get(0).getQuestionnaireName());
+        	questionnaireNonConformityService.save(questionnaireNonConformity);
+        }
+        return ResponseEntity.ok().body(questionnaireNonConformity);
+    }
+}
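Review bot: `saveQuestionnaireNonConformity` deletes by the `questionnaireName` of element 0 of the client-supplied list and then saves every element, so rows in the same request that carry a different name are written without their old rows being replaced, and nothing visible in this controller ties that name to the authenticated caller. The handler should reject lists that mix names, as sketched below, and confirm ownership before the delete if the service does not already do so (not visible here). The delete and the save also belong in one transactional service method, so that a failed save does not leave the questionnaire with no rows. Both POST handlers bind the domain class `QuestionnaireNonConformity` (presumably the persistence entity) straight from the request body instead of the DTO the GET handlers return, which lets the client populate every field of it. Smaller points: the injected `questionnaireNonConformityRepository` is never used, the Javadoc promises `201 (Created)` while the code returns 200, and nothing in either handler can throw `URISyntaxException`.

```java
        if (!CollectionUtil.isEmpty(questionnaireNonConformity)) {
            final String name = questionnaireNonConformity.get(0).getQuestionnaireName();
            for (QuestionnaireNonConformity item : questionnaireNonConformity) {
                // One request replaces the rows of exactly one questionnaire.
                if (name == null || !name.equals(item.getQuestionnaireName())) {
                    return ResponseEntity.badRequest().build();
                }
            }
            questionnaireNonConformityService.deleteByQuestionnaireName(name);
            // … unchanged: save(questionnaireNonConformity) …
        }
```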
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnairePurposeResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnairePurposeResource.java
deleted file mode 100755
index 3d2982f3fa0fe281b78916bcc4c81d2e758ed3dc..0000000000000000000000000000000000000000
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnairePurposeResource.java
+++ /dev/null
@@ -1,88 +0,0 @@
-package com.medina.coc.backend.web.rest;
-
-import java.util.List;
-import java.util.Optional;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-import com.medina.coc.backend.repository.QuestionnairePurposeRepository;
-import com.medina.coc.backend.service.QuestionnairePurposeQueryService;
-import com.medina.coc.backend.service.QuestionnairePurposeService;
-import com.medina.coc.backend.service.criteria.QuestionnairePurposeCriteria;
-import com.medina.coc.backend.service.dto.QuestionnairePurposeDTO;
-
-import tech.jhipster.web.util.ResponseUtil;
-
-/**
- * REST controller for managing {@link com.medina.coc.backend.domain.QuestionnairePurpose}.
- */
-@RestController
-@RequestMapping("/api")
-public class QuestionnairePurposeResource {
-
-    private final Logger log = LoggerFactory.getLogger(QuestionnairePurposeResource.class);
-
-    @Value("${jhipster.clientApp.name}")
-    private String applicationName;
-
-    private final QuestionnairePurposeService questionnairePurposeService;
-
-    private final QuestionnairePurposeRepository questionnairePurposeRepository;
-
-    private final QuestionnairePurposeQueryService questionnairePurposeQueryService;
-
-    public QuestionnairePurposeResource(
-    		QuestionnairePurposeService questionnairePurposeService,
-    		QuestionnairePurposeRepository questionnairePurposeRepository,
-    		QuestionnairePurposeQueryService questionnairePurposeQueryService
-    ) {
-        this.questionnairePurposeService = questionnairePurposeService;
-        this.questionnairePurposeRepository = questionnairePurposeRepository;
-        this.questionnairePurposeQueryService = questionnairePurposeQueryService;
-    }
-
-    /**
-     * {@code GET  /questionnaire-purposes} : get all the questionnaire purposes.
-     *
-     * @param criteria the criteria which the requested entities should match.
-     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the list of questionnaire purposes in body.
-     */
-    @GetMapping("/questionnaire-purposes")
-    public ResponseEntity<List<QuestionnairePurposeDTO>> getAllQuestionnairePurposes(QuestionnairePurposeCriteria criteria) {
-        log.debug("REST request to get QuestionnairePurposes by criteria: {}", criteria);
-        List<QuestionnairePurposeDTO> entityList = questionnairePurposeQueryService.findByCriteria(criteria);
-        return ResponseEntity.ok().body(entityList);
-    }
-
-    /**
-     * {@code GET  /questionnaire-purposes/count} : count all the questionnaire purposes.
-     *
-     * @param criteria the criteria which the requested entities should match.
-     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the count in body.
-     */
-    @GetMapping("/questionnaire-purposes/count")
-    public ResponseEntity<Long> countQuestionnairePurposes(QuestionnairePurposeCriteria criteria) {
-        log.debug("REST request to count QuestionnairePurposes by criteria: {}", criteria);
-        return ResponseEntity.ok().body(questionnairePurposeQueryService.countByCriteria(criteria));
-    }
-
-    /**
-     * {@code GET  /questionnaire-purposes/:id} : get the "id" resource.
-     *
-     * @param id the id of the questionnairePurposeDTO to retrieve.
-     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the questionnairePurposeDTO, or with status {@code 404 (Not Found)}.
-     */
-    @GetMapping("/questionnaire-purposes/{id}")
-    public ResponseEntity<QuestionnairePurposeDTO> getQuestionnairePurpose(@PathVariable Long id) {
-        log.debug("REST request to get QuestionnairePurpose : {}", id);
-        Optional<QuestionnairePurposeDTO> questionnairePurposeDTO = questionnairePurposeService.findOne(id);
-        return ResponseUtil.wrapOrNotFound(questionnairePurposeDTO);
-    }
-}
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireResource.java
index 02db149d055230eb9f32c4b6163a86f83f1e6d0c..71ad0de5ce6484432e03d2a0ccc5a44d02700c81 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/QuestionnaireResource.java
@@ -1,22 +1,92 @@
 package com.medina.coc.backend.web.rest;
 
+import java.awt.BasicStroke;
+import java.awt.Color;
+import java.awt.Graphics2D;
+import java.awt.geom.Rectangle2D;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 
+import javax.validation.Valid;
+
+import org.jfree.chart.JFreeChart;
+import org.jfree.chart.plot.SpiderWebPlot;
+import org.jfree.data.category.DefaultCategoryDataset;
+import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import com.medina.coc.backend.repository.QuestionnaireRepository;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.itextpdf.awt.DefaultFontMapper;
+import com.itextpdf.awt.PdfGraphics2D;
+import com.itextpdf.text.BadElementException;
+import com.itextpdf.text.BaseColor;
+import com.itextpdf.text.Chunk;
+import com.itextpdf.text.Document;
+import com.itextpdf.text.DocumentException;
+import com.itextpdf.text.Element;
+import com.itextpdf.text.Font;
+import com.itextpdf.text.Font.FontFamily;
+import com.itextpdf.text.Image;
+import com.itextpdf.text.Paragraph;
+import com.itextpdf.text.Phrase;
+import com.itextpdf.text.Rectangle;
+import com.itextpdf.text.pdf.ColumnText;
+import com.itextpdf.text.pdf.PdfContentByte;
+import com.itextpdf.text.pdf.PdfPCell;
+import com.itextpdf.text.pdf.PdfPTable;
+import com.itextpdf.text.pdf.PdfTemplate;
+import com.itextpdf.text.pdf.PdfWriter;
+import com.medina.coc.backend.domain.Questionnaire;
+import com.medina.coc.backend.domain.QuestionnaireNonConformity;
+import com.medina.coc.backend.domain.enumeration.AssuranceLevelId;
+import com.medina.coc.backend.domain.request.QuestionnaireQuestionsInfo;
+import com.medina.coc.backend.domain.request.QuestionnaireReport;
+import com.medina.coc.backend.domain.request.QuestionnaireReportConcept;
+import com.medina.coc.backend.domain.request.QuestionnaireReportTom;
+import com.medina.coc.backend.domain.request.QuestionnaireReportWrapper;
+import com.medina.coc.backend.domain.request.QuestionnaireScore;
+import com.medina.coc.backend.domain.request.QuestionnaireWrapper;
+import com.medina.coc.backend.domain.satra.SatraPartnerSurvey;
+import com.medina.coc.backend.domain.satra.SatraRequest;
+import com.medina.coc.backend.service.QuestionService;
+import com.medina.coc.backend.service.QuestionnaireNonConformityService;
 import com.medina.coc.backend.service.QuestionnaireQueryService;
 import com.medina.coc.backend.service.QuestionnaireService;
+import com.medina.coc.backend.service.TomService;
 import com.medina.coc.backend.service.criteria.QuestionnaireCriteria;
+import com.medina.coc.backend.service.dto.QuestionDTO;
 import com.medina.coc.backend.service.dto.QuestionnaireDTO;
+import com.medina.coc.backend.service.dto.QuestionnaireNonConformityDTO;
+import com.medina.coc.backend.service.dto.TomDTO;
+import com.medina.coc.backend.util.CollectionUtil;
+import com.medina.coc.backend.util.JsonUtil;
+import com.medina.coc.backend.util.RestUtil;
+import com.medina.coc.backend.util.SpiderWebPlotPatch;
+import com.medina.coc.backend.util.StringUtil;
 
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -28,24 +98,38 @@ import tech.jhipster.web.util.ResponseUtil;
 public class QuestionnaireResource {
 
     private final Logger log = LoggerFactory.getLogger(QuestionnaireResource.class);
-
+    
     @Value("${jhipster.clientApp.name}")
     private String applicationName;
+    
+    @Value("${application.satra-login-url}")
+    private String satraLoginUrl;
+    
+    @Value("${application.satra-practice-url}")
+    private String satraPracticeUrl;
 
     private final QuestionnaireService questionnaireService;
 
-    private final QuestionnaireRepository questionnaireRepository;
-
     private final QuestionnaireQueryService questionnaireQueryService;
+    
+    private final QuestionnaireNonConformityService questionnaireNonConformityService;
+    
+    private final TomService tomService;
+    
+    private final QuestionService questionService;
 
     public QuestionnaireResource(
     		QuestionnaireService questionnaireService,
-    		QuestionnaireRepository questionnaireRepository,
-    		QuestionnaireQueryService questionnaireQueryService
+    		QuestionnaireQueryService questionnaireQueryService,
+    		QuestionnaireNonConformityService questionnaireNonConformityService,
+    		TomService tomService,
+    		QuestionService questionService
     ) {
         this.questionnaireService = questionnaireService;
-        this.questionnaireRepository = questionnaireRepository;
         this.questionnaireQueryService = questionnaireQueryService;
+        this.questionnaireNonConformityService = questionnaireNonConformityService;
+        this.tomService = tomService;
+        this.questionService = questionService;
     }
 
     /**
@@ -72,6 +156,30 @@ public class QuestionnaireResource {
         log.debug("REST request to count Questionnaires by criteria: {}", criteria);
         return ResponseEntity.ok().body(questionnaireQueryService.countByCriteria(criteria));
     }
+    
+    /**
+     * {@code GET  /questionnaires/count-questions} : count all the questions.
+     *
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the count in body.
+     */
+    @GetMapping("/questionnaires/count-questions")
+    public ResponseEntity<QuestionnaireQuestionsInfo> countQuestions() {
+        log.debug("REST request to count Questions: {}");
+        QuestionnaireQuestionsInfo result = new QuestionnaireQuestionsInfo();
+        final List<QuestionDTO> questions = questionService.findAll();
+        if (!CollectionUtil.isNullOrEmpty(questions)) {
+        	for (QuestionDTO question : questions) {
+        		if (Integer.valueOf(question.getAssuranceLevelId()) == Integer.valueOf(AssuranceLevelId.Basic.getValue())) {
+        			result.setBasic(result.getBasic() + 1);
+        		} else if (Integer.valueOf(question.getAssuranceLevelId()) == Integer.valueOf(AssuranceLevelId.Substantial.getValue())) {
+        			result.setSubstantial(result.getSubstantial() + 1);
+        		} else if (Integer.valueOf(question.getAssuranceLevelId()) == Integer.valueOf(AssuranceLevelId.High.getValue())) {
+        			result.setHigh(result.getHigh() + 1);
+        		}
+        	}
+        }
+        return ResponseEntity.ok().body(result);
+    }
 
     /**
      * {@code GET  /questionnaires/:id} : get the "id" resource.
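Review bot: The three comparisons of the form `Integer.valueOf(question.getAssuranceLevelId()) == Integer.valueOf(AssuranceLevelId.Basic.getValue())` compare two boxed `Integer` references with `==`, which is only reliable for values inside the Integer cache (-128 to 127 by default); outside it equal ids compare unequal and the counters stay at zero. Compare by value instead, e.g. `Integer.valueOf(question.getAssuranceLevelId()).equals(Integer.valueOf(AssuranceLevelId.Basic.getValue()))`, or convert the id to an `int` once before the chain. The handler also loads every question through `questionService.findAll()` only to count them; a grouped count query in the service would return the same three numbers without materialising the list.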
@@ -85,4 +193,627 @@ public class QuestionnaireResource {
         Optional<QuestionnaireDTO> questionnaireDTO = questionnaireService.findOne(id);
         return ResponseUtil.wrapOrNotFound(questionnaireDTO);
     }
+    
+    /**
+     * {@code POST  /questionnaires/create} : Create a new Questionnaire.
+     *
+     * @param questionnaire the questionnaire to create.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new questionnaire, or with status {@code 400 (Bad Request)} if the questionnaire has already an ID.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/questionnaires/create")
+    public ResponseEntity<List<Questionnaire>> createQuestionnaire(@Valid @RequestBody List<Questionnaire> questionnaire)
+        throws URISyntaxException {
+        log.debug("REST request to save Questionnaire : {}");
+        
+        // Create the questionnaire
+        if (!CollectionUtil.isNullOrEmpty(questionnaire)) {
+        	questionnaireService.save(questionnaire);
+            
+            // Create the non-conformities
+            final List<TomDTO> tomList = tomService.findAll();
+            if (!CollectionUtil.isNullOrEmpty(tomList)) {
+            	List<QuestionnaireNonConformity> nonConformities = new ArrayList<QuestionnaireNonConformity>();
+            	for (TomDTO tom : tomList) {
+            		nonConformities.add(new QuestionnaireNonConformity(questionnaire.get(0).getName(), tom.getId(), "", ""));
+            	}
+            	questionnaireNonConformityService.save(nonConformities);
+            }
+        }
+        
+        return ResponseEntity.ok().body(questionnaire);
+    }
+    
+    
+    /**
+     * {@code POST  /questionnaires/save} : Saves a Questionnaire.
+     *
+     * @param questionnaire the questionnaire to save.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the questionnaire.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     * @throws NoSuchAlgorithmException 
+     * @throws KeyManagementException 
+     */
+    @PostMapping("/questionnaires/save")
+    @Transactional
+    public ResponseEntity<QuestionnaireWrapper> saveQuestionnaire(@Valid @RequestBody QuestionnaireWrapper questionnaireWrapper)
+        throws URISyntaxException, KeyManagementException, NoSuchAlgorithmException {
+        log.debug("REST request to save Questionnaire : {}");
+        if (!CollectionUtil.isNullOrEmpty(questionnaireWrapper.getQuestionnaire())) {
+        	for (Questionnaire row : questionnaireWrapper.getQuestionnaire()) {
+        		questionnaireService.update(row);
+        	}
+        	
+        	// Update the non-conformities
+        	final List<QuestionnaireNonConformity> questionnaireNonConformityList = questionnaireWrapper.getQuestionnaire().get(0).getQuestionnaireNonConformityList();
+        	if (!CollectionUtil.isNullOrEmpty(questionnaireNonConformityList)) {
+        		for (QuestionnaireNonConformity nonConformity : questionnaireNonConformityList) {
+        			questionnaireNonConformityService.update(nonConformity.getQuestionnaireName(), nonConformity.getTomId(), nonConformity.getComments(), nonConformity.getCompliance());
+        		}
+        	}
+        	
+        	try {
+        		final SatraRequest requestObj = buildSatraRequest(questionnaireWrapper.getQuestionnaire());
+        		
+        		// Authenticate
+        		log.info("************************************************************");
+        		log.info("Authenticating in SATRA...");
+        		log.info(satraLoginUrl);
+        		log.info(satraPracticeUrl);
+            	ResponseEntity<String> response = RestUtil.createRestTemplate().getForEntity(satraLoginUrl, String.class);
+            	if (response.getStatusCodeValue() == HttpStatus.OK.value() && !StringUtil.isNullOrEmpty(response.getBody())) {
+            		log.info("Authentication in SATRA OK!");
+            		final JSONObject json = JsonUtil.buildJSONObjectFromString(response.getBody().trim());
+        			final String token = json.getString("access_resp").trim();
+        			if (!StringUtil.isNullOrEmpty(token)) {
+        				// Call SATRA
+        				List<String> logs = buildSatraLog(questionnaireWrapper.getId(), requestObj);
+        				for (String str : logs) {
+        					log.info(str);
+        				}
+        				log.info(buildSatraJSONLog(questionnaireWrapper.getId(), requestObj));
+        				HttpHeaders httpHeaders = new HttpHeaders();
+        	            httpHeaders.setContentType(MediaType.APPLICATION_JSON);
+        	            httpHeaders.add("access-resp", token);
+        	            final HttpEntity<SatraRequest> entity = new HttpEntity<SatraRequest>(requestObj, httpHeaders);
+        	            response = RestUtil.createRestTemplate().postForEntity(satraPracticeUrl.replace("{1}", questionnaireWrapper.getId()), entity, String.class);
+						if (response.getStatusCodeValue() == HttpStatus.OK.value() && !StringUtil.isNullOrEmpty(response.getBody())) {
+							log.info("SATRA RESPONSE  ::  OK");  
+						} else {
+							log.info("SATRA RESPONSE  ::  NOOK");
+							log.info(response.getBody());
+						}
+						log.info("************************************************************");
+        			}
+            	}
+        	} catch (Exception e) {
+        		log.info("SATRA RESPONSE  ::  NOOK");
+        		log.info(e.getMessage());
+        		log.info("************************************************************");
+        	}
+        }
+        
+        return ResponseEntity.ok().body(questionnaireWrapper);
+    }
+    
+    
+    /**
+     * {@code POST  /questionnaires/report-pdf} : Saves a Questionnaire as a PDF.
+     *
+     * @param questionnaireReport the questionnaireReport to save.
+     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the questionnaireReport.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/questionnaires/report-pdf")
+    @Transactional
+    public ResponseEntity<byte[]> saveQuestionnaireReportAsPDF(@RequestBody String object) throws URISyntaxException {
+        log.debug("REST request to save QuestionnaireReport as PDF : {}");
+        try {
+	        if (!StringUtil.isNullOrEmpty(object)) {
+	        	final ObjectMapper mapper = new ObjectMapper();
+	        	QuestionnaireReportWrapper report = mapper.readValue(object, QuestionnaireReportWrapper.class);
+	        	
+	        	log.debug("Building the PDF document...");
+	        	byte[] result = buildPDF(report);
+	        	return ResponseEntity.ok().body(result);
+	        }
+        } catch (Exception e) {
+        	return ResponseEntity.badRequest().body(null);
+        }
+        return ResponseEntity.badRequest().body(null);
+    }
+    
+    
+    /**
+     * {@code POST  /questionnaires/deleteByName} : Deletes a Questionnaire by name.
+     *
+     * @param object the name of the questionnaire to delete.
+     * @return the {@link ResponseEntity} with status 200.
+     * @throws URISyntaxException if the Location URI syntax is incorrect.
+     */
+    @PostMapping("/questionnaires/deleteByName")
+    @Transactional
+    public ResponseEntity<Void> deleteQuestionnaireByName(@RequestBody String object) throws URISyntaxException {
+        log.debug("REST request to delete Questionnaire : {}");
+        try {
+	        if (!StringUtil.isNullOrEmpty(object)) {
+	        	questionnaireNonConformityService.deleteByQuestionnaireName(object);
+	        	questionnaireService.deleteByName(object);
+	        	return ResponseEntity.noContent().build();
+	        }
+        } catch (Exception e) {
+        	return ResponseEntity.badRequest().body(null);
+        }
+        return ResponseEntity.badRequest().body(null);
+    }
+    
+    
+    
+    /*
+     * Build the PDF as a byte array
+     */
+    private byte[] buildPDF(QuestionnaireReportWrapper reportWrapper) throws DocumentException, IOException {
+    	ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+    	List<QuestionnaireReport> report = reportWrapper.getReport();
+    	
+    	// Open Document
+    	Document document = new Document();
+    	PdfWriter writer = PdfWriter.getInstance(document, byteArrayOutputStream);
+        document.open();
+        
+        // Define Fonts
+        Font[] fonts = buildPDFFonts();
+        
+        // Define the cover (first page)
+        PdfContentByte pdfContentByte = writer.getDirectContent();
+        ColumnText.showTextAligned(pdfContentByte, Element.ALIGN_RIGHT, new Phrase("MEDINA", fonts[9]), document.right(), document.top(), 0);
+        document.add(buildPDFCover(fonts, report.get(0).getAdditionalInfo(), report.get(0).getPage()));
+
+        // Define the report
+        final int len = report.size();
+        for (int i = 1;i < len;i++) {
+        	final List<QuestionnaireReportConcept> concepts = report.get(i).getConcepts();
+        	if (!CollectionUtil.isNullOrEmpty(concepts)) {
+        		// Add new page
+                document.newPage();
+                ColumnText.showTextAligned(pdfContentByte, Element.ALIGN_RIGHT, new Phrase("MEDINA", fonts[9]), document.right(), document.top(), 0);
+        		for (QuestionnaireReportConcept concept : concepts) {
+        			Paragraph paragraph = null;
+        			if (concept.getIsCategory()) {
+        				paragraph = new Paragraph(concept.getName(), fonts[4]);
+        				paragraph.setSpacingAfter(260f);
+        			} else {
+        				paragraph = new Paragraph(concept.getName(), fonts[5]);
+        				paragraph.setSpacingAfter(6f);
+        			}
+        			paragraph.setAlignment(Element.ALIGN_JUSTIFIED);
+        			document.add(paragraph);
+        			
+        			// Draw the radar chart
+        			if (concept.getIsCategory()) {
+	        	        document.add(buildSpiderChart(writer, concept.getName(), reportWrapper.getScore()));
+        			}        	        
+        			
+        			if (!concept.getIsCategory()) {
+        				final List<QuestionnaireReportTom> toms = concept.getToms();
+       					paragraph = new Paragraph("- Requirements with FULL compliance:", fonts[6]);
+   	        			paragraph.setIndentationLeft(28f);
+   	        			paragraph.setSpacingAfter(6f);
+   	        			document.add(paragraph);
+   	        			for (QuestionnaireReportTom tom : toms) {
+   	        				if (tom.getCompliance().equals("YES")) {
+    	        				paragraph = new Paragraph("Requirement: " + tom.getCode(), fonts[7]);
+    	        				paragraph.setIndentationLeft(64f);
+    	        				paragraph.setSpacingAfter(6f);
+    	        				document.add(paragraph);
+    	        				if (!StringUtil.isNullOrEmpty(tom.getNonConformities())) {
+    	        					paragraph = new Paragraph(tom.getNonConformities(), fonts[8]);
+        	        				paragraph.setIndentationLeft(90f);
+        	        				paragraph.setSpacingAfter(6f);
+        	        				document.add(paragraph);
+    	        				}
+   	        				}
+   	        			}
+   	        			
+   	        			paragraph = new Paragraph("- Requirements with PARTIAL compliance:", fonts[6]);
+   	        			paragraph.setIndentationLeft(28f);
+   	        			paragraph.setSpacingAfter(6f);
+   	        			document.add(paragraph);
+   	        			for (QuestionnaireReportTom tom : toms) {
+   	        				if (tom.getCompliance().equals("PARTIAL")) {
+    	        				paragraph = new Paragraph("Requirement: " + tom.getCode(), fonts[7]);
+    	        				paragraph.setIndentationLeft(64f);
+    	        				paragraph.setSpacingAfter(6f);
+    	        				document.add(paragraph);
+    	        				if (!StringUtil.isNullOrEmpty(tom.getNonConformities())) {
+    	        					paragraph = new Paragraph(tom.getNonConformities(), fonts[8]);
+        	        				paragraph.setIndentationLeft(90f);
+        	        				paragraph.setSpacingAfter(6f);
+        	        				document.add(paragraph);
+    	        				}
+   	        				}
+   	        			}
+    	        			
+   	        			paragraph = new Paragraph("- NON-COMPLIANT requirements:", fonts[6]);
+   	        			paragraph.setIndentationLeft(28f);
+   	        			paragraph.setSpacingAfter(6f);
+   	        			document.add(paragraph);
+   	        			for (QuestionnaireReportTom tom : toms) {
+   	        				if (tom.getCompliance().equals("NO")) {
+    	        				paragraph = new Paragraph("Requirement: " + tom.getCode(), fonts[7]);
+    	        				paragraph.setIndentationLeft(64f);
+    	        				paragraph.setSpacingAfter(6f);
+    	        				document.add(paragraph);
+    	        				if (!StringUtil.isNullOrEmpty(tom.getNonConformities())) {
+    	        					paragraph = new Paragraph(tom.getNonConformities(), fonts[8]);
+        	        				paragraph.setIndentationLeft(90f);
+        	        				paragraph.setSpacingAfter(6f);
+        	        				document.add(paragraph);
+    	        				}
+   	        				}
+   	        			}
+    	        			
+   	        			paragraph = new Paragraph("- Requirements with compliance NOT APPLICABLE:", fonts[6]);
+   	        			paragraph.setIndentationLeft(28f);
+   	        			paragraph.setSpacingAfter(6f);
+   	        			document.add(paragraph);
+   	        			for (QuestionnaireReportTom tom : toms) {
+   	        				if (tom.getCompliance().equals("N/A")) {
+    	        				paragraph = new Paragraph("Requirement: " + tom.getCode(), fonts[7]);
+    	        				paragraph.setIndentationLeft(64f);
+    	        				paragraph.setSpacingAfter(6f);
+    	        				document.add(paragraph);
+    	        				if (!StringUtil.isNullOrEmpty(tom.getNonConformities())) {
+    	        					paragraph = new Paragraph(tom.getNonConformities(), fonts[8]);
+        	        				paragraph.setIndentationLeft(90f);
+        	        				paragraph.setSpacingAfter(6f);
+        	        				document.add(paragraph);
+    	        				}
+   	        				}
+        				}
+        			}
+        			document.add(Chunk.NEWLINE);
+        		}
+        		
+        		// Add the page
+        		document.add(buildPDFFooter(fonts, report.get(i).getPage()));
+        	}
+        }
+        
+        // Add new page
+        document.newPage();
+    	
+    	// Close document
+        document.close();
+    	
+    	return (byteArrayOutputStream != null ? byteArrayOutputStream.toByteArray() : null);
+    }
+    
+    
+    /*
+     * Build the PDF fonts.
+     */
+    private Font[] buildPDFFonts() {
+    	Font[] fonts = new Font[10];
+        fonts[0] = new Font(FontFamily.HELVETICA, 24, Font.NORMAL);
+        fonts[1] = new Font(FontFamily.HELVETICA, 16, Font.NORMAL);
+        fonts[1].setColor(new BaseColor(0, 153, 160));
+        fonts[2] = new Font(FontFamily.HELVETICA, 14, Font.NORMAL);
+        fonts[3] = new Font(FontFamily.HELVETICA, 10, Font.ITALIC);
+        fonts[4] = new Font(FontFamily.HELVETICA, 14, Font.BOLD);
+        fonts[5] = new Font(FontFamily.HELVETICA, 11, Font.NORMAL);
+        fonts[5].setColor(new BaseColor(0, 153, 160));
+        fonts[6] = new Font(FontFamily.HELVETICA, 11, Font.NORMAL);
+        fonts[7] = new Font(FontFamily.HELVETICA, 10, Font.NORMAL);
+        fonts[7].setColor(new BaseColor(78, 78, 78));
+        fonts[8] = new Font(FontFamily.HELVETICA, 9, Font.NORMAL);
+        fonts[8].setColor(new BaseColor(136, 136, 136));
+        fonts[9] = new Font(FontFamily.HELVETICA, 20, Font.BOLD);
+        fonts[9].setColor(new BaseColor(197, 228, 229));
+        return fonts;
+    }
+    
+    
+    /*
+     * Build the PDF cover
+     */
+    private PdfPTable buildPDFCover(final Font[] fonts, final List<String> additionalInfo, final Integer page) {
+    	PdfPTable table = new PdfPTable(new float[] { 10, 10, 10, 50, 20 });
+        table.setWidthPercentage(100);
+        
+        PdfPCell[] row = new PdfPCell[2];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = new PdfPCell(new Paragraph(""));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(60f);
+        	row[i].setColspan(i == 1 ? 4 : 1);
+        	table.addCell(row[i]);
+        }
+
+    	row = new PdfPCell[2];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i == 0 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph(additionalInfo.get(0), fonts[0]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(90f);
+        	row[i].setColspan(i == 1 ? 4 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        // Security Framework
+        row = new PdfPCell[3];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 2 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph("Security Framework:", fonts[1]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(30f);
+        	row[i].setColspan(i == 2 ? 3 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        row = new PdfPCell[4];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 3 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph(additionalInfo.get(4), fonts[2]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(70f);
+        	row[i].setColspan(i == 3 ? 2 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        // Assurance level
+        row = new PdfPCell[3];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 2 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph("Assurance level:", fonts[1]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(30f);
+        	row[i].setColspan(i == 2 ? 3 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        row = new PdfPCell[4];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 3 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph(additionalInfo.get(2), fonts[2]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(70f);
+        	row[i].setColspan(i == 3 ? 2 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        // Cloud Service
+        row = new PdfPCell[3];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 2 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph("Cloud service:", fonts[1]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(30f);
+        	row[i].setColspan(i == 2 ? 3 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        row = new PdfPCell[4];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 3 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph(additionalInfo.get(3), fonts[2]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(70f);
+        	row[i].setColspan(i == 3 ? 2 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        // Date
+        row = new PdfPCell[3];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 2 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph("Report date:", fonts[1]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(30f);
+        	row[i].setColspan(i == 2 ? 3 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        row = new PdfPCell[4];
+        for (int i = 0;i < row.length;i++) {
+        	row[i] = i < 3 ? new PdfPCell(new Paragraph("")) : new PdfPCell(new Paragraph(additionalInfo.get(1), fonts[2]));
+        	row[i].setBorder(Rectangle.NO_BORDER);
+        	row[i].setFixedHeight(70f);
+        	row[i].setColspan(i == 3 ? 2 : 1);
+        	table.addCell(row[i]);
+        }
+        
+        // First footer
+        row[0] = new PdfPCell(new Paragraph("Generated by: MEDINA Catalogue of Controls and Metrics", fonts[3]));
+        row[0].setBorder(Rectangle.NO_BORDER);
+        row[0].setColspan(4);
+        row[0].setVerticalAlignment(Element.ALIGN_BOTTOM);
+        row[0].setUseAscender(true);
+        
+        // Page
+        row[1] = new PdfPCell(new Paragraph("Page " + page, fonts[3]));
+        row[1].setHorizontalAlignment(PdfPCell.ALIGN_RIGHT);
+        row[1].setBorder(Rectangle.NO_BORDER);
+        row[1].setVerticalAlignment(Element.ALIGN_BOTTOM);
+        row[1].setUseAscender(true);
+        
+        table.addCell(row[0]);
+        table.addCell(row[1]);
+        table.setExtendLastRow(true);
+    	return table;
+    }
+    
+    
+    /*
+     * Build the PDF footer
+     */
+    private PdfPTable buildPDFFooter(final Font[] fonts, final Integer page) {
+    	PdfPTable table = new PdfPTable(new float[] { 80, 20 });
+		table.setWidthPercentage(100);
+		table.setExtendLastRow(true);
+		
+		PdfPCell[] footer = new PdfPCell[2];
+		footer[0] = new PdfPCell(new Paragraph("Generated by: MEDINA Catalogue of Controls and Metrics", fonts[3]));
+		footer[0].setBorder(Rectangle.NO_BORDER);
+		footer[0].setVerticalAlignment(Element.ALIGN_BOTTOM);
+		footer[0].setUseAscender(true);
+		
+		footer[1] = new PdfPCell(new Paragraph("Page " + page, fonts[3]));
+		footer[1].setHorizontalAlignment(PdfPCell.ALIGN_RIGHT);
+		footer[1].setBorder(Rectangle.NO_BORDER);
+		footer[1].setVerticalAlignment(Element.ALIGN_BOTTOM);
+		footer[1].setUseAscender(true);
+		
+		table.addCell(footer[0]);
+		table.addCell(footer[1]);
+	    return table;
+    }
+    
+    
+    /*
+     * Build the radar chart
+     */
+    private Image buildSpiderChart(final PdfWriter writer, final String category, final List<QuestionnaireScore> score) throws IOException, BadElementException {
+    	// Define main variables
+    	final float[] size = { writer.getPageSize().getHeight(), writer.getPageSize().getWidth() };
+		PdfContentByte pdfContentByte = writer.getDirectContent();
+        PdfTemplate pdfTemplate = pdfContentByte.createTemplate(size[0] * .44f + 1, size[1] * .44f + 1);
+        
+        // Build the chart
+        final DefaultCategoryDataset dataset = buildSpiderChartDataSet(category, score);
+        SpiderWebPlotPatch patch = new SpiderWebPlotPatch();
+        SpiderWebPlot plot = patch.getPlot(dataset);
+        plot.setLabelFont(new java.awt.Font("Arial", java.awt.Font.BOLD, 7));
+        plot.setAxisLineStroke(new BasicStroke(1f));
+        JFreeChart radarChart = new JFreeChart(plot);
+        radarChart.removeLegend();
+        ((SpiderWebPlot) radarChart.getPlot()).setBackgroundPaint(new Color(197, 228, 229));
+        
+        // Draw the chart
+    	Graphics2D graphics2d = new PdfGraphics2D(pdfTemplate, size[0] * .44f + 1, size[1] * .44f + 1, new DefaultFontMapper());
+    	Rectangle2D rectangle2d = new Rectangle2D.Float(0, 0, size[0] * .44f, size[1] * .44f);
+    	radarChart.draw(graphics2d, rectangle2d);
+    	graphics2d.dispose();
+
+    	// Convert the chart to an image
+    	Image chartImage = Image.getInstance(pdfTemplate);
+        chartImage.setAbsolutePosition(110f, size[1] - 84.f);
+        return chartImage;
+    }
+    
+    
+    /*
+     * Built the radar chart dataset
+     */
+    private DefaultCategoryDataset buildSpiderChartDataSet(final String category, final List<QuestionnaireScore> score) {
+    	// Build categories = controls
+    	List<String> controlList = new ArrayList<String>();
+    	for (QuestionnaireScore obj : score) {
+    		if (category.equalsIgnoreCase(obj.getCategory())) {
+    			controlList.add(obj.getControl());
+    		}
+    	}
+    	
+    	// Build the dataset
+    	DefaultCategoryDataset dataset = new DefaultCategoryDataset();
+    	for (String control : controlList) {
+    		for (QuestionnaireScore obj : score) {
+    			if (control.equalsIgnoreCase(obj.getControl())) {
+    				obj.setScore(Math.round((obj.getScore() != null ? obj.getScore() : 0) * 100.0) / 100.0);
+    				dataset.addValue(obj.getScore(), "", control + " (" + obj.getScore() + "%)");
+    			}
+    		}
+    	}
+        return dataset;
+    }
+    
+    
+    /*
+     * Build the compliance map
+     */
+    private Map<String, Integer> buildComplianceMap() {
+    	Map<String, Integer> mapCompliance = new HashMap<String, Integer>();
+    	mapCompliance.put("YES", 1);
+    	mapCompliance.put("NO", 2);
+    	mapCompliance.put("PARTIAL", 3);
+    	mapCompliance.put("N/A", 4);
+    	return mapCompliance;
+    }
+    
+    
+    /*
+     * Buil the SATRA request
+     */
+    private SatraRequest buildSatraRequest(final List<Questionnaire> questionnaire) {
+    	/* Example:  Question_id: "996"  ;  Related: "PSS-04.1B" ;  Answer_value: 1 */    	
+    	final SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy");
+    	SatraRequest requestObj = new SatraRequest(questionnaire.get(0).getAssuranceLevelId(), 1, sdf.format(new Date()));
+
+    	// Check in "non-conformities" list if the question has its compliance resolved
+    	Map<String, Integer> mapCompliance = buildComplianceMap();
+    	final List<QuestionnaireNonConformityDTO> nonConformities = questionnaireNonConformityService.findByQuestionnaireName(questionnaire.get(0).getName());
+    	final List<TomDTO> toms = tomService.findAll();
+    	if (!CollectionUtil.isNullOrEmpty(nonConformities) && !CollectionUtil.isNullOrEmpty(toms)) {
+    		for (QuestionnaireNonConformityDTO nonConformity : nonConformities) {
+    			if (!StringUtil.isNullOrEmpty(nonConformity.getCompliance())) {
+    				SatraPartnerSurvey partnerSurvey = new SatraPartnerSurvey();
+    				partnerSurvey.setQuestion_id(nonConformity.getTomId().toString());
+    				partnerSurvey.setAnswer_value(mapCompliance.get(nonConformity.getCompliance()));
+    				for (TomDTO tom : toms) {
+    					if (nonConformity.getTomId().longValue() == tom.getId().longValue()) {
+    						partnerSurvey.setRelated(tom.getCode());
+    						break;
+    					}
+    				}
+    				requestObj.getPartner_survey().add(partnerSurvey);
+    			}
+    		}
+    	}
+    	return requestObj;
+    }
+    
+    
+    /*
+     * Build SATRA log
+     */
+    private List<String> buildSatraLog(final String id, final SatraRequest request) {
+    	List<String> result = new ArrayList<String>();
+    	result.add("************************************************************");
+    	result.add("Calling to SATRA... ");
+    	result.add("------------------------------------------------------------");
+    	result.add("      Cloud Service ID  ::  " + id);
+    	result.add("       Assurance level  ::  " + request.getAssurance_level());
+    	result.add("  Certification schema  ::  " + request.getCertification_schema());
+    	result.add("                  Data  ::  " + request.getData());
+    	result.add("                Survey  ::");
+    	result.add("                  [");
+    	short counter = 1;
+    	for (SatraPartnerSurvey survey : request.getPartner_survey()) {
+    		if (counter > 1) {
+    			result.add("                       ------------------");
+    		}
+    		result.add("                       Question id  ::  " + survey.getQuestion_id());
+    		result.add("                           Related  ::  " + survey.getRelated());
+    		result.add("                      Answer value  ::  " + survey.getAnswer_value());
+    		counter++;
+    	}
+    	result.add("                  ]");
+    	result.add("************************************************************");
+    	return result;
+    }
+    
+    
+    /*
+     * Build SATRA JSON log
+     */
+    private String buildSatraJSONLog(final String id, final SatraRequest request) {
+    	String result = new String("{\"assurance_level\": ");
+    	result += request.getAssurance_level() + ", ";
+    	result += "\"certification_schema\": " + request.getCertification_schema() + ", ";
+    	result += "\"data\": \"" +  request.getData() + "\", \"partner_survey\": [";
+    	short counter = 1;
+    	for (SatraPartnerSurvey survey : request.getPartner_survey()) {
+    		if (counter > 1) {
+    			result += ", ";
+    		}
+    		result += "{\"question_id\": \"" + survey.getQuestion_id() + "\", ";
+    		result += "\"related\": \"" + survey.getRelated() + "\", ";
+    		result += "\"answer_value\": " + survey.getAnswer_value() + "}";
+    		counter++;
+    	}
+    	result += "]}";
+    	return result;
+    }
 }
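Review bot: In `saveQuestionnaire` the request-supplied `questionnaireWrapper.getId()` is spliced into the outbound SATRA URL with `satraPracticeUrl.replace("{1}", ...)`, so an id containing `?`, `#` or `../` can change the target of the call that carries the `access-resp` token. Reject ids that do not match the expected format before use, and pass the value as a URI variable instead of a string replace, e.g. `postForEntity(satraPracticeUrl, entity, String.class, questionnaireWrapper.getId())` (this assumes `RestUtil.createRestTemplate()` returns a Spring `RestTemplate`, which the hunk does not show). The same block logs `satraLoginUrl` at INFO, and since authentication is a plain GET on that URL, any credentials embedded in it (not visible here) would end up in the logs. The `catch (Exception e)` records only `e.getMessage()` at INFO and the method still answers 200, so a failed SATRA submission is invisible to the caller and the stack trace is lost; `log.warn("SATRA submission failed", e);` would at least keep the cause. The id and survey values are also concatenated unescaped into the `buildSatraLog` and `buildSatraJSONLog` output, so CR/LF should be stripped from them before logging.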
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/ReferenceTomResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/ReferenceTomResource.java
index d7e116d4938db557c77683af6acc8f78afd5296a..1f85f500f438c2b07cdeced12e07fce34b5125dc 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/ReferenceTomResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/ReferenceTomResource.java
@@ -1,23 +1,43 @@
 package com.medina.coc.backend.web.rest;
 
-import com.medina.coc.backend.repository.ReferenceTomRepository;
-import com.medina.coc.backend.service.ReferenceTomQueryService;
-import com.medina.coc.backend.service.ReferenceTomService;
-import com.medina.coc.backend.service.criteria.ReferenceTomCriteria;
-import com.medina.coc.backend.service.dto.ReferenceTomDTO;
-import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
+import com.medina.coc.backend.repository.ReferenceTomRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.ReferenceTomQueryService;
+import com.medina.coc.backend.service.ReferenceTomService;
+import com.medina.coc.backend.service.SecurityControlService;
+import com.medina.coc.backend.service.TomService;
+import com.medina.coc.backend.service.criteria.ReferenceTomCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.ReferenceTomDTO;
+import com.medina.coc.backend.service.dto.SecurityControlDTO;
+import com.medina.coc.backend.service.dto.TomDTO;
+import com.medina.coc.backend.util.CollectionUtil;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -40,36 +60,27 @@ public class ReferenceTomResource {
     private final ReferenceTomRepository referenceTomRepository;
 
     private final ReferenceTomQueryService referenceTomQueryService;
+    
+    private final SecurityControlService securityControlService;
+    
+    private final TomService tomService;
+    
+    private final AuditLogService auditLogService;
 
     public ReferenceTomResource(
         ReferenceTomService referenceTomService,
         ReferenceTomRepository referenceTomRepository,
-        ReferenceTomQueryService referenceTomQueryService
+        ReferenceTomQueryService referenceTomQueryService,
+        SecurityControlService securityControlService,
+        TomService tomService,
+        AuditLogService auditLogService
     ) {
         this.referenceTomService = referenceTomService;
         this.referenceTomRepository = referenceTomRepository;
         this.referenceTomQueryService = referenceTomQueryService;
-    }
-
-    /**
-     * {@code POST  /reference-toms} : Create a new referenceTom.
-     *
-     * @param referenceTomDTO the referenceTomDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new referenceTomDTO, or with status {@code 400 (Bad Request)} if the referenceTom has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/reference-toms")
-    public ResponseEntity<ReferenceTomDTO> createReferenceTom(@Valid @RequestBody ReferenceTomDTO referenceTomDTO)
-        throws URISyntaxException {
-        log.debug("REST request to save ReferenceTom : {}", referenceTomDTO);
-        if (referenceTomDTO.getId() != null) {
-            throw new BadRequestAlertException("A new referenceTom cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        ReferenceTomDTO result = referenceTomService.save(referenceTomDTO);
-        return ResponseEntity
-            .created(new URI("/api/reference-toms/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.securityControlService = securityControlService;
+        this.tomService = tomService;
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -100,6 +111,16 @@ public class ReferenceTomResource {
         }
 
         ReferenceTomDTO result = referenceTomService.save(referenceTomDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.IMPLEMENTATION_GUIDELINES.getValue(),
+        		referenceTomDTO.getTom().getName(),
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(HeaderUtil.createEntityUpdateAlert(applicationName, false, ENTITY_NAME, referenceTomDTO.getId().toString()))
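Review bot: The audit record is written after `referenceTomService.save(...)` with two unguarded dereferences, `SecurityUtils.getCurrentUserLogin().get()` and `referenceTomDTO.getTom().getName()`, so a request with no resolvable login or no Tom would throw after the update has already been saved and leave the change without an audit entry (unless the enclosing method is transactional, which is not visible here; the method starts and ends outside the hunk). Resolve the actor before saving, e.g. `String actor = SecurityUtils.getCurrentUserLogin().orElseThrow(() -> new IllegalStateException("no authenticated user"));`, and take the name from `result` rather than from the request DTO. `new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")` formats in the server's default time zone with no offset, which makes audit entries hard to correlate across hosts; `Instant.now().toString()` gives an unambiguous UTC timestamp if the AuditLogDTO field accepts it. The same block is repeated in the update hunks of SecurityControlCategoryResource and SecurityControlFrameworkResource, and it would be better placed in one helper on AuditLogService.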
@@ -152,6 +173,26 @@ public class ReferenceTomResource {
     public ResponseEntity<List<ReferenceTomDTO>> getAllReferenceToms(ReferenceTomCriteria criteria) {
         log.debug("REST request to get ReferenceToms by criteria: {}", criteria);
         List<ReferenceTomDTO> entityList = referenceTomQueryService.findByCriteria(criteria);
+        if (!CollectionUtil.isNullOrEmpty(entityList)) {
+        	final List<SecurityControlDTO> securityControls = this.securityControlService.findAll();
+        	final List<TomDTO> toms = this.tomService.findAll();
+        	for (ReferenceTomDTO referenceTomDTO : entityList) {
+        		final String controlName = referenceTomDTO.getTom().getName().split("\\.")[0];
+        		for (SecurityControlDTO securityControlDTO : securityControls) {
+        			if (securityControlDTO.getName().equalsIgnoreCase(controlName)) {
+        				referenceTomDTO.getTom().setSecurityControl(securityControlDTO);
+        				break;
+        			}
+        		}
+        		for (TomDTO tom : toms) {
+        			if (referenceTomDTO.getTom().getName().equals(tom.getName())) {
+        				referenceTomDTO.getTom().setDescription(tom.getDescription());
+        				break;
+        			}
+        		}
+        	}
+        	
+        }
         return ResponseEntity.ok().body(entityList);
     }
 
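Review bot: `referenceTomDTO.getTom().getName().split("\\.")[0]` is dereferenced without a null check, so a single ReferenceTom whose Tom or Tom name is missing would turn the whole list request into a 500; whether that can happen depends on the schema, which is not visible here. A guard such as `if (referenceTomDTO.getTom() == null || referenceTomDTO.getTom().getName() == null) { continue; }` at the top of the loop keeps the rest of the list usable. The hunk also calls `securityControlService.findAll()` and `tomService.findAll()` on every request and scans both lists linearly per entry; building two maps keyed by name once before the loop would keep the cost proportional to the list sizes. The enrichment would be easier to test if it lived in the service layer rather than the REST resource.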
@@ -179,20 +220,4 @@ public class ReferenceTomResource {
         Optional<ReferenceTomDTO> referenceTomDTO = referenceTomService.findOne(id);
         return ResponseUtil.wrapOrNotFound(referenceTomDTO);
     }
-
-    /**
-     * {@code DELETE  /reference-toms/:id} : delete the "id" referenceTom.
-     *
-     * @param id the id of the referenceTomDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/reference-toms/{id}")
-    public ResponseEntity<Void> deleteReferenceTom(@PathVariable Long id) {
-        log.debug("REST request to delete ReferenceTom : {}", id);
-        referenceTomService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlCategoryResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlCategoryResource.java
index 75fb2a0f3111c68d4d68dbd6013b48f276698d76..92d7d8615aa7b35c62088706a29b710e08b4ad2b 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlCategoryResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlCategoryResource.java
@@ -1,23 +1,38 @@
 package com.medina.coc.backend.web.rest;
 
-import com.medina.coc.backend.repository.SecurityControlCategoryRepository;
-import com.medina.coc.backend.service.SecurityControlCategoryQueryService;
-import com.medina.coc.backend.service.SecurityControlCategoryService;
-import com.medina.coc.backend.service.criteria.SecurityControlCategoryCriteria;
-import com.medina.coc.backend.service.dto.SecurityControlCategoryDTO;
-import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
+import com.medina.coc.backend.repository.SecurityControlCategoryRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.SecurityControlCategoryQueryService;
+import com.medina.coc.backend.service.SecurityControlCategoryService;
+import com.medina.coc.backend.service.criteria.SecurityControlCategoryCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.SecurityControlCategoryDTO;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -40,37 +55,19 @@ public class SecurityControlCategoryResource {
     private final SecurityControlCategoryRepository securityControlCategoryRepository;
 
     private final SecurityControlCategoryQueryService securityControlCategoryQueryService;
+    
+    private final AuditLogService auditLogService;
 
     public SecurityControlCategoryResource(
         SecurityControlCategoryService securityControlCategoryService,
         SecurityControlCategoryRepository securityControlCategoryRepository,
-        SecurityControlCategoryQueryService securityControlCategoryQueryService
+        SecurityControlCategoryQueryService securityControlCategoryQueryService,
+        AuditLogService auditLogService
     ) {
         this.securityControlCategoryService = securityControlCategoryService;
         this.securityControlCategoryRepository = securityControlCategoryRepository;
         this.securityControlCategoryQueryService = securityControlCategoryQueryService;
-    }
-
-    /**
-     * {@code POST  /security-control-categories} : Create a new securityControlCategory.
-     *
-     * @param securityControlCategoryDTO the securityControlCategoryDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new securityControlCategoryDTO, or with status {@code 400 (Bad Request)} if the securityControlCategory has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/security-control-categories")
-    public ResponseEntity<SecurityControlCategoryDTO> createSecurityControlCategory(
-        @Valid @RequestBody SecurityControlCategoryDTO securityControlCategoryDTO
-    ) throws URISyntaxException {
-        log.debug("REST request to save SecurityControlCategory : {}", securityControlCategoryDTO);
-        if (securityControlCategoryDTO.getId() != null) {
-            throw new BadRequestAlertException("A new securityControlCategory cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        SecurityControlCategoryDTO result = securityControlCategoryService.save(securityControlCategoryDTO);
-        return ResponseEntity
-            .created(new URI("/api/security-control-categories/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -101,6 +98,16 @@ public class SecurityControlCategoryResource {
         }
 
         SecurityControlCategoryDTO result = securityControlCategoryService.save(securityControlCategoryDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.CATEGORIES.getValue(),
+        		securityControlCategoryDTO.getName(),
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(HeaderUtil.createEntityUpdateAlert(applicationName, false, ENTITY_NAME, securityControlCategoryDTO.getId().toString()))
@@ -180,20 +187,4 @@ public class SecurityControlCategoryResource {
         Optional<SecurityControlCategoryDTO> securityControlCategoryDTO = securityControlCategoryService.findOne(id);
         return ResponseUtil.wrapOrNotFound(securityControlCategoryDTO);
     }
-
-    /**
-     * {@code DELETE  /security-control-categories/:id} : delete the "id" securityControlCategory.
-     *
-     * @param id the id of the securityControlCategoryDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/security-control-categories/{id}")
-    public ResponseEntity<Void> deleteSecurityControlCategory(@PathVariable Long id) {
-        log.debug("REST request to delete SecurityControlCategory : {}", id);
-        securityControlCategoryService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlFrameworkResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlFrameworkResource.java
index 3aa48a5de1a3ee175cb8ad565c9d22deaee63ca7..fd738884c51863ffb2335e0d719baea36d7b7cf2 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlFrameworkResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlFrameworkResource.java
@@ -1,23 +1,59 @@
 package com.medina.coc.backend.web.rest;
 
-import com.medina.coc.backend.repository.SecurityControlFrameworkRepository;
-import com.medina.coc.backend.service.SecurityControlFrameworkQueryService;
-import com.medina.coc.backend.service.SecurityControlFrameworkService;
-import com.medina.coc.backend.service.criteria.SecurityControlFrameworkCriteria;
-import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
-import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.domain.RelTomSecurityMetric;
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
+import com.medina.coc.backend.repository.RelTomSecurityMetricRepository;
+import com.medina.coc.backend.repository.SecurityControlFrameworkRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.SecurityControlCategoryService;
+import com.medina.coc.backend.service.SecurityControlFrameworkQueryService;
+import com.medina.coc.backend.service.SecurityControlFrameworkService;
+import com.medina.coc.backend.service.SecurityControlService;
+import com.medina.coc.backend.service.SecurityMetricService;
+import com.medina.coc.backend.service.SimilarControlService;
+import com.medina.coc.backend.service.TomService;
+import com.medina.coc.backend.service.criteria.SecurityControlFrameworkCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.SecurityControlCategoryDTO;
+import com.medina.coc.backend.service.dto.SecurityControlDTO;
+import com.medina.coc.backend.service.dto.SecurityControlFrameworkDTO;
+import com.medina.coc.backend.service.dto.SecurityMetricDTO;
+import com.medina.coc.backend.service.dto.SimilarControlDTO;
+import com.medina.coc.backend.service.dto.TomDTO;
+import com.medina.coc.backend.service.dto.request.SecurityControlCategoryFullDTO;
+import com.medina.coc.backend.service.dto.request.SecurityControlFrameworkFullDTO;
+import com.medina.coc.backend.service.dto.request.SecurityControlFullDTO;
+import com.medina.coc.backend.service.dto.request.SecurityMetricFullDTO;
+import com.medina.coc.backend.service.dto.request.SimilarControlFullDTO;
+import com.medina.coc.backend.service.dto.request.TomFullDTO;
+import com.medina.coc.backend.util.CollectionUtil;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -40,37 +76,43 @@ public class SecurityControlFrameworkResource {
     private final SecurityControlFrameworkRepository securityControlFrameworkRepository;
 
     private final SecurityControlFrameworkQueryService securityControlFrameworkQueryService;
+    
+    private final SecurityControlCategoryService securityControlCategoryService;
+    
+    private final SecurityControlService securityControlService;
+    
+    private final SimilarControlService similarControlService;
+    
+    private final TomService tomService;
+    
+    private final SecurityMetricService securityMetricService;
+    
+    private final RelTomSecurityMetricRepository relTomSecurityMetricRepository;
+    
+    private final AuditLogService auditLogService;
 
     public SecurityControlFrameworkResource(
         SecurityControlFrameworkService securityControlFrameworkService,
         SecurityControlFrameworkRepository securityControlFrameworkRepository,
-        SecurityControlFrameworkQueryService securityControlFrameworkQueryService
+        SecurityControlFrameworkQueryService securityControlFrameworkQueryService,
+        SecurityControlCategoryService securityControlCategoryService,
+        SecurityControlService securityControlService,
+        SimilarControlService similarControlService,
+        TomService tomService,
+        SecurityMetricService securityMetricService,
+        RelTomSecurityMetricRepository relTomSecurityMetricRepository,
+        AuditLogService auditLogService
     ) {
         this.securityControlFrameworkService = securityControlFrameworkService;
         this.securityControlFrameworkRepository = securityControlFrameworkRepository;
         this.securityControlFrameworkQueryService = securityControlFrameworkQueryService;
-    }
-
-    /**
-     * {@code POST  /security-control-frameworks} : Create a new securityControlFramework.
-     *
-     * @param securityControlFrameworkDTO the securityControlFrameworkDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new securityControlFrameworkDTO, or with status {@code 400 (Bad Request)} if the securityControlFramework has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/security-control-frameworks")
-    public ResponseEntity<SecurityControlFrameworkDTO> createSecurityControlFramework(
-        @Valid @RequestBody SecurityControlFrameworkDTO securityControlFrameworkDTO
-    ) throws URISyntaxException {
-        log.debug("REST request to save SecurityControlFramework : {}", securityControlFrameworkDTO);
-        if (securityControlFrameworkDTO.getId() != null) {
-            throw new BadRequestAlertException("A new securityControlFramework cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        SecurityControlFrameworkDTO result = securityControlFrameworkService.save(securityControlFrameworkDTO);
-        return ResponseEntity
-            .created(new URI("/api/security-control-frameworks/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.securityControlCategoryService = securityControlCategoryService;
+        this.securityControlService = securityControlService;
+        this.similarControlService = similarControlService;
+        this.tomService = tomService;
+        this.securityMetricService = securityMetricService;
+        this.relTomSecurityMetricRepository = relTomSecurityMetricRepository;
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -101,6 +143,16 @@ public class SecurityControlFrameworkResource {
         }
 
         SecurityControlFrameworkDTO result = securityControlFrameworkService.save(securityControlFrameworkDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.FRAMEWORKS.getValue(),
+        		securityControlFrameworkDTO.getName(),
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(
@@ -182,22 +234,6 @@ public class SecurityControlFrameworkResource {
         Optional<SecurityControlFrameworkDTO> securityControlFrameworkDTO = securityControlFrameworkService.findOne(id);
         return ResponseUtil.wrapOrNotFound(securityControlFrameworkDTO);
     }
-
-    /**
-     * {@code DELETE  /security-control-frameworks/:id} : delete the "id" securityControlFramework.
-     *
-     * @param id the id of the securityControlFrameworkDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/security-control-frameworks/{id}")
-    public ResponseEntity<Void> deleteSecurityControlFramework(@PathVariable Long id) {
-        log.debug("REST request to delete SecurityControlFramework : {}", id);
-        securityControlFrameworkService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
-    }
     
     /**
      * {@code GET  /security-control-frameworks/checkHasRequirements/:name} : check securityControlFramework has requirements
@@ -212,4 +248,112 @@ public class SecurityControlFrameworkResource {
         Boolean hasRequirements = this.securityControlFrameworkService.frameworkHasRequirements(name);
         return hasRequirements;
     }
+    
+    
+    /**
+     * {@code GET  /security-control-frameworks-full} : get all the securityControlFrameworks (full mode).
+
+     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and the list of securityControlFrameworks in body.
+     */
+    @GetMapping("/security-control-frameworks-full")
+    public ResponseEntity<List<SecurityControlFrameworkFullDTO>> getAllSecurityControlFullFrameworks() {
+        log.debug("REST request to get SecurityControlFrameworks");
+        
+        // Obtain the list of Security Control Frameworks, Security Control Categories, Security Controls, Similar Controls, Requirements and Security Metrics
+        final List<SecurityControlFrameworkDTO> frameworkList = securityControlFrameworkService.findAll();
+        if (CollectionUtil.isNullOrEmpty(frameworkList)) {
+        	return ResponseEntity.ok().body(null);
+        }
+        List<SecurityControlCategoryDTO> categoryList = securityControlCategoryService.findAll();
+        categoryList = categoryList == null ? new ArrayList<SecurityControlCategoryDTO>() : categoryList;
+        List<SecurityControlDTO> controlList = securityControlService.findAll();
+        controlList = controlList == null ? new ArrayList<SecurityControlDTO>() : controlList;
+        List<SimilarControlDTO> similarControlList = similarControlService.findAll();
+        similarControlList = similarControlList == null ? new ArrayList<SimilarControlDTO>() : similarControlList;
+        List<TomDTO> tomList = tomService.findAll();
+        tomList = tomList == null ? new ArrayList<TomDTO>() : tomList;
+        List<SecurityMetricDTO> securityMetricList = securityMetricService.findAll();
+        securityMetricList = securityMetricList == null ? new ArrayList<SecurityMetricDTO>() : securityMetricList;
+        List<RelTomSecurityMetric> relTomSecurityMetricList = relTomSecurityMetricRepository.findAll();
+        relTomSecurityMetricList = relTomSecurityMetricList == null ? new ArrayList<RelTomSecurityMetric>() : relTomSecurityMetricList;
+        
+        // Build the result List and iterate the framework list
+        List<SecurityControlFrameworkFullDTO> result = new ArrayList<SecurityControlFrameworkFullDTO>();
+        for (SecurityControlFrameworkDTO frameworkDTO : frameworkList) {
+        	SecurityControlFrameworkFullDTO currentFrameworkDTO = new SecurityControlFrameworkFullDTO(frameworkDTO);
+        	
+        	// Iterate the category list, looking for the categories belonging to the current framework
+        	List<SecurityControlCategoryFullDTO> categoryDTOList = new ArrayList<SecurityControlCategoryFullDTO>();
+       		for (SecurityControlCategoryDTO categoryDTO : categoryList) {
+       			if (categoryDTO.getSecurityControlFramework().getId().longValue() == frameworkDTO.getId().longValue()) {
+       				SecurityControlCategoryFullDTO currentCategoryDTO = new SecurityControlCategoryFullDTO(categoryDTO);
+       				
+       				// Iterate the control list, looking for the controls belonging to the current category
+       				List<SecurityControlFullDTO> controlDTOList = new ArrayList<SecurityControlFullDTO>();
+   					for (SecurityControlDTO controlDTO : controlList) {
+   						if (controlDTO.getSecurityControlCategory().getId().longValue() == currentCategoryDTO.getSecurityControlCategoryId().longValue()) {
+   							SecurityControlFullDTO currentControlDTO = new SecurityControlFullDTO(controlDTO);
+   							
+   							// Iterate the Similar control list, looking for the Similar controls belonging to the current control
+   							List<SimilarControlFullDTO> similarControlDTOList = new ArrayList<SimilarControlFullDTO>();
+   		   					for (SimilarControlDTO similarControlDTO : similarControlList) {
+	   		   					if (similarControlDTO.getSecurityControl().getId().longValue() == currentControlDTO.getSecurityControlId().longValue()) {
+	   		   						// Add the current Similar control to the list
+	   		   						SimilarControlFullDTO currentSimilarControlDTO = new SimilarControlFullDTO(similarControlDTO);
+	   		   						similarControlDTOList.add(currentSimilarControlDTO);
+	   		   					}
+   		   					}
+   		   					
+   							// Iterate the Tom list, looking for the Toms belonging to the current control
+   							List<TomFullDTO> tomDTOList = new ArrayList<TomFullDTO>();
+   		   					for (TomDTO tomDTO : tomList) {
+	   		   					if (tomDTO.getSecurityControl().getId().longValue() == currentControlDTO.getSecurityControlId().longValue()) {
+	   		   						// Add the current TOM to the list
+	   		   						TomFullDTO currentTomDTO = new TomFullDTO(tomDTO);
+	   		   						tomDTOList.add(currentTomDTO);
+	   		   					}
+   		   					}
+   		   					
+   		   					// Add the current control to the list
+   		   					currentControlDTO.setSimilarControlList(similarControlDTOList);
+   		   					currentControlDTO.setTomList(tomDTOList);
+   							controlDTOList.add(currentControlDTO);
+   						}
+   					}
+   					
+	   				// Add the current category to the list
+   					currentCategoryDTO.setSecurityControlList(controlDTOList);
+   					categoryDTOList.add(currentCategoryDTO);
+       			}
+       		}
+       		
+       		// Iterate the metric list
+       		List<SecurityMetricFullDTO> securityMetricDTOList = new ArrayList<SecurityMetricFullDTO>();
+       		for (SecurityMetricDTO securityMetricDTO : securityMetricList) {
+       			SecurityMetricFullDTO currentSecurityMetricDTO = new SecurityMetricFullDTO(securityMetricDTO);
+       			
+       			// Iterate the relationship between Toms and Security metrics
+       			for (RelTomSecurityMetric relTomSecurityMetric : relTomSecurityMetricList) {
+       				if (relTomSecurityMetric.getSecurityMetricId().longValue() == currentSecurityMetricDTO.getSecurityMetricId().longValue()) {
+       					for (TomDTO tomDTO : tomList) {
+       						if (tomDTO.getId().longValue() == relTomSecurityMetric.getTomId().longValue()) {
+       							currentSecurityMetricDTO.setRelatedTom(new TomFullDTO(tomDTO));
+       							break;
+       						}
+       					}
+       				}
+       			}
+       			
+       			// Add the current metric to the list
+       			securityMetricDTOList.add(currentSecurityMetricDTO);
+       		}
+       		
+       		// Add the current framework to the result
+       		currentFrameworkDTO.setSecurityControlCategoryList(categoryDTOList);
+       		currentFrameworkDTO.setSecurityMetricList(securityMetricDTOList);
+       		result.add(currentFrameworkDTO);
+        }
+        
+        return ResponseEntity.ok().body(result);
+    }
 }
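Review bot: The nested loops dereference `categoryDTO.getSecurityControlFramework().getId()`, `controlDTO.getSecurityControlCategory().getId()`, `similarControlDTO.getSecurityControl().getId()` and `tomDTO.getSecurityControl().getId()` without null checks, so one row with a missing parent would fail the whole response; a guard like `if (categoryDTO.getSecurityControlFramework() == null) { continue; }` before each comparison avoids that. The empty case returns `ResponseEntity.ok().body(null)`, while the Javadoc promises a list; `return ResponseEntity.ok().body(new ArrayList<>());` keeps the contract. The security-metric list is rebuilt inside the framework loop without any framework filter, so every framework appears to receive the same full set of metrics; if that is intended, build it once before the loop. The endpoint loads six complete tables per request with no paging, and no authorization annotation is visible in the hunk, so it is worth confirming that access to this full export is restricted and that the data set stays small.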
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlResource.java
index 7b27a3b5d89b3038d0c92750306e8155e3efdb29..141cad4e4b45ca56e77b866824025f2db4094d53 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityControlResource.java
@@ -1,23 +1,38 @@
 package com.medina.coc.backend.web.rest;
 
-import com.medina.coc.backend.repository.SecurityControlRepository;
-import com.medina.coc.backend.service.SecurityControlQueryService;
-import com.medina.coc.backend.service.SecurityControlService;
-import com.medina.coc.backend.service.criteria.SecurityControlCriteria;
-import com.medina.coc.backend.service.dto.SecurityControlDTO;
-import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
+import com.medina.coc.backend.repository.SecurityControlRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.SecurityControlQueryService;
+import com.medina.coc.backend.service.SecurityControlService;
+import com.medina.coc.backend.service.criteria.SecurityControlCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.SecurityControlDTO;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -40,36 +55,19 @@ public class SecurityControlResource {
     private final SecurityControlRepository securityControlRepository;
 
     private final SecurityControlQueryService securityControlQueryService;
+    
+    private final AuditLogService auditLogService;
 
     public SecurityControlResource(
         SecurityControlService securityControlService,
         SecurityControlRepository securityControlRepository,
-        SecurityControlQueryService securityControlQueryService
+        SecurityControlQueryService securityControlQueryService,
+        AuditLogService auditLogService
     ) {
         this.securityControlService = securityControlService;
         this.securityControlRepository = securityControlRepository;
         this.securityControlQueryService = securityControlQueryService;
-    }
-
-    /**
-     * {@code POST  /security-controls} : Create a new securityControl.
-     *
-     * @param securityControlDTO the securityControlDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new securityControlDTO, or with status {@code 400 (Bad Request)} if the securityControl has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/security-controls")
-    public ResponseEntity<SecurityControlDTO> createSecurityControl(@Valid @RequestBody SecurityControlDTO securityControlDTO)
-        throws URISyntaxException {
-        log.debug("REST request to save SecurityControl : {}", securityControlDTO);
-        if (securityControlDTO.getId() != null) {
-            throw new BadRequestAlertException("A new securityControl cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        SecurityControlDTO result = securityControlService.save(securityControlDTO);
-        return ResponseEntity
-            .created(new URI("/api/security-controls/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -100,6 +98,16 @@ public class SecurityControlResource {
         }
 
         SecurityControlDTO result = securityControlService.save(securityControlDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.CONTROLS.getValue(),
+        		securityControlDTO.getName(),
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(HeaderUtil.createEntityUpdateAlert(applicationName, false, ENTITY_NAME, securityControlDTO.getId().toString()))
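Review bot: The audit entry is written after `securityControlService.save(...)` and calls `SecurityUtils.getCurrentUserLogin().get()`, so a request with no resolvable login throws `NoSuchElementException` once the update is already persisted, leaving a stored change with no audit record. Resolve the login before the save and fail there, e.g. `String login = SecurityUtils.getCurrentUserLogin().orElseThrow(() -> new IllegalStateException("no authenticated user"));`. The timestamp is formatted by `SimpleDateFormat` in the JVM default zone with no offset, which makes entries hard to correlate across hosts; `DateTimeFormatter.ISO_INSTANT.format(Instant.now())` would be unambiguous, provided `AuditLogDTO` accepts any string (its constructor is not visible here). The same block is repeated in the update hunks of SimilarControlResource and TomResource further down. The enclosing method starts and ends outside this hunk, so it cannot be seen whether the PATCH handler writes an audit entry as well.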
@@ -179,20 +187,4 @@ public class SecurityControlResource {
         Optional<SecurityControlDTO> securityControlDTO = securityControlService.findOne(id);
         return ResponseUtil.wrapOrNotFound(securityControlDTO);
     }
-
-    /**
-     * {@code DELETE  /security-controls/:id} : delete the "id" securityControl.
-     *
-     * @param id the id of the securityControlDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/security-controls/{id}")
-    public ResponseEntity<Void> deleteSecurityControl(@PathVariable Long id) {
-        log.debug("REST request to delete SecurityControl : {}", id);
-        securityControlService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
-    }
 }
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityMetricResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityMetricResource.java
index 56cbd4a2a7f257fe69bae94bec2201ae0d0cffe2..ac79f2bac14376b8819e6bb3af9914864d06dc0c 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityMetricResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SecurityMetricResource.java
@@ -2,6 +2,7 @@ package com.medina.coc.backend.web.rest;
 
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -35,6 +36,7 @@ import com.medina.coc.backend.service.dto.SecurityMetricDTO;
 import com.medina.coc.backend.util.CollectionUtil;
 import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
 
+import tech.jhipster.service.filter.LongFilter;
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -176,10 +178,15 @@ public class SecurityMetricResource {
     @GetMapping("/security-metrics")
     public ResponseEntity<List<SecurityMetricDTO>> getAllSecurityMetrics(SecurityMetricCriteria criteria) {
         log.debug("REST request to get SecurityMetrics by criteria: {}", criteria);
-        final List<SecurityMetricDTO> entityList = securityMetricQueryService.findByCriteria(criteria);
         
-        // Obtain the Toms
+        // Extract tomId filter: it will be applied manually
+        final LongFilter tomIdFilter = criteria != null && criteria.getTomId() != null ? criteria.getTomId() : null;
+        criteria.setTomId(null);
+        
+        // Obtain the list of Security Metrics
+        List<SecurityMetricDTO> entityList = securityMetricQueryService.findByCriteria(criteria);
         if (!CollectionUtil.isNullOrEmpty(entityList)) {
+        	// Obtain the Toms
         	List<RelTomSecurityMetric> relationList = relTomSecurityMetricRepository.findAll();
         	if (!CollectionUtil.isNullOrEmpty(relationList)) {
         		List<Tom> tomList = tomRepository.findAll();
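Review bot: `criteria.setTomId(null)` is called unconditionally on the line right after `criteria != null` is tested, so the null guard protects nothing: a null `criteria` would still throw on the setter. Either drop the guard (`final LongFilter tomIdFilter = criteria.getTomId();`) or guard both with `if (criteria != null) { criteria.setTomId(null); }`. Clearing the field also mutates the bound criteria object after it has been logged, so the comment should state that `tomId` is removed from the query and applied in memory further down. The method body continues outside this hunk.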
@@ -190,7 +197,7 @@ public class SecurityMetricResource {
         						for (Tom tom : tomList) {
         							if (tom.getId().longValue() == rel.getTomId().longValue()) {
         								metric.getToms().add(tom);
-        								break;
+        								//break;
         							}
         						}
         					}
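Review bot: `//break;` leaves commented-out code in the inner loop with no explanation. If Tom ids are unique in `tomList` (likely, since it comes from `tomRepository.findAll()`, but not shown here), the `break` was a valid early exit and disabling it only makes the loop scan the rest of the list. Restore it, or delete the line and add a comment such as `// no break: several Toms may match one relation` if that is the intent. The loops start and end outside this hunk.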
@@ -198,6 +205,22 @@ public class SecurityMetricResource {
             		}
         		}
         	}
+        	
+        	// Apply the tomId filter
+        	if (tomIdFilter != null) {
+	            List<SecurityMetricDTO> securityMetricList = new ArrayList<SecurityMetricDTO>();
+	            for (SecurityMetricDTO metric : entityList) {
+	            	if (!CollectionUtil.isNullOrEmpty(metric.getToms())) {
+	            		for (Tom tom : metric.getToms()) {
+	            			// Filter: EQUALS
+	            			if (tomIdFilter.getEquals() != null && tomIdFilter.getEquals().longValue() == tom.getId().longValue()) {
+	            				securityMetricList.add(metric);
+	            			}
+	            		}
+	            	}
+	            }
+	            entityList = securityMetricList;
+        	}
         }
         
         return ResponseEntity.ok().body(entityList);
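Review bot: The manual filter honours only `tomIdFilter.getEquals()`, so a request that sets any other `LongFilter` operator on `tomId` enters the `if (tomIdFilter != null)` branch, matches nothing and gets an empty list. Narrow the branch to `if (tomIdFilter != null && tomIdFilter.getEquals() != null) {` or reject unsupported operators explicitly. The inner loop also keeps iterating after `securityMetricList.add(metric);`, so a metric whose `getToms()` holds the same Tom twice is returned twice; add `break;` after the add. The method starts outside this hunk.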
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SimilarControlResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SimilarControlResource.java
index 7c1ce965d95783d0ec02fc21ab35a31ea9075d32..ad25d5763d6ef2d0995c9266abc357fd495400f6 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SimilarControlResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/SimilarControlResource.java
@@ -1,23 +1,41 @@
 package com.medina.coc.backend.web.rest;
 
-import com.medina.coc.backend.repository.SimilarControlRepository;
-import com.medina.coc.backend.service.SimilarControlQueryService;
-import com.medina.coc.backend.service.SimilarControlService;
-import com.medina.coc.backend.service.criteria.SimilarControlCriteria;
-import com.medina.coc.backend.service.dto.SimilarControlDTO;
-import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
+import com.medina.coc.backend.repository.SimilarControlRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.SecurityControlService;
+import com.medina.coc.backend.service.SimilarControlQueryService;
+import com.medina.coc.backend.service.SimilarControlService;
+import com.medina.coc.backend.service.criteria.SimilarControlCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.SecurityControlDTO;
+import com.medina.coc.backend.service.dto.SimilarControlDTO;
+import com.medina.coc.backend.util.CollectionUtil;
+import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
+
 import tech.jhipster.web.util.HeaderUtil;
 import tech.jhipster.web.util.ResponseUtil;
 
@@ -40,36 +58,23 @@ public class SimilarControlResource {
     private final SimilarControlRepository similarControlRepository;
 
     private final SimilarControlQueryService similarControlQueryService;
+    
+    private final SecurityControlService securityControlService;
+    
+    private final AuditLogService auditLogService;
 
     public SimilarControlResource(
         SimilarControlService similarControlService,
         SimilarControlRepository similarControlRepository,
-        SimilarControlQueryService similarControlQueryService
+        SimilarControlQueryService similarControlQueryService,
+        SecurityControlService securityControlService,
+        AuditLogService auditLogService
     ) {
         this.similarControlService = similarControlService;
         this.similarControlRepository = similarControlRepository;
         this.similarControlQueryService = similarControlQueryService;
-    }
-
-    /**
-     * {@code POST  /similar-controls} : Create a new similarControl.
-     *
-     * @param similarControlDTO the similarControlDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new similarControlDTO, or with status {@code 400 (Bad Request)} if the similarControl has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/similar-controls")
-    public ResponseEntity<SimilarControlDTO> createSimilarControl(@Valid @RequestBody SimilarControlDTO similarControlDTO)
-        throws URISyntaxException {
-        log.debug("REST request to save SimilarControl : {}", similarControlDTO);
-        if (similarControlDTO.getId() != null) {
-            throw new BadRequestAlertException("A new similarControl cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        SimilarControlDTO result = similarControlService.save(similarControlDTO);
-        return ResponseEntity
-            .created(new URI("/api/similar-controls/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.securityControlService = securityControlService;
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -100,6 +105,17 @@ public class SimilarControlResource {
         }
 
         SimilarControlDTO result = similarControlService.save(similarControlDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.SIMILAR_CONTROLS.getValue(),
+        		similarControlDTO.getSecurityControl().getCode() + " (EUCS)  /  " +
+        				similarControlDTO.getCode() + " (" + similarControlDTO.getSecurityControlFrameworkName() + ")",
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(HeaderUtil.createEntityUpdateAlert(applicationName, false, ENTITY_NAME, similarControlDTO.getId().toString()))
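Review bot: The audit text is assembled from the request body (`similarControlDTO.getSecurityControl().getCode()`, `getCode()`, `getSecurityControlFrameworkName()`) rather than from `result`, so the entry records what the client sent, not necessarily what was stored. If only the control id is persisted for the nested object (the mapper is not visible), the logged code can differ from the real one. `similarControlDTO.getSecurityControl()` is also dereferenced without a null check, although `getSimilarControl` in this file treats it as nullable, and a null here fails after the save has already happened. Build the entry from `result`, resolve the control by id, and guard with `if (result.getSecurityControl() != null)`. The enclosing method starts and ends outside this hunk.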
@@ -152,6 +168,19 @@ public class SimilarControlResource {
     public ResponseEntity<List<SimilarControlDTO>> getAllSimilarControls(SimilarControlCriteria criteria) {
         log.debug("REST request to get SimilarControls by criteria: {}", criteria);
         List<SimilarControlDTO> entityList = similarControlQueryService.findByCriteria(criteria);
+        if (!CollectionUtil.isNullOrEmpty(entityList)) {
+        	final List<SecurityControlDTO> controlList = securityControlService.findAll();
+        	if (!CollectionUtil.isNullOrEmpty(controlList)) {
+        		for (SimilarControlDTO similarControlDTO : entityList) {
+        			for (SecurityControlDTO securityControlDTO : controlList) {
+        				if (similarControlDTO.getSecurityControl().getId().longValue() == securityControlDTO.getId().longValue()) {
+        					similarControlDTO.setSecurityControl(securityControlDTO);
+        					break;
+        				}
+        			}
+        		}
+        	}
+        }        
         return ResponseEntity.ok().body(entityList);
     }
 
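Review bot: `similarControlDTO.getSecurityControl().getId()` is dereferenced for every row without a null check, so a single SimilarControl without a linked control makes the whole list request fail; `getSimilarControl` in this file does test `getSecurityControl() != null`. Skip such rows with `if (similarControlDTO.getSecurityControl() == null) continue;` at the top of the outer loop. The nested loops compare every row against every control returned by `securityControlService.findAll()`; indexing the controls by id in a `Map<Long, SecurityControlDTO>` first would make the lookup linear, though that needs a `java.util.Map` import this file does not show.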
@@ -176,23 +205,10 @@ public class SimilarControlResource {
     @GetMapping("/similar-controls/{id}")
     public ResponseEntity<SimilarControlDTO> getSimilarControl(@PathVariable Long id) {
         log.debug("REST request to get SimilarControl : {}", id);
-        Optional<SimilarControlDTO> similarControlDTO = similarControlService.findOne(id);
-        return ResponseUtil.wrapOrNotFound(similarControlDTO);
-    }
-
-    /**
-     * {@code DELETE  /similar-controls/:id} : delete the "id" similarControl.
-     *
-     * @param id the id of the similarControlDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/similar-controls/{id}")
-    public ResponseEntity<Void> deleteSimilarControl(@PathVariable Long id) {
-        log.debug("REST request to delete SimilarControl : {}", id);
-        similarControlService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
+        SimilarControlDTO similarControlDTO = similarControlService.findOne(id).get();
+        if (similarControlDTO != null && similarControlDTO.getSecurityControl() != null) {
+        	similarControlDTO.setSecurityControl(securityControlService.findOne(similarControlDTO.getSecurityControl().getId()).get());
+        }
+        return ResponseEntity.ok().body(similarControlDTO);
     }
 }
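Review bot: `similarControlService.findOne(id).get()` throws `NoSuchElementException` for an unknown id, so the endpoint no longer answers 404 as the removed `ResponseUtil.wrapOrNotFound(similarControlDTO)` did, and the following `similarControlDTO != null` test can never be false. The second lookup, `securityControlService.findOne(...).get()`, has the same problem when the referenced control is missing. Keeping the `Optional` and enriching it in place preserves the 404 path; `Optional` and `ResponseUtil` are still imported in this file.

```java
public ResponseEntity<SimilarControlDTO> getSimilarControl(@PathVariable Long id) {
    // … unchanged: debug log …
    Optional<SimilarControlDTO> similarControlDTO = similarControlService.findOne(id);
    similarControlDTO
        .filter(dto -> dto.getSecurityControl() != null)
        .ifPresent(dto ->
            securityControlService
                .findOne(dto.getSecurityControl().getId())
                .ifPresent(dto::setSecurityControl)
        );
    return ResponseUtil.wrapOrNotFound(similarControlDTO);
}
```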
diff --git a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/TomResource.java b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/TomResource.java
index 8992433388882ddd18666ffad3f39dce5b1672fc..5be52470f89586a9dd722c3cf3c1a10f6a9cdc5a 100755
--- a/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/TomResource.java
+++ b/git/cocBackend/src/main/java/com/medina/coc/backend/web/rest/TomResource.java
@@ -1,7 +1,8 @@
 package com.medina.coc.backend.web.rest;
 
-import java.net.URI;
 import java.net.URISyntaxException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
@@ -13,11 +14,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PatchMapping;
 import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -25,12 +24,18 @@ import org.springframework.web.bind.annotation.RestController;
 
 import com.medina.coc.backend.domain.RelTomSecurityMetric;
 import com.medina.coc.backend.domain.SecurityMetric;
+import com.medina.coc.backend.domain.enumeration.AuditLogs;
 import com.medina.coc.backend.repository.RelTomSecurityMetricRepository;
 import com.medina.coc.backend.repository.SecurityMetricRepository;
 import com.medina.coc.backend.repository.TomRepository;
+import com.medina.coc.backend.security.SecurityUtils;
+import com.medina.coc.backend.service.AuditLogService;
+import com.medina.coc.backend.service.ReferenceTomService;
 import com.medina.coc.backend.service.TomQueryService;
 import com.medina.coc.backend.service.TomService;
 import com.medina.coc.backend.service.criteria.TomCriteria;
+import com.medina.coc.backend.service.dto.AuditLogDTO;
+import com.medina.coc.backend.service.dto.ReferenceTomDTO;
 import com.medina.coc.backend.service.dto.TomDTO;
 import com.medina.coc.backend.util.CollectionUtil;
 import com.medina.coc.backend.web.rest.errors.BadRequestAlertException;
@@ -61,34 +66,21 @@ public class TomResource {
     private final SecurityMetricRepository securityMetricRepository;
     
     private final RelTomSecurityMetricRepository relTomSecurityMetricRepository;
+    
+    private final ReferenceTomService referenceTomService;
+    
+    private final AuditLogService auditLogService;
 
     public TomResource(TomService tomService, TomRepository tomRepository, TomQueryService tomQueryService,
-    		SecurityMetricRepository securityMetricRepository, RelTomSecurityMetricRepository relTomSecurityMetricRepository) {
+    		SecurityMetricRepository securityMetricRepository, RelTomSecurityMetricRepository relTomSecurityMetricRepository,
+    		ReferenceTomService referenceTomService, AuditLogService auditLogService) {
         this.tomService = tomService;
         this.tomRepository = tomRepository;
         this.tomQueryService = tomQueryService;
         this.securityMetricRepository = securityMetricRepository;
         this.relTomSecurityMetricRepository = relTomSecurityMetricRepository;
-    }
-
-    /**
-     * {@code POST  /toms} : Create a new tom.
-     *
-     * @param tomDTO the tomDTO to create.
-     * @return the {@link ResponseEntity} with status {@code 201 (Created)} and with body the new tomDTO, or with status {@code 400 (Bad Request)} if the tom has already an ID.
-     * @throws URISyntaxException if the Location URI syntax is incorrect.
-     */
-    @PostMapping("/toms")
-    public ResponseEntity<TomDTO> createTom(@Valid @RequestBody TomDTO tomDTO) throws URISyntaxException {
-        log.debug("REST request to save Tom : {}", tomDTO);
-        if (tomDTO.getId() != null) {
-            throw new BadRequestAlertException("A new tom cannot already have an ID", ENTITY_NAME, "idexists");
-        }
-        TomDTO result = tomService.save(tomDTO);
-        return ResponseEntity
-            .created(new URI("/api/toms/" + result.getId()))
-            .headers(HeaderUtil.createEntityCreationAlert(applicationName, false, ENTITY_NAME, result.getId().toString()))
-            .body(result);
+        this.referenceTomService = referenceTomService;
+        this.auditLogService = auditLogService;
     }
 
     /**
@@ -117,6 +109,16 @@ public class TomResource {
         }
 
         TomDTO result = tomService.save(tomDTO);
+        
+        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+        auditLogService.save(new AuditLogDTO(
+        		sdf.format(new Date()),
+        		SecurityUtils.getCurrentUserLogin().get(),
+        		AuditLogs.REQUIREMENTS.getValue(),
+        		tomDTO.getName(),
+        		"UPDATE"
+        ));
+        
         return ResponseEntity
             .ok()
             .headers(HeaderUtil.createEntityUpdateAlert(applicationName, false, ENTITY_NAME, tomDTO.getId().toString()))
@@ -170,8 +172,8 @@ public class TomResource {
         log.debug("REST request to get Toms by criteria: {}", criteria);
         final List<TomDTO> entityList = tomQueryService.findByCriteria(criteria);
         
-        // Obtain the security metrics
         if (!CollectionUtil.isNullOrEmpty(entityList)) {
+        	// Obtain the security metrics
         	List<RelTomSecurityMetric> relationList = relTomSecurityMetricRepository.findAll();
         	if (!CollectionUtil.isNullOrEmpty(relationList)) {
         		List<SecurityMetric> securityMetricList = securityMetricRepository.findAll();
@@ -190,6 +192,19 @@ public class TomResource {
             		}
         		}
         	}
+        	
+        	// Obtain the Reference TOMs
+        	List<ReferenceTomDTO> refToms = referenceTomService.findAll();
+        	if (!CollectionUtil.isNullOrEmpty(refToms)) {
+        		for (ReferenceTomDTO refTom : refToms) {
+        			for (TomDTO tom : entityList) {
+        				if (refTom.getTom().getId().longValue() == tom.getId().longValue()) {
+        					tom.setGuidance(String.valueOf(refTom.getId()));
+        					break;
+        				}
+        			}
+        		}
+        	}
         }
         
         return ResponseEntity.ok().body(entityList);
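Review bot: `tom.setGuidance(String.valueOf(refTom.getId()))` overwrites the TOM's `guidance` value with the numeric id of a reference TOM, and nothing in the hunk says why; clients reading `guidance` from the list response presumably expected text there. If this is deliberate, document it at the call, e.g. `// guidance carries the ReferenceTom id for the UI; the stored guidance text is not returned`, or expose the id through a dedicated DTO field. `refTom.getTom().getId()` is also dereferenced without a null check, so one reference TOM without a linked TOM fails the whole request. The single-TOM hunk further down (`tomDTO.get().setGuidance(...)`) repeats both points, and the method starts outside this hunk.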
@@ -218,8 +233,8 @@ public class TomResource {
         log.debug("REST request to get Tom : {}", id);
         Optional<TomDTO> tomDTO = tomService.findOne(id);
         
-        // Obtain the security metrics
         if (tomDTO != null && tomDTO.get() != null) {
+        	// Obtain the security metrics
         	List<RelTomSecurityMetric> relationList = relTomSecurityMetricRepository.findAll();
         	if (!CollectionUtil.isNullOrEmpty(relationList)) {
         		List<SecurityMetric> securityMetricList = securityMetricRepository.findAll();
@@ -236,26 +251,21 @@ public class TomResource {
         			}
         		}
         	}
+        	
+        	// Obtain the Reference TOMs
+        	List<ReferenceTomDTO> refToms = referenceTomService.findAll();
+        	if (!CollectionUtil.isNullOrEmpty(refToms)) {
+        		for (ReferenceTomDTO refTom : refToms) {
+        			if (refTom.getTom().getId().longValue() == tomDTO.get().getId().longValue()) {
+        				tomDTO.get().setGuidance(String.valueOf(refTom.getId()));
+        				break;
+        			}
+        		}
+        	}
         }
         
         return ResponseUtil.wrapOrNotFound(tomDTO);
     }
-
-    /**
-     * {@code DELETE  /toms/:id} : delete the "id" tom.
-     *
-     * @param id the id of the tomDTO to delete.
-     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
-     */
-    @DeleteMapping("/toms/{id}")
-    public ResponseEntity<Void> deleteTom(@PathVariable Long id) {
-        log.debug("REST request to delete Tom : {}", id);
-        tomService.delete(id);
-        return ResponseEntity
-            .noContent()
-            .headers(HeaderUtil.createEntityDeletionAlert(applicationName, false, ENTITY_NAME, id.toString()))
-            .build();
-    }
     
     /**
      * {@code GET  /toms} : get all the toms by framework name and assuranceLevel.
diff --git a/git/cocBackend/src/main/resources/config/application.yml b/git/cocBackend/src/main/resources/config/application.yml
index 45650526df0ff68a743275460b5a1193d85f1d38..b82f3f94260979d5f78f2cdff57dad462773ece9 100755
--- a/git/cocBackend/src/main/resources/config/application.yml
+++ b/git/cocBackend/src/main/resources/config/application.yml
@@ -230,4 +230,15 @@ jhipster:
 # https://www.jhipster.tech/common-application-properties/
 # ===================================================================
 
-# application:
+application:
+  # hardcoded urls (adapt them for DEV or TEST)
+  # satra-login-url: https://risk-assessment-app-dev.k8s.medina.esilab.org/api/v1/registration/access_resp/admin/medinaPassword
+  # satra-practice-url: https://risk-assessment-app-dev.k8s.medina.esilab.org/api/v1/practice/map/{1}
+  # orchestrator-url: https://orchestrator-dev.k8s.medina.esilab.org/v1/orchestrator/cloud_services/{1}
+
+  # urls using ENV variables (set them in K8S or locally for test)
+  satra-login-url: ${SATRA_LOGIN_URL}
+  satra-practice-url: ${SATRA_PRACTICE_URL}
+  orchestrator-url: ${ORCHESTRATOR_URL}
+
+
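Review bot: The commented-out `satra-login-url` example embeds what looks like an account name and password as its last two path segments, and committing it puts that value into repository history even though the line is inactive. Remove the three commented URLs or replace them with placeholders such as `https://<satra-host>/...`, and if the value was ever valid, treat it as exposed and rotate it. Because the login URL apparently carries the credential in its path, `SATRA_LOGIN_URL` should be supplied from a secret store rather than a plain ConfigMap, and the code consuming it should avoid logging the full URL. The `${...}` placeholders have no default, so startup will presumably fail when a variable is unset; say so in the comment, or add explicit defaults for local runs, e.g. `orchestrator-url: ${ORCHESTRATOR_URL:}`.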
diff --git a/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/SecurityControlResourceIT.java b/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/SecurityControlResourceIT.java
index 527778c555c2e373022ed520de8f1e533f8b1d44..1dd0bc5421a03d218d3ecda3a325d622bc7677d9 100755
--- a/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/SecurityControlResourceIT.java
+++ b/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/SecurityControlResourceIT.java
@@ -101,9 +101,7 @@ class SecurityControlResourceIT {
             .code(DEFAULT_CODE)
             .name(DEFAULT_NAME)
             .objective(DEFAULT_OBJECTIVE)
-            .description(DEFAULT_DESCRIPTION)
-            .guidance(DEFAULT_GUIDANCE)
-            .riskReductionWeight(DEFAULT_RISK_REDUCTION_WEIGHT);
+            .description(DEFAULT_DESCRIPTION);
         // Add required entity
         SecurityControlCategory securityControlCategory;
         if (TestUtil.findAll(em, SecurityControlCategory.class).isEmpty()) {
@@ -128,9 +126,7 @@ class SecurityControlResourceIT {
             .code(UPDATED_CODE)
             .name(UPDATED_NAME)
             .objective(UPDATED_OBJECTIVE)
-            .description(UPDATED_DESCRIPTION)
-            .guidance(UPDATED_GUIDANCE)
-            .riskReductionWeight(UPDATED_RISK_REDUCTION_WEIGHT);
+            .description(UPDATED_DESCRIPTION);
         // Add required entity
         SecurityControlCategory securityControlCategory;
         if (TestUtil.findAll(em, SecurityControlCategory.class).isEmpty()) {
@@ -172,8 +168,6 @@ class SecurityControlResourceIT {
         assertThat(testSecurityControl.getName()).isEqualTo(DEFAULT_NAME);
         assertThat(testSecurityControl.getObjective()).isEqualTo(DEFAULT_OBJECTIVE);
         assertThat(testSecurityControl.getDescription()).isEqualTo(DEFAULT_DESCRIPTION);
-        assertThat(testSecurityControl.getGuidance()).isEqualTo(DEFAULT_GUIDANCE);
-        assertThat(testSecurityControl.getRiskReductionWeight()).isEqualTo(DEFAULT_RISK_REDUCTION_WEIGHT);
     }
 
     @Test
@@ -292,52 +286,6 @@ class SecurityControlResourceIT {
         assertThat(securityControlList).hasSize(databaseSizeBeforeTest);
     }
 
-    @Test
-    @Transactional
-    void checkGuidanceIsRequired() throws Exception {
-        int databaseSizeBeforeTest = securityControlRepository.findAll().size();
-        // set the field null
-        securityControl.setGuidance(null);
-
-        // Create the SecurityControl, which fails.
-        SecurityControlDTO securityControlDTO = securityControlMapper.toDto(securityControl);
-
-        restSecurityControlMockMvc
-            .perform(
-                post(ENTITY_API_URL)
-                    .with(csrf())
-                    .contentType(MediaType.APPLICATION_JSON)
-                    .content(TestUtil.convertObjectToJsonBytes(securityControlDTO))
-            )
-            .andExpect(status().isBadRequest());
-
-        List<SecurityControl> securityControlList = securityControlRepository.findAll();
-        assertThat(securityControlList).hasSize(databaseSizeBeforeTest);
-    }
-
-    @Test
-    @Transactional
-    void checkRiskReductionWeightIsRequired() throws Exception {
-        int databaseSizeBeforeTest = securityControlRepository.findAll().size();
-        // set the field null
-        securityControl.setRiskReductionWeight(null);
-
-        // Create the SecurityControl, which fails.
-        SecurityControlDTO securityControlDTO = securityControlMapper.toDto(securityControl);
-
-        restSecurityControlMockMvc
-            .perform(
-                post(ENTITY_API_URL)
-                    .with(csrf())
-                    .contentType(MediaType.APPLICATION_JSON)
-                    .content(TestUtil.convertObjectToJsonBytes(securityControlDTO))
-            )
-            .andExpect(status().isBadRequest());
-
-        List<SecurityControl> securityControlList = securityControlRepository.findAll();
-        assertThat(securityControlList).hasSize(databaseSizeBeforeTest);
-    }
-
     @Test
     @Transactional
     void getAllSecurityControls() throws Exception {
@@ -353,9 +301,7 @@ class SecurityControlResourceIT {
             .andExpect(jsonPath("$.[*].code").value(hasItem(DEFAULT_CODE)))
             .andExpect(jsonPath("$.[*].name").value(hasItem(DEFAULT_NAME)))
             .andExpect(jsonPath("$.[*].objective").value(hasItem(DEFAULT_OBJECTIVE)))
-            .andExpect(jsonPath("$.[*].description").value(hasItem(DEFAULT_DESCRIPTION)))
-            .andExpect(jsonPath("$.[*].guidance").value(hasItem(DEFAULT_GUIDANCE)))
-            .andExpect(jsonPath("$.[*].riskReductionWeight").value(hasItem(DEFAULT_RISK_REDUCTION_WEIGHT.doubleValue())));
+            .andExpect(jsonPath("$.[*].description").value(hasItem(DEFAULT_DESCRIPTION)));
     }
 
     @SuppressWarnings({ "unchecked" })
@@ -391,9 +337,7 @@ class SecurityControlResourceIT {
             .andExpect(jsonPath("$.code").value(DEFAULT_CODE))
             .andExpect(jsonPath("$.name").value(DEFAULT_NAME))
             .andExpect(jsonPath("$.objective").value(DEFAULT_OBJECTIVE))
-            .andExpect(jsonPath("$.description").value(DEFAULT_DESCRIPTION))
-            .andExpect(jsonPath("$.guidance").value(DEFAULT_GUIDANCE))
-            .andExpect(jsonPath("$.riskReductionWeight").value(DEFAULT_RISK_REDUCTION_WEIGHT.doubleValue()));
+            .andExpect(jsonPath("$.description").value(DEFAULT_DESCRIPTION));
     }
 
     @Test
@@ -726,190 +670,6 @@ class SecurityControlResourceIT {
         defaultSecurityControlShouldBeFound("description.doesNotContain=" + UPDATED_DESCRIPTION);
     }
 
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceIsEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance equals to DEFAULT_GUIDANCE
-        defaultSecurityControlShouldBeFound("guidance.equals=" + DEFAULT_GUIDANCE);
-
-        // Get all the securityControlList where guidance equals to UPDATED_GUIDANCE
-        defaultSecurityControlShouldNotBeFound("guidance.equals=" + UPDATED_GUIDANCE);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceIsNotEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance not equals to DEFAULT_GUIDANCE
-        defaultSecurityControlShouldNotBeFound("guidance.notEquals=" + DEFAULT_GUIDANCE);
-
-        // Get all the securityControlList where guidance not equals to UPDATED_GUIDANCE
-        defaultSecurityControlShouldBeFound("guidance.notEquals=" + UPDATED_GUIDANCE);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceIsInShouldWork() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance in DEFAULT_GUIDANCE or UPDATED_GUIDANCE
-        defaultSecurityControlShouldBeFound("guidance.in=" + DEFAULT_GUIDANCE + "," + UPDATED_GUIDANCE);
-
-        // Get all the securityControlList where guidance equals to UPDATED_GUIDANCE
-        defaultSecurityControlShouldNotBeFound("guidance.in=" + UPDATED_GUIDANCE);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceIsNullOrNotNull() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance is not null
-        defaultSecurityControlShouldBeFound("guidance.specified=true");
-
-        // Get all the securityControlList where guidance is null
-        defaultSecurityControlShouldNotBeFound("guidance.specified=false");
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceContainsSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance contains DEFAULT_GUIDANCE
-        defaultSecurityControlShouldBeFound("guidance.contains=" + DEFAULT_GUIDANCE);
-
-        // Get all the securityControlList where guidance contains UPDATED_GUIDANCE
-        defaultSecurityControlShouldNotBeFound("guidance.contains=" + UPDATED_GUIDANCE);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByGuidanceNotContainsSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where guidance does not contain DEFAULT_GUIDANCE
-        defaultSecurityControlShouldNotBeFound("guidance.doesNotContain=" + DEFAULT_GUIDANCE);
-
-        // Get all the securityControlList where guidance does not contain UPDATED_GUIDANCE
-        defaultSecurityControlShouldBeFound("guidance.doesNotContain=" + UPDATED_GUIDANCE);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight equals to DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.equals=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight equals to UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.equals=" + UPDATED_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsNotEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight not equals to DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.notEquals=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight not equals to UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.notEquals=" + UPDATED_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsInShouldWork() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight in DEFAULT_RISK_REDUCTION_WEIGHT or UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound(
-            "riskReductionWeight.in=" + DEFAULT_RISK_REDUCTION_WEIGHT + "," + UPDATED_RISK_REDUCTION_WEIGHT
-        );
-
-        // Get all the securityControlList where riskReductionWeight equals to UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.in=" + UPDATED_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsNullOrNotNull() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight is not null
-        defaultSecurityControlShouldBeFound("riskReductionWeight.specified=true");
-
-        // Get all the securityControlList where riskReductionWeight is null
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.specified=false");
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsGreaterThanOrEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight is greater than or equal to DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.greaterThanOrEqual=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight is greater than or equal to UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.greaterThanOrEqual=" + UPDATED_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsLessThanOrEqualToSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight is less than or equal to DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.lessThanOrEqual=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight is less than or equal to SMALLER_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.lessThanOrEqual=" + SMALLER_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsLessThanSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight is less than DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.lessThan=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight is less than UPDATED_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.lessThan=" + UPDATED_RISK_REDUCTION_WEIGHT);
-    }
-
-    @Test
-    @Transactional
-    void getAllSecurityControlsByRiskReductionWeightIsGreaterThanSomething() throws Exception {
-        // Initialize the database
-        securityControlRepository.saveAndFlush(securityControl);
-
-        // Get all the securityControlList where riskReductionWeight is greater than DEFAULT_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldNotBeFound("riskReductionWeight.greaterThan=" + DEFAULT_RISK_REDUCTION_WEIGHT);
-
-        // Get all the securityControlList where riskReductionWeight is greater than SMALLER_RISK_REDUCTION_WEIGHT
-        defaultSecurityControlShouldBeFound("riskReductionWeight.greaterThan=" + SMALLER_RISK_REDUCTION_WEIGHT);
-    }
-
     @Test
     @Transactional
     void getAllSecurityControlsBySimilarControlsIsEqualToSomething() throws Exception {
@@ -1000,9 +760,7 @@ class SecurityControlResourceIT {
             .andExpect(jsonPath("$.[*].code").value(hasItem(DEFAULT_CODE)))
             .andExpect(jsonPath("$.[*].name").value(hasItem(DEFAULT_NAME)))
             .andExpect(jsonPath("$.[*].objective").value(hasItem(DEFAULT_OBJECTIVE)))
-            .andExpect(jsonPath("$.[*].description").value(hasItem(DEFAULT_DESCRIPTION)))
-            .andExpect(jsonPath("$.[*].guidance").value(hasItem(DEFAULT_GUIDANCE)))
-            .andExpect(jsonPath("$.[*].riskReductionWeight").value(hasItem(DEFAULT_RISK_REDUCTION_WEIGHT.doubleValue())));
+            .andExpect(jsonPath("$.[*].description").value(hasItem(DEFAULT_DESCRIPTION)));
 
         // Check, that the count call also returns 1
         restSecurityControlMockMvc
@@ -1054,9 +812,7 @@ class SecurityControlResourceIT {
             .code(UPDATED_CODE)
             .name(UPDATED_NAME)
             .objective(UPDATED_OBJECTIVE)
-            .description(UPDATED_DESCRIPTION)
-            .guidance(UPDATED_GUIDANCE)
-            .riskReductionWeight(UPDATED_RISK_REDUCTION_WEIGHT);
+            .description(UPDATED_DESCRIPTION);
         SecurityControlDTO securityControlDTO = securityControlMapper.toDto(updatedSecurityControl);
 
         restSecurityControlMockMvc
@@ -1076,8 +832,6 @@ class SecurityControlResourceIT {
         assertThat(testSecurityControl.getName()).isEqualTo(UPDATED_NAME);
         assertThat(testSecurityControl.getObjective()).isEqualTo(UPDATED_OBJECTIVE);
         assertThat(testSecurityControl.getDescription()).isEqualTo(UPDATED_DESCRIPTION);
-        assertThat(testSecurityControl.getGuidance()).isEqualTo(UPDATED_GUIDANCE);
-        assertThat(testSecurityControl.getRiskReductionWeight()).isEqualTo(UPDATED_RISK_REDUCTION_WEIGHT);
     }
 
     @Test
@@ -1167,8 +921,7 @@ class SecurityControlResourceIT {
         partialUpdatedSecurityControl
             .code(UPDATED_CODE)
             .objective(UPDATED_OBJECTIVE)
-            .description(UPDATED_DESCRIPTION)
-            .riskReductionWeight(UPDATED_RISK_REDUCTION_WEIGHT);
+            .description(UPDATED_DESCRIPTION);
 
         restSecurityControlMockMvc
             .perform(
@@ -1187,8 +940,6 @@ class SecurityControlResourceIT {
         assertThat(testSecurityControl.getName()).isEqualTo(DEFAULT_NAME);
         assertThat(testSecurityControl.getObjective()).isEqualTo(UPDATED_OBJECTIVE);
         assertThat(testSecurityControl.getDescription()).isEqualTo(UPDATED_DESCRIPTION);
-        assertThat(testSecurityControl.getGuidance()).isEqualTo(DEFAULT_GUIDANCE);
-        assertThat(testSecurityControl.getRiskReductionWeight()).isEqualTo(UPDATED_RISK_REDUCTION_WEIGHT);
     }
 
     @Test
@@ -1207,9 +958,7 @@ class SecurityControlResourceIT {
             .code(UPDATED_CODE)
             .name(UPDATED_NAME)
             .objective(UPDATED_OBJECTIVE)
-            .description(UPDATED_DESCRIPTION)
-            .guidance(UPDATED_GUIDANCE)
-            .riskReductionWeight(UPDATED_RISK_REDUCTION_WEIGHT);
+            .description(UPDATED_DESCRIPTION);
 
         restSecurityControlMockMvc
             .perform(
@@ -1228,8 +977,6 @@ class SecurityControlResourceIT {
         assertThat(testSecurityControl.getName()).isEqualTo(UPDATED_NAME);
         assertThat(testSecurityControl.getObjective()).isEqualTo(UPDATED_OBJECTIVE);
         assertThat(testSecurityControl.getDescription()).isEqualTo(UPDATED_DESCRIPTION);
-        assertThat(testSecurityControl.getGuidance()).isEqualTo(UPDATED_GUIDANCE);
-        assertThat(testSecurityControl.getRiskReductionWeight()).isEqualTo(UPDATED_RISK_REDUCTION_WEIGHT);
     }
 
     @Test
diff --git a/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/TomResourceIT.java b/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/TomResourceIT.java
index 6c9cef814a823dff60a4866580ae5810439e2f08..b5e6b4f816c036a7fe928684159e5cfca2f590ec 100755
--- a/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/TomResourceIT.java
+++ b/git/cocBackend/src/test/java/com/medina/coc/backend/web/rest/TomResourceIT.java
@@ -45,8 +45,8 @@ class TomResourceIT {
     private static final String DEFAULT_DESCRIPTION = "AAAAAAAAAA";
     private static final String UPDATED_DESCRIPTION = "BBBBBBBBBB";
 
-    private static final AssuranceLevel DEFAULT_ASSURANCE_LEVEL = AssuranceLevel.BASIC;
-    private static final AssuranceLevel UPDATED_ASSURANCE_LEVEL = AssuranceLevel.SUBSTANTIAL;
+    private static final AssuranceLevel DEFAULT_ASSURANCE_LEVEL = AssuranceLevel.Basic;
+    private static final AssuranceLevel UPDATED_ASSURANCE_LEVEL = AssuranceLevel.Substantial;
 
     private static final Type DEFAULT_TYPE = Type.ORGANIZATIONAL;
     private static final Type UPDATED_TYPE = Type.TECHNICAL;
diff --git a/git/cocGateway/Dockerfile b/git/cocGateway/Dockerfile
index a78a25151bfc57986a42421eb2fb4bada4320545..9b6fc20ff0fdd9c686ecbc5d4dff43295f642a9a 100755
--- a/git/cocGateway/Dockerfile
+++ b/git/cocGateway/Dockerfile
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 FROM maven:3.8.1-jdk-11 as builder
 WORKDIR /code
 
@@ -6,15 +5,15 @@ COPY pom.xml /code/pom.xml
 # this does not seem to work as expected RUN mvn -Pprod,dev,api-docs dependency:resolve-plugins dependency:go-offline -B
 # https://github.com/qaware/go-offline-maven-plugin proposes an alternative that seems to work better, but not perfectly as there are two dependencies taht I need to download manually
 RUN \
-    mvn -DgroupId=org.glassfish.jaxb -DartifactId=jaxb-runtime -Dversion=2.3.3 dependency:get && \
+    mvn -DgroupId=org.glassfish.jaxb -DartifactId=jaxb-runtime -Dversion=2.3.3 dependency:get && \ 
     mvn -DgroupId=org.jboss.logging -DartifactId=jboss-logging -Dversion=3.4.1.Final dependency:get && \
-    mvn -Pprod,api-docs,no-liquibase de.qaware.maven:go-offline-maven-plugin:resolve-dependencies -B
+    mvn -Pprod,api-docs,no-liquibase de.qaware.maven:go-offline-maven-plugin:resolve-dependencies -B 
 
 COPY package.json /code/package.json
 COPY package-lock.json /code/package-lock.json
 
 RUN \
-    mvn -o -DnodeVersion=v14.17.1 -DnpmVersion=7.18.1 -Pprod,api-docs,no-liquibase com.github.eirslett:frontend-maven-plugin:install-node-and-npm  com.github.eirslett:frontend-maven-plugin:npm -Dmaven.test.skip=true
+    mvn -o -DnodeVersion=v14.17.1 -DnpmVersion=7.18.1 -Pprod,api-docs,no-liquibase com.github.eirslett:frontend-maven-plugin:install-node-and-npm  com.github.eirslett:frontend-maven-plugin:npm -Dmaven.test.skip=true  
 
 COPY sonar-project.properties /code/sonar-project.properties
 COPY webpack /code/webpack
@@ -42,8 +41,8 @@ ARG EXTRA_CA_URL
 RUN /bin/bash -c "[ -z $EXTRA_CA_URL ] || ( curl $EXTRA_CA_URL --output /ca.pem && keytool -import -noprompt -trustcacerts -alias ca -file /ca.pem -cacerts -storepass changeit )"
 # to check if ca is installed keytool -list -cacerts -alias ca --storepass changeit
 
-COPY --from=builder /cocgateway.jar .
+COPY --from=builder /cocgateway.jar .    
 CMD echo "The cocGateway will start in ${JHIPSTER_SLEEP}s..." && \
     sleep $JHIPSTER_SLEEP && \
     java $JAVA_OPTS -Dspring.profiles.active=$RUN_PROFILE -jar /cocgateway.jar
-
+ 
\ No newline at end of file
diff --git a/git/cocGateway/src/main/java/com/medina/coc/gateway/CocGatewayApp.java b/git/cocGateway/src/main/java/com/medina/coc/gateway/CocGatewayApp.java
index cb41c87d01893a74840a5e8cf2ba57c6c83455ee..23e424dc4c8e04734f4fcbb619ca71238ebbad60 100755
--- a/git/cocGateway/src/main/java/com/medina/coc/gateway/CocGatewayApp.java
+++ b/git/cocGateway/src/main/java/com/medina/coc/gateway/CocGatewayApp.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package com.medina.coc.gateway;
 
 import com.medina.coc.gateway.config.ApplicationProperties;
diff --git a/git/cocGateway/src/main/java/com/medina/coc/gateway/GeneratedByJHipster.java b/git/cocGateway/src/main/java/com/medina/coc/gateway/GeneratedByJHipster.java
index 55aa9030fabf6e0656ab54a3ed782a628c8727c0..22768f4d429641ed4d8647a14389c700f1be5202 100755
--- a/git/cocGateway/src/main/java/com/medina/coc/gateway/GeneratedByJHipster.java
+++ b/git/cocGateway/src/main/java/com/medina/coc/gateway/GeneratedByJHipster.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package com.medina.coc.gateway;
 
 import java.lang.annotation.ElementType;
diff --git a/git/cocGateway/src/main/java/com/medina/coc/gateway/security/AuthoritiesConstants.java b/git/cocGateway/src/main/java/com/medina/coc/gateway/security/AuthoritiesConstants.java
index 04ef1ed03111616623b958574a4781145b334288..2ae88b44f57d117358fc4ee4415c8d0321ed2cfb 100755
--- a/git/cocGateway/src/main/java/com/medina/coc/gateway/security/AuthoritiesConstants.java
+++ b/git/cocGateway/src/main/java/com/medina/coc/gateway/security/AuthoritiesConstants.java
@@ -10,6 +10,22 @@ public final class AuthoritiesConstants {
     public static final String USER = "ROLE_USER";
 
     public static final String ANONYMOUS = "ROLE_ANONYMOUS";
+    
+    public static final String SECURITY_GOVERNANCE = "SecurityGovernance";
+    
+    public static final String SECURITY_ANALYST = "SecurityAnalyst";
+    
+    public static final String DOMAIN_GOVERNANCE = "DomainGovernance";
+    
+    public static final String PRODUCT_OWNER = "ProductOwner";
+    
+    public static final String PRODUCT_SECURITY_ENG = "ProductSecurityEng";
+    
+    public static final String CISO = "CISO";
+    
+    public static final String CUSTOMER = "Customer";
+    
+    public static final String AUDITOR = "Auditor";
 
     private AuthoritiesConstants() {}
 }
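Review bot: The eight new constants (`SECURITY_GOVERNANCE` through `AUDITOR`) carry no `ROLE_` prefix, unlike `USER` and `ANONYMOUS` directly above them, and nothing in the class says why. Spring Security's `hasRole(...)` checks prepend `ROLE_`, so these values can only match `hasAuthority(...)`-style checks. A short comment above the group would prevent the wrong check from being used, e.g. `// Role names as issued by the identity provider, deliberately unprefixed: check with hasAuthority(), not hasRole()` (the IdP origin is an assumption to confirm). The added separator lines also contain trailing whitespace.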
diff --git a/git/cocGateway/src/main/java/com/medina/coc/gateway/security/SecurityUtils.java b/git/cocGateway/src/main/java/com/medina/coc/gateway/security/SecurityUtils.java
index 2433c01ce9b8761d688c38192aa908edba58e1ed..9dbe927d1ffdcc83c63b83d63448a9a946f2992a 100755
--- a/git/cocGateway/src/main/java/com/medina/coc/gateway/security/SecurityUtils.java
+++ b/git/cocGateway/src/main/java/com/medina/coc/gateway/security/SecurityUtils.java
@@ -87,6 +87,6 @@ public final class SecurityUtils {
     }
 
     private static List<GrantedAuthority> mapRolesToGrantedAuthorities(Collection<String> roles) {
-        return roles.stream().filter(role -> role.startsWith("ROLE_")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
+    	return roles.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
     }
 }
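Review bot: With the `startsWith("ROLE_")` filter removed, `mapRolesToGrantedAuthorities` turns every string in the incoming collection into an authority, so whatever arrives in the roles input (presumably the token's roles claim; the callers are outside this hunk) is granted verbatim. Restricting the mapping to names the application defines keeps unexpected values out of the security context, e.g. `roles.stream().filter(KNOWN_AUTHORITIES::contains).map(SimpleGrantedAuthority::new).collect(Collectors.toList());`, where `KNOWN_AUTHORITIES` is a proposed set built from `AuthoritiesConstants`. `SimpleGrantedAuthority` rejects empty text, so a blank entry that the old filter silently dropped would now throw. The new line is indented with a tab where the rest of the file uses spaces.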
diff --git a/git/cocGateway/src/main/java/com/medina/coc/gateway/service/UserService.java b/git/cocGateway/src/main/java/com/medina/coc/gateway/service/UserService.java
index 0509f0d9c307d8393ef6fb0f44a072df4c3f8f11..aaf1dd12abaea6c6fa4efe9bdc6316162bae7227 100755
--- a/git/cocGateway/src/main/java/com/medina/coc/gateway/service/UserService.java
+++ b/git/cocGateway/src/main/java/com/medina/coc/gateway/service/UserService.java
@@ -1,16 +1,11 @@
 package com.medina.coc.gateway.service;
 
-import com.medina.coc.gateway.config.Constants;
-import com.medina.coc.gateway.domain.Authority;
-import com.medina.coc.gateway.domain.User;
-import com.medina.coc.gateway.repository.AuthorityRepository;
-import com.medina.coc.gateway.repository.UserRepository;
-import com.medina.coc.gateway.security.SecurityUtils;
-import com.medina.coc.gateway.service.dto.AdminUserDTO;
-import com.medina.coc.gateway.service.dto.UserDTO;
 import java.time.Instant;
-import java.util.*;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.data.domain.Pageable;
@@ -20,9 +15,18 @@ import org.springframework.security.oauth2.client.authentication.OAuth2Authentic
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+
+import com.medina.coc.gateway.config.Constants;
+import com.medina.coc.gateway.domain.Authority;
+import com.medina.coc.gateway.domain.User;
+import com.medina.coc.gateway.repository.AuthorityRepository;
+import com.medina.coc.gateway.repository.UserRepository;
+import com.medina.coc.gateway.security.SecurityUtils;
+import com.medina.coc.gateway.service.dto.AdminUserDTO;
+import com.medina.coc.gateway.service.dto.UserDTO;
+
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
-import reactor.core.scheduler.Schedulers;
 
 /**
  * Service class for managing users.
@@ -201,11 +205,17 @@ public class UserService {
         Map<String, Object> attributes;
         if (authToken instanceof OAuth2AuthenticationToken) {
             attributes = ((OAuth2AuthenticationToken) authToken).getPrincipal().getAttributes();
+            System.out.println();
+            System.out.println("--------------------  1  --------------------");
+            System.out.println();
         } else if (authToken instanceof JwtAuthenticationToken) {
             attributes = ((JwtAuthenticationToken) authToken).getTokenAttributes();
         } else {
             throw new IllegalArgumentException("AuthenticationToken is not OAuth2 or JWT!");
         }
+        System.out.println();
+        System.out.println("--------------------  2  --------------------");
+        System.out.println();
         User user = getUser(attributes);
         user.setAuthorities(
             authToken
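Review bot: The `System.out.println` calls added here are debug leftovers on the authentication path. The next hunk has the same problem, and there `getUser` also prints `details.get("roles")` and the authority count to stdout on every call. Stdout bypasses the application's log levels and appenders, so token-derived claim data ends up in container output with no way to switch it off or redact it. The file already imports SLF4J's `Logger`, so if the trace is still wanted, use something like `log.debug("roles claim: {}", details.get("roles"));` (assuming the field is named `log`) and delete the numbered marker prints. The enclosing method starts before this hunk and continues past it.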
@@ -221,10 +231,16 @@ public class UserService {
                 )
                 .collect(Collectors.toSet())
         );
+        System.out.println();
+        System.out.println("Authorities :: " + user.getAuthorities().size());
+        System.out.println();
         return syncUserWithIdP(attributes, user).flatMap(u -> Mono.just(new AdminUserDTO(u)));
     }
 
     private static User getUser(Map<String, Object> details) {
+    	 System.out.println();
+         System.out.println(details.get("roles"));
+         System.out.println();
         User user = new User();
         Boolean activated = Boolean.TRUE;
         // handle resource server JWT, where sub claim is email and uid is ID
diff --git a/git/cocGateway/src/main/resources/config/liquibase/data/authority.csv b/git/cocGateway/src/main/resources/config/liquibase/data/authority.csv
index af5c6dfa186d3b5de3b3eb854ea9a044c222459e..61a2786cef3927d9d63fe1a4511e50bdf102a15e 100755
--- a/git/cocGateway/src/main/resources/config/liquibase/data/authority.csv
+++ b/git/cocGateway/src/main/resources/config/liquibase/data/authority.csv
@@ -1,3 +1,11 @@
 name
 ROLE_ADMIN
 ROLE_USER
+SecurityGovernance
+SecurityAnalyst
+DomainGovernance
+ProductOwner
+ProductSecurityEng
+CISO
+Customer
+Auditor
diff --git a/git/cocGateway/src/main/webapp/app/admin/admin-routing.module.ts b/git/cocGateway/src/main/webapp/app/admin/admin-routing.module.ts
index effac20e2284b885e6cb59c367358019589e57f7..b4d74d62959ecc12422ed568a0595d5bc7fb9309 100755
--- a/git/cocGateway/src/main/webapp/app/admin/admin-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/admin/admin-routing.module.ts
@@ -14,6 +14,10 @@ import { RouterModule } from '@angular/router';
         path: 'gateway',
         loadChildren: () => import('./gateway/gateway.module').then(m => m.GatewayModule),
       },
+      {
+        path: 'audit-logs',
+        loadChildren: () => import('./audit-logs/audit-logs.module').then(m => m.AuditLogsModule),
+      },
       /* jhipster-needle-add-admin-route - JHipster will add admin routes here */
     ]),
   ],
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.model.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.model.ts
new file mode 100644
index 0000000000000000000000000000000000000000..95cd04e7e9f28e1f977fae93a375bdf079978f97
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.model.ts
@@ -0,0 +1,23 @@
+export interface IAuditLogs {
+  id?: number;
+  dateLog?: string;
+  user?: string;
+  entity?: string;
+  target?: string;
+  operation?: string;
+}
+
+export class AuditLogs implements IAuditLogs {
+  constructor(
+    public id?: number,
+    public dateLog?: string,
+    public user?: string,
+    public entity?: string,
+    public target?: string,
+    public operation?: string
+  ) {}
+}
+
+export function getAuditLogsIdentifier(auditLogs: IAuditLogs): number | undefined {
+  return auditLogs.id;
+}
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.module.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.module.ts
new file mode 100644
index 0000000000000000000000000000000000000000..ff5f2e33be73fe55387c23d50d1dfe99af06884d
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/audit-logs.module.ts
@@ -0,0 +1,12 @@
+import { NgModule } from '@angular/core';
+import { SharedModule } from 'app/shared/shared.module';
+import { AuditLogsComponent } from './list/audit-logs.component';
+import { AuditLogsRoutingModule } from './route/audit-logs-routing.module';
+
+@NgModule({
+  imports: [SharedModule, AuditLogsRoutingModule],
+  declarations: [
+    AuditLogsComponent,
+  ],
+})
+export class AuditLogsModule {}
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.html b/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.html
new file mode 100644
index 0000000000000000000000000000000000000000..a5c2bc8d085d2d241f278d888280e3214cef7967
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.html
@@ -0,0 +1,42 @@
+<div>
+  <h2 id="page-heading" data-cy="AuditLogsHeading">
+    <span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.home.title">Audit Logs</span>
+    <div class="d-flex justify-content-end">
+      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading" style="background-color: #0099a0!important; border-color: #0099a0!important;">
+        <fa-icon icon="sync" [spin]="isLoading"></fa-icon>
+        <span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.home.refreshListLabel">Refresh List</span>
+      </button>
+    </div>
+  </h2>
+
+  <jhi-alert-error></jhi-alert-error>
+
+  <jhi-alert></jhi-alert>
+
+  <div class="alert alert-warning" id="no-result" *ngIf="auditLogs?.length === 0">
+    <span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.home.notFound">No Audit Logs found</span>
+  </div>
+
+  <div class="table-responsive" id="entities" *ngIf="auditLogs && auditLogs.length > 0">
+    <table class="table table-striped" aria-describedby="page-heading">
+      <thead>
+        <tr>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.dateLog">Date</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.user">User</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.entity">Entity</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.target">Target</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendAuditLogs.operation">Operation</span></th>
+        </tr>
+      </thead>
+      <tbody style="font-size: 11px;">
+        <tr *ngFor="let auditLog of auditLogs; trackBy: trackId" data-cy="entityTable">
+          <td style="vertical-align: middle;">{{ auditLog.dateLog }}</td>
+          <td style="vertical-align: middle;">{{ auditLog.user }}</td>
+          <td style="vertical-align: middle;">{{ auditLog.entity }}</td>
+          <td style="vertical-align: middle;">{{ auditLog.target }}</td>
+          <td style="vertical-align: middle;">{{ auditLog.operation }}</td>
+        </tr>
+      </tbody>
+    </table>
+  </div>
+</div>
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.ts
new file mode 100644
index 0000000000000000000000000000000000000000..0654ddfcc299bfcc87f0469ba8e7143459dab8d1
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/list/audit-logs.component.ts
@@ -0,0 +1,40 @@
+import { Component, OnInit } from '@angular/core';
+import { HttpResponse } from '@angular/common/http';
+import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
+
+import { IAuditLogs } from '../audit-logs.model';
+import { AuditLogsService } from '../service/audit-logs.service';
+
+@Component({
+  selector: 'jhi-audit-logs',
+  templateUrl: './audit-logs.component.html',
+})
+export class AuditLogsComponent implements OnInit {
+  auditLogs?: IAuditLogs[];
+  isLoading = false;
+  account: Account | null = null;
+
+  constructor(protected auditLogsService: AuditLogsService, protected modalService: NgbModal) {}
+
+  loadAll(): void {
+	this.isLoading = true;
+    
+    this.auditLogsService.query().subscribe(
+      (res: HttpResponse<IAuditLogs[]>) => {
+        this.isLoading = false;
+        this.auditLogs = res.body ?? [];
+      },
+      () => {
+        this.isLoading = false;
+      }
+    );
+  }
+
+  ngOnInit(): void {
+    this.loadAll();
+  }
+
+  trackId(index: number, item: IAuditLogs): number {
+    return item.id!;
+  }
+}
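Review bot: `account: Account | null = null;` is never read in this component, and `Account` is not among the imports, so the name either fails to resolve or binds to an unrelated global type. The injected `modalService: NgbModal` is likewise unused, so both can be removed along with the `NgbModal` import. `trackId` returns `item.id!` although `id` is optional in `IAuditLogs`; `return item.id ?? index;` avoids handing Angular an undefined key. The `this.isLoading = true;` line in `loadAll` is tab-indented, unlike the rest of the file.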
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing-resolve.service.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing-resolve.service.ts
new file mode 100644
index 0000000000000000000000000000000000000000..f1c2ecec9315da33465f1cac637df76804983fe7
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing-resolve.service.ts
@@ -0,0 +1,30 @@
+import { Injectable } from '@angular/core';
+import { HttpResponse } from '@angular/common/http';
+import { Resolve, ActivatedRouteSnapshot, Router } from '@angular/router';
+import { Observable, of, EMPTY } from 'rxjs';
+import { mergeMap } from 'rxjs/operators';
+
+import { IAuditLogs, AuditLogs } from '../audit-logs.model';
+import { AuditLogsService } from '../service/audit-logs.service';
+
+@Injectable({ providedIn: 'root' })
+export class AuditLogsRoutingResolveService implements Resolve<IAuditLogs> {
+  constructor(protected service: AuditLogsService, protected router: Router) {}
+
+  resolve(route: ActivatedRouteSnapshot): Observable<IAuditLogs> | Observable<never> {
+    const id = route.params['id'];
+    if (id) {
+      return this.service.find(id).pipe(
+        mergeMap((auditLogs: HttpResponse<AuditLogs>) => {
+          if (auditLogs.body) {
+            return of(auditLogs.body);
+          } else {
+            this.router.navigate(['404']);
+            return EMPTY;
+          }
+        })
+      );
+    }
+    return of(new AuditLogs());
+  }
+}
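Review bot: `AuditLogsRoutingResolveService` does not appear to be wired to any route. The `audit-logs-routing.module.ts` added in the same commit declares only the list route, with no `:id` parameter and no `resolve` entry, so `route.params['id']` here would never be set. The fallback `of(new AuditLogs())` also supplies a blank record, which only makes sense for a create or edit screen, and an audit log should not have one. Unless a detail view is planned, dropping this file and the `find` call it depends on keeps the audit feature read-only and list-only on the client.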
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing.module.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing.module.ts
new file mode 100644
index 0000000000000000000000000000000000000000..f223926ec213c5c5e6275907359341e7d7522049
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/route/audit-logs-routing.module.ts
@@ -0,0 +1,22 @@
+import { NgModule } from '@angular/core';
+import { RouterModule, Routes } from '@angular/router';
+
+import { UserRouteAccessService } from 'app/core/auth/user-route-access.service';
+import { AuditLogsComponent } from '../list/audit-logs.component';
+
+import { Authority } from 'app/config/authority.constants';
+
+const auditLogsRoute: Routes = [
+  {
+    path: '',
+    component: AuditLogsComponent,
+    data: { authorities: [Authority.ADMIN] },
+    canActivate: [UserRouteAccessService],
+  },
+];
+
+@NgModule({
+  imports: [RouterModule.forChild(auditLogsRoute)],
+  exports: [RouterModule],
+})
+export class AuditLogsRoutingModule {}
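Review bot: The `canActivate: [UserRouteAccessService]` guard with `data: { authorities: [Authority.ADMIN] }` only decides what the Angular router renders; it does not protect the audit records themselves. The backend handler behind `api/audit-logs` is not part of this hunk, so confirm that it enforces the same authority server-side. I would add a comment above the route such as `// UI gate only: api/audit-logs must enforce ROLE_ADMIN on the server`. This commit also adds an `Auditor` authority in authority.constants.ts; if auditors are meant to read this view, the list here needs it too.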
diff --git a/git/cocGateway/src/main/webapp/app/admin/audit-logs/service/audit-logs.service.ts b/git/cocGateway/src/main/webapp/app/admin/audit-logs/service/audit-logs.service.ts
new file mode 100644
index 0000000000000000000000000000000000000000..e2da0856d19cd80837779488377364185b3ae534
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/admin/audit-logs/service/audit-logs.service.ts
@@ -0,0 +1,60 @@
+import { Injectable } from '@angular/core';
+import { HttpClient, HttpResponse } from '@angular/common/http';
+import { Observable } from 'rxjs';
+
+import { isPresent } from 'app/core/util/operators';
+import { ApplicationConfigService } from 'app/core/config/application-config.service';
+import { createRequestOption } from 'app/core/request/request-util';
+import { IAuditLogs, getAuditLogsIdentifier } from '../audit-logs.model';
+
+export type EntityResponseType = HttpResponse<IAuditLogs>;
+export type EntityArrayResponseType = HttpResponse<IAuditLogs[]>;
+
+@Injectable({ providedIn: 'root' })
+export class AuditLogsService {
+  protected resourceUrl = this.applicationConfigService.getEndpointFor('api/audit-logs', 'cocbackend');
+
+  constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
+
+  update(auditLogs: IAuditLogs): Observable<EntityResponseType> {
+    return this.http.put<IAuditLogs>(
+      `${this.resourceUrl}/${getAuditLogsIdentifier(auditLogs) as number}`,
+      auditLogs,
+      { observe: 'response' }
+    );
+  }
+
+  find(id: number): Observable<EntityResponseType> {
+    return this.http.get<IAuditLogs>(`${this.resourceUrl}/${id}`, { observe: 'response' });
+  }
+
+  query(req?: any): Observable<EntityArrayResponseType> {
+    const options = createRequestOption(req);
+    return this.http.get<IAuditLogs[]>(this.resourceUrl, { params: options, observe: 'response' });
+  }
+
+  addAuditLogsToCollectionIfMissing(
+    auditLogsCollection: IAuditLogs[],
+    ...auditLogsToCheck: (IAuditLogs | null | undefined)[]
+  ): IAuditLogs[] {
+    const auditLogs: IAuditLogs[] = auditLogsToCheck.filter(isPresent);
+    if (auditLogs.length > 0) {
+      const auditLogsCollectionIdentifiers = auditLogsCollection.map(
+        auditLogsItem => getAuditLogsIdentifier(auditLogsItem)!
+      );
+      const auditLogsToAdd = auditLogs.filter(auditLogsItem => {
+        const auditLogsIdentifier = getAuditLogsIdentifier(auditLogsItem);
+        if (
+          auditLogsIdentifier == null ||
+          auditLogsCollectionIdentifiers.includes(auditLogsIdentifier)
+        ) {
+          return false;
+        }
+        auditLogsCollectionIdentifiers.push(auditLogsIdentifier);
+        return true;
+      });
+      return [...auditLogsToAdd, ...auditLogsCollection];
+    }
+    return auditLogsCollection;
+  }
+}
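Review bot: `update()` gives the client a `PUT` on `api/audit-logs/{id}`, which treats audit records as editable, whereas an audit trail is normally append-only so that it stays usable as evidence. Unless a caller outside this diff needs it, I would drop `update()` and keep only `find()` and `query()`. The `of(new AuditLogs())` fallback in audit-logs-routing-resolve.service.ts is edit-form scaffolding that no route in audit-logs-routing.module.ts uses, so it could go as well. Whether the backend accepts the PUT is not visible here; if it does, that endpoint deserves the same review.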
diff --git a/git/cocGateway/src/main/webapp/app/admin/gateway/gateway.component.html b/git/cocGateway/src/main/webapp/app/admin/gateway/gateway.component.html
index d5a31f23c7872bc91922b13da93f0c577b19c419..049ae39880367baf62c085592a13d6eda842f4b1 100755
--- a/git/cocGateway/src/main/webapp/app/admin/gateway/gateway.component.html
+++ b/git/cocGateway/src/main/webapp/app/admin/gateway/gateway.component.html
@@ -2,7 +2,7 @@
   <h2>
     <span id="gateway-page-heading" jhiTranslate="gateway.title">Gateway</span>
 
-    <button class="btn btn-primary float-right" (click)="refresh()" (disabled)="(updatingRoutes)">
+    <button class="btn btn-primary float-right" (click)="refresh()" (disabled)="(updatingRoutes)" style="background-color: #0099a0!important; border-color: #0099a0!important;">
       <fa-icon icon="sync"></fa-icon> <span jhiTranslate="gateway.refresh.button">Refresh</span>
     </button>
   </h2>
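Review bot: `(disabled)="(updatingRoutes)"` on the changed `<button>` line is event-binding syntax, so Angular listens for a `disabled` event that never fires and the button stays enabled while routes refresh. Since the line is being edited anyway, it should become `[disabled]="updatingRoutes"`. The inline `style="background-color: #0099a0!important; …"` repeated across this commit would be easier to maintain as a shared CSS class, and inline style attributes also prevent adopting a strict `style-src` Content-Security-Policy later.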
diff --git a/git/cocGateway/src/main/webapp/app/config/authority.constants.ts b/git/cocGateway/src/main/webapp/app/config/authority.constants.ts
index 1501bcf4ef3270b9c04de2df22d34566f79711f0..4481640659c261306dae2df971f6591f9efb32aa 100755
--- a/git/cocGateway/src/main/webapp/app/config/authority.constants.ts
+++ b/git/cocGateway/src/main/webapp/app/config/authority.constants.ts
@@ -1,4 +1,12 @@
 export enum Authority {
   ADMIN = 'ROLE_ADMIN',
   USER = 'ROLE_USER',
+  SECURITY_GOVERNANCE = 'SecurityGovernance',
+  SECURITY_ANALYST = 'SecurityAnalyst',
+  DOMAIN_GOVERNANCE = 'DomainGovernance',
+  PRODUCT_OWNER = 'ProductOwner',
+  PRODUCT_SECURITY_ENG = 'ProductSecurityEng',
+  CISO = 'CISO',
+  CUSTOMER = 'Customer',
+  AUDITOR = 'Auditor'
 }
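Review bot: The eight new values drop the `ROLE_` prefix that `ADMIN` and `USER` carry, and nothing in the enum says why. If the backend uses Spring Security (not visible in this hunk), `hasRole('X')` matches `ROLE_X` while `hasAuthority('X')` matches the bare string, so a server-side check written with the wrong helper never matches these names. Once that is confirmed I would add a comment such as `// Values below are used verbatim as granted authorities; check them with hasAuthority(), not hasRole()`. `AUDITOR = 'Auditor'` also lacks the trailing comma the other members have.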
diff --git a/git/cocGateway/src/main/webapp/app/config/font-awesome-icons.ts b/git/cocGateway/src/main/webapp/app/config/font-awesome-icons.ts
index 318ec8a905e7e20ca47d84d01f57bcf609104cc7..08fdd4b17f03c2c81d7631ef2d92e504fec2457a 100755
--- a/git/cocGateway/src/main/webapp/app/config/font-awesome-icons.ts
+++ b/git/cocGateway/src/main/webapp/app/config/font-awesome-icons.ts
@@ -40,6 +40,9 @@ import {
   faArrowUp,
   faArrowDown,
   faClone,
+  faQuestionCircle,
+  faInfoCircle,
+  faTools
   // jhipster-needle-add-icon-import
 } from '@fortawesome/free-solid-svg-icons';
 
@@ -85,5 +88,8 @@ export const fontAwesomeIcons = [
   faArrowUp,
   faArrowDown,
   faClone,
+  faQuestionCircle,
+  faInfoCircle,
+  faTools
   // jhipster-needle-add-icon-import
 ];
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.html
new file mode 100644
index 0000000000000000000000000000000000000000..1d3711ca283d0298156229a91fb7076a7cc2e392
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.html
@@ -0,0 +1,19 @@
+<div class="modal-header">
+	<h4 class="modal-title" data-cy="questionnaireInfoDialogHeading" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.infoTitle">Questionnaires info</h4>
+</div>
+
+<div class="modal-body">
+    <div style="margin: 12px 0 12px 0;">
+    	<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.removeQuestion">Are you sure you want to remove the selected Questionnaire?</span>
+    </div>
+</div>
+
+<div class="modal-footer">
+	<button type="button" class="btn btn-secondary" style="background-color: #0099a0!important; border-color: #0099a0!important;" data-dismiss="modal" (click)="cancel()">
+		<fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.close">Close</span>
+    </button>
+    
+    <button id="jhi-confirm-delete-resource" class="btn btn-secondary" data-cy="entityConfirmDeleteButton" style="background-color: #c70e33!important; border-color: #c70e33!important;" (click)="remove()">
+		<fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.remove">Remove</span>
+    </button>
+</div>
\ No newline at end of file
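Review bot: The confirmation dialog's heading reuses the info dialog's `data-cy="questionnaireInfoDialogHeading"` and `jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.infoTitle"`, so a destructive action is shown under the title "Questionnaires info". The body also never names the questionnaire that will be removed, so the user confirms without seeing the target. I would give the heading its own translation key and `data-cy` value, and interpolate `{{ selectedQuestionnaire }}` into the question text so the dialog states what is about to be deleted.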
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.ts
new file mode 100644
index 0000000000000000000000000000000000000000..323aba07e410de06869ba2aa07d9c37c4f5d5f20
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/delete/questionnaire-delete-dialog.component.ts
@@ -0,0 +1,23 @@
+import { Component } from '@angular/core';
+import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
+
+import { QuestionnaireService } from '../service/questionnaire.service';
+
+@Component({
+  templateUrl: './questionnaire-delete-dialog.component.html',
+})
+export class QuestionnaireDeleteDialogComponent {
+  selectedQuestionnaire?: string;
+
+  constructor(protected questionnaireService: QuestionnaireService, protected activeModal: NgbActiveModal) {}
+  
+  cancel(): void {
+    this.activeModal.dismiss();
+  }
+  
+  remove(): void {
+	this.questionnaireService.deleteByName(this.selectedQuestionnaire).subscribe(() => {});
+    this.activeModal.dismiss();
+    window.location.reload();
+  }
+}
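Review bot: `remove()` dismisses the modal and calls `window.location.reload()` immediately after subscribing, without waiting for `deleteByName()` to complete. The reload can abort the in-flight request, and a failed or rejected delete (for example one the server refuses for lack of permission) is discarded by the empty `() => {}` callback, so the user sees a refreshed page with no indication of the outcome. `selectedQuestionnaire` is also optional and is passed on without a check. I would move the close and reload into the success callback and handle the error path explicitly, as sketched below.

```typescript
  remove(): void {
    if (!this.selectedQuestionnaire) {
      return;
    }
    this.questionnaireService.deleteByName(this.selectedQuestionnaire).subscribe({
      next: () => {
        // Reload only once the server has confirmed the delete.
        this.activeModal.close();
        window.location.reload();
      },
      // Do not reload on failure, so the error is not hidden behind a fresh page.
      error: () => this.activeModal.dismiss('delete-failed'),
    });
  }
```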
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.html
new file mode 100644
index 0000000000000000000000000000000000000000..4bcafe96a5b51dfbd1d321d776c102094b348be1
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.html
@@ -0,0 +1,41 @@
+<div class="modal-header">
+	<h4 class="modal-title" data-cy="questionnaireInfoDialogHeading" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.infoTitle">Questionnaires info</h4>
+</div>
+
+<div class="modal-body">
+    <table style="width: 100%;">
+    	<tr style="height: 32px;">
+    		<td style="width: 60%;" colspan="2">&nbsp;</td>
+    		<td style="width: 40%; font-weight: 600;">
+    			<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.numberQuestions">Number of questions</span>
+    		</td>
+    	</tr>
+    	<tr style="height: 32px;">
+    		<td style="width: 20%;">&nbsp;</td>
+    		<td style="width: 40%;">
+    			<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.basicQuestions">Basic level of assurance:</span>
+    		</td>
+    		<td style="width: 40%; padding-left: 56px; color: #0099a0!important;">{{info?.basic}}</td>
+    	</tr>
+    	<tr style="height: 32px;">
+    		<td style="width: 20%;">&nbsp;</td>
+    		<td style="width: 40%;">
+    			<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.substantialQuestions">Substantial level of assurance:</span>
+    		</td>
+    		<td style="width: 40%; padding-left: 56px; color: #0099a0!important;">{{info?.substantial}}</td>
+    	</tr>
+    	<tr style="height: 32px;">
+    		<td style="width: 20%;">&nbsp;</td>
+    		<td style="width: 40%;">
+    			<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.highQuestions">High level of assurance:</span>
+    		</td>
+    		<td style="width: 40%; padding-left: 56px; color: #0099a0!important;">{{info?.high}}</td>
+    	</tr>
+    </table>
+</div>
+
+<div class="modal-footer">
+	<button type="button" class="btn btn-secondary" style="background-color: #0099a0!important; border-color: #0099a0!important;" data-dismiss="modal" (click)="cancel()">
+		<fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.close">Close</span>
+    </button>
+</div>
\ No newline at end of file
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.ts
new file mode 100644
index 0000000000000000000000000000000000000000..7e533b693c4c8ff07ed6ee4438a2416e69748897
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/info/questionnaire-info-dialog.component.ts
@@ -0,0 +1,18 @@
+import { Component } from '@angular/core';
+import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
+
+import { IQuestionnaireQuestionInfo } from '../questionnaire-question-info.model';
+import { QuestionnaireService } from '../service/questionnaire.service';
+
+@Component({
+  templateUrl: './questionnaire-info-dialog.component.html',
+})
+export class QuestionnaireInfoDialogComponent {
+  info?: IQuestionnaireQuestionInfo;
+
+  constructor(protected questionnaireService: QuestionnaireService, protected activeModal: NgbActiveModal) {}
+  
+  cancel(): void {
+    this.activeModal.dismiss();
+  }
+}
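Review bot: `info` is declared as a single `IQuestionnaireQuestionInfo`, but `openInfo()` in questionnaire.component.ts types the `countQuestions()` response as `HttpResponse<IQuestionnaireQuestionInfo[]>` and assigns `res.body` straight to `modalRef.componentInstance.info`. Because `componentInstance` is untyped, the compiler cannot catch the mismatch; if the body really is an array, `info?.basic` in the template renders empty. One of the two types should be corrected after checking what the endpoint returns. The injected `questionnaireService` is not used in this class and can be removed from the constructor.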
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.html
index 26f4f57fc143c680e92eb55b3dd3cc1cfd4fb564..6cb8f07fd1b8494139fc36f5e12fc5da2597e859 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.html
@@ -1,113 +1,124 @@
 <div>
   <h2 id="page-heading" data-cy="QuestionnairesHeading">
     <span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.home.title">Questionnaires</span>
+	  <a (click)="openInfo()">
+		<fa-icon icon="info-circle" class="fa-thin" style="color: #0099a0!important; float: right;" title="Questionnaires info"></fa-icon>
+	  </a>
   </h2>
   
+  <div *ngIf="isSaved" style="color: #155724; background-color: #d4edda; border-color: #c3e6cb; padding: 8px 12px; border-radius: 4px;">
+  	<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.updated">The Questionnaire was saved successfully</span>
+  </div>
+  
   <jhi-alert-error></jhi-alert-error>
 
   <jhi-alert></jhi-alert>
+  
+  <div id="waiting-container" *ngIf="!ready" style="position: fixed; z-index: 1; left: 0; top: 0; width: 100%; height: 100%; overflow: auto; background-color: rgba(0, 0, 0, 0.2); text-align: center;">
+	<img src="../../../../../content/images/loading.gif" style="margin-top: 72px; width: 70px; height: 70px;" />
+  </div>
 
-  <div class="table-responsive" id="entities">
-    <br /><br /><br />
-    <!--
+  <div class="table-responsive" id="entities" *ngIf="ready">
     <table style="width: 100%">
-    	<tr>
-    		<td style="width: 20%;">&nbsp;</td>
-    		<td style="width: 10%; text-align: right">
-    			<img src="../../../../../content/images/construction.png" />
+    	<tr *ngIf="questionnaires != null && questionnaires.length > 0">
+    		<td style="width: 3%;">&nbsp;</td>
+    		<td colspan="3" style="width: 94%; text-align: center;">
+    			<h5 jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.loadQuestionnaire" style="margin: 16px 0 0 8px; color: #fff; background: #0099a0; font-size: 17px; padding: 2px 0 2px 0; border-radius: 2px; box-shadow: 3px 3px 5px 0px rgba(204,204,204,1);">Load an existing Questionnaire</h5>
     		</td>
-    		<td style="width: 2%;">&nbsp;</td>
-    		<td style="width: 48%;">
-    		    The integration of the Questionnaires tool in the MEDINA Catalog is in progress.<br />To download the questionnaires in Excel format, please click
-    			<a href="https://tecnalia365.sharepoint.com/:x:/s/PLANPRYMEDINA-TECNALIA/EVvJ129-Y5VDhda8vyPQdTcB9D74V9qktULII_4mUiznBg" target="_blank" style="color: #0099a0; font-weight: 600; text-decoration: none;">here</a>.
-    		</td>
-    		<td style="width: 20%;">&nbsp;</td>
+    		<td style="width: 3%;">&nbsp;</td>
     	</tr>
-    </table>
-    <br /><br /><br />
-    -->
-    
-    <table style="width: 100%">
-    	<tr>
-    		<td style="width: 20%;">&nbsp;</td>
-    		<td style="width: 60%;" colspan="3">
-    			<div class="form-group">
-					<label class="form-control-label"
-						jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.securityControlFramework"
-						for="field_securityControlFramework">
-						Select the Security Framework
-					</label>
-					<select
-			            class="form-control"
-			            id="field_securityControlFramework"
-			            data-cy="securityControlFramework"
-			            name="securityControlFramework"
-			            [(ngModel)]="selectedFramework">
-			            <option *ngFor="let framework of frameworks"
-			              [value]="framework.id">
-			              {{ framework.name }}: {{ framework.description }}
-			            </option>
-			          </select>
-				</div>
+    	<tr *ngIf="questionnaires != null && questionnaires.length > 0">
+    		<td style="width: 3%;">&nbsp;</td>
+    		<td style="width: 94%; padding: 16px 0 16px 0;" colspan="3">
+    			<table style="width: 100%;" *ngIf="questionnairesLoaded">
+    				<tr>
+    					<td style="width: 53%;">
+    						<label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.selectQuestionnaire" for="field_securityControlFramework">Select the Questionnaire</label>
+							<select class="form-control" id="field_questionnaire" data-cy="questionnaire" name="field_securityControlFramework" [(ngModel)]="selectedQuestionnaire" style="font-size: 13px;">
+					            <option *ngFor="let questionnaire of questionnaires" [value]="questionnaire.name">
+									{{ questionnaire.shortName }}
+					            </option>
+							</select>
+    					</td>
+    					<td style="width: 1%;">&nbsp;</td>
+    					<td style="width: 14%; vertical-align: bottom; text-align: center; padding-bottom: 1px;">
+    						<button class="btn btn-info mr-2" [disabled]="selectedQuestionnaire.length <= 0" (click)="loadQuestionnaire()" style="width: 190px; background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductOwner', 'ProductSecurityEng', 'CISO', 'Auditor']">
+    							<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.load">Load Questionnaire</span>
+    						</button>
+    					</td>
+    					<td style="width: 1%;">&nbsp;</td>
+    					<td style="width: 16%; vertical-align: bottom; padding-bottom: 1px; text-align: center;">
+    						<button class="btn btn-info mr-2" style="width: 190px; background-color: #0099a0!important; border-color: #0099a0!important;" [disabled]="selectedQuestionnaire.length <= 0" (click)="report()" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductOwner', 'ProductSecurityEng', 'CISO', 'Auditor']">
+    							<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.report">Generate report</span>
+    						</button>
+    					</td>
+    					<td style="width: 1%;">&nbsp;</td>
+    					<td style="width: 14%; vertical-align: bottom; text-align: center;">
+    						<button class="btn btn-info mr-2" style="width: 190px; background-color: #c70e33!important; border-color: #c70e33!important;" [disabled]="selectedQuestionnaire.length <= 0" (click)="remove()" *jhiHasAnyAuthority="['ROLE_ADMIN', 'ProductOwner']">
+    							<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.remove">Remove Questionnaire</span>
+    						</button>
+    					</td>
+    				</tr>
+				</table>
     		</td>
-    		<td style="width: 20%;">&nbsp;</td>
+    		<td style="width: 3%;">&nbsp;</td>
     	</tr>
-    	<tr><td colspan="5" style="width: 100%;">&nbsp;</td></tr>
-    	<tr style="vertical-align: top;">
-    		<td style="width: 20%;">&nbsp;</td>
-    		<td style="width: 29%;">
-				<div class="form-group">
-					<label class="form-control-label"
-						jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.assuranceLevel"
-						for="field_level">
-						Select the assurance level
-					</label>
-					<div style="padding: 8px 8px; border: 1px solid #c5c5c5;">
-						<div *ngFor="let level of levels" style="margin: 4px 0 0 36px;">
-							<input
-								type="radio"
-								id="field_level"
-								name="level.assuranceLevel"
-								[value]="level.id"
-								[(ngModel)]="selectedLevel" />
-							<span>{{ level.assuranceLevel }}</span>
-						</div>
-					</div>
-				</div>
-    		</td>
-    		<td style="width: 2%;">&nbsp;</td>
-    		<td style="width: 29%;">
-    			<div class="form-group">
-					<label class="form-control-label"
-						jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.purpose"
-						for="field_purpose">
-						Select the purpose
-					</label>
-					<div style="padding: 8px 8px; border: 1px solid #c5c5c5;">
-						<div *ngFor="let purpose of purposes" style="margin: 4px 0 0 36px;">
-							<input
-								type="radio"
-								id="field_purpose"
-								name="purpose.purpose"
-								[value]="purpose.id"
-								[(ngModel)]="selectedPurpose" />
-							<span>{{ purpose.purpose }}</span>
-						</div>
-					</div>
-				</div>
-    		</td>
-    		<td style="width: 20%;">&nbsp;</td>
-    	</tr>
-    	<tr><td colspan="5" style="width: 100%;">&nbsp;</td></tr>
-    	<tr>
-    		<td colspan="5" style="width: 100%; text-align: center;">
-    			<button class="btn btn-info mr-2" (click)="startQuestionnaire()" [disabled]="selectedFramework <= 0 || selectedLevel <= 0 || selectedPurpose < 0">
-    				<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.start">Start Questionnaire</span>
-    			</button>
+    	<tr *jhiHasAnyAuthority="['ROLE_ADMIN', 'ProductOwner']">
+    		<td style="width: 3%;">&nbsp;</td>
+    		<td style="width: 94%; padding: 16px 0 16px 0;" colspan="3">
+    			<table style="width: 100%;" *ngIf="questionnairesLoaded">
+    				<tr *ngIf="questionnaires != null && questionnaires.length > 0">
+    					<td colspan="5" style="width: 100%;">&nbsp;</td>
+    				</tr>
+    				<tr>
+			    		<td colspan="5" style="width: 100%; text-align: center;">
+			    			<h5 jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.startQuestionnaire" style="margin: 16px 0 0 8px; color: #fff; background: #0099a0; font-size: 17px; padding: 2px 0 2px 0; border-radius: 2px; box-shadow: 3px 3px 5px 0px rgba(204,204,204,1);">Start a new Questionnaire</h5>
+			    		</td>
+			    	</tr>
+			    	<tr *jhiHasAnyAuthority="['ROLE_ADMIN', 'ProductOwner']">
+    					<td style="width: 49%;">
+    						<div class="form-group" style="padding-top: 8px;">
+								<label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.selectSecurityFramework" for="field_securityControlFramework">Select the Security Framework</label>
+						        <input type="text" class="form-control" name="securityControlFramework" id="field_securityControlFramework" [value]="selectedFrameworkName" [readonly]="true" style="font-size: 13px;" />
+							</div>
+    					</td>
+    					<td style="width: 2%;">&nbsp;</td>
+    					<td style="width: 49%;">
+    						<div class="form-group" style="padding-top: 8px;">
+				    			<label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.cloudServiceId" for="field_cloudserviceid">Select Cloud Service ID</label>
+								<select class="form-control" id="field_cloudserviceid" name="field_cloudserviceid" [(ngModel)]="selectedCloudService" style="font-size: 13px;">
+									<option value=""></option>
+									<option *ngFor="let cloudService of cloudServices" [value]="cloudService.name">
+										{{ cloudService.name }}
+									</option>
+								</select>
+							</div>
+    					</td>
+    				</tr>
+    				<tr>
+    					<td style="width: 49%;">
+    						<div class="form-group">
+								<label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.assuranceLevel" for="field_level">Select the assurance level</label>
+								<div style="padding: 14px 0 8px 0; text-align: center; border: 1px dotted #0099a0; height: 52px;">
+									<div *ngFor="let level of levels" style="margin: 4px 24px 0 28px; display: inline;">
+										<input type="radio" id="field_level" name="field_level" [value]="level.id" [(ngModel)]="selectedLevel" />
+										<span style="color: #0099a0;">{{ level.assuranceLevel }}</span>
+									</div>
+								</div>
+							</div>
+    					</td>
+    					<td style="width: 2%;">&nbsp;</td>
+    					<td style="width: 49%; text-align: center; vertical-align: top;">
+    						<button class="btn btn-info mr-2" (click)="startQuestionnaire()" [disabled]="selectedFramework <= 0 || selectedLevel <= 0 || selectedCloudService == ''" style="width: 340px; background-color: #0099a0!important; border-color: #0099a0!important; margin-top: 36px;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'ProductOwner']">
+			    				<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.start">Start Questionnaire</span>
+			    			</button>
+    					</td>
+    				</tr>
+    			</table>
     		</td>
+    		<td style="width: 3%;">&nbsp;</td>
     	</tr>
     	<tr><td colspan="5" style="width: 100%;">&nbsp;</td></tr>
     </table>
-
   </div>
 </div>
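Review bot: The `*jhiHasAnyAuthority="[…]"` lists in this hunk spell the role names as string literals instead of using the `Authority` enum extended in this commit, so a rename or typo silently hides or shows a button. The directive also only removes DOM: the load, report and especially the remove action must be authorised by the backend for the same roles, which this hunk cannot show. I would expose the lists from the component, e.g. `readonly manageAuthorities = [Authority.ADMIN, Authority.PRODUCT_OWNER];`, and bind `*jhiHasAnyAuthority="manageAuthorities"`. Separately, the questionnaire `<label for="field_securityControlFramework">` points at the framework input's id, not at `field_questionnaire`.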
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.ts
index cfb72d7305856d864b3e3e8100d8f7381170cec8..7187eaab9fe9f55e0386b3a76b9c013e6f675928 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/list/questionnaire.component.ts
@@ -1,70 +1,136 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
-import { Router } from '@angular/router';
+import { Router, ActivatedRoute } from '@angular/router';
+import { Observable } from 'rxjs';
+import { finalize } from 'rxjs/operators';
+import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
+
+import { Account } from 'app/core/auth/account.model';
+import { AccountService } from 'app/core/auth/account.service';
 
 import { ISecurityControlFramework } from '../../security-control-framework/security-control-framework.model';
 import { IQuestionnaireQuestionAssuranceLevel } from '../questionnaire-question-assurance-level.model';
-import { IQuestionnairePurpose } from '../questionnaire-purpose.model';
+import { IQuestionnaire } from '../questionnaire.model';
+import { IQuestionnaireQuestionInfo } from '../questionnaire-question-info.model';
 
 import { SecurityControlFrameworkService } from '../../security-control-framework/service/security-control-framework.service';
 import { QuestionnaireQuestionAssuranceLevelService } from '../service/questionnaire-question-assurance-level.service';
-import { QuestionnairePurposeService } from '../service/questionnaire-purpose.service';
+import { QuestionnaireService } from '../service/questionnaire.service';
+import { QuestionnaireQuestionService } from '../service/questionnaire-question.service';
+
+import { QuestionnaireInfoDialogComponent } from '../info/questionnaire-info-dialog.component';
+import { QuestionnaireDeleteDialogComponent } from '../delete/questionnaire-delete-dialog.component';
 
 @Component({
   selector: 'jhi-resource',
   templateUrl: './questionnaire.component.html',
 })
 export class QuestionnaireComponent implements OnInit {
+  account: Account | null = null;
+  
+  questionnaires: any;
   frameworks?: ISecurityControlFramework[];
   levels?: IQuestionnaireQuestionAssuranceLevel[];
-  purposes?: IQuestionnairePurpose[];
+  selectedQuestionnaire:string = '';
   selectedFramework:number = 0;
+  selectedFrameworkName:string = '';
+  selectedFrameworkTitle:string = '';
   selectedLevel:number = 0;
-  selectedPurpose:number = -1;
+  
+  cloudServices: any;
+  selectedCloudService:string = '';
+  
   isLoading = false;
+  ready = false;
+  questionnairesLoaded = false;
+  isSaved = false;
 
-  constructor(protected frameworkService: SecurityControlFrameworkService, protected purposeService: QuestionnairePurposeService,
-  	protected assuranceLevelService: QuestionnaireQuestionAssuranceLevelService, private router: Router) {}
+  constructor(protected accountService: AccountService,
+  		protected questionnaireService: QuestionnaireService,
+		protected frameworkService: SecurityControlFrameworkService,
+		protected assuranceLevelService: QuestionnaireQuestionAssuranceLevelService,
+		protected questionnaireQuestionService: QuestionnaireQuestionService,
+		private router: Router, private route: ActivatedRoute,
+		protected modalService: NgbModal) {
+			this.questionnaires = new Array();
+			this.frameworks = new Array();
+			this.levels = new Array();
+			this.cloudServices = new Array();
+	}
 
   loadAll(): void {
-	// Load the Security Control Frameworks
-    this.isLoading = true;
-    this.frameworkService.query().subscribe(
-      (res: HttpResponse<ISecurityControlFramework[]>) => {
-        this.isLoading = false;
-        this.frameworks = res.body ?? [];
-        if (this.frameworks != null && this.frameworks.length == 1 && this.frameworks[0].id != null) {
-			this.selectedFramework = this.frameworks[0].id;
-		}
-      },
-      () => {
-        this.isLoading = false;
-      }
-    );
-    
-    // Load the Assurance Levels
-    this.isLoading = true;
-    this.assuranceLevelService.query().subscribe(
-      (res: HttpResponse<IQuestionnaireQuestionAssuranceLevel[]>) => {
-        this.isLoading = false;
-        this.levels = res.body ?? [];
-      },
-      () => {
-        this.isLoading = false;
-      }
+	this.isSaved = this.route.snapshot.queryParams['isSaved'] == null ? false : this.route.snapshot.queryParams['isSaved'];
+	if (this.isSaved) {
+		setTimeout(() => { this.isSaved = false; }, 4000);
+	}
+	
+	// Load the logged user
+	this.accountService.getAuthenticationState().subscribe(
+      account => (this.account = account)
     );
     
-    // Load the Purposes
-    this.isLoading = true;
-    this.purposeService.query().subscribe(
-      (res: HttpResponse<IQuestionnairePurpose[]>) => {
-        this.isLoading = false;
-        this.purposes = res.body ?? [];
-      },
-      () => {
-        this.isLoading = false;
-      }
-    );    
+    // Load the existing questionnaires
+	this.isLoading = true;
+	this.questionnaireService.query().subscribe(
+		(res: HttpResponse<IQuestionnaire[]>) => {
+       		let result = res.body ?? [];
+       		if (result != null && result.length > 0) {
+				for (let i = 0;i < result.length;i++) {
+					let levelId:any = result[i].assuranceLevelId;
+					let level:any = result[i].assuranceLevelId;
+					if (this.levels != null && this.levels.length > 0) {
+						for (let j = 0;j < this.levels.length;j++) {
+							if (result[i].assuranceLevelId == this.levels[j].id) {
+								level = this.levels[j].assuranceLevel;
+								break;
+							}
+						}
+					}
+					this.questionnaires.push({ id: result[i].id, name: result[i].name, levelId: levelId, level: level, shortName: result[i]!.name!.replace(/\(.*?\)/g, '') });
+				}
+					
+				// Remove the duplicates
+				this.questionnaires = this.questionnaires.filter((li: any, idx: any, self: any) => self.map((itm: any) => itm.name).indexOf(li.name) === idx);
+				//this.ready = true;
+				this.questionnairesLoaded = true;
+			}
+			
+			// Load the Security Control Frameworks
+			this.frameworkService.query().subscribe(
+				(res: HttpResponse<ISecurityControlFramework[]>) => {
+					this.frameworks = res.body ?? [];
+					if (this.frameworks != null && this.frameworks.length == 1 && this.frameworks[0].id != null) {
+						this.selectedFramework = this.frameworks[0].id;
+						this.selectedFrameworkName = this.frameworks[0].name + ': ' + this.frameworks[0].description;
+						this.selectedFrameworkTitle = this.frameworks[0].name!;
+					}
+						
+					// Load the Assurance Levels
+					this.assuranceLevelService.query().subscribe(
+						(res: HttpResponse<IQuestionnaireQuestionAssuranceLevel[]>) => {
+							this.levels = res.body ?? [];
+							
+							// Load the cloud services
+							if (this.levels != null && this.levels.length > 0 && this.levels[0].questionnaireCloudServiceList != null && this.levels[0].questionnaireCloudServiceList.length > 0) {
+								for (let i = 0;i < this.levels[0].questionnaireCloudServiceList.length;i++) {
+									this.cloudServices.push({ name: this.levels[0].questionnaireCloudServiceList[i]!.name, value: this.levels[0].questionnaireCloudServiceList[i]!.id });
+								}
+							}
+						},
+						() => { this.isLoading = false; this.ready = true; });
+					
+						this.ready = true;
+						
+						
+				},
+				() => { this.isLoading = false; this.ready = true; });
+				
+				this.isLoading = false;
+				this.ready = true;
+				this.questionnairesLoaded = true;
+		},
+		() => { this.isLoading = false; this.ready = true; this.questionnairesLoaded = true; });
+	
   }
 
 
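Review bot: In `loadAll()` the questionnaire callback looks up each `assuranceLevelId` in `this.levels`, but `assuranceLevelService.query()` is only issued two callbacks further down. On the first call `this.levels` is therefore still the empty array from the constructor, and `level` always stays the raw id. Loading the three lists together and mapping afterwards fixes the ordering and replaces the scattered `ready = true` assignments; this needs `forkJoin` imported from `rxjs`, while `finalize` is already imported. Also, `queryParams['isSaved']` is a string, so `?isSaved=false` still shows the success banner; `this.isSaved = this.route.snapshot.queryParams['isSaved'] === 'true';` avoids that.

```typescript
    // … unchanged: isSaved handling and account subscription …
    this.isLoading = true;
    forkJoin([
      this.questionnaireService.query(),
      this.frameworkService.query(),
      this.assuranceLevelService.query(),
    ])
      .pipe(
        finalize(() => {
          this.isLoading = false;
          this.ready = true;
          this.questionnairesLoaded = true;
        })
      )
      .subscribe(([questionnaireRes, frameworkRes, levelRes]) => {
        // Set the lookup data first so the questionnaire mapping can resolve level names.
        this.levels = levelRes.body ?? [];
        this.frameworks = frameworkRes.body ?? [];
        const result = questionnaireRes.body ?? [];
        // … unchanged: selectedFramework* assignment, cloudServices fill, questionnaires mapping over result and de-duplication …
      });
```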
@@ -73,7 +139,114 @@ export class QuestionnaireComponent implements OnInit {
   }
   
   
+  getSelectedCloudServiceId(): string {
+	for (let i = 0;i < this.levels![0].questionnaireCloudServiceList!.length;i++) {
+		if (this.levels![0].questionnaireCloudServiceList![i].name === this.selectedQuestionnaire.split(' >> ')[1].trim()) {
+			return this.levels![0].questionnaireCloudServiceList![i].id;
+		}
+	}
+	return '';
+  }
+  
+  
+  loadQuestionnaire(): void {
+	this.router.navigate(['/questionnaire/question'], { queryParams: { selectedQuestionnaire: this.selectedQuestionnaire, selectedCloudService: this.getSelectedCloudServiceId(), selectedCategory: 1, selectedControl: 1 }});
+  }
+  
+  
+  openInfo(): void {
+	// Load the count of questions
+	this.isLoading = true;
+	this.questionnaireService.countQuestions().subscribe(
+		(res: HttpResponse<IQuestionnaireQuestionInfo[]>) => {
+			this.isLoading = false;
+       		let result = res.body ?? null;
+       		if (result != null) {
+			  const modalRef = this.modalService.open(QuestionnaireInfoDialogComponent, { size: 'lg', backdrop: 'static' });
+			  modalRef.componentInstance.info = result;
+			}
+		},
+		() => { this.isLoading = false; this.ready = true; });
+  }
+  
+  
+  report(): void {
+	this.router.navigate(['/questionnaire/report'], { queryParams: { selectedQuestionnaire: this.selectedQuestionnaire, selectedFramework: this.selectedFrameworkName }});
+  }
+  
+  
+  remove(): void {
+	const modalRef = this.modalService.open(QuestionnaireDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
+	modalRef.componentInstance.selectedQuestionnaire = this.selectedQuestionnaire;
+  }
+  
+  
   startQuestionnaire(): void {
-	this.router.navigate(['/questionnaire/question'], { queryParams: {selectedFramework: this.selectedFramework, selectedCategory: 1, selectedLevel: this.selectedLevel, selectedPurpose: this.selectedPurpose}});
+	this.isSaved = false;
+	this.ready = false;
+	
+	// Build the name
+	let date = new Date();
+	let dateStr = date.getFullYear() + '-' + ('0' + (date.getMonth() + 1)).slice(-2) + '-' + ('0' + date.getDate()).slice(-2);
+	this.selectedQuestionnaire = dateStr + ' >> ' + this.selectedCloudService + ' >> ' + this.selectedFrameworkTitle + ' (' + this.selectedFramework + ')';
+	for (let i = 0;i < this.levels!.length;i++) {
+		if (this.levels![i].id == this.selectedLevel) {
+			this.selectedQuestionnaire += ' >> ' + this.levels![i].assuranceLevel! + ' (' + this.selectedLevel + ')';
+			break;
+		}
+	}
+	
+	// Check if the Questionnaire already exists
+	let found:boolean = false;
+	if (this.questionnaires != null && this.questionnaires.length > 0) {
+		for (let i = 0;i < this.questionnaires.length;i++) {
+			if (this.questionnaires[i].name == this.selectedQuestionnaire) {
+				this.selectedLevel = this.questionnaires[i].levelId;
+				found = true;
+				break;
+			}
+		}	
+	}
+
+	if (found) {
+		// Redirect to the Questionnaire
+		this.router.navigate(['/questionnaire/question'], { queryParams: { selectedQuestionnaire: this.selectedQuestionnaire, selectedCloudService: this.getSelectedCloudServiceId(), selectedCategory: 1, selectedControl: 1 }});
+	} else {
+		// Obtain the existing Questions
+		this.isLoading = true;
+		this.questionnaireQuestionService.query().subscribe(
+		(res: HttpResponse<any>) => {
+			this.isLoading = false;
+			// Create the Questionnaire in the database
+			if (res.body.length > 0) {
+				let newQuestionnaire:IQuestionnaire[] = new Array();
+				for (let i = 0;i < res.body.length;i++) {
+					newQuestionnaire.push({ id: 0, name: this.selectedQuestionnaire, evidences: res.body[i].defaultEvidence, comments: '', lastUpdate: null, frameworkId: this.selectedFramework, controlId: res.body[i].controlId, tomId: res.body[i].tomId, assuranceLevelId: this.selectedLevel, questionId: res.body[i].id, answerId: 5, userId: this.account?.login });
+				}
+				this.subscribeToSaveResponse(this.questionnaireService.create(newQuestionnaire));
+			}
+		},
+		() => { this.isLoading = false; this.ready = true; });
+	}
+  }
+  
+  
+  protected subscribeToSaveResponse(result: Observable<HttpResponse<IQuestionnaire[]>>): void {
+    result.pipe(finalize(() => this.onSaveFinalize())).subscribe(
+      () => this.onSaveSuccess(),
+      () => this.onSaveError()
+    );
+  }
+
+
+  protected onSaveSuccess(): void {
+	// Redirect to the Questionnaire
+	this.router.navigate(['/questionnaire/question'], { queryParams: { selectedQuestionnaire: this.selectedQuestionnaire, selectedCloudService: this.getSelectedCloudServiceId(), selectedCategory: 1, selectedControl: 1 }});
   }
+
+
+  protected onSaveError(): void {}
+  
+  
+  protected onSaveFinalize(): void {}
 }
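Review bot: In `startQuestionnaire()` each row posted through `questionnaireService.create(newQuestionnaire)` carries `userId: this.account?.login`, so the owner of the new questionnaire is a value the browser supplies. The backend handler is not part of this hunk, but it should set the owner from the authenticated principal and not trust this field. The same method sets `this.ready = false` and nothing restores it when the save fails or when `res.body.length` is 0, because `onSaveError()` and `onSaveFinalize()` are empty. I would change the stub to `protected onSaveError(): void { this.ready = true; }` and add `else { this.ready = true; }` to the length check. `getSelectedCloudServiceId()` also assumes the name always contains `' >> '` and that `levels[0]` exists, so a guard before `split(' >> ')[1].trim()` would keep a malformed name from throwing.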
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.html
deleted file mode 100755
index 6db9cbc0177c2b1751365d6c2f7210042790b17e..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.html
+++ /dev/null
@@ -1,216 +0,0 @@
-<div>
-  <h2 id="page-heading" data-cy="QuestionnairesHeading">
-    <span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.home.singularTitle">Questionnaire</span>
-  </h2>
-  
-  <jhi-alert-error></jhi-alert-error>
-
-  <jhi-alert></jhi-alert>
-
- <div class="table-responsive" id="questions">
-    <br /><br />
-    <table style="width: 100%">
-    	<tr>
-    		<td style="width: 16%; background: #efefef; border-radius: 4px; vertical-align: top; font-size: 12px; padding: 8px 2px 8px 2px;">
-    			<span style="margin-top: 12px; font-size: 20px; padding-left: 6px;">Navigation</span><br />
-    			<ul style="padding-left: 18px;">
-    				<li style="margin-top: 12px;"><span style="font-weight: 600;">A1: Organisation of Information Security</span></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A2: Information Security Policies</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A3: Risk Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A4: Human Resources</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A5: Asset Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A6: Physical Security</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A7: Operational Security</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A8: Identity, Authentication and Access Control Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A9: Cryptography and Key Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A10: Communication Security</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A11: Portability and Interoperability</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A12: Change and Configuration Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A13: Development of Information Systems</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A14: Procurement Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A15: Incident Management</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A16: Business Continuity</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A17: Compliance</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A18: User Documentation</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A19: Dealing with Investigation Requests from Government Agencies</a></li>
-    				<li style="margin-top: 12px;"><a style="color: #0099a0; font-weight: 600; text-decoration: none;">A20: Product Safety and Security</a></li>
-    			</ul>
-    		</td>
-    		<td style="width: 84%;">
-	    		<table style="width: 100%">
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 98%;"><h5 style="color: #0099a0;">A1: Organisation of Information Security</h5></td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 98%; background: #efefef; color: #0099a0; padding: 4px; border-radius: 8px; font-weight: 600;">
-			    			OIS-01: The CSP operates an information security management system (ISMS). The scope of the ISMS covers the CSP's organisational units, locations and processes for providing the cloud service.
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    </table>
-			    <br />
-			    <table style="width: 100%">
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 7%; background: #0099a0; color: #fff; border-radius: 8px; font-size: 12px; font-weight: 600; text-align: center;">BASIC</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 90%; background: #efefef; color: #0099a0; padding: 4px; border-radius: 8px;">
-			    			<strong>OIS-01.1B:</strong> The CSP shall define, implement, maintain and continually improve an information security management system (ISMS), covering at least the operational units, locations and processes for providing the cloud service.
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    </table>
-			    <br />
-			    <table style="width: 100%">
-			    	<tr>
-			    		<td style="width: 6%;">&nbsp;</td>
-			    		<td style="width: 93%;">
-			    			<table style="width: 100%">
-			    				<tr>
-						    		<td style="width: 100%; font-weight: 600;" colspan="4">1) Has the CSP an information security management system (ISMS) documented?</td>
-						    	</tr>
-						    	<tr>
-						    		<td style="width: 30%; padding-left: 72px;">
-						    			<input type="radio" id="question1_1" name="question1" value="0" /> Fully supported.<br />
-						    			<input type="radio" id="question1_2" name="question1" value="50" /> Partially supported.<br />
-						    			<input type="radio" id="question1_3" name="question1" value="100" /> Not supported at all.<br />
-						    			<input type="radio" id="question1_4" name="question1" value="-1" /> Not applicable.
-						    		</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%;">
-						    				<span style="font-size: 12px; color: #0099a0;">Evidence:</span>
-						    				<br />
-						    				<textarea id="evidence1" name="evidence1" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;">- Documented Information Security Management System (ISMS)</textarea>
-						    			</div>
-						    		</td>
-						    		<td style="width: 2%;">&nbsp;</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Comments:</span>
-						    				<br />
-						    				<textarea id="comments1" name="comments1" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-						    			</div>
-						    		</td>
-						    	</tr>
-			    			</table>
-			    			<br />
-			    			<table style="width: 100%">
-			    				<tr>
-						    		<td style="width: 100%; font-weight: 600;" colspan="4">2) Does the CSP implement an information security management system (ISMS)?</td>
-						    	</tr>
-						    	<tr>
-						    		<td style="width: 30%; padding-left: 72px;">
-						    			<input type="radio" id="question2_1" name="question1" value="0" /> Fully supported.<br />
-						    			<input type="radio" id="question2_2" name="question1" value="50" /> Partially supported.<br />
-						    			<input type="radio" id="question2_3" name="question1" value="100" /> Not supported at all.<br />
-						    			<input type="radio" id="question2_4" name="question1" value="-1" /> Not applicable.
-						    		</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Evidence:</span>
-						    				<br />
-						    				<textarea id="evidence2" name="evidence2" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;">- Quality records derived from the implementation of the defined ISMS</textarea>
-						    			</div>
-						    		</td>
-						    		<td style="width: 2%;">&nbsp;</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Comments:</span>
-						    				<br />
-						    				<textarea id="comments2" name="comments2" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-						    			</div>
-						    		</td>
-						    	</tr>
-			    			</table>
-			    			<br />
-			    			<table style="width: 100%">
-			    				<tr>
-						    		<td style="width: 100%; font-weight: 600;" colspan="4">3) Does the CSP maintain an information security management system (ISMS)?</td>
-						    	</tr>
-						    	<tr>
-						    		<td style="width: 30%; padding-left: 72px;">
-						    			<input type="radio" id="question3_1" name="question1" value="0" /> Fully supported.<br />
-						    			<input type="radio" id="question3_2" name="question1" value="50" /> Partially supported.<br />
-						    			<input type="radio" id="question3_3" name="question1" value="100" /> Not supported at all.<br />
-						    			<input type="radio" id="question3_4" name="question1" value="-1" /> Not applicable.
-						    		</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Evidence:</span>
-						    				<br />
-						    				<textarea id="evidence3" name="evidence3" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;">- Documented updates and changes to the ISMS</textarea>
-						    			</div>
-						    		</td>
-						    		<td style="width: 2%;">&nbsp;</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Comments:</span>
-						    				<br />
-						    				<textarea id="comments3" name="comments3" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-						    			</div>
-						    		</td>
-						    	</tr>
-			    			</table>
-			    			<br />
-			    			<table style="width: 100%">
-			    				<tr>
-						    		<td style="width: 100%; font-weight: 600;" colspan="4">4) Does the CSP continually improve the information security management system (ISMS)?</td>
-						    	</tr>
-						    	<tr>
-						    		<td style="width: 30%; vertical-align: middle; padding-left: 72px;">
-						    			<input type="radio" id="question4_1" name="question1" value="0" /> Fully supported.<br />
-						    			<input type="radio" id="question4_2" name="question1" value="50" /> Partially supported.<br />
-						    			<input type="radio" id="question4_3" name="question1" value="100" /> Not supported at all.<br />
-						    			<input type="radio" id="question4_4" name="question1" value="-1" /> Not applicable.
-						    		</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Evidence:</span>
-						    				<br />
-						    				<textarea id="evidence4" name="evidence4" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;">- Documented improvement actions to the ISMS&#13;- Documented ISMS improvement plan&#13;- Documented improvemens to the ISMS</textarea>
-						    			</div>
-						    		</td>
-						    		<td style="width: 2%;">&nbsp;</td>
-						    		<td style="width: 34%;">
-						    			<div style="width: 100%; float: right;">
-						    				<span style="font-size: 12px; color: #0099a0;">Comments:</span>
-						    				<br />
-						    				<textarea id="comments4" name="comments4" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-						    			</div>
-						    		</td>
-						    	</tr>
-			    			</table>
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    	<tr><td colspan="3" style="width: 100%;">&nbsp;</td></tr>
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td colspan="2" style="width: 99%;">Non-conformities of the category:</td>
-			    	</tr>
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 98%;">
-			    			<textarea id="nonconformities_1" name="nonconformities_1" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    	<tr>
-			    		<td colspan="3" style="width: 100%; text-align: center;">
-			    			<button class="btn btn-warning mr-2">
-			    				Save
-			    			</button>
-			    			<button class="btn btn-info mr-2" (click)="next()">
-			    				Next
-			    			</button>
-			    		</td>
-			    	</tr>
-			    </table>
-			<tr>
-		<td>
-	</table>
-  </div>
-</div>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.ts
deleted file mode 100755
index 4fb7f0d66d94fff83e48aaccf5685c3aba5cf79f..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import { Component, OnInit } from '@angular/core';
-import { HttpResponse } from '@angular/common/http';
-import { Router } from '@angular/router';
-
-import { IQuestionnaireQuestion } from '../questionnaire-question.model';
-import { QuestionnaireService } from '../service/questionnaire.service';
-
-@Component({
-  selector: 'jhi-resource',
-  templateUrl: './questionnaire-question-poc.component.html',
-})
-export class QuestionnaireQuestionPocComponent implements OnInit {
-  isLoading = false;
-
-  constructor(protected questionnaireService: QuestionnaireService, private router: Router) {}
-
-  loadAll(): void {
-	// Load the Questions
-    //this.isLoading = true;
-    console.log('Load all questions');
-  }
-
-
-  ngOnInit(): void {
-    this.loadAll();
-  }
-  
-  
-  next(): void {
-	//this.router.navigate(['/questionnaire/question2']);
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.html
index 5c741bf9b99df082eb743480dd8a9edd6e8a0105..f90ae3032b26ccff634593a1e1d411fbe593befb 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.html
@@ -1,14 +1,20 @@
 <div>
   <h2 id="page-heading" data-cy="QuestionnairesHeading">
     <span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.home.singularTitle">Questionnaire</span>
-    <!--<fa-icon icon="sync" [spin]="isLoading"></fa-icon>-->
-  </h2>
+   </h2>
+  <h3 style="margin-bottom: -24px;">
+  	<div style="font-size: 14px; background: #0099a0; color: #fff; padding: 8px 16px 6px 16px; border-radius: 4px; text-align: center; box-shadow: 3px 3px 5px 0px rgba(204,204,204,1);">{{selectedQuestionnaireShort}}</div>
+  </h3>
   
   <jhi-alert-error></jhi-alert-error>
 
   <jhi-alert></jhi-alert>
 
-  <div class="table-responsive" id="questions">
+  <div id="waiting-container" *ngIf="!ready" style="position: fixed; z-index: 1; left: 0; top: 0; width: 100%; height: 100%; overflow: auto; background-color: rgba(0, 0, 0, 0.2); text-align: center;">
+	<img src="../../../../../content/images/loading.gif" style="margin-top: 72px; width: 70px; height: 70px;" />
+  </div>
+
+  <div class="table-responsive" id="questions" *ngIf="ready">
     <br /><br />
     <table style="width: 100%">
     	<tr>
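Review bot: The `<img>` added in `waiting-container` has no `alt` text, and its `src` climbs five directories (`../../../../../content/images/loading.gif`). The browser resolves that path against the page URL rather than the template file, so whether it loads depends on the current route depth. A base-relative reference such as `<img src="content/images/loading.gif" alt="Loading" style="margin-top: 72px; width: 70px; height: 70px;" />` would be more robust, assuming the app sets a base href as JHipster projects usually do. The new `<h3>` also wraps a block-level `<div>`, which is not valid heading content; a `<span>` with `display: block` keeps the same look.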
@@ -17,9 +23,21 @@
     			<ul style="padding-left: 18px;">
     				<li *ngFor="let category of categories" style="margin-top: 12px;">
     					<span style="font-weight: 600;" *ngIf="category.id == selectedCategory">{{category.code}}: {{category.name}}</span>
-    					<a style="color: #0099a0; font-weight: 600; text-decoration: none;" *ngIf="category.id != selectedCategory" (click)="goToCategory(category?.id!)">
-    						{{category.code}}: {{category.name}}
-    					</a>
+    					<div *ngIf="category.id != selectedCategory">
+    						<div *ngIf="isAdmin">
+			    				<a style="color: #0099a0; font-weight: 600; text-decoration: none;" (click)="save(false, false, false, true, false, category?.id!, 0)">
+	    							{{category.code}}: {{category.name}}
+	    						</a>
+			    			</div>
+			    			<div *ngIf="!isAdmin">
+			    				<a style="color: #0099a0; font-weight: 600; text-decoration: none;" (click)="save(false, false, false, true, false, category?.id!, 0)" *jhiHasAnyAuthority="['ProductOwner']">
+	    							{{category.code}}: {{category.name}}
+	    						</a>
+	    						<a style="color: #0099a0; font-weight: 600; text-decoration: none;" (click)="goTo(category?.id!, 0)" *jhiHasAnyAuthority="['ROLE_USER', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO', 'Auditor']">
+	    							{{category.code}}: {{category.name}}
+	    						</a>
+			    			</div>
+    					</div>
     				</li>
     			</ul>
     		</td>
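Review bot: The two `*jhiHasAnyAuthority` lists under `*ngIf="!isAdmin"` are not mutually exclusive, so an account that holds `ProductOwner` together with `ROLE_USER` (or any other role from the second list) would get both anchors rendered, one calling `save(...)` and one calling `goTo(...)`. Whether such accounts exist is not visible here, but `ROLE_USER` is commonly granted to every signed-in user. The same pairing is repeated in the next hunk for the control links, the radio inputs and the evidence and comment textareas, where it would also produce two elements with the same `id`, one disabled and one enabled. Deciding once in the component and binding a single element avoids this, for example `(click)="canSave ? save(false, false, false, true, false, category?.id!, 0) : goTo(category?.id!, 0)"`, where `canSave` is a new component property computed from the account's authorities. The anchors also have no `href`, so they are not reachable by keyboard.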
@@ -33,49 +51,97 @@
 			    	<tr>
 			    		<td style="width: 1%;">&nbsp;</td>
 			    		<td style="width: 98%;">
-			    			<table style="width: 100%" *ngFor="let currentControl of currentCategory.controls">
+			    			<hr style="margin-top: 2px;" />
+			    			<h6 style="color: #888; display: inline;"><span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.chooseControl">Choose a Control:</span></h6>
+			    			<h6 *ngFor="let controlItem of currentCategory.controlList" style="color: #fff; display: inline-flex; padding: 4px 6px 5px 6px; background: #0099a0; font-size: 13px; border-radius: 10px; margin-left: 8px;">
+			    				<div *ngIf="controlItem?.id != currentCategory?.currentControl?.id">
+			    					<div *ngIf="isAdmin">
+			    						<a (click)="save(false, false, false, false, true, currentCategory?.id!, controlItem?.id!)" style="cursor: pointer;">{{controlItem?.code}}</a>
+			    					</div>
+			    					<div *ngIf="!isAdmin">
+			    						<a (click)="save(false, false, false, false, true, currentCategory?.id!, controlItem?.id!)" style="cursor: pointer;" *jhiHasAnyAuthority="['ProductOwner', 'Auditor']">{{controlItem?.code}}</a>
+			    						<a (click)="goTo(currentCategory?.id!, controlItem?.id!)" style="cursor: pointer;" *jhiHasAnyAuthority="['ROLE_USER', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">{{controlItem?.code}}</a>
+			    					</div>
+			    				</div>
+			    				<span *ngIf="controlItem?.id == currentCategory?.currentControl?.id" style="color: #c5c5c5; font-weight: 600;">{{controlItem?.code}}</span>
+			    			</h6>
+			    			<hr style="margin-bottom: -12px;" />
+			    		</td>
+			    		<td style="width: 1%;">&nbsp;</td>
+			    	</tr>
+			    	<tr><td colspan="3" style="width: 100%;">&nbsp;</td></tr>
+			    	<tr>
+			    		<td style="width: 1%;">&nbsp;</td>
+			    		<td style="width: 98%;">
+			    			<table style="width: 100%">
 			    				<tr>
-			    					<td style="width: 100%; background: #efefef; color: #0099a0; padding: 4px; border-radius: 8px; font-weight: 600;">
-			    						{{currentControl?.code}}: {{currentControl?.description}}
-			    					</td>
+			    					<td style="width: 100%; background: #efefef; color: #0099a0; padding: 4px; border-radius: 8px; font-weight: 600; white-space: pre-wrap;">{{currentCategory?.currentControl?.code}}: {{currentCategory?.currentControl?.description}}</td>
 			    				</tr>
 			    				<tr><td style="width: 100%;">&nbsp;</td></tr>
-			    				<tr>
+			    				<tr *ngIf="currentCategory.currentControl?.toms == null || currentCategory.currentControl?.toms.length == 0">
+			    					<td style="width: 100%; padding-left: 48px; font-weight: 600; font-size: 14px;">
+			    						<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.noRequirementsAssociated">The selected assurance level has no requirements associated to this control</span>
+			    					</td>
+			    				</tr>
+			    				<tr *ngIf="currentCategory.currentControl?.toms != null && currentCategory.currentControl?.toms.length > 0">
 			    					<td style="width: 100%;">
-			    						<table style="width: 100%" *ngFor="let currentTom of currentControl.toms">
+			    						<table style="width: 100%" *ngFor="let currentTom of currentCategory.currentControl?.toms">
 			    							<tr>
 			    								<td style="width: 2%;">&nbsp;</td>
-			    								<td style="width: 98%;">
-			    									<div style="width: 100%; padding: 4px; background: #f7f4f4; color: #0099a0; border: 1px dotted #0099a0; border-radius: 4px;">
-			    										{{currentTom?.code}}: {{currentTom?.description}}
-			    									</div>
+			    								<td style="width: 98%;" colspan="3">
+			    									<div style="width: 100%; padding: 4px; background: #f7f4f4; color: #0099a0; border: 1px dotted #0099a0; border-radius: 4px; font-weight: 600; font-size: 13px; white-space: pre-wrap;">{{currentTom?.code}}: {{currentTom?.description}}</div>
+			    								</td>
+			    							</tr>
+			    							<tr *ngIf="currentTom.questions == null || currentTom.questions.length == 0">
+			    								<td colspan="4" style="width: 100%; padding-left: 48px; font-weight: 600; font-size: 14px;">
+			    									<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.noQuestionsAssociated">The selected assurance level has no questions associated to this requirement</span>
 			    								</td>
 			    							</tr>
 			    							<tr *ngFor="let currentQuestion of currentTom.questions">
-			    								<td colspan="2" style="width: 100%;">
+			    								<td colspan="4" style="width: 100%;">
 						    						<table style="width: 100%;">
 						    							<tr>
 						    								<td style="width: 3%;">&nbsp;</td>
 									    					<td style="width: 96%; padding-top: 12px;">
-									    						<span style="font-weight: 600;">{{currentQuestion.question}}</span><br />
+									    						<span style="font-weight: 600; font-size: 14px;">{{currentQuestion.code}}: {{currentQuestion.question}}</span><br />
 									    						<table style="width: 100%">
 												    				<tr>
-												    					<td style="width: 30%; padding: 4px 0 0 64px;">
+												    					<td style="width: 30%; padding: 4px 0 0 64px; font-size: 14px;">
 															    			<div style="width: 100%;" *ngFor="let answer of answers">
-															    				<input type="radio" id="question{{currentQuestion.id}}_{{answer.id}}" name="question{{currentQuestion.id}}_{{answer.id}}" value="{{answer.value}}" /> {{answer.answer}}<br />
+															    				<div *ngIf="isAdmin">
+															    					<input [disabled]="false" type="radio" id="question_{{currentQuestion.id}}_{{currentQuestion.tomId}}_{{answer.id}}" name="question{{currentQuestion.id}}" value="{{currentQuestion.answerId}}" [checked]="answer.id == currentQuestion.answerId" (change)="calculateCompliance(currentTom?.id)" />
+															    					{{answer.answer}}
+															    				</div>
+															    				<div *ngIf="!isAdmin">
+															    					<input [disabled]="true" type="radio" id="question_{{currentQuestion.id}}_{{currentQuestion.tomId}}_{{answer.id}}" name="question{{currentQuestion.id}}" value="{{currentQuestion.answerId}}" [checked]="answer.id == currentQuestion.answerId" (change)="calculateCompliance(currentTom?.id)" *jhiHasAnyAuthority="['Auditor']" />
+															    					<input [disabled]="false" type="radio" id="question_{{currentQuestion.id}}_{{currentQuestion.tomId}}_{{answer.id}}" name="question{{currentQuestion.id}}" value="{{currentQuestion.answerId}}" [checked]="answer.id == currentQuestion.answerId" (change)="calculateCompliance(currentTom?.id)" *jhiHasAnyAuthority="['ROLE_USER', 'ProductOwner', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']" />
+															    					{{answer.answer}}
+															    				</div>
 															    			</div>
 												    					</td>
 												    					<td style="width: 34%;">
 												    						<div style="width: 100%;">
 															    				<span style="font-size: 12px; color: #0099a0;" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.evidence">Evidence:</span><br />
-															    				<textarea id="evidence{{currentQuestion.id}}" name="evidence{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;">{{currentQuestion.evidence}}</textarea>
+															    				<div *ngIf="isAdmin">
+															    					<textarea [disabled]="false" id="evidences_{{currentQuestion.id}}" name="evidences_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;">{{currentQuestion.defaultEvidence}}</textarea>
+			    																</div>
+			    																<div *ngIf="!isAdmin">
+			    																	<textarea [disabled]="true" id="evidences_{{currentQuestion.id}}" name="evidences_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;" *jhiHasAnyAuthority="['Auditor']">{{currentQuestion.defaultEvidence}}</textarea>
+															    					<textarea [disabled]="false" id="evidences_{{currentQuestion.id}}" name="evidences_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;" *jhiHasAnyAuthority="['ROLE_USER', 'ProductOwner', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">{{currentQuestion.defaultEvidence}}</textarea>
+				    															</div>
 															    			</div>
 												    					</td>
 															    		<td style="width: 2%;">&nbsp;</td>
 															    		<td style="width: 34%;">
 															    			<div style="width: 100%; float: right;">
 															    				<span style="font-size: 12px; color: #0099a0;" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.comments">Comments:</span><br />
-															    				<textarea id="comments{{currentQuestion.id}}" name="comments{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
+															    				<div *ngIf="isAdmin">
+															    					<textarea [disabled]="false" id="comments_{{currentQuestion.id}}" name="comments_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;">{{currentQuestion.defaultComment}}</textarea>
+			    																</div>
+			    																<div *ngIf="!isAdmin">
+			    																	<textarea [disabled]="true" id="comments_{{currentQuestion.id}}" name="comments_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;" *jhiHasAnyAuthority="['Auditor']">{{currentQuestion.defaultComment}}</textarea>
+															    					<textarea [disabled]="false" id="comments_{{currentQuestion.id}}" name="comments_{{currentQuestion.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0; white-space: pre-wrap;" *jhiHasAnyAuthority="['ROLE_USER', 'ProductOwner', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">{{currentQuestion.defaultComment}}</textarea>
+				    															</div>
 															    			</div>
 															    		</td>
 												    				</tr>
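Review bot: The read-only treatment of `Auditor` exists only as `[disabled]="true"` on the inputs, while the control chooser lists `['ProductOwner', 'Auditor']` on the link that calls `save(false, false, false, false, true, ...)`. An auditor switching controls therefore goes through the save path, even though the category links in the previous hunk send the same role through `goTo`. A `disabled` attribute is presentation, not access control, so the endpoint behind `save()` (not shown in this section) needs to reject writes from roles that may only read. For the template I would use `*jhiHasAnyAuthority="['ProductOwner']"` on the `save` link and add `'Auditor'` to the list on the `goTo` link. Every radio in a group now also carries `value="{{currentQuestion.answerId}}"`, the same value for all answers; if `save()` reads the value rather than the element id, `value="{{answer.id}}"` is probably what was meant.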
@@ -86,20 +152,36 @@
 						    						</table>
 						    					</td>
 			    							</tr>
-			    							<tr><td colspan="2" style="width: 100%;">&nbsp;</td></tr>
+			    							<tr><td colspan="4" style="width: 100%;">&nbsp;</td></tr>
 			    							<tr>
 			    								<td style="width: 2%;">&nbsp;</td>
-			    								<td style="width: 98%;">
-													<span style="color: #0099a0; font-size: 14px; font-weight: 600;" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.nonConformities">Non-conformities of the requirement:</span>
+			    								<td style="width: 68%;">
+													<span style="color: #0099a0; font-size: 14px; font-weight: 600;" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.nonConformities">Non-conformities of the requirement {{currentTom?.code}}:</span>
+			    								</td>
+			    								<td style="width: 1%;">&nbsp;</td>
+			    								<td style="width: 29%;">
+			    									<span *ngIf="currentTom?.compliance.length == 0">&nbsp;</span>
+			    									<span *ngIf="currentTom?.compliance.length > 0" style="color: #0099a0; font-size: 14px; font-weight: 600;" jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.compliance">Compliance:</span>
 			    								</td>
 			    							</tr>
 			    							<tr>
 			    								<td style="width: 2%;">&nbsp;</td>
-		    									<td style="width: 98%;">
-													<textarea id="nonconformities_{{currentTom?.id}}" name="nonconformities_{{currentTom?.id}}" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
+		    									<td style="width: 68%;">
+		    										<div *ngIf="isAdmin">
+			    										<textarea [disabled]="false" id="nonconformities_{{currentTom?.id}}" name="nonconformities_{{currentTom?.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0;">{{currentTom?.nonConformities}}</textarea>
+			    									</div>
+			    									<div *ngIf="!isAdmin">
+				    									<textarea [disabled]="false" id="nonconformities_{{currentTom?.id}}" name="nonconformities_{{currentTom?.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0;" *jhiHasAnyAuthority="['Auditor']">{{currentTom?.nonConformities}}</textarea>
+			    										<textarea [disabled]="true" id="nonconformities_{{currentTom?.id}}" name="nonconformities_{{currentTom?.id}}" style="border: solid 1px #0099a0; font-size: 12px; width: 100%; height: 52px; color: #0099a0;" *jhiHasAnyAuthority="['ROLE_USER', 'ProductOwner', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">{{currentTom?.nonConformities}}</textarea>
+			    									</div>
+			    								</td> 
+			    								<td style="width: 1%;">&nbsp;</td>
+			    								<td style="width: 29%;">
+			    									<span *ngIf="currentTom?.compliance.length == 0">&nbsp;</span>
+			    									<input *ngIf="currentTom?.compliance.length > 0" type="text" class="form-control" name="compliance_{{currentTom?.id}}" id="compliance_{{currentTom?.id}}" style="font-size: 16px; border: none; background: #0099a017; text-align: center; height: 52px; margin-top: -6px" [readonly]="true" value="{{currentTom?.compliance}}" />
 			    								</td>
 			    							</tr>
-			    							<tr><td colspan="2" style="width: 100%;">&nbsp;</td></tr>
+			    							<tr><td colspan="4" style="width: 100%;">&nbsp;</td></tr>
 			    						</table>
 			    					</td>
 			    				</tr>
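Review bot: Who may edit the non-conformities field is decided only in the template here: the `!isAdmin` branch renders an enabled textarea for `Auditor` and a disabled one for the other roles, and a `disabled` attribute is presentation that the user can remove in the browser. The endpoint that stores non-conformities should reject writes from accounts that are neither auditor nor admin; that check is not visible in this hunk. The two `*jhiHasAnyAuthority` lists are also not mutually exclusive, so an account holding both `Auditor` and `ROLE_USER` would get two textareas with the same `id`. A single element bound as `[disabled]="!canEditNonConformities"`, with the flag computed once in the component, avoids that.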
@@ -109,41 +191,56 @@
 			    		<td style="width: 1%;">&nbsp;</td>
 			    	</tr>
 			    </table>
-			    <!--
-			    <br />
 			    <table style="width: 100%">
 			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 98%;">
-			    			<span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.nonConformities">Non-conformities of the requirement:</span>
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 98%;">
-			    			<textarea id="nonconformities_{{currentCategory?.id}}" name="nonconformities_{{currentCategory?.id}}" style="border: solid 1px #0099a0; font-size: 10px; width: 100%; height: 52px; color: #0099a0;"></textarea>
-			    		</td>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    	</tr>
-			    </table>
-			    -->
-			    <br />
-			    <table style="width: 100%">
-			    	<tr>
-			    		<td style="width: 1%;">&nbsp;</td>
-			    		<td style="width: 69%;">
-			    			<button class="btn btn-info mr-2" *ngIf="currentCategory?.id! > minCategory!" (click)="goToCategory(currentCategory?.id! - 1)">
-			    				<span jhiTranslate="entity.action.previous">Previous</span>
-			    			</button>
-			    			<button class="btn btn-info mr-2" *ngIf="currentCategory?.id! < maxCategory!" (click)="goToCategory(currentCategory?.id! + 1)">
-			    				<span jhiTranslate="entity.action.next">Next</span>
-			    			</button>
-			    		</td>
-			    		<td style="width: 30%; text-align: right;">
-			    			<button class="btn btn-info mr-2">
-			    				<span jhiTranslate="entity.action.save" (click)="save()">Save</span>
-			    			</button>
+			    		<td style="width: 100%;">
+			    			<div style="float: right; display: inline-flex;">
+			    				<div>
+			    					<div *ngIf="isAdmin">
+				    					<button class="btn btn-info mr-2" style="background-color: #c70e33!important; border-color: #c70e33!important;">
+						    				<span jhiTranslate="entity.action.exit" (click)="save(true, false, false, false, false, -1, -1)">Exit</span>
+						    			</button>
+				    				</div>
+				    				<div *ngIf="!isAdmin">
+				    					<button class="btn btn-info mr-2" style="background-color: #c70e33!important; border-color: #c70e33!important;" *jhiHasAnyAuthority="['ProductOwner', 'Auditor']">
+						    				<span jhiTranslate="entity.action.exit" (click)="save(true, false, false, false, false, -1, -1)">Exit</span>
+						    			</button>
+						    			<button class="btn btn-info mr-2" (click)="exit()" style="background-color: #c70e33!important; border-color: #c70e33!important;" *jhiHasAnyAuthority="['ROLE_USER', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">
+						    				<span jhiTranslate="entity.action.exit">Exit</span>
+						    			</button>
+				    				</div>
+				    			</div>
+				    			<div *ngIf="currentCategory?.currentControl?.id > 1 || currentCategory?.id! > minCategory!">
+				    				<div *ngIf="isAdmin">
+				    					<button class="btn btn-info mr-2" (click)="previous(currentCategory?.id!, currentCategory?.currentControl?.id!, true)" style="background-color: #0099a0!important; border-color: #0099a0!important;">
+						    				<span jhiTranslate="entity.action.previous">Previous</span>
+						    			</button>
+				    				</div>
+				    				<div *ngIf="!isAdmin">
+				    					<button class="btn btn-info mr-2" (click)="previous(currentCategory?.id!, currentCategory?.currentControl?.id!, true)" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ProductOwner', 'Auditor']">
+						    				<span jhiTranslate="entity.action.previous">Previous</span>
+						    			</button>
+						    			<button class="btn btn-info mr-2" (click)="previous(currentCategory?.id!, currentCategory?.currentControl?.id!, false)" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_USER', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">
+						    				<span jhiTranslate="entity.action.previous">Previous</span>
+						    			</button>
+				    				</div>
+				    			</div>
+				    			<div *ngIf="currentCategory?.id! < maxCategory! || currentCategory?.currentControl?.id! < maxControl!">
+				    				<div *ngIf="isAdmin">
+				    					<button class="btn btn-info mr-2" (click)="next(currentCategory?.id!, currentCategory?.currentControl?.id!, true)" style="background-color: #0099a0!important; border-color: #0099a0!important;">
+						    				<span jhiTranslate="entity.action.next">Next</span>
+						    			</button>
+				    				</div>
+				    				<div *ngIf="!isAdmin">
+				    					<button class="btn btn-info mr-2" (click)="next(currentCategory?.id!, currentCategory?.currentControl?.id!, true)" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ProductOwner', 'Auditor']">
+						    				<span jhiTranslate="entity.action.next">Next</span>
+						    			</button>
+						    			<button class="btn btn-info mr-2" (click)="next(currentCategory?.id!, currentCategory?.currentControl?.id!, false)" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_USER', 'SecurityGovernance', 'SecurityAnalyst', 'DomainGovernance', 'ProductSecurityEng', 'CISO']">
+						    				<span jhiTranslate="entity.action.next">Next</span>
+						    			</button>
+				    				</div>
+				    			</div>
+			    			</div>
 			    		</td>
 			    	</tr>
 			    </table>
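Review bot: The two saving Exit buttons bind `(click)="save(true, false, false, false, false, -1, -1)"` on the inner `<span>` rather than on the `<button>`, unlike the Previous and Next buttons below them. A click on the button's padding, or keyboard activation of the focused button, is dispatched on the button element and never reaches the span's handler, so the press does nothing and the answers are not saved. Move the binding up to the button: `<button class="btn btn-info mr-2" (click)="save(true, false, false, false, false, -1, -1)" ...>`. The five positional booleans would also read better as a named options object, but `save` is defined outside this hunk.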
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.ts
index 6466779d647deefb8bd6bf31d50acaa98041a455..0c4d57d3cdc4f7a563ac18820be1a582a4bd746e 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question.component.ts
@@ -1,6 +1,13 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
 import { Router, ActivatedRoute } from '@angular/router';
+import { Observable } from 'rxjs';
+import { finalize } from 'rxjs/operators';
+import { TranslateService } from '@ngx-translate/core';
+
+import { Account } from 'app/core/auth/account.model';
+import { AccountService } from 'app/core/auth/account.service';
+import { Authority } from 'app/config/authority.constants';
 
 import { ISecurityControlCategory } from '../../security-control-category/security-control-category.model';
 import { ISecurityControl } from '../../security-control/security-control.model';
@@ -8,6 +15,7 @@ import { ITom } from '../../tom/tom.model';
 import { IQuestionnaire } from '../questionnaire.model';
 import { IQuestionnaireQuestionAnswer } from '../questionnaire-question-answer.model';
 import { IQuestionnaireQuestion } from '../questionnaire-question.model';
+import { IQuestionnaireNonConformity } from '../questionnaire-non-conformity.model';
 
 import { SecurityControlCategoryService } from '../../security-control-category/service/security-control-category.service';
 import { SecurityControlService } from '../../security-control/service/security-control.service';
@@ -15,150 +23,290 @@ import { TomService } from '../../tom/service/tom.service';
 import { QuestionnaireService } from '../service/questionnaire.service';
 import { QuestionnaireQuestionService } from '../service/questionnaire-question.service';
 import { QuestionnaireQuestionAnswerService } from '../service/questionnaire-question-answer.service';
+import { QuestionnaireNonConformityService } from '../service/questionnaire-non-conformity.service';
 
 @Component({
   selector: 'jhi-resource',
   templateUrl: './questionnaire-question.component.html',
 })
 export class QuestionnaireQuestionComponent implements OnInit {
-  categories: ISecurityControlCategory[];
+  account: Account | null = null;
+  isAdmin = false;
+	
+  categories: any[];
   questionnaire?: IQuestionnaire[];
-  answers?: IQuestionnaireQuestionAnswer[];
+  answers: IQuestionnaireQuestionAnswer[];
+  nonConformities: IQuestionnaireNonConformity[];
   
+  previousCategory: any;
   currentCategory: any;
+  selectedQuestionnaire?: string;
+  selectedQuestionnaireShort?: string;
   selectedFramework?: number;
   selectedCategory?: number;
+  selectedControl?: number;
   selectedLevel?: number;
-  selectedPurpose?: number;
+  selectedLevelText?: string;
+  selectedCloudService?: string;
   minCategory?: number;
   maxCategory?: number;
+  minControl?: number;
+  maxControl?: number;
 	
   isLoading = false;
+  ready = false;
+  
+  saveButton = false;
+  previousButton = false;
+  nextButton = false;
+  categoryButton = false;
+  controlButton = false;
 
-  constructor(protected questionnaireService: QuestionnaireService,
+  constructor(protected accountService: AccountService,
+    protected questionnaireService: QuestionnaireService,
   	protected securityControlCategoryService: SecurityControlCategoryService,
   	protected securityControlService: SecurityControlService,
   	protected tomService: TomService,
   	protected questionnaireQuestionAnswerService: QuestionnaireQuestionAnswerService,
   	protected questionnaireQuestionService: QuestionnaireQuestionService,
-  	private router: Router, private route: ActivatedRoute) {
+  	protected questionnaireNonConformityService: QuestionnaireNonConformityService,
+  	private router: Router, private route: ActivatedRoute,
+  	private translate: TranslateService) {
 		this.categories = new Array();
+		this.answers = new Array();
+		this.nonConformities = new Array();
+		this.previousCategory = { id: 0 };
 		this.currentCategory = {};
 		this.minCategory = 99999;
 		this.maxCategory = -1;
+		this.minControl = 99999;
+		this.maxControl = -1;
 	}
 
   loadAll(): void {
-	this.selectedFramework = this.route.snapshot.queryParams['selectedFramework'];
+	this.selectedQuestionnaire = this.route.snapshot.queryParams['selectedQuestionnaire'];
+	this.selectedQuestionnaireShort = this.selectedQuestionnaire!.replace(/\(.*?\)/g, '');
+	let splitted = this.selectedQuestionnaire!.split(' >> ');
+	let regExp = /\(([^)]+)\)/;
+	this.selectedFramework = parseInt(regExp.exec(splitted[2].trim())![1]);
+	this.selectedLevel = parseInt(regExp.exec(splitted[3].trim())![1]);
+	this.selectedLevelText = (splitted[3].trim().substring(0, splitted[3].indexOf('('))).trim();
 	this.selectedCategory = this.route.snapshot.queryParams['selectedCategory'];
-	this.selectedLevel = this.route.snapshot.queryParams['selectedLevel'];
-	this.selectedPurpose = this.route.snapshot.queryParams['selectedPurpose'];
+	this.selectedControl = this.route.snapshot.queryParams['selectedControl'];
+	this.selectedCloudService = this.route.snapshot.queryParams['selectedCloudService'];
 	
-	// Load the Questionnaire
-    this.isLoading = true;
-	this.questionnaireService.query({'frameworkId.equals': this.selectedFramework}).subscribe(
-      (res: HttpResponse<IQuestionnaire[]>) => {
-        this.isLoading = false;
-        this.questionnaire = res.body ?? [];
-      },
-      () => {
-        this.isLoading = false;
-      }
+	// Load the logged user and check if it is admin
+	this.accountService.getAuthenticationState().subscribe(
+      account => (this.account = account)
     );
+    for (let i = 0;i < this.account!.authorities.length;i++) {
+	  if (this.account!.authorities[i] == Authority.ADMIN) {
+		this.isAdmin = true;
+		break;
+	  }
+    }
 	
-	// Load the Categories corresponding to the selected framework
-    this.isLoading = true;
-    this.securityControlCategoryService.query({'securityControlFrameworkId.equals': this.selectedFramework}).subscribe(
-		(res: HttpResponse<ISecurityControlCategory[]>) => {
+	// Load the Questionnaire
+	this.isLoading = true;
+	this.questionnaireService.query({'name.equals': this.selectedQuestionnaire}).subscribe(
+		(res: HttpResponse<IQuestionnaire[]>) => {
 			this.isLoading = false;
-	        this.categories = res.body ?? [];
-	        if (this.categories != null && this.categories.length > 0) {
-				for (let i = 0;i < this.categories.length;i++) {
-					if (this.categories[i].id == this.selectedCategory) {
-						this.currentCategory = this.categories[i];
-					}
-					
-					if (this.maxCategory! < this.categories[i].id!) {
-						this.maxCategory = this.categories[i].id;
-					}
-					if (this.categories[i].id == this.selectedCategory) {
-						this.currentCategory = this.categories[i];
-					}
-					delete this.currentCategory['description'];
-					delete this.currentCategory['securityControlFramework'];
-					this.currentCategory['controls'] = new Array();
-				}
-				
-				if (this.currentCategory != null && this.currentCategory.id != null) {
-					// Load the Controls corresponding to the current category
-					this.isLoading = true;
-					this.securityControlService.query({'securityControlCategoryId.equals': this.currentCategory.id}).subscribe(
-						(res: HttpResponse<ISecurityControl[]>) => {
-							this.isLoading = false;
-							this.currentCategory.controls = res.body ?? [];
-							if (this.currentCategory.controls != null && this.currentCategory.controls.length > 0) {
-								// Fix the information about the controls
-								for (let i = 0;i < this.currentCategory.controls.length;i++) {
-									delete this.currentCategory.controls[i].guidance;
-									delete this.currentCategory.controls[i].objective;
-									delete this.currentCategory.controls[i].resources;
-									delete this.currentCategory.controls[i].riskReductionWeight;
-									delete this.currentCategory.controls[i].securityControlCategory;
-									this.currentCategory.controls[i]['toms'] = new Array();
-								}
-								
-								// Load all the TOMs
-								this.isLoading = true;
-								this.tomService.query().subscribe(
-									(res: HttpResponse<ITom[]>) => {
-										this.isLoading = false;
-										let toms = res.body ?? [];
-										if (toms != null && toms.length > 0) {
-											for (let i = 0;i < this.currentCategory.controls.length;i++) {
-												for (let j = 0;j < toms.length;j++) {
-													if (this.currentCategory.controls[i].id == toms[j].securityControl?.id!) {
-														this.currentCategory.controls[i].toms.push(toms[j]);
+			this.questionnaire = res.body ?? [];
+			if (this.questionnaire != null && this.questionnaire.length > 0) {
+				// Load the non-conformities
+				this.isLoading = true;
+				this.questionnaireNonConformityService.find('' + this.selectedQuestionnaire).subscribe(
+					(res: HttpResponse<IQuestionnaire[]>) => {
+						this.isLoading = false;
+						this.nonConformities = res.body ?? [];
+						
+						// Load the Categories corresponding to the selected framework
+					    this.isLoading = true;
+					    this.securityControlCategoryService.query({'securityControlFrameworkId.equals': this.selectedFramework}).subscribe(
+							(res: HttpResponse<ISecurityControlCategory[]>) => {
+								this.isLoading = false;
+						        this.categories = res.body ?? [];
+						        if (this.categories != null && this.categories.length > 0) {
+									for (let i = 0;i < this.categories.length;i++) {
+										if (this.categories[i].id! == this.selectedCategory) {
+											this.currentCategory = this.categories[i];
+											if (i > 0) {
+												this.previousCategory = this.categories[i - 1];
+											}
+										}
+										
+										if (this.minCategory! > this.categories[i].id!) {
+											this.minCategory = this.categories[i].id;
+										}
+										
+										if (this.maxCategory! < this.categories[i].id!) {
+											this.maxCategory = this.categories[i].id;
+										}
+										
+										// Fix the information about the previous category
+										delete this.previousCategory['description'];
+										delete this.previousCategory['securityControlFramework'];
+										this.previousCategory['controlList'] = new Array();
+										this.previousCategory['currentControl'] = {};
+										
+										// Fix the information about the current category
+										delete this.currentCategory['description'];
+										delete this.currentCategory['securityControlFramework'];
+										this.currentCategory['controlList'] = new Array();
+										this.currentCategory['currentControl'] = {};
+									}
+									
+									if (this.previousCategory != null && this.previousCategory.id != null && this.previousCategory.id > 0) {
+										// Load the Controls corresponding to the previous category
+										this.isLoading = true;
+										this.securityControlService.query({'securityControlCategoryId.equals': this.previousCategory.id}).subscribe(
+											(res: HttpResponse<ISecurityControl[]>) => {
+												this.isLoading = false;
+												this.previousCategory.controlList = res.body ?? [];
+												if (this.previousCategory.controlList != null && this.previousCategory.controlList.length > 0) {
+													// Fix the information about the controls
+													for (let i = 0;i < this.previousCategory.controlList.length;i++) {
+														delete this.previousCategory.controlList[i].guidance;
+														delete this.previousCategory.controlList[i].objective;
+														delete this.previousCategory.controlList[i].resources;
+														delete this.previousCategory.controlList[i].riskReductionWeight;
+														delete this.previousCategory.controlList[i].securityControlCategory;
 													}
 												}
-												
-												// Fix the information about the TOMs
-												for (let j = 0;j < this.currentCategory.controls[i].toms.length;j++) {
-													delete this.currentCategory.controls[i].toms[j].securityControl;
-													delete this.currentCategory.controls[i].toms[j].securityMetrics;
-													delete this.currentCategory.controls[i].toms[j].type;
-													this.currentCategory.controls[i].toms[j].questions = new Array();
-												}
-											}
-											
-											// Load the questions
-											this.isLoading = true;
-											this.questionnaireQuestionService.query({'assuranceLevelId.lessThanOrEqual': this.selectedLevel, 'frameworkId.equals': this.selectedFramework}).subscribe(
-												(res: HttpResponse<IQuestionnaireQuestion[]>) => {
-													this.isLoading = false;
-													let questions = res.body ?? [];
-													if (questions != null && questions.length > 0) {
-														for (let i = 0;i < this.currentCategory.controls.length;i++) {
-															for (let j = 0;j < this.currentCategory.controls[i].toms.length;j++) {
-																for (let k = 0;k < questions.length;k++) {
-																	if (this.currentCategory.controls[i].toms[j].id == questions[k].tomId) {
-																		this.currentCategory.controls[i].toms[j].questions.push(questions[k]);
+											},() => { this.isLoading = false; });
+									}
+									
+									if (this.currentCategory != null && this.currentCategory.id != null) {
+										// Load the Controls corresponding to the current category
+										this.isLoading = true;
+										this.securityControlService.query({'securityControlCategoryId.equals': this.currentCategory.id}).subscribe(
+											(res: HttpResponse<ISecurityControl[]>) => {
+												this.isLoading = false;
+												this.currentCategory.controlList = res.body ?? [];
+												if (this.currentCategory.controlList != null && this.currentCategory.controlList.length > 0) {
+													// Fix the information about the controls
+													for (let i = 0;i < this.currentCategory.controlList.length;i++) {
+														if (this.minControl! > this.currentCategory.controlList[i].id!) {
+															this.minControl = this.currentCategory.controlList[i].id;
+														}
+										
+														if (this.maxControl! < this.currentCategory.controlList[i].id!) {
+															this.maxControl = this.currentCategory.controlList[i].id;
+														}
+														
+														delete this.currentCategory.controlList[i].guidance;
+														delete this.currentCategory.controlList[i].objective;
+														delete this.currentCategory.controlList[i].resources;
+														delete this.currentCategory.controlList[i].riskReductionWeight;
+														delete this.currentCategory.controlList[i].securityControlCategory;
+														
+														// Establish the current control
+														if (this.selectedControl == null || this.selectedControl == 0) {
+															this.currentCategory.currentControl = this.currentCategory.controlList[0];
+														} else if (this.currentCategory.controlList[i].id == this.selectedControl) {
+															this.currentCategory.currentControl = this.currentCategory.controlList[i];
+														}
+													}								
+													this.currentCategory.currentControl['toms'] = new Array();
+					
+													// Load all the TOMs
+													this.isLoading = true;
+													this.tomService.query().subscribe(
+														(res: HttpResponse<ITom[]>) => {
+															this.isLoading = false;
+															let toms = res.body ?? [];
+															if (toms != null && toms.length > 0) {
+																for (let i = 0;i < toms.length;i++) {
+																	if (toms[i].assuranceLevel == this.selectedLevelText && this.currentCategory.currentControl.id == toms[i].securityControl?.id!) {
+																		this.currentCategory.currentControl.toms.push(toms[i]);
 																	}
 																}
+																	
+																// Fix the information about the TOMs
+																for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+																	delete this.currentCategory.currentControl.toms[i].securityControl;
+																	delete this.currentCategory.currentControl.toms[i].securityMetrics;
+																	delete this.currentCategory.currentControl.toms[i].type;
+																	this.currentCategory.currentControl.toms[i].questions = new Array();
+																	if (this.currentCategory.currentControl.toms[i].description.indexOf('<br>') != -1) {
+																		this.currentCategory.currentControl.toms[i].description = this.currentCategory.currentControl.toms[i].description.replaceAll('<br>', '\r\n');
+																	}
+																	this.currentCategory.currentControl.toms[i]['nonConformities'] = '';
+																	this.currentCategory.currentControl.toms[i]['compliance'] = '';
+																	if (this.nonConformities != null && this.nonConformities.length > 0) {
+																		for (let j = 0;j < this.nonConformities.length;j++) {
+																			if (this.currentCategory.currentControl.toms[i].id == this.nonConformities[j].tomId) {
+																				this.currentCategory.currentControl.toms[i].nonConformities = this.nonConformities[j].comments;
+																				this.currentCategory.currentControl.toms[i].compliance = this.nonConformities[j].compliance;
+																				break;
+																			}
+																		}
+																	}
+																}
+																
+																// Load the questions
+																this.isLoading = true;
+																this.questionnaireQuestionService.query({'assuranceLevelId.lessThanOrEqual': this.selectedLevel, 'frameworkId.equals': this.selectedFramework}).subscribe(
+																	(res: HttpResponse<IQuestionnaireQuestion[]>) => {
+																		this.isLoading = false;
+																		let questions:any = res.body ?? [];
+																		if (questions != null && questions.length > 0) {
+																			for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+																				for (let j = 0;j < questions.length;j++) {
+																					if (this.currentCategory.currentControl.toms[i].id == questions[j].tomId) {
+																						this.currentCategory.currentControl.toms[i].questions.push(questions[j]);
+																					}
+																				}
+																			}
+																			
+																			// Fix the information about the questions
+																			for (let i = 0;i < questions.length;i++) {
+																				questions[i]['answerId'] = 5;
+																				for (let j = 0;j < this.questionnaire!.length;j++) {
+																					if (questions[i].id === this.questionnaire![j].questionId) {
+																						questions[i].answerId = this.questionnaire![j].answerId;
+																						if (this.questionnaire![j].lastUpdate != null) {
+																							questions[i].defaultEvidence = this.questionnaire![j].evidences;
+																							questions[i].defaultComment = this.questionnaire![j].comments;
+																						}
+																						break;
+																					}
+																				}
+																			}
+																			
+																			for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+																				for (let j = 0;j < this.currentCategory.currentControl.toms[i].questions.length;j++) {
+																					this.currentCategory.currentControl.toms[i].questions[j].code = this.currentCategory.currentControl.toms[i].questions[j].code.split('-')[0];
+																					if (this.currentCategory.currentControl.toms[i].questions[j].question.indexOf('<br>') != -1) {
+																						this.currentCategory.currentControl.toms[i].questions[j].question = this.currentCategory.currentControl.toms[i].questions[j].question.replaceAll('<br>', '\r\n');
+																					}
+																					if (this.currentCategory.currentControl.toms[i].questions[j].defaultEvidence.indexOf('<br>') != -1) {
+																						this.currentCategory.currentControl.toms[i].questions[j].defaultEvidence = this.currentCategory.currentControl.toms[i].questions[j].defaultEvidence.replaceAll('<br>', '\r\n');
+																					}
+																				}
+																			}
+																		}
+																	},
+																	() => { this.isLoading = false; this.ready = true; });
 															}
-														}
+						      							},
+						     							() => { this.isLoading = false; this.ready = true; });
 													}
-												},
-												() => { this.isLoading = false; });
+											},
+											() => { this.isLoading = false; this.ready = true; });
 										}
-	      							},
-	     							() => { this.isLoading = false; });
-								}
-						},
-						() => { this.isLoading = false; });
-					}
-				}
-	      	},
-			() => { this.isLoading = false; });
+									}
+						      	},
+								() => { this.isLoading = false; this.ready = true; });
+					},
+					() => { this.isLoading = false; }
+				);
+			}
+		},
+		() => { this.isLoading = false; }
+	);
+	
+	
     
 	// Load the visible Answers
 	this.isLoading = true;
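Review bot: The admin check right after `getAuthenticationState().subscribe(...)` reads `this.account!.authorities` synchronously, so it throws a TypeError whenever the observable has not emitted yet or emits `null`, and `isAdmin` is never recomputed when the account changes. Derive the flag inside the callback instead: `.subscribe(account => { this.account = account; this.isAdmin = account?.authorities.includes(Authority.ADMIN) ?? false; });`. `isAdmin` only selects which controls the template renders, so the backend still has to enforce the role on every write. The query-parameter parsing at the top of `loadAll` is similarly unguarded: `splitted[2]`, `splitted[3]` and `regExp.exec(...)![1]` throw on a missing or hand-edited `selectedQuestionnaire`, so a guard that redirects on a malformed value would be safer. `loadAll` continues past the end of this hunk.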
@@ -166,8 +314,9 @@ export class QuestionnaireQuestionComponent implements OnInit {
 		(res: HttpResponse<IQuestionnaireQuestionAnswer[]>) => {
 			this.isLoading = false;
 			this.answers = res.body ?? [];
+			setTimeout(() => { this.ready = true; }, 1000);
 		},
-		() => { this.isLoading = false; });
+		() => { this.isLoading = false; this.ready = true; });
 	}
 
 
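Review bot: `setTimeout(() => { this.ready = true; }, 1000)` marks the view ready after a fixed second rather than when the nested category, control, TOM and question requests have finished, and none of the success callbacks in that chain sets `ready` itself. On a slow backend the flag can flip while questions still carry their placeholder `answerId`; what `ready` gates is in the template, outside this hunk, so the impact is inferred. Setting `this.ready = true;` at the end of the last success callback (the questions load) and dropping the timer would tie the flag to the data. At minimum add a comment such as `// ready is time-based: assumes the nested loads finish within 1 s`. The hunk starts inside `loadAll`.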
@@ -176,15 +325,208 @@ export class QuestionnaireQuestionComponent implements OnInit {
 	}
   
   
-	goToCategory(category: number): void {
+	goTo(category: number, control: number): void {
 		this.router.navigateByUrl('/', { skipLocationChange: true }).then(() => {
-			this.router.navigate(['/questionnaire/question'], { queryParams: { selectedFramework: this.selectedFramework, selectedCategory: +category, selectedLevel: this.selectedLevel, selectedPurpose: this.selectedPurpose }});
+			this.router.navigate(['/questionnaire/question'], { queryParams: { selectedQuestionnaire: this.selectedQuestionnaire, selectedCloudService: this.selectedCloudService, selectedCategory: +category, selectedControl: control }});
 		});
 	}
-   
-  
-	save(): void {
-		console.log('Save');
-		//this.router.navigate(['/questionnaire/question'], { queryParams: {selectedFramework: this.selectedFramework, selectedCategory: 1, selectedLevel: this.selectedLevel, selectedPurpose: this.selectedPurpose}});
+	
+	
+	calculateCompliance(tomId: number): string {
+		// Declare the needed variables
+		let complianceCounter = { "yes": 0, "no": 0, "partial": 0, "na": 0, "empty": 0 };
+		let compliance = '';
+		let radios = document.querySelectorAll("input[type=radio]");
+		
+		// Read all the questions corresponding to the tomId
+		for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+			if (tomId === this.currentCategory.currentControl.toms[i].id) {
+				complianceCounter = { "yes": 0, "no": 0, "partial": 0, "na": 0, "empty": 0 };
+				for (let j = 0;j < this.currentCategory.currentControl.toms[i].questions.length;j++) {
+					// Read the radio buttons corresponding to each question
+					let found = false;
+					for (let k = 0;k < radios.length;k++) {
+						let radio = radios[k] as HTMLInputElement;
+						let ids = radio.id.split('_');
+						if (this.currentCategory.currentControl.toms[i].questions[j].id === +ids[1]) {
+							if (radio.checked) {
+								if (+ids[3] == 1) {
+									found = true;
+									complianceCounter.yes += 1;
+								} else if (+ids[3] == 2) {
+									found = true;
+									complianceCounter.partial += 1;
+								} else if (+ids[3] == 3) {
+									found = true;
+									complianceCounter.no += 1;
+								} else if (+ids[3] == 4) {
+									found = true;
+									complianceCounter.na += 1;
+								}
+							}
+						}
+					}
+					if (!found) {
+						complianceCounter.empty += 1;
+					}
+				}
+				
+				// Map the complianceCounter to the final compliance
+				if (complianceCounter.empty > 0) {
+					compliance = '';
+				} else if (complianceCounter.na > 0 && complianceCounter.yes == 0 && complianceCounter.no == 0 && complianceCounter.partial == 0) {
+					compliance = this.translate.instant('global.compliance.na');
+				} else if (complianceCounter.partial > 0) {
+					compliance = this.translate.instant('global.compliance.partial');
+				} else if ((complianceCounter.yes > 0 || complianceCounter.na > 0) && complianceCounter.no == 0 && complianceCounter.partial == 0) {
+					compliance = this.translate.instant('global.compliance.yes');
+				} else if (complianceCounter.no > 0) {
+					if (complianceCounter.na >= 0 && complianceCounter.yes == 0 && complianceCounter.partial == 0) {
+						compliance = this.translate.instant('global.compliance.no');
+					} else if (complianceCounter.na >= 0 && (complianceCounter.yes > 0 || complianceCounter.partial > 0)) {
+						compliance = this.translate.instant('global.compliance.partial');
+					}
+				}
+				
+				this.currentCategory.currentControl.toms[i].compliance = compliance;
+				break;
+			}
+		}
+		
+		return compliance;
+	}
+	
+	
+	save(saveButton: boolean, previousButton: boolean, nextButton: boolean, categoryButton: boolean, controlButton: boolean, category: number, control: number): void {
+		this.ready = false;
+		
+		// Rebuild the questionnaire to save (only the shown questions)
+		let questionnaireTemp = new Array();
+		for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+			for (let j = 0;j < this.questionnaire!.length;j++) {
+				if (this.currentCategory.currentControl.toms[i].id === this.questionnaire![j].tomId) {
+					questionnaireTemp.push(this.questionnaire![j]);
+				}
+			}
+		}
+		this.questionnaire = questionnaireTemp;
+		
+		// Establish the button flags
+		this.saveButton = saveButton;
+		this.previousButton = previousButton;
+		this.nextButton = nextButton;
+		this.categoryButton = categoryButton;
+		this.controlButton = controlButton;
+		
+		// Read the radio buttons with the answers
+		let radios = document.querySelectorAll("input[type=radio]");
+		for (let i = 0;i < radios.length;i++) {
+			let radio = radios[i] as HTMLInputElement;
+			if (radio.checked) {
+				let ids = radio.id.split('_');
+				for (let j = 0;j < this.questionnaire!.length;j++) {
+					if (this.questionnaire![j].questionId == +ids[1]) {
+						this.questionnaire![j].answerId = +ids[3];
+					}
+				}
+			}
+		}
+		
+		// Read the textareas with the evidences and comments
+		for (let i = 0;i < this.questionnaire!.length;i++) {
+			let evidences = document.querySelector("[id='evidences_" + this.questionnaire![i].questionId + "']");
+			if (evidences != null) {
+				let evidencesValue = evidences as HTMLTextAreaElement;
+				this.questionnaire![i].evidences = evidencesValue.value.trim();
+			}
+			
+			let comments = document.querySelector("[id='comments_" + this.questionnaire![i].questionId + "']");
+			if (comments != null) {
+				let commentsValue = comments as HTMLTextAreaElement;
+				this.questionnaire![i].comments = commentsValue.value.trim();
+			}
+			
+			// Establish the "last update" timestamp
+			this.questionnaire![i].lastUpdate = new Date().getTime();
+		}
+		
+		if (this.questionnaire != null && this.questionnaire!.length > 0) {
+			// Read the textareas with the non-conformities and calculate the compliance
+			this.nonConformities = new Array();
+			for (let i = 0;i < this.currentCategory.currentControl.toms.length;i++) {
+				let calculatedCompliance = this.calculateCompliance(this.currentCategory.currentControl.toms[i].id);
+				let nonConformities = document.querySelector("[id='nonconformities_" + this.currentCategory.currentControl.toms[i].id + "']");
+				if (nonConformities != null) {
+					let nonConformitiesValue = nonConformities as HTMLTextAreaElement;
+					this.nonConformities.push({ questionnaireName: '' + this.selectedQuestionnaire, tomId: this.currentCategory.currentControl.toms[i].id, comments: nonConformitiesValue.value.trim(), compliance: calculatedCompliance });
+				}
+			}
+			this.questionnaire![0].questionnaireNonConformityList = this.nonConformities;
+		}
+		let wrapper = {id: this.selectedCloudService!, questionnaire: this.questionnaire!};
+		this.subscribeToSaveResponse(this.questionnaireService.update(wrapper), category, control);
+	}
+	
+	
+	previous(category: number, control: number, save: boolean): void {
+		if (control == null || ((+control - 1) < this.minControl!)) {
+			category = this.previousCategory.id;
+			control = this.previousCategory.controlList[this.previousCategory.controlList.length - 1].id;
+		} else {
+			control -= 1;
+		}
+		if (save) {
+			this.save(false, true, false, false, false, category, control);
+		} else {
+			this.goTo(category, control);
+		}
 	}
+	
+	
+	next(category: number, control: number, save: boolean): void {
+		if (control == null || ((+control + 1) > this.maxControl!)) {
+			category += 1;
+			control = 0;
+		} else {
+			for (let i = 0;i < this.currentCategory.controlList.length;i++) {
+				if (this.currentCategory.controlList[i].id == control) {
+					control = this.currentCategory.controlList[i + 1].id;
+					break;
+				}
+			}
+		}
+		if (save) {
+			this.save(false, false, true, false, false, category, control);
+		} else {
+			this.goTo(category, control);
+		}
+	}
+	
+	
+	exit(): void {
+		this.router.navigate(['/questionnaire']);
+	}
+	
+	
+	protected subscribeToSaveResponse(result: Observable<HttpResponse<IQuestionnaire[]>>, category: number, control: number): void {
+		result.pipe(finalize(() => this.onSaveFinalize())).subscribe(
+			() => this.onSaveSuccess(category, control),
+			() => this.onSaveError()
+		);
+	}
+
+
+	protected onSaveSuccess(category: number, control: number): void {
+		if (this.saveButton) {
+			this.router.navigate(['/questionnaire'], { queryParams: { isSaved: true }});
+		} else if (this.previousButton || this.nextButton || this.categoryButton || this.controlButton) {
+			this.goTo(category, control);
+		}
+	}
+
+
+	protected onSaveError(): void {}
+  
+  
+	protected onSaveFinalize(): void {}
 }
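Review bot: `onSaveError()` is left empty while `save()` sets `this.ready = false` before the request, so a failed update gives the user no feedback and, as far as this hunk shows, never restores `ready`; at minimum use `protected onSaveError(): void { this.ready = true; }` and surface an alert. `calculateCompliance()` stores the result of `this.translate.instant(...)` in `compliance`, so the value pushed into `nonConformities` and sent to the backend is a label in whatever UI language was active rather than a stable code. Keeping a key such as `'yes'`, `'partial'`, `'no'` or `'na'` and translating only at display time would make stored results comparable across users. Because the answers and the compliance verdict are read from DOM ids (`radio.id.split('_')`) and computed in the browser, the backend should presumably validate or recompute them rather than trust the submitted string; the server side is not visible here.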
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-non-conformity.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-non-conformity.model.ts
new file mode 100644
index 0000000000000000000000000000000000000000..92fbab0d483d5e4bf4d0e3f2a9a5eba9a9760c87
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-non-conformity.model.ts
@@ -0,0 +1,15 @@
+export interface IQuestionnaireNonConformity {
+  questionnaireName?: string;
+  tomId?: number;
+  comments?: string;
+  compliance?: string;
+}
+
+export class QuestionnaireNonConformity implements IQuestionnaireNonConformity {
+  constructor(
+    public questionnaireName?: string,
+    public tomId?: number,
+    public comments?: string,
+    public compliance?: string,
+  ) {}
+}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-purpose.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-purpose.model.ts
deleted file mode 100755
index 3fc08f577df19f22bd4f4ee8f2f0b8ad1bf1b769..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-purpose.model.ts
+++ /dev/null
@@ -1,11 +0,0 @@
-export interface IQuestionnairePurpose {
-  id?: number;
-  purpose?: string;
-}
-
-export class QuestionnairePurpose implements IQuestionnairePurpose {
-  constructor(
-    public id?: number,
-    public purpose?: string,
-  ) {}
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-assurance-level.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-assurance-level.model.ts
index 307c3a8f63b94c36ffe12ad453b25940938372fd..1404e986fecaaee3faec1adf18a80f0793c6923d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-assurance-level.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-assurance-level.model.ts
@@ -1,11 +1,13 @@
 export interface IQuestionnaireQuestionAssuranceLevel {
   id?: number;
   assuranceLevel?: string;
+  questionnaireCloudServiceList?: any[];
 }
 
 export class QuestionnaireQuestionAssuranceLevel implements IQuestionnaireQuestionAssuranceLevel {
   constructor(
     public id?: number,
     public assuranceLevel?: string,
+    public questionnaireCloudServiceList?: any[],
   ) {}
 }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-info.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-info.model.ts
new file mode 100644
index 0000000000000000000000000000000000000000..2d5815ae0c51e78cd72c30edc942618c84fa2957
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question-info.model.ts
@@ -0,0 +1,13 @@
+export interface IQuestionnaireQuestionInfo {
+  basic?: number;
+  substantial?: number;
+  high?: number;
+}
+
+export class QuestionnaireQuestionInfo implements IQuestionnaireQuestionInfo {
+  constructor(
+    public basic?: number,
+    public substantial?: number,
+    public high?: number,
+  ) {}
+}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question.model.ts
index 7f1083b4e2be3cf55c62df03c3df320be2dbad87..3814994d5d19c8e7e1eec9eec57c0a9498ef30f8 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire-question.model.ts
@@ -2,7 +2,8 @@ export interface IQuestionnaireQuestion {
   id?: number;
   code?: string;
   question?: string;
-  evidence?: string;
+  defaultEvidence?: string;
+  defaultComment?: string;
   assuranceLevelId?: number;
   controlId?: number;
   tomId?: number;
@@ -14,7 +15,8 @@ export class QuestionnaireQuestion implements IQuestionnaireQuestion {
     public id?: number,
     public code?: string,
     public question?: string,
-    public evidence?: string,
+    public defaultEvidence?: string,
+    public defaultComment?: string,
     public assuranceLevelId?: number,
     public controlId?: number,
     public tomId?: number,
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.model.ts
index 6f3edb5b51a8e14c272d499657b2970f6f8f1b4e..18c1b10601297ede77020b7cbddee6a478ca526f 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.model.ts
@@ -1,20 +1,34 @@
 export interface IQuestionnaire {
   id?: number;
+  name?: string;
+  evidences?: string;
+  comments?: string;
+  lastUpdate?: number | null;
   frameworkId?: number;
-  purposeId?: number;
+  controlId?: number;
+  tomId?: number;
+  assuranceLevelId?: number;
   questionId?: number;
   answerId?: number;
   userId?: string;
+  questionnaireNonConformityList?: any[];
 }
 
 export class Questionnaire implements IQuestionnaire {
   constructor(
     public id?: number,
+    public name?: string,
+    public evidences?: string,
+    public comments?: string,
+    public lastUpdate?: number | null,
     public frameworkId?: number,
-    public purposeId?: number,
+    public controlId?: number,
+    public tomId?: number,
+    public assuranceLevelId?: number,
     public questionId?: number,
     public answerId?: number,
     public userId?: string,
+    public questionnaireNonConformityList?: any[],
   ) {}
 }
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.module.ts
index 1905229c2f262196c00c14e97f9defcd7d1d460a..fa9c510abbd4fe0a3e3b01de6917534fa0b5aac6 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/questionnaire.module.ts
@@ -2,11 +2,13 @@ import { NgModule } from '@angular/core';
 import { SharedModule } from 'app/shared/shared.module';
 import { QuestionnaireComponent } from './list/questionnaire.component';
 import { QuestionnaireQuestionComponent } from './question/questionnaire-question.component';
-import { QuestionnaireQuestionPocComponent } from './question/questionnaire-question-poc.component';
+import { QuestionnaireReportComponent } from './report/questionnaire-report.component';
+import { QuestionnaireInfoDialogComponent } from './info/questionnaire-info-dialog.component';
+import { QuestionnaireDeleteDialogComponent } from './delete/questionnaire-delete-dialog.component';
 import { QuestionnaireRoutingModule } from './route/questionnaire-routing.module';
 
 @NgModule({
   imports: [SharedModule, QuestionnaireRoutingModule],
-  declarations: [QuestionnaireComponent, QuestionnaireQuestionComponent, QuestionnaireQuestionPocComponent],
+  declarations: [QuestionnaireComponent, QuestionnaireQuestionComponent, QuestionnaireReportComponent, QuestionnaireInfoDialogComponent, QuestionnaireDeleteDialogComponent],
 })
 export class CocBackendQuestionnaireModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.html
new file mode 100644
index 0000000000000000000000000000000000000000..125f9fbe09310b868903871b6f737dd546143794
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.html
@@ -0,0 +1,16 @@
+<div>
+  <h2 id="page-heading" data-cy="QuestionnairesHeading">
+    <span jhiTranslate="cocGatewayApp.cocBackendQuestionnaire.home.reportTitle">Generating report...</span>
+  </h2>
+  
+  <jhi-alert-error></jhi-alert-error>
+
+  <jhi-alert></jhi-alert>
+
+  
+ <div id="report">
+ 	<div id="waiting-container"style="position: fixed; z-index: 1; left: 0; top: 0; width: 100%; height: 100%; overflow: auto; background-color: rgba(0, 0, 0, 0.2); text-align: center;">
+		<img src="../../../../../content/images/loading.gif" style="margin-top: 272px; width: 70px; height: 70px;" />
+	</div>
+  </div>
+</div>
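Review bot: The `waiting-container` overlay is rendered unconditionally with `position: fixed` over the full viewport, so if the export request fails the user is left behind a spinner with no way to dismiss it; binding it to a loading flag, for example `*ngIf="isLoading"`, would let the component hide it on error. The opening tag is also missing a space between attributes (`id="waiting-container"style=`), and the `<img>` has no `alt` text. Moving the inline styles into a stylesheet class would match how the rest of the template is written, though that is only a style point.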
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.spec.ts
old mode 100755
new mode 100644
similarity index 75%
rename from git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.spec.ts
rename to git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.spec.ts
index 5ec4444b57b812974fedc4e78e9ff4e4537fd27e..f73b8f8e54d87fa872124a44a7319fd9b2d39f37
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/question/questionnaire-question-poc.component.spec.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.spec.ts
@@ -5,23 +5,23 @@ import { of } from 'rxjs';
 
 import { QuestionnaireService } from '../service/questionnaire.service';
 
-import { QuestionnaireQuestionComponent } from './questionnaire-question.component';
+import { QuestionnaireReportComponent } from './questionnaire-report.component';
 
 describe('Component Tests', () => {
   describe('Questionnaire Management Component', () => {
-    let comp: QuestionnaireQuestionComponent;
-    let fixture: ComponentFixture<QuestionnaireQuestionComponent>;
+    let comp: QuestionnaireReportComponent;
+    let fixture: ComponentFixture<QuestionnaireReportComponent>;
     let service: QuestionnaireService;
 
     beforeEach(() => {
       TestBed.configureTestingModule({
         imports: [HttpClientTestingModule],
-        declarations: [QuestionnaireQuestionComponent],
+        declarations: [QuestionnaireReportComponent],
       })
-        .overrideTemplate(QuestionnaireQuestionComponent, '')
+        .overrideTemplate(QuestionnaireReportComponent, '')
         .compileComponents();
 
-      fixture = TestBed.createComponent(QuestionnaireQuestionComponent);
+      fixture = TestBed.createComponent(QuestionnaireReportComponent);
       comp = fixture.componentInstance;
       service = TestBed.inject(QuestionnaireService);
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.ts
new file mode 100644
index 0000000000000000000000000000000000000000..675237bb5de7c313985a96929d2438c527781588
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/report/questionnaire-report.component.ts
@@ -0,0 +1,207 @@
+import { Component, OnInit } from '@angular/core';
+import { HttpResponse } from '@angular/common/http';
+import { Router, ActivatedRoute } from '@angular/router';
+
+import { ISecurityControlCategory } from '../../security-control-category/security-control-category.model';
+import { ISecurityControl } from '../../security-control/security-control.model';
+import { ITom } from '../../tom/tom.model';
+import { IQuestionnaire } from '../questionnaire.model';
+import { IQuestionnaireNonConformity } from '../questionnaire-non-conformity.model';
+
+import { SecurityControlCategoryService } from '../../security-control-category/service/security-control-category.service';
+import { SecurityControlService } from '../../security-control/service/security-control.service';
+import { TomService } from '../../tom/service/tom.service';
+import { QuestionnaireService } from '../service/questionnaire.service';
+import { QuestionnaireNonConformityService } from '../service/questionnaire-non-conformity.service';
+
+@Component({
+  selector: 'jhi-resource',
+  templateUrl: './questionnaire-report.component.html',
+})
+export class QuestionnaireReportComponent implements OnInit {
+	categories: any[];
+	controls: any[];
+	toms: any[];
+	questionnaire?: IQuestionnaire[];
+	nonConformities: IQuestionnaireNonConformity[];
+	report: any[];
+	scoreItems: any[];
+	totalScoreItems: any[];
+	
+	selectedQuestionnaire?: string;
+	selectedFramework?: string;
+	selectedLevel?: string;
+	selectedCloudService?: string;
+	
+	isLoading = false;
+
+	constructor(
+		protected securityControlCategoryService: SecurityControlCategoryService,
+		protected securityControlService: SecurityControlService,
+		protected tomService: TomService,
+		protected questionnaireService: QuestionnaireService,
+		protected questionnaireNonConformityService: QuestionnaireNonConformityService,
+		private router: Router, private route: ActivatedRoute) {
+			this.categories = new Array();
+			this.controls = new Array();
+			this.toms = new Array();
+			this.nonConformities = new Array();
+			this.report = new Array();
+			this.scoreItems = new Array();
+			this.totalScoreItems = new Array();
+	}
+
+	loadAll(): void {
+		this.selectedQuestionnaire = this.route.snapshot.queryParams['selectedQuestionnaire'];
+		let splitted = this.selectedQuestionnaire!.split(' >> ');
+		this.selectedFramework = (splitted[2].trim().substring(0, splitted[2].indexOf('('))).trim();
+		this.selectedLevel = (splitted[3].trim().substring(0, splitted[3].indexOf('('))).trim();
+		this.selectedCloudService = splitted[1].trim();
+		
+		// Load the Questionnaire
+		this.isLoading = true;
+		this.questionnaireService.query({'name.equals': this.selectedQuestionnaire}).subscribe(
+		(res: HttpResponse<IQuestionnaire[]>) => {
+			this.isLoading = false;
+			this.questionnaire = res.body ?? [];
+			if (this.questionnaire != null && this.questionnaire.length > 0) {
+				// Load the non-conformities
+				this.isLoading = true;
+				this.questionnaireNonConformityService.find('' + this.selectedQuestionnaire).subscribe(
+					(res: HttpResponse<IQuestionnaire[]>) => {
+						this.isLoading = false;
+						this.nonConformities = res.body ?? [];
+					},
+					() => { this.isLoading = false; }
+				);
+				
+				// Load the Categories corresponding to the selected framework
+    			this.isLoading = true;
+    			this.securityControlCategoryService.query({'securityControlFrameworkId.equals': this.questionnaire[0].frameworkId}).subscribe(
+					(res: HttpResponse<ISecurityControlCategory[]>) => {
+						this.isLoading = false;
+	        			this.categories = res.body ?? [];
+	        			if (this.categories != null && this.categories.length > 0) {
+							// Load the Controls
+							this.isLoading = true;
+							this.securityControlService.query().subscribe(
+								(res: HttpResponse<ISecurityControl[]>) => {
+									this.isLoading = false;
+									this.controls = res.body ?? [];
+									if (this.controls != null && this.controls.length > 0) {
+										// Load the TOMs
+										this.isLoading = true;
+										this.tomService.query().subscribe(
+											(res: HttpResponse<ITom[]>) => {
+												this.isLoading = false;
+												this.toms = res.body ?? [];
+												if (this.controls != null && this.controls.length > 0) {
+													this.buildObject();
+												}
+										},
+										() => { this.isLoading = false; });
+									}
+							},
+							() => { this.isLoading = false; });
+						}
+	      		},
+				() => { this.isLoading = false; });
+			}
+		},
+		() => { this.isLoading = false; } );
+	}
+	
+	
+	buildObject(): void {
+		let date = new Date();
+		let dateStr = date.getFullYear() + '-' + ('0' + (date.getMonth() + 1)).slice(-2) + '-' + ('0' + date.getDate()).slice(-2);
+		
+		// Build the first page
+		let reportItem = { 'page': 1, 'concepts': new Array(), 'additionalInfo': new Array('Questionnaire report', dateStr, this.selectedLevel, this.selectedCloudService, this.selectedFramework) };
+		this.report.push(reportItem);
+		
+		let pageCounter = 2;
+		const numControls = 2;
+		if (this.categories != null && this.categories.length > 0) {
+			for (let i = 0;i < this.categories.length;i++) {
+				reportItem = { 'page': pageCounter, 'concepts': new Array(), 'additionalInfo': new Array() };
+				let concepts = new Array();
+				concepts.push({ 'name': this.categories[i]!.code + ': ' + this.categories[i]!.name, 'isCategory': true, 'toms': new Array() });
+				if (this.controls != null && this.controls.length > 0) {
+					for (let j = 0;j < this.controls.length;j++) {
+						let score = 0;
+						let numQuestions = 0;
+						if (this.categories[i].id == this.controls[j].securityControlCategory!.id) {
+							let scoreItem = { 'category': this.categories[i]!.code + ': ' + this.categories[i]!.name, 'control': this.controls[j]!.code, score: 0 };
+							let tomArray = new Array();
+							if (this.toms != null && this.toms.length > 0) {
+								for (let k = 0;k < this.toms.length;k++) {
+									if (this.toms[k].securityControl!.id == this.controls[j].id) {
+										for (let l = 0;l < this.nonConformities.length;l++) {
+											if (this.nonConformities[l].tomId == this.toms[k].id && this.nonConformities[l].compliance != '') {
+												tomArray.push({ 'code': this.toms[k].code, 'nonConformities': this.nonConformities[l].comments, 'compliance': this.nonConformities[l].compliance });
+												break;
+											}
+										}
+										
+										for (let l = 0;l < this.questionnaire!.length;l++) {
+											if (this.questionnaire![l].tomId == this.toms[k].id) {
+												if (this.questionnaire![l].answerId == 1) {
+													score += 100;
+													numQuestions += 1;
+												} else if (this.questionnaire![l].answerId == 2) {
+													score += 50;
+													numQuestions += 1;
+												} else if (this.questionnaire![l].answerId == 3) {
+													numQuestions += 1;
+												}
+											}
+										}
+									}
+								}
+							}
+							concepts.push({ 'name': this.controls[j]!.code + ': ' + this.controls[j]!.description, 'isCategory': false, 'toms': tomArray });
+							scoreItem.score = score / numQuestions;
+							this.scoreItems.push(scoreItem);
+						}
+					}
+					
+					if (concepts != null && concepts.length > 0) {
+						for (let j = 0;j < concepts.length;j += numControls) {
+							this.report.push(JSON.parse(JSON.stringify({ 'page': pageCounter, 'concepts': concepts.slice(j, j + numControls), 'additionalInfo': new Array() })));
+							pageCounter += 1;
+						}
+					}
+				}
+			}
+			this.saveAsPdf();
+		}
+	}
+
+
+	ngOnInit(): void {
+		this.loadAll();
+	}
+	
+	
+	back(): void {
+		this.router.navigate(['/questionnaire']);
+	}
+	
+	
+	saveAsPdf(): void {
+		let reportWrapper = { report: this.report, score: this.scoreItems };
+		this.questionnaireService.export(reportWrapper).subscribe((response: any) => {
+			const blob = new Blob([response.body], {type: 'application/pdf'});
+			let url = URL.createObjectURL(blob);
+			let hiddenElement = document.createElement("a");
+			hiddenElement.href = url;
+			hiddenElement.download = this.selectedCloudService + '_questionnaire_report.pdf';
+			hiddenElement.target = "_blank";
+			document.body.appendChild(hiddenElement);
+			hiddenElement.click();			
+			setTimeout(function() {URL.revokeObjectURL(url), 100});
+			this.back();
+		}
+	)}
+}
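Review bot: In `saveAsPdf()` the delay argument sits inside the callback body, `setTimeout(function() {URL.revokeObjectURL(url), 100});`, so the timer fires with no delay and `100` is a discarded comma-expression operand; it should read `setTimeout(() => URL.revokeObjectURL(url), 100);`. In `loadAll()` the non-conformities request is started in parallel with the category/control/TOM chain and nothing waits for it before `buildObject()` runs, so the report can be built with an empty `nonConformities` array depending on response order. `selectedQuestionnaire` comes straight from the query string and `splitted[1]` to `splitted[3]` are dereferenced unchecked, so a missing or malformed parameter throws before any error handling; a length check that routes back to the list would cover it. `scoreItem.score = score / numQuestions` yields `NaN` when a control has no answered questions, which is worth guarding with `numQuestions > 0 ? score / numQuestions : 0` or whatever value the export expects. The `export` subscription has no error callback, so a failed PDF generation is silent.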
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/route/questionnaire-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/route/questionnaire-routing.module.ts
index da6fc23af5716b2af8553eafeb7b90886f7f02e1..8a891bdf10f91b52985a054edea55a9bde7219d3 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/route/questionnaire-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/route/questionnaire-routing.module.ts
@@ -4,22 +4,27 @@ import { RouterModule, Routes } from '@angular/router';
 import { UserRouteAccessService } from 'app/core/auth/user-route-access.service';
 import { QuestionnaireComponent } from '../list/questionnaire.component';
 import { QuestionnaireQuestionComponent } from '../question/questionnaire-question.component';
-import { QuestionnaireQuestionPocComponent } from '../question/questionnaire-question-poc.component';
+import { QuestionnaireReportComponent } from '../report/questionnaire-report.component';
+
+import { Authority } from 'app/config/authority.constants';
 
 const questionnaireRoute: Routes = [
   {
     path: '',
     component: QuestionnaireComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: 'question',
     component: QuestionnaireQuestionComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
-    path: 'question-poc',
-    component: QuestionnaireQuestionPocComponent,
+    path: 'report',
+    component: QuestionnaireReportComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   }
 ];
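Review bot: The same nine-entry `authorities` array is written out three times, so the routes can drift apart when a role is added or removed; one shared constant (for example `QUESTIONNAIRE_AUTHORITIES`) referenced from each `data` block would keep them in step. These checks only gate navigation in the browser through `UserRouteAccessService`, so the backend endpoints behind the questionnaire, report and export calls need the same role restrictions enforced server-side; that code is not part of this hunk. It is also worth confirming that `Authority.AUDITOR` is meant to reach the editable `question` route and not only `report`.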
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-purpose.service.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-non-conformity.service.spec.ts
old mode 100755
new mode 100644
similarity index 100%
rename from git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-purpose.service.spec.ts
rename to git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-non-conformity.service.spec.ts
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-non-conformity.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-non-conformity.service.ts
new file mode 100644
index 0000000000000000000000000000000000000000..eb287a9500f38f6a67bf1dc9e2de21c05d918c1b
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-non-conformity.service.ts
@@ -0,0 +1,34 @@
+import { Injectable } from '@angular/core';
+import { HttpClient, HttpResponse } from '@angular/common/http';
+import { Observable } from 'rxjs';
+
+import { ApplicationConfigService } from 'app/core/config/application-config.service';
+import { createRequestOption } from 'app/core/request/request-util';
+import { IQuestionnaireNonConformity } from '../questionnaire-non-conformity.model';
+
+export type EntityResponseType = HttpResponse<IQuestionnaireNonConformity>;
+export type EntityArrayResponseType = HttpResponse<IQuestionnaireNonConformity[]>;
+
+@Injectable({ providedIn: 'root' })
+export class QuestionnaireNonConformityService {
+  protected questionnaireNonConformityUrl = this.applicationConfigService.getEndpointFor('api/questionnaire-non-conformities', 'cocbackend');
+
+  constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
+
+  find(questionnaireName: string): Observable<EntityArrayResponseType> {
+    return this.http.get<IQuestionnaireNonConformity[]>(`${this.questionnaireNonConformityUrl}/${questionnaireName}`, { observe: 'response' });
+  }
+  
+  create(questionnaireNonConformity: IQuestionnaireNonConformity[]): Observable<EntityArrayResponseType> {
+    return this.http.post<IQuestionnaireNonConformity[]>(`${this.questionnaireNonConformityUrl}/create`, questionnaireNonConformity, { observe: 'response' });
+  }
+  
+  update(questionnaireNonConformity: IQuestionnaireNonConformity[]): Observable<EntityArrayResponseType> {
+    return this.http.post<IQuestionnaireNonConformity[]>(`${this.questionnaireNonConformityUrl}/save`, questionnaireNonConformity, { observe: 'response' });
+  }
+  
+  query(req?: any): Observable<EntityArrayResponseType> {
+    const options = createRequestOption(req);
+    return this.http.get<IQuestionnaireNonConformity[]>(this.questionnaireNonConformityUrl, { params: options, observe: 'response' });
+  }
+}
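Review bot: `find()` interpolates `questionnaireName` straight into the request path, so a name containing `/`, `?`, `#` or `%` changes which URL is requested instead of travelling as a single path segment. Encode it where the URL is built: `` `${this.questionnaireNonConformityUrl}/${encodeURIComponent(questionnaireName)}` ``. The name also shares its path position with the fixed `create` and `save` segments that `create()` and `update()` post to; those are POST and `find()` is GET, so whether a questionnaire named `create` or `save` causes trouble depends on the server mapping, which is not visible here.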
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-purpose.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-purpose.service.ts
deleted file mode 100755
index 80ab20832bdfc793d4f2fdb911287ac2b372c33e..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-purpose.service.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-import { Injectable } from '@angular/core';
-import { HttpClient, HttpResponse } from '@angular/common/http';
-import { Observable } from 'rxjs';
-
-import { ApplicationConfigService } from 'app/core/config/application-config.service';
-import { createRequestOption } from 'app/core/request/request-util';
-import { IQuestionnairePurpose } from '../questionnaire-purpose.model';
-
-export type EntityResponseType = HttpResponse<IQuestionnairePurpose>;
-export type EntityArrayResponseType = HttpResponse<IQuestionnairePurpose[]>;
-
-@Injectable({ providedIn: 'root' })
-export class QuestionnairePurposeService {
-  protected questionnairePurposeUrl = this.applicationConfigService.getEndpointFor('api/questionnaire-purposes', 'cocbackend');
-
-  constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
-
-  find(id: number): Observable<EntityResponseType> {
-    return this.http.get<IQuestionnairePurpose>(`${this.questionnairePurposeUrl}/${id}`, { observe: 'response' });
-  }
-
-  query(req?: any): Observable<EntityArrayResponseType> {
-    const options = createRequestOption(req);
-    return this.http.get<IQuestionnairePurpose[]>(this.questionnairePurposeUrl, { params: options, observe: 'response' });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-question.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-question.service.ts
index ba5095629d5d89cbd09e27fc3e0593b762076fd0..a617e927616cafeabfbfbec51c6947a9c64bd81b 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-question.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire-question.service.ts
@@ -23,4 +23,8 @@ export class QuestionnaireQuestionService {
     const options = createRequestOption(req);
     return this.http.get<IQuestionnaireQuestion[]>(this.questionnaireQuestionUrl, { params: options, observe: 'response' });
   }
+  
+  count(): Observable<any> {
+    return this.http.get<any>(`${this.questionnaireQuestionUrl}/count`, { observe: 'response' });
+  }
 }
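Review bot: `count()` is declared `Observable<any>` although `observe: 'response'` makes the call yield an `HttpResponse`, so callers get no type checking on `.body`. Declare what is returned, for example `count(): Observable<HttpResponse<number>>` with `this.http.get<number>(...)` if the endpoint returns a bare number (the payload shape is not visible in this hunk). The same loss of typing appears in questionnaire.service.ts in this commit: `update(questionnaire: any)`, `deleteByName(object: any)`, `export(object: any)` and `countQuestions(): Observable<any>`. The last of these already passes `IQuestionnaireQuestionInfo` to `get` and could be declared `Observable<HttpResponse<IQuestionnaireQuestionInfo>>`.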
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire.service.ts
index 895f6d4e59db54b983439b74ae905378609ec743..eaf14a2088efa0242bf498635ec403158c4121a4 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/questionnaire/service/questionnaire.service.ts
@@ -1,11 +1,12 @@
 import { Injectable } from '@angular/core';
-import { HttpClient, HttpResponse } from '@angular/common/http';
+import { HttpClient, HttpHeaders, HttpResponse } from '@angular/common/http';
 import { Observable } from 'rxjs';
 
 import { isPresent } from 'app/core/util/operators';
 import { ApplicationConfigService } from 'app/core/config/application-config.service';
 import { createRequestOption } from 'app/core/request/request-util';
 import { IQuestionnaire, getQuestionnaireIdentifier } from '../questionnaire.model';
+import { IQuestionnaireQuestionInfo } from '../questionnaire-question-info.model';
 
 export type EntityResponseType = HttpResponse<IQuestionnaire>;
 export type EntityArrayResponseType = HttpResponse<IQuestionnaire[]>;
@@ -16,12 +17,12 @@ export class QuestionnaireService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(questionnaire: IQuestionnaire): Observable<EntityResponseType> {
-    return this.http.post<IQuestionnaire>(this.questionnaireUrl, questionnaire, { observe: 'response' });
+  create(questionnaires: IQuestionnaire[]): Observable<EntityArrayResponseType> {
+    return this.http.post<IQuestionnaire[]>(`${this.questionnaireUrl}/create`, questionnaires, { observe: 'response' });
   }
 
-  update(questionnaire: IQuestionnaire): Observable<EntityResponseType> {
-    return this.http.put<IQuestionnaire>(`${this.questionnaireUrl}/${getQuestionnaireIdentifier(questionnaire) as number}`, questionnaire, { observe: 'response' });
+  update(questionnaire: any): Observable<EntityArrayResponseType> {
+    return this.http.post<any>(`${this.questionnaireUrl}/save`, questionnaire, { observe: 'response' });
   }
 
   partialUpdate(questionnaire: IQuestionnaire): Observable<EntityResponseType> {
@@ -42,6 +43,19 @@ export class QuestionnaireService {
   delete(id: number): Observable<HttpResponse<{}>> {
     return this.http.delete(`${this.questionnaireUrl}/${id}`, { observe: 'response' });
   }
+  
+  deleteByName(object: any): Observable<HttpResponse<{}>> {
+    return this.http.post<any>(`${this.questionnaireUrl}/deleteByName`, object, { observe: 'response' });
+  }
+  
+  export(object: any): Observable<any> {
+	const httpHeaders = new HttpHeaders({ 'Content-Type': 'application/json' });
+	return this.http.post<any>(`${this.questionnaireUrl}/report-pdf`, object, { headers: httpHeaders, responseType: 'arrayBuffer' as 'json', observe: 'response' as 'body' });
+  }
+  
+  countQuestions(): Observable<any> {
+    return this.http.get<IQuestionnaireQuestionInfo>(`${this.questionnaireUrl}/count-questions`, { observe: 'response' });
+  }
 
   addResourceToCollectionIfMissing(questionnaireCollection: IQuestionnaire[], ...questionnairesToCheck: (IQuestionnaire | null | undefined)[]): IQuestionnaire[] {
     const questionnaires: IQuestionnaire[] = questionnairesToCheck.filter(isPresent);
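Review bot: In `export()` the options `responseType: 'arrayBuffer' as 'json'` and `observe: 'response' as 'body'` use casts to get past the `HttpClient` overloads, and the literal is not the value Angular declares, which is lower-case `'arraybuffer'`. Drop the `<any>` generic and both casts so the binary overload is selected and the result is checked: `return this.http.post(`${this.questionnaireUrl}/report-pdf`, object, { headers: httpHeaders, responseType: 'arraybuffer', observe: 'response' });`, with the method declared `Observable<HttpResponse<ArrayBuffer>>`. `deleteByName()` in the same hunk is declared `Observable<HttpResponse<{}>>` but calls `post<any>`; a short comment saying why deletion goes through a POST with a body rather than `http.delete` would help the next reader.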
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.html
deleted file mode 100755
index fe484744039fa3c3ac3bb4af8e8c47585ad6419e..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<form *ngIf="referenceTom" name="deleteForm" (ngSubmit)="confirmDelete(referenceTom.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="referenceTomDeleteDialogHeading" jhiTranslate="entity.delete.title">Confirm delete operation</h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p
-      id="jhi-delete-referenceTom-heading"
-      jhiTranslate="cocGatewayApp.cocBackendReferenceTom.delete.question"
-      [translateValues]="{ id: referenceTom.id }"
-    >
-      Are you sure you want to delete this Reference Tom?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-referenceTom" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.spec.ts
deleted file mode 100755
index 2e71cd769ad3fe96e5d1017ca4e8b8cbef1036ab..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ReferenceTomService } from '../service/reference-tom.service';
-
-import { ReferenceTomDeleteDialogComponent } from './reference-tom-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('ReferenceTom Management Delete Component', () => {
-    let comp: ReferenceTomDeleteDialogComponent;
-    let fixture: ComponentFixture<ReferenceTomDeleteDialogComponent>;
-    let service: ReferenceTomService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [ReferenceTomDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(ReferenceTomDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(ReferenceTomDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(ReferenceTomService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.ts
deleted file mode 100755
index c33801d3267b7d4f36434fbeae2d204054a5eaff..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/delete/reference-tom-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { IReferenceTom } from '../reference-tom.model';
-import { ReferenceTomService } from '../service/reference-tom.service';
-
-@Component({
-  templateUrl: './reference-tom-delete-dialog.component.html',
-})
-export class ReferenceTomDeleteDialogComponent {
-  referenceTom?: IReferenceTom;
-
-  constructor(protected referenceTomService: ReferenceTomService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.referenceTomService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.html
index 3920472a8dfa3a33aacdfb8cad1c4fa5a3bfaaef..20ca5e4452a18712a0b3368d738ac7327305d325 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.html
@@ -12,33 +12,23 @@
       <jhi-alert></jhi-alert>
 
       <dl class="row-md jh-entity-details">
-        <!-- <dt><span jhiTranslate="global.field.id">ID</span></dt>
-        <dd>
-          <span>{{ referenceTom.id }}</span>
-        </dd> -->
-        <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendReferenceTom.referenceTomImpl"
-            [ngbTooltip]="'cocGatewayApp.cocBackendReferenceTom.help.referenceTomImpl' | translate"
-            >Reference Tom Impl</span
-          >
-        </dt>
-        <dd>
-          <span>{{ referenceTom.referenceTomImpl }}</span>
-        </dd>
         <dt><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tom">Tom</span></dt>
         <dd>
           <div *ngIf="referenceTom.tom">
-            <a [routerLink]="['/tom', referenceTom.tom?.id, 'view']">{{ referenceTom.tom?.name }}</a>
+            <a [routerLink]="['/tom', referenceTom.tom?.id, 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">{{ referenceTom.tom?.name }}</a>
           </div>
         </dd>
       </dl>
-
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+     
+      <div [innerHTML]="referenceTom.referenceTomImpl" style="background: #efefef; padding: 12px; border-radius: 8px; font-size: 13px;"></div>
+	 
+	  <br />
+	  
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/reference-tom', referenceTom.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/reference-tom', referenceTom.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
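Review bot: The new `<div [innerHTML]="referenceTom.referenceTomImpl">` renders a stored, user-editable field as markup, where the removed `{{ referenceTom.referenceTomImpl }}` rendered it as text. Angular's built-in sanitizer still runs on an `[innerHTML]` binding, so script elements and event-handler attributes are stripped, but links and images pass through, and the protection is lost if the value is ever wrapped with `bypassSecurityTrustHtml`. If rich text is the intent, add a template comment stating that the field holds HTML and must only reach the DOM through the sanitized binding, and validate the markup against an allow-list when it is saved on the server, which is outside this hunk. The `*jhiHasAnyAuthority` on the edit button only hides the control and is not an access check on who can store that markup.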
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.ts
index 5810522dbacdb9211e4d69e78b01770e14d9d843..3c30c999c506bb7d0701b9300c456724bfda50df 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/detail/reference-tom-detail.component.ts
@@ -14,6 +14,7 @@ export class ReferenceTomDetailComponent implements OnInit {
 
   ngOnInit(): void {
     this.activatedRoute.data.subscribe(({ referenceTom }) => {
+	  referenceTom.referenceTomImpl = referenceTom.referenceTomImpl?.replace(/'/g, "\\'");
       this.referenceTom = referenceTom;
     });
   }
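Review bot: The added `replace(/'/g, "\\'")` puts a backslash in front of every apostrophe, which is JavaScript string escaping and has no meaning in HTML, so the detail template's `[innerHTML]` binding will show a literal `\'` in the rendered text. It is not a sanitization step either, it mutates the object held in the route's resolved data, and `referenceTom.referenceTomImpl` is dereferenced without the `?.` that guards the `replace` call. Unless a consumer outside this diff needs the escaped form, drop the line and keep `this.referenceTom = referenceTom;` on the unmodified value. The component class continues outside the hunk.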
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.html
index df81f5dbe8a3b79e2b2eaab5e8e87c17fa2bcf5e..75a2815bba53ba7a39b1bf808ad9fdc05f3da582 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.html
@@ -3,20 +3,10 @@
     <span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.home.title">Reference Toms</span>
 
     <div class="d-flex justify-content-end">
-      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading">
+      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading" style="background-color: #0099a0!important; border-color: #0099a0!important;">
         <fa-icon icon="sync" [spin]="isLoading"></fa-icon>
         <span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.home.refreshListLabel">Refresh List</span>
       </button>
-
-      <button
-        id="jh-create-entity"
-        data-cy="entityCreateButton"
-        class="btn btn-primary jh-create-entity create-reference-tom"
-        [routerLink]="['/reference-tom/new']"
-      >
-        <fa-icon icon="plus"></fa-icon>
-        <span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.home.createLabel"> Create a new Reference Tom </span>
-      </button>
     </div>
   </h2>
   
@@ -26,18 +16,22 @@
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <small><strong>
   <a [routerLink]="['/security-control-framework']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Security Control Frameworks</span>
+  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Frameworks</span>
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <a [routerLink]="['/security-control-category']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Security Control Category</span>
+  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Category</span>
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <a [routerLink]="['/security-control']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControl">Security Control</span>
+  	<span jhiTranslate="global.menu.entities.cocBackendSecurityControl">Control</span>
+  </a>
+  &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
+  <a [routerLink]="['/tom']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
+  	<span jhiTranslate="global.menu.entities.cocBackendTom">Requirements</span>
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
-  <span jhiTranslate="global.menu.entities.cocBackendReferenceTom">Reference TOMs</span>
+  <span jhiTranslate="global.menu.entities.cocBackendReferenceTom">Implementation guidelines</span>
   </strong></small>
   <br/><br/>
   <!-- End: Breadcrumb -->
@@ -54,22 +48,30 @@
     <table class="table table-striped" aria-describedby="page-heading">
       <thead>
         <tr>
-          <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
-          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.referenceTomImpl">Reference TOM</span></th>
-          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tom">TOM</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tomCode">Requirement Code</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tomDescription">Requirement Description</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.securityControlCode">Control Code</span></th>
+          <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendReferenceTom.securityControlName">Control Name</span></th>
           <th scope="col"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let referenceTom of referenceToms; trackBy: trackId" data-cy="entityTable">
-          <td>{{ referenceTom.referenceTomImpl }}</td>
-          <td>{{ referenceTom.tom?.name }}</td>
-          <td class="text-right">
+          <td style="vertical-align: middle;">
+            <a [routerLink]="['/tom', referenceTom.tom?.id, 'view']" style="color: #0099a0; font-weight: 600; text-decoration: none;">{{ referenceTom.tom?.name }}</a>
+          </td>
+          <td style="vertical-align: middle;">{{ referenceTom.tom?.description }}</td>
+          <td style="vertical-align: middle;">
+          	<a [routerLink]="['/security-control', referenceTom.tom?.securityControl?.id, 'view']" style="color: #0099a0; font-weight: 600; text-decoration: none;">{{ referenceTom.tom?.securityControl?.code }}</a>
+          </td>
+           <td style="vertical-align: middle;">{{ referenceTom.tom?.securityControl?.objective }}</td>
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
               <button
                 type="submit"
                 [routerLink]="['/reference-tom', referenceTom.id, 'view']"
                 class="btn btn-info btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
                 data-cy="entityDetailsButton"
               >
                 <fa-icon icon="eye"></fa-icon>
@@ -80,16 +82,13 @@
                 type="submit"
                 [routerLink]="['/reference-tom', referenceTom.id, 'edit']"
                 class="btn btn-primary btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;"
                 data-cy="entityEditButton"
+                *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
               >
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-              <button type="submit" (click)="delete(referenceTom)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
             </div>
           </td>
         </tr>
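Review bot: The edit button's `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` spells the roles as string literals, while the `:id/edit` route in reference-tom-routing.module.ts restricts the same action with `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE`. If a constant's value ever differs from the literal, the button and the route guard disagree; the values of `Authority` are not visible here, so this should be checked. Expose the constants from the component, for example `readonly editAuthorities = [Authority.ADMIN, Authority.SECURITY_GOVERNANCE];`, and bind `*jhiHasAnyAuthority="editAuthorities"`; the same literals are used in reference-tom-detail.component.html. The `<button>` element starts before this hunk.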
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.ts
index 79cdea53ffc9b627883499c00a378bee8387d97e..a2cc21f94ac189cb6cb6c266ab730151d221fbf8 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/list/reference-tom.component.ts
@@ -4,7 +4,6 @@ import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
 
 import { IReferenceTom } from '../reference-tom.model';
 import { ReferenceTomService } from '../service/reference-tom.service';
-import { ReferenceTomDeleteDialogComponent } from '../delete/reference-tom-delete-dialog.component';
 
 @Component({
   selector: 'jhi-reference-tom',
@@ -37,15 +36,4 @@ export class ReferenceTomComponent implements OnInit {
   trackId(index: number, item: IReferenceTom): number {
     return item.id!;
   }
-
-  delete(referenceTom: IReferenceTom): void {
-    const modalRef = this.modalService.open(ReferenceTomDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.referenceTom = referenceTom;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
 }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/reference-tom.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/reference-tom.module.ts
index 3a649a0d613727ee97e096c386a9e647d8e1c828..919e4c873e3f76dd5ac9346044db086c51cb85cd 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/reference-tom.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/reference-tom.module.ts
@@ -3,12 +3,10 @@ import { SharedModule } from 'app/shared/shared.module';
 import { ReferenceTomComponent } from './list/reference-tom.component';
 import { ReferenceTomDetailComponent } from './detail/reference-tom-detail.component';
 import { ReferenceTomUpdateComponent } from './update/reference-tom-update.component';
-import { ReferenceTomDeleteDialogComponent } from './delete/reference-tom-delete-dialog.component';
 import { ReferenceTomRoutingModule } from './route/reference-tom-routing.module';
 
 @NgModule({
   imports: [SharedModule, ReferenceTomRoutingModule],
-  declarations: [ReferenceTomComponent, ReferenceTomDetailComponent, ReferenceTomUpdateComponent, ReferenceTomDeleteDialogComponent],
-  entryComponents: [ReferenceTomDeleteDialogComponent],
+  declarations: [ReferenceTomComponent, ReferenceTomDetailComponent, ReferenceTomUpdateComponent],
 })
 export class CocBackendReferenceTomModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/route/reference-tom-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/route/reference-tom-routing.module.ts
index 285f358c946c2ea76756537cac0f794e31d0be79..f284ca8ac06b070b911650accc4a3e9574238da1 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/route/reference-tom-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/route/reference-tom-routing.module.ts
@@ -7,23 +7,19 @@ import { ReferenceTomDetailComponent } from '../detail/reference-tom-detail.comp
 import { ReferenceTomUpdateComponent } from '../update/reference-tom-update.component';
 import { ReferenceTomRoutingResolveService } from './reference-tom-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const referenceTomRoute: Routes = [
   {
     path: '',
     component: ReferenceTomComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: ReferenceTomDetailComponent,
-    resolve: {
-      referenceTom: ReferenceTomRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: ReferenceTomUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       referenceTom: ReferenceTomRoutingResolveService,
     },
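Review bot: The nine-role `authorities` array on the `''` and `:id/view` routes is repeated verbatim, and the same list appears on the questionnaire routes earlier in this commit, so adding or retiring a role means editing every copy. Define it once next to `Authority`, e.g. `export const READ_AUTHORITIES = [Authority.ADMIN, Authority.USER, /* … */];`, and use `data: { authorities: READ_AUTHORITIES }`. Because the list includes `Authority.USER`, it presumably admits every signed-in account, in which case the other eight entries add nothing; a comment stating the intended audience would settle that. The `:id/view` route object continues past the end of this hunk.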
@@ -32,6 +28,7 @@ const referenceTomRoute: Routes = [
   {
     path: ':id/edit',
     component: ReferenceTomUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       referenceTom: ReferenceTomRoutingResolveService,
     },
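Review bot: `data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] }` on `:id/edit` is evaluated by `UserRouteAccessService` in the browser, so it controls navigation only; `ReferenceTomService.update()` still issues its PUT for whoever calls it. The backend handler for that PUT needs the same two-role restriction. Since this commit removes the client's `create` and `delete` methods, the matching endpoints should be removed or restricted too if reference TOMs are no longer meant to be created or deleted. None of that is visible in this part of the diff, so it is worth confirming against the cocBackend resource class. A comment above the route, such as `// mirrored by the server-side role check on the update endpoint`, keeps the two in step.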
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/service/reference-tom.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/service/reference-tom.service.ts
index 93f597d39ac018dcabeb26f1a0f7d13fb6b0e4c7..99318936b4cffd6f2fe28a1adb6659b43aeec0d9 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/service/reference-tom.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/service/reference-tom.service.ts
@@ -16,10 +16,6 @@ export class ReferenceTomService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(referenceTom: IReferenceTom): Observable<EntityResponseType> {
-    return this.http.post<IReferenceTom>(this.resourceUrl, referenceTom, { observe: 'response' });
-  }
-
   update(referenceTom: IReferenceTom): Observable<EntityResponseType> {
     return this.http.put<IReferenceTom>(`${this.resourceUrl}/${getReferenceTomIdentifier(referenceTom) as number}`, referenceTom, {
       observe: 'response',
@@ -41,10 +37,6 @@ export class ReferenceTomService {
     return this.http.get<IReferenceTom[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   addReferenceTomToCollectionIfMissing(
     referenceTomCollection: IReferenceTom[],
     ...referenceTomsToCheck: (IReferenceTom | null | undefined)[]
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.html
index e9fd4ba02459b51f7cc30094dd62202eab3eae5d..c9e2d8745141933561009cd66421d05c35d3f0dd 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.html
@@ -16,6 +16,18 @@
           <label class="form-control-label" jhiTranslate="global.field.id" for="field_id">ID</label>
           <input type="number" class="form-control" name="id" id="field_id" data-cy="id" formControlName="id" [readonly]="true" />
         </div>
+        
+        <div class="form-group">
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tom" for="field_tom">Tom</label>
+          <select class="form-control" id="field_tom" data-cy="tom" name="tom" formControlName="tom" [attr.disabled]="true">
+            <option *ngIf="!editForm.get('tom')!.value" [ngValue]="null" selected></option>
+            <option
+              [ngValue]="tomOption.id === editForm.get('tom')!.value?.id ? editForm.get('tom')!.value : tomOption"
+              *ngFor="let tomOption of tomsSharedCollection; trackBy: trackTomById">
+              {{ tomOption.name }}
+            </option>
+          </select>
+        </div>
 
         <div class="form-group">
           <label
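Review bot: The added `tom` select is locked only in the template, through `[attr.disabled]="true"` next to `formControlName="tom"`, so the control stays enabled in the form model and its value still travels in the PUT body. If `tom` must not change on edit, the backend update handler (not visible in this diff) should ignore or reject a different `tom` rather than rely on the greyed-out field. On the client, disabling the control in the component with `this.editForm.get('tom')?.disable()` is the reactive-forms way, provided `createFromForm` reads the control directly, since disabled controls drop out of `editForm.value`. The same applies to the `[readonly]="true"` added to the `code` and `name` inputs in security-control-category-update.component.html.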
@@ -25,42 +37,11 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendReferenceTom.help.referenceTomImpl' | translate"
             >Reference Tom Impl</label
           >
-          <input
-            type="text"
-            class="form-control"
-            name="referenceTomImpl"
-            id="field_referenceTomImpl"
-            data-cy="referenceTomImpl"
-            formControlName="referenceTomImpl"
-          />
-          <div
-            *ngIf="
-              editForm.get('referenceTomImpl')!.invalid &&
-              (editForm.get('referenceTomImpl')!.dirty || editForm.get('referenceTomImpl')!.touched)
-            "
-          >
-            <small
-              class="form-text text-danger"
-              *ngIf="editForm.get('referenceTomImpl')?.errors?.required"
-              jhiTranslate="entity.validation.required"
-            >
-              This field is required.
-            </small>
-          </div>
+          <br />
+          <textarea id="field_referenceTomImpl" name="referenceTomImpl" formControlName="referenceTomImpl" [value]="editForm.get('referenceTomImpl')!.value" style="width: 100%; height: 460px; border: 1px solid #ddd; border-radius: 4px; padding: 12px; "></textarea>
         </div>
 
-        <div class="form-group">
-          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendReferenceTom.tom" for="field_tom">Tom</label>
-          <select class="form-control" id="field_tom" data-cy="tom" name="tom" formControlName="tom">
-            <option *ngIf="!editForm.get('tom')!.value" [ngValue]="null" selected></option>
-            <option
-              [ngValue]="tomOption.id === editForm.get('tom')!.value?.id ? editForm.get('tom')!.value : tomOption"
-              *ngFor="let tomOption of tomsSharedCollection; trackBy: trackTomById"
-            >
-              {{ tomOption.name }}
-            </option>
-          </select>
-        </div>
+        
         <div *ngIf="editForm.get(['tom'])!.invalid && (editForm.get(['tom'])!.dirty || editForm.get(['tom'])!.touched)">
           <small class="form-text text-danger" *ngIf="editForm.get(['tom'])?.errors?.required" jhiTranslate="entity.validation.required">
             This field is required.
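Review bot: The new textarea binds `[value]="editForm.get('referenceTomImpl')!.value"` in addition to `formControlName="referenceTomImpl"`; the form directive already writes the control value into the element, so the extra binding is redundant and can be dropped. The `required` message for this field was removed together with the old input, so if the control still carries a required validator (not visible here), an empty textarea disables Save without telling the user why; keep the `<small class="form-text text-danger" ... jhiTranslate="entity.validation.required">` block under the textarea. The inline `style` would also read better as `class="form-control"` plus a height rule in the component stylesheet, matching the other fields.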
@@ -69,7 +50,7 @@
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
@@ -79,6 +60,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
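Review bot: `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` on the Save button only removes the element from the page; it is a display hint, not an access check on the update itself. The reference-tom edit route and the backend PUT handler are not visible in this diff, so confirm that both restrict to the same two roles, as the `:id/edit` route of security-control-category does with `data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] }`. The same directive is added to the Edit buttons in security-control-category-detail.component.html and security-control-category.component.html, each time with the role names repeated as string literals. A short template comment such as `<!-- UI hint only; roles are enforced by the route guard and the API -->` would keep that intent clear for the next maintainer.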
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.ts
index 99c3e7c8e995ed880ec2643d9ded5e582da7a77a..b1d75bd4469e02378dff4761cb63d0f597b3e37e 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/reference-tom/update/reference-tom-update.component.ts
@@ -47,10 +47,12 @@ export class ReferenceTomUpdateComponent implements OnInit {
   save(): void {
     this.isSaving = true;
     const referenceTom = this.createFromForm();
+    
+    // Escape single quotes
+    referenceTom.referenceTomImpl = referenceTom.referenceTomImpl?.replace(/'/g, "\\'");
+    
     if (referenceTom.id !== undefined) {
       this.subscribeToSaveResponse(this.referenceTomService.update(referenceTom));
-    } else {
-      this.subscribeToSaveResponse(this.referenceTomService.create(referenceTom));
     }
   }
 
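Review bot: The quote escaping added to `save()`, `replace(/'/g, "\\'")`, runs in the browser, so it cannot be what protects the server-side consumer of `referenceTomImpl`; a request sent straight to the PUT endpoint never passes through it, and a backslash already present in the text is left unescaped. If the backend (not visible here) places this value into a query or script, that code should use bound parameters or its own output encoding, and the text should be stored unmodified. Separately, with the `else` branch removed, a form without an id sets `isSaving = true` and never resets it, leaving Save disabled; add `else { this.isSaving = false; }`.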
@@ -78,6 +80,7 @@ export class ReferenceTomUpdateComponent implements OnInit {
   }
 
   protected updateForm(referenceTom: IReferenceTom): void {
+	referenceTom.referenceTomImpl = referenceTom.referenceTomImpl?.replace("\\'", "'");
     this.editForm.patchValue({
       id: referenceTom.id,
       referenceTomImpl: referenceTom.referenceTomImpl,
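Review bot: `replace("\\'", "'")` in `updateForm` takes a string pattern, so it undoes only the first `\'`, while `save()` escapes every quote with a global regex. A text with two or more quotes is shown with backslashes left in, and the next save escapes those quotes again, so backslashes accumulate on each edit. Use the global form, `referenceTom.referenceTomImpl?.replace(/\\'/g, "'")`, and assign the result to a local constant instead of mutating the `referenceTom` argument. The body of `updateForm` continues past the end of this hunk.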
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource-type/list/resource-type.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource-type/list/resource-type.component.html
index 1d318144303e845157d08a6427210a405e4a7795..ced3b1905d2df378e4ddfc1fa03e0cafa236fb38 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource-type/list/resource-type.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource-type/list/resource-type.component.html
@@ -38,7 +38,7 @@
           <th scope="col"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let resourceType of resourceTypes; trackBy: trackId" data-cy="entityTable">
           <td>
             <a [routerLink]="['/resource-type', resourceType.id, 'view']">{{ resourceType.id }}</a>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource/list/resource.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource/list/resource.component.html
index 0d412bb9b24473de1c259235cd7cbdf491fdfe9c..eec60b6de58695f32162f51501d4e86358f936c9 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource/list/resource.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/resource/list/resource.component.html
@@ -44,7 +44,7 @@
           <th scope="col"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let resource of resources; trackBy: trackId" data-cy="entityTable">
           <td>
             <a [routerLink]="['/resource', resource.id, 'view']">{{ resource.id }}</a>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.html
deleted file mode 100755
index 15cb3fa8a2ea18ea6c55840229279af67677fab1..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.html
+++ /dev/null
@@ -1,31 +0,0 @@
-<form *ngIf="securityControlCategory" name="deleteForm" (ngSubmit)="confirmDelete(securityControlCategory.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="securityControlCategoryDeleteDialogHeading" jhiTranslate="entity.delete.title">
-      Confirm delete operation
-    </h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p
-      id="jhi-delete-securityControlCategory-heading"
-      jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.delete.question"
-      [translateValues]="{ id: securityControlCategory.id }"
-    >
-      Are you sure you want to delete this Security Control Category?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-securityControlCategory" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.spec.ts
deleted file mode 100755
index 057574cd5d86eb08f75c85fc34346f6091713ea4..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { SecurityControlCategoryService } from '../service/security-control-category.service';
-
-import { SecurityControlCategoryDeleteDialogComponent } from './security-control-category-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('SecurityControlCategory Management Delete Component', () => {
-    let comp: SecurityControlCategoryDeleteDialogComponent;
-    let fixture: ComponentFixture<SecurityControlCategoryDeleteDialogComponent>;
-    let service: SecurityControlCategoryService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [SecurityControlCategoryDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(SecurityControlCategoryDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(SecurityControlCategoryDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(SecurityControlCategoryService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.ts
deleted file mode 100755
index a825d8beb45f472a4d1f02894e82730524540dde..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/delete/security-control-category-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ISecurityControlCategory } from '../security-control-category.model';
-import { SecurityControlCategoryService } from '../service/security-control-category.service';
-
-@Component({
-  templateUrl: './security-control-category-delete-dialog.component.html',
-})
-export class SecurityControlCategoryDeleteDialogComponent {
-  securityControlCategory?: ISecurityControlCategory;
-
-  constructor(protected securityControlCategoryService: SecurityControlCategoryService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.securityControlCategoryService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/detail/security-control-category-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/detail/security-control-category-detail.component.html
index fabf062e1bbec6ae564b1a193a97a1ef39add39c..a7ebbe7bbaae0dd37adbc34fdb63b246bd3329e4 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/detail/security-control-category-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/detail/security-control-category-detail.component.html
@@ -51,18 +51,18 @@
         </dt>
         <dd>
           <div *ngIf="securityControlCategory.securityControlFramework">
-            <a [routerLink]="['/security-control-framework', securityControlCategory.securityControlFramework?.id, 'view']">{{
-              securityControlCategory.securityControlFramework?.name
-            }}</a>
+            <a [routerLink]="['/security-control-framework', securityControlCategory.securityControlFramework?.id, 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">
+            	{{securityControlCategory.securityControlFramework?.name}}
+            </a>
           </div>
         </dd>
       </dl>
 
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/security-control-category', securityControlCategory.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/security-control-category', securityControlCategory.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.html
index c5736e8cc62c5e43e72f4b90a12fa20319cb1816..801718313a69dc9646cf31752186903e7e3a1e1f 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.html
@@ -5,22 +5,10 @@
     <span *ngIf="frameworkText != null">{{frameworkText}})</span>
 
     <div class="d-flex justify-content-end">
-      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading">
+      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading" style="background-color: #0099a0!important; border-color: #0099a0!important;">
         <fa-icon icon="sync" [spin]="isLoading"></fa-icon>
         <span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.home.refreshListLabel">Refresh List</span>
       </button>
-
-      <button
-        id="jh-create-entity"
-        data-cy="entityCreateButton"
-        class="btn btn-primary jh-create-entity create-security-control-category"
-        [routerLink]="['/security-control-category/new']"
-      >
-        <fa-icon icon="plus"></fa-icon>
-        <span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.home.createLabel">
-          Create a new Security Control Category
-        </span>
-      </button>
     </div>
   </h2>
   
@@ -58,17 +46,17 @@
           <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.code">Code</span></th>
           <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.name">Name</span></th>
           <th scope="col" style="width: 35%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.description">Description</span></th>
-           <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.securityControlFramework">Security Control Framework</span></th>
-          <th scope="col" style="width: 15%;"><span jhiTranslate="entity.action.relatedControlsLong">Related controls</span></th>
+           <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.securityControlFramework">Framework</span></th>
+          <th scope="col" style="width: 15%;"><span jhiTranslate="entity.action.relatedControls">Controls</span></th>
           <th scope="col" style="width: 15%;"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let securityControlCategory of securityControlCategories; trackBy: trackId" data-cy="entityTable">
-          <td>{{ securityControlCategory.code }}</td>
-          <td>{{ securityControlCategory.name }}</td>
-          <td>{{ securityControlCategory.description }}</td>
-          <td>
+          <td style="vertical-align: middle;">{{ securityControlCategory.code }}</td>
+          <td style="vertical-align: middle;">{{ securityControlCategory.name }}</td>
+          <td style="vertical-align: middle; text-align: justify;">{{ securityControlCategory.description }}</td>
+          <td style="vertical-align: middle;">
             <div *ngIf="securityControlCategory.securityControlFramework">
               <a (click)="goToFrameworkState()" style="color: #0099a0; font-weight: 600;">
               	{{securityControlCategory.securityControlFramework?.name}}
@@ -76,18 +64,19 @@
               </a>
             </div>
           </td>
-          <td>
+          <td style="vertical-align: middle;">
             <a [routerLink]="['/security-control']" [queryParams]="{paramCategoryId: securityControlCategory.id, paramFrameworkText: frameworkText, paramCategoryText: securityControlCategory.name}" style="color: #0099a0; font-weight: 600;  text-decoration: none;">
           		<span class="d-none d-md-inline" jhiTranslate="entity.action.relatedControls">Controls</span>&nbsp;
           		<fa-icon icon="arrow-down"></fa-icon>
           	</a>
           </td>
-          <td class="text-right">
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
               <button
                 type="submit"
                 [routerLink]="['/security-control-category', securityControlCategory.id, 'view']"
                 class="btn btn-info btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
                 data-cy="entityDetailsButton"
               >
                 <fa-icon icon="eye"></fa-icon>
@@ -98,16 +87,13 @@
                 type="submit"
                 [routerLink]="['/security-control-category', securityControlCategory.id, 'edit']"
                 class="btn btn-primary btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;"
                 data-cy="entityEditButton"
+                *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
               >
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-              <button type="submit" (click)="delete(securityControlCategory)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
             </div>
           </td>
         </tr>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.ts
index d44d06913e78f3c2f7d6676d0fc5d64994d45481..eda444105f9794682868d4f567e355b0ffc991a7 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/list/security-control-category.component.ts
@@ -5,7 +5,6 @@ import { Router, ActivatedRoute } from '@angular/router';
 
 import { ISecurityControlCategory } from '../security-control-category.model';
 import { SecurityControlCategoryService } from '../service/security-control-category.service';
-import { SecurityControlCategoryDeleteDialogComponent } from '../delete/security-control-category-delete-dialog.component';
 
 @Component({
   selector: 'jhi-security-control-category',
@@ -56,20 +55,8 @@ export class SecurityControlCategoryComponent implements OnInit {
   trackId(index: number, item: ISecurityControlCategory): number {
     return item.id!;
   }
-
-  delete(securityControlCategory: ISecurityControlCategory): void {
-    const modalRef = this.modalService.open(SecurityControlCategoryDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.securityControlCategory = securityControlCategory;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
   
   goToFrameworkState(): void {
-	//this.router.navigate(['/security-control-framework'], { queryParams: {paramFrameworkId: this.frameworkId}});
 	this.router.navigate(['/security-control-framework']);
   }
 }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/route/security-control-category-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/route/security-control-category-routing.module.ts
index 52656ff037b0b4309f507e4854eca5605133360c..d5cbd29f3ddb26f1310c49d669380eec0b7073f7 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/route/security-control-category-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/route/security-control-category-routing.module.ts
@@ -7,23 +7,19 @@ import { SecurityControlCategoryDetailComponent } from '../detail/security-contr
 import { SecurityControlCategoryUpdateComponent } from '../update/security-control-category-update.component';
 import { SecurityControlCategoryRoutingResolveService } from './security-control-category-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const securityControlCategoryRoute: Routes = [
   {
     path: '',
     component: SecurityControlCategoryComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: SecurityControlCategoryDetailComponent,
-    resolve: {
-      securityControlCategory: SecurityControlCategoryRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: SecurityControlCategoryUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       securityControlCategory: SecurityControlCategoryRoutingResolveService,
     },
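Review bot: The nine-entry `authorities` array is written out twice, on the list route and on `:id/view`, so the two copies can drift apart; hoist it into one constant, e.g. `const READ_AUTHORITIES = [Authority.ADMIN, Authority.USER, /* … */];`, and reference it from both routes. Because `Authority.USER` is in the list, the other eight entries may add nothing if every signed-in account holds that authority (the role model is not visible here). These `data.authorities` values are presumably read by `UserRouteAccessService` in the browser, so the matching REST endpoints still need their own role checks. The route array continues outside this hunk.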
@@ -32,6 +28,7 @@ const securityControlCategoryRoute: Routes = [
   {
     path: ':id/edit',
     component: SecurityControlCategoryUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       securityControlCategory: SecurityControlCategoryRoutingResolveService,
     },
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/security-control-category.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/security-control-category.module.ts
index 367e499a76da6334ad4b8c69f087e55274f9e822..eba52ede30668601162803020f5915c0cb80e259 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/security-control-category.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/security-control-category.module.ts
@@ -3,7 +3,6 @@ import { SharedModule } from 'app/shared/shared.module';
 import { SecurityControlCategoryComponent } from './list/security-control-category.component';
 import { SecurityControlCategoryDetailComponent } from './detail/security-control-category-detail.component';
 import { SecurityControlCategoryUpdateComponent } from './update/security-control-category-update.component';
-import { SecurityControlCategoryDeleteDialogComponent } from './delete/security-control-category-delete-dialog.component';
 import { SecurityControlCategoryRoutingModule } from './route/security-control-category-routing.module';
 
 @NgModule({
@@ -12,8 +11,6 @@ import { SecurityControlCategoryRoutingModule } from './route/security-control-c
     SecurityControlCategoryComponent,
     SecurityControlCategoryDetailComponent,
     SecurityControlCategoryUpdateComponent,
-    SecurityControlCategoryDeleteDialogComponent,
   ],
-  entryComponents: [SecurityControlCategoryDeleteDialogComponent],
 })
 export class CocBackendSecurityControlCategoryModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/service/security-control-category.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/service/security-control-category.service.ts
index bd053b7f1fd2703becb4cea9341165c9e08954c6..0e4a396a5041469230eb5cd27238b316bbcbec8d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/service/security-control-category.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/service/security-control-category.service.ts
@@ -16,10 +16,6 @@ export class SecurityControlCategoryService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(securityControlCategory: ISecurityControlCategory): Observable<EntityResponseType> {
-    return this.http.post<ISecurityControlCategory>(this.resourceUrl, securityControlCategory, { observe: 'response' });
-  }
-
   update(securityControlCategory: ISecurityControlCategory): Observable<EntityResponseType> {
     return this.http.put<ISecurityControlCategory>(
       `${this.resourceUrl}/${getSecurityControlCategoryIdentifier(securityControlCategory) as number}`,
@@ -45,10 +41,6 @@ export class SecurityControlCategoryService {
     return this.http.get<ISecurityControlCategory[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   addSecurityControlCategoryToCollectionIfMissing(
     securityControlCategoryCollection: ISecurityControlCategory[],
     ...securityControlCategoriesToCheck: (ISecurityControlCategory | null | undefined)[]
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.html
index dc19eebe8fe1aab0b8c9e0b36ebdbee87f37d53a..c20b8d06ac9b0ab8328c89bb0b35abe47ec28853 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.html
@@ -6,7 +6,7 @@
         data-cy="SecurityControlCategoryCreateUpdateHeading"
         jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.home.createOrEditLabel"
       >
-        Create or edit a Security Control Category
+        Edit a Security Control Category
       </h2>
 
       <div>
@@ -25,12 +25,7 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControlCategory.help.code' | translate"
             >Code</label
           >
-          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" />
-          <div *ngIf="editForm.get('code')!.invalid && (editForm.get('code')!.dirty || editForm.get('code')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('code')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" [readonly]="true" />
         </div>
 
         <div class="form-group">
@@ -41,12 +36,7 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControlCategory.help.name' | translate"
             >Name</label
           >
-          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
-          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" [readonly]="true" />
         </div>
 
         <div class="form-group">
@@ -75,55 +65,28 @@
             </small>
           </div>
         </div>
-
         <div class="form-group">
           <label
             class="form-control-label"
             jhiTranslate="cocGatewayApp.cocBackendSecurityControlCategory.securityControlFramework"
-            for="field_securityControlFramework"
-            >Security Control Framework</label
+            for="field_securityFramework"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControlCategory.securityControlFramework' | translate"
+            >Security Framework</label
           >
-          <select
+          <input
+            type="text"
             class="form-control"
-            id="field_securityControlFramework"
-            data-cy="securityControlFramework"
             name="securityControlFramework"
-            formControlName="securityControlFramework"
-          >
-            <option *ngIf="!editForm.get('securityControlFramework')!.value" [ngValue]="null" selected></option>
-            <option
-              [ngValue]="
-                securityControlFrameworkOption.id === editForm.get('securityControlFramework')!.value?.id
-                  ? editForm.get('securityControlFramework')!.value
-                  : securityControlFrameworkOption
-              "
-              *ngFor="
-                let securityControlFrameworkOption of securityControlFrameworksSharedCollection;
-                trackBy: trackSecurityControlFrameworkById
-              "
-            >
-              {{ securityControlFrameworkOption.name }}
-            </option>
-          </select>
-        </div>
-        <div
-          *ngIf="
-            editForm.get(['securityControlFramework'])!.invalid &&
-            (editForm.get(['securityControlFramework'])!.dirty || editForm.get(['securityControlFramework'])!.touched)
-          "
-        >
-          <small
-            class="form-text text-danger"
-            *ngIf="editForm.get(['securityControlFramework'])?.errors?.required"
-            jhiTranslate="entity.validation.required"
-          >
-            This field is required.
-          </small>
+            id="field_securityControlFramework"
+            data-cy="description"
+            [value]="editForm.get('securityControlFramework')!.value?.name"
+            [readonly]="true" />
+          
         </div>
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
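Review bot: The new label points at `for="field_securityFramework"` while the input it describes keeps `id="field_securityControlFramework"`, so the label is no longer associated with the field for screen readers or click-to-focus. The input also carries `data-cy="description"`, which looks copied from the description field and would make Cypress selectors ambiguous. I would change these to `for="field_securityControlFramework"` and `data-cy="securityControlFramework"`. The tooltip reuses the label's translation key rather than a `help.*` key like the other fields, which may be unintended.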
@@ -133,6 +96,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
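Review bot: `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` on the Save button only removes the element from the DOM for other roles; it does not authorize the update itself, so the PUT endpoint on the backend (not visible in this hunk) needs the same role check. The role names are also repeated as string literals here, while the security-control-framework routing module in this commit uses `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE` (presumably the same values); if the two ever drift, the button and the route guard will disagree. The same literal list appears on the Edit buttons in security-control-framework-detail.component.html and security-control-framework.component.html and on the Save button in security-control-framework-update.component.html. Consider exposing the allowed roles from the component, built from the `Authority` constants, and binding the directive to that property.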
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.ts
index e1360d6f2cf79feb4bd78a88795663eb940846c1..53e695e48243a88e1f12acb84d2be46ce847c576 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-category/update/security-control-category-update.component.ts
@@ -51,8 +51,6 @@ export class SecurityControlCategoryUpdateComponent implements OnInit {
     const securityControlCategory = this.createFromForm();
     if (securityControlCategory.id !== undefined) {
       this.subscribeToSaveResponse(this.securityControlCategoryService.update(securityControlCategory));
-    } else {
-      this.subscribeToSaveResponse(this.securityControlCategoryService.create(securityControlCategory));
     }
   }
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.html
deleted file mode 100755
index b9f30984e67d167e08688ac9c16ef346e674d41b..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.html
+++ /dev/null
@@ -1,31 +0,0 @@
-<form *ngIf="securityControlFramework" name="deleteForm" (ngSubmit)="confirmDelete(securityControlFramework.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="securityControlFrameworkDeleteDialogHeading" jhiTranslate="entity.delete.title">
-      Confirm delete operation
-    </h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p
-      id="jhi-delete-securityControlFramework-heading"
-      jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.delete.question"
-      [translateValues]="{ id: securityControlFramework.id }"
-    >
-      Are you sure you want to delete this Security Control Framework?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-securityControlFramework" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.spec.ts
deleted file mode 100755
index c6f42e55bf49e6130631e47c7371d01d5df0e265..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { SecurityControlFrameworkService } from '../service/security-control-framework.service';
-
-import { SecurityControlFrameworkDeleteDialogComponent } from './security-control-framework-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('SecurityControlFramework Management Delete Component', () => {
-    let comp: SecurityControlFrameworkDeleteDialogComponent;
-    let fixture: ComponentFixture<SecurityControlFrameworkDeleteDialogComponent>;
-    let service: SecurityControlFrameworkService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [SecurityControlFrameworkDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(SecurityControlFrameworkDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(SecurityControlFrameworkDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(SecurityControlFrameworkService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.ts
deleted file mode 100755
index ce1503a8bd712e89de5fe6685225acf9522805c6..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/delete/security-control-framework-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ISecurityControlFramework } from '../security-control-framework.model';
-import { SecurityControlFrameworkService } from '../service/security-control-framework.service';
-
-@Component({
-  templateUrl: './security-control-framework-delete-dialog.component.html',
-})
-export class SecurityControlFrameworkDeleteDialogComponent {
-  securityControlFramework?: ISecurityControlFramework;
-
-  constructor(protected securityControlFrameworkService: SecurityControlFrameworkService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.securityControlFrameworkService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/detail/security-control-framework-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/detail/security-control-framework-detail.component.html
index 972f79fff76b7cd86d508d046b7f82f4b16a296b..90ae88251ce186a42b11973943aa2db6da98c9e1 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/detail/security-control-framework-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/detail/security-control-framework-detail.component.html
@@ -48,11 +48,11 @@
         </dd>
       </dl>
 
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/security-control-framework', securityControlFramework.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/security-control-framework', securityControlFramework.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
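Review bot: The button colours are set with inline `style="background-color: …!important; border-color: …!important;"` attributes on both buttons here, and the same two declarations are repeated on buttons in the list and update templates of this commit. Inline `!important` rules are hard to override and have to be edited in every template when the palette changes. A pair of shared classes in the global stylesheet, for example `.btn-coc-primary { background-color: #0099a0; border-color: #0099a0; }` and an equivalent for `#c70e33`, applied as `class="btn btn-coc-primary"`, would keep the templates clean.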
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.html
index 49dacdc416c55a6dd906fbd2a0b038117b9e111a..79056cede24adb70c83a9d363485c04575773189 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.html
@@ -3,22 +3,10 @@
     <span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.home.title">Security Control Frameworks</span>
 
     <div class="d-flex justify-content-end">
-      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading">
+      <button class="btn btn-info mr-2" (click)="loadAll()" [disabled]="isLoading" style="background-color: #0099a0!important; border-color: #0099a0!important;">
         <fa-icon icon="sync" [spin]="isLoading"></fa-icon>
         <span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.home.refreshListLabel">Refresh List</span>
       </button>
-
-      <button
-        id="jh-create-entity"
-        data-cy="entityCreateButton"
-        class="btn btn-primary jh-create-entity create-security-control-framework"
-        [routerLink]="['/security-control-framework/new']"
-      >
-        <fa-icon icon="plus"></fa-icon>
-        <span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.home.createLabel">
-          Create a new Security Control Framework
-        </span>
-      </button>
     </div>
   </h2>
   
@@ -42,23 +30,19 @@
     <table class="table table-striped" aria-describedby="page-heading">
       <thead>
         <tr>
-          <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
           <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.name">Name</span></th>
           <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.description">Description</span></th>
           <th scope="col"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.version">Version</span></th>
-          <th scope="col"><span jhiTranslate="entity.action.relatedCategoriesLong">Related categories</span></th>
+          <th scope="col"><span jhiTranslate="entity.action.relatedCategories">Categories</span></th>
           <th scope="col"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let securityControlFramework of securityControlFrameworks; trackBy: trackId" data-cy="entityTable">
-          <!-- <td>
-            <a [routerLink]="['/security-control-framework', securityControlFramework.id, 'view']">{{ securityControlFramework.id }}</a>
-          </td> -->
-          <td>{{ securityControlFramework.name }}</td>
-          <td>{{ securityControlFramework.description }}</td>
-          <td>{{ securityControlFramework.version }}</td>
-          <td>
+          <td style="vertical-align: middle;">{{ securityControlFramework.name }}</td>
+          <td style="vertical-align: middle; text-align: justify;">{{ securityControlFramework.description }}</td>
+          <td style="vertical-align: middle;">{{ securityControlFramework.version }}</td>
+          <td style="vertical-align: middle;">
           	<a [routerLink]="['/security-control-category']" [queryParams]="{paramFrameworkId: securityControlFramework.id, paramFrameworkText: securityControlFramework.name}" style="color: #0099a0; font-weight: 600; text-decoration: none;">
           		<span class="d-none d-md-inline" jhiTranslate="entity.action.relatedCategories">Categories</span>&nbsp;
           		<fa-icon icon="arrow-down"></fa-icon>
@@ -70,6 +54,7 @@
                 type="submit"
                 [routerLink]="['/security-control-framework', securityControlFramework.id, 'view']"
                 class="btn btn-info btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
                 data-cy="entityDetailsButton"
               >
                 <fa-icon icon="eye"></fa-icon>
@@ -80,16 +65,13 @@
                 type="submit"
                 [routerLink]="['/security-control-framework', securityControlFramework.id, 'edit']"
                 class="btn btn-primary btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;"
                 data-cy="entityEditButton"
+                *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
               >
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-              <button type="submit" (click)="delete(securityControlFramework)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
             </div>
           </td>
         </tr>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.ts
index ba70fe27a8a74c4a188ac87b8db8a089e3327786..03fe804bbe43308e22c339fb2fd495be9cb9ec23 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/list/security-control-framework.component.ts
@@ -4,7 +4,6 @@ import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
 
 import { ISecurityControlFramework } from '../security-control-framework.model';
 import { SecurityControlFrameworkService } from '../service/security-control-framework.service';
-import { SecurityControlFrameworkDeleteDialogComponent } from '../delete/security-control-framework-delete-dialog.component';
 
 @Component({
   selector: 'jhi-security-control-framework',
@@ -13,11 +12,12 @@ import { SecurityControlFrameworkDeleteDialogComponent } from '../delete/securit
 export class SecurityControlFrameworkComponent implements OnInit {
   securityControlFrameworks?: ISecurityControlFramework[];
   isLoading = false;
+  account: Account | null = null;
 
   constructor(protected securityControlFrameworkService: SecurityControlFrameworkService, protected modalService: NgbModal) {}
 
   loadAll(): void {
-    this.isLoading = true;
+	this.isLoading = true;
     
     this.securityControlFrameworkService.query().subscribe(
       (res: HttpResponse<ISecurityControlFramework[]>) => {
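Review bot: The new field `account: Account | null = null;` uses a type `Account` for which no import is added in the visible hunks of this file, and nothing shown assigns or reads the field. If the lines above the first hunk do not already import it, this will not compile; otherwise it is dead state and can be dropped. With `delete()` removed further down, the injected `modalService: NgbModal` also appears to be unused now. The re-indented `this.isLoading = true;` line switches from spaces to a tab. The class body continues outside this hunk.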
@@ -37,15 +37,4 @@ export class SecurityControlFrameworkComponent implements OnInit {
   trackId(index: number, item: ISecurityControlFramework): number {
     return item.id!;
   }
-
-  delete(securityControlFramework: ISecurityControlFramework): void {
-    const modalRef = this.modalService.open(SecurityControlFrameworkDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.securityControlFramework = securityControlFramework;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
 }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/route/security-control-framework-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/route/security-control-framework-routing.module.ts
index 30a9a5eab8c35d18c668a67a137a0ca6f0e10a44..78a869ecceab3eecbf506bb7b4e6db9b8bd27c1d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/route/security-control-framework-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/route/security-control-framework-routing.module.ts
@@ -7,23 +7,19 @@ import { SecurityControlFrameworkDetailComponent } from '../detail/security-cont
 import { SecurityControlFrameworkUpdateComponent } from '../update/security-control-framework-update.component';
 import { SecurityControlFrameworkRoutingResolveService } from './security-control-framework-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const securityControlFrameworkRoute: Routes = [
   {
     path: '',
     component: SecurityControlFrameworkComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: SecurityControlFrameworkDetailComponent,
-    resolve: {
-      securityControlFramework: SecurityControlFrameworkRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: SecurityControlFrameworkUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       securityControlFramework: SecurityControlFrameworkRoutingResolveService,
     },
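Review bot: The nine-entry `authorities` array is written out twice, once for `path: ''` and once for `path: ':id/view'`, so the two read routes can silently diverge when a role is added. Hoisting it into a constant such as `const READ_AUTHORITIES = [Authority.ADMIN, Authority.USER, /* … */];` and using `data: { authorities: READ_AUTHORITIES }` on both routes avoids that. If `Authority.USER` is granted to every authenticated account (the constants file is not shown), the remaining entries are redundant and the list effectively means "any logged-in user", which is worth stating in a comment. These route guards run in the browser only, so the backend endpoints still need their own checks. The route array continues outside this hunk.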
@@ -32,6 +28,7 @@ const securityControlFrameworkRoute: Routes = [
   {
     path: ':id/edit',
     component: SecurityControlFrameworkUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       securityControlFramework: SecurityControlFrameworkRoutingResolveService,
     },
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/security-control-framework.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/security-control-framework.module.ts
index 4abe56fea86a1c37e0b6e9a633dcc49d7883b0f8..37ce64c05038b22d51323d8047b8796dae6eb721 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/security-control-framework.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/security-control-framework.module.ts
@@ -3,7 +3,6 @@ import { SharedModule } from 'app/shared/shared.module';
 import { SecurityControlFrameworkComponent } from './list/security-control-framework.component';
 import { SecurityControlFrameworkDetailComponent } from './detail/security-control-framework-detail.component';
 import { SecurityControlFrameworkUpdateComponent } from './update/security-control-framework-update.component';
-import { SecurityControlFrameworkDeleteDialogComponent } from './delete/security-control-framework-delete-dialog.component';
 import { SecurityControlFrameworkRoutingModule } from './route/security-control-framework-routing.module';
 
 @NgModule({
@@ -12,8 +11,6 @@ import { SecurityControlFrameworkRoutingModule } from './route/security-control-
     SecurityControlFrameworkComponent,
     SecurityControlFrameworkDetailComponent,
     SecurityControlFrameworkUpdateComponent,
-    SecurityControlFrameworkDeleteDialogComponent,
   ],
-  entryComponents: [SecurityControlFrameworkDeleteDialogComponent],
 })
 export class CocBackendSecurityControlFrameworkModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/service/security-control-framework.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/service/security-control-framework.service.ts
index 183d3d9e6dcf14c0bf0fad93d052d894b5aa57eb..575073ecec948b30a6beffd8d2fd63cafa3550f7 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/service/security-control-framework.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/service/security-control-framework.service.ts
@@ -16,10 +16,6 @@ export class SecurityControlFrameworkService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(securityControlFramework: ISecurityControlFramework): Observable<EntityResponseType> {
-    return this.http.post<ISecurityControlFramework>(this.resourceUrl, securityControlFramework, { observe: 'response' });
-  }
-
   update(securityControlFramework: ISecurityControlFramework): Observable<EntityResponseType> {
     return this.http.put<ISecurityControlFramework>(
       `${this.resourceUrl}/${getSecurityControlFrameworkIdentifier(securityControlFramework) as number}`,
@@ -45,10 +41,6 @@ export class SecurityControlFrameworkService {
     return this.http.get<ISecurityControlFramework[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   checkHasRequirements(name: string): Observable<any> {
     return this.http.get(`${this.resourceUrl}/checkHasRequirements/${name}`);
   }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.html
index 31b681d57cd6d1ef1becbddecdb8c5a1480ee43b..b2dfc164d59d28e55dd26e48b0264782b9af2377 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.html
@@ -6,7 +6,7 @@
         data-cy="SecurityControlFrameworkCreateUpdateHeading"
         jhiTranslate="cocGatewayApp.cocBackendSecurityControlFramework.home.createOrEditLabel"
       >
-        Create or edit a Security Control Framework
+       Edit a Security Control Framework
       </h2>
 
       <div>
@@ -25,12 +25,7 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControlFramework.help.name' | translate"
             >Name</label
           >
-          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
-          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" [readonly]="true" />
         </div>
 
         <div class="form-group">
@@ -82,7 +77,7 @@
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
@@ -92,6 +87,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.ts
index 00e938c9a8373de3c222b776718a8862c6d39229..2d31a2a1f75148b91fd68e761e588ae1dd1c3f18 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control-framework/update/security-control-framework-update.component.ts
@@ -43,8 +43,6 @@ export class SecurityControlFrameworkUpdateComponent implements OnInit {
     const securityControlFramework = this.createFromForm();
     if (securityControlFramework.id !== undefined) {
       this.subscribeToSaveResponse(this.securityControlFrameworkService.update(securityControlFramework));
-    } else {
-      this.subscribeToSaveResponse(this.securityControlFrameworkService.create(securityControlFramework));
     }
   }
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.html
deleted file mode 100755
index fe95a9a20a5323df0348ed920f77f8a3b09404f3..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<form *ngIf="securityControl" name="deleteForm" (ngSubmit)="confirmDelete(securityControl.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="securityControlDeleteDialogHeading" jhiTranslate="entity.delete.title">Confirm delete operation</h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p
-      id="jhi-delete-securityControl-heading"
-      jhiTranslate="cocGatewayApp.cocBackendSecurityControl.delete.question"
-      [translateValues]="{ id: securityControl.id }"
-    >
-      Are you sure you want to delete this Security Control?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-securityControl" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.spec.ts
deleted file mode 100755
index e72b208ce1c5b4b71b86a2a5d445894906581b30..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { SecurityControlService } from '../service/security-control.service';
-
-import { SecurityControlDeleteDialogComponent } from './security-control-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('SecurityControl Management Delete Component', () => {
-    let comp: SecurityControlDeleteDialogComponent;
-    let fixture: ComponentFixture<SecurityControlDeleteDialogComponent>;
-    let service: SecurityControlService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [SecurityControlDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(SecurityControlDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(SecurityControlDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(SecurityControlService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.ts
deleted file mode 100755
index 393f74be72c26db0455f6c9339549d2cd4298e91..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/delete/security-control-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ISecurityControl } from '../security-control.model';
-import { SecurityControlService } from '../service/security-control.service';
-
-@Component({
-  templateUrl: './security-control-delete-dialog.component.html',
-})
-export class SecurityControlDeleteDialogComponent {
-  securityControl?: ISecurityControl;
-
-  constructor(protected securityControlService: SecurityControlService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.securityControlService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/detail/security-control-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/detail/security-control-detail.component.html
index 647e32322569ce9abe13105b28bd8a1075a15b6b..3b8e44b58ba2aea2e57b6187c924afd5be065d44 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/detail/security-control-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/detail/security-control-detail.component.html
@@ -12,10 +12,6 @@
       <jhi-alert></jhi-alert>
 
       <dl class="row-md jh-entity-details">
-        <dt><span jhiTranslate="global.field.id">ID</span></dt>
-        <dd>
-          <span>{{ securityControl.id }}</span>
-        </dd>
         <dt>
           <span
             jhiTranslate="cocGatewayApp.cocBackendSecurityControl.code"
@@ -28,9 +24,9 @@
         </dd>
         <dt>
           <span
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.name' | translate"
-            >Name</span
+            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.controlId"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.controlId' | translate"
+            >Control ID</span
           >
         </dt>
         <dd>
@@ -38,9 +34,9 @@
         </dd>
         <dt>
           <span
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.objective"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.objective' | translate"
-            >Objective</span
+            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.name' | translate"
+            >Name</span
           >
         </dt>
         <dd>
@@ -56,48 +52,21 @@
         <dd>
           <span>{{ securityControl.description }}</span>
         </dd>
-        <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.guidance"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.guidance' | translate"
-            >Guidance</span
-          >
-        </dt>
-        <dd>
-          <span>{{ securityControl.guidance }}</span>
-        </dd>
-        <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.riskReductionWeight"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.riskReductionWeight' | translate"
-            >Risk Reduction Weight</span
-          >
-        </dt>
-        <dd>
-          <span>{{ securityControl.riskReductionWeight }}</span>
-        </dd>
         <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.securityControlCategory">Security Control Category</span></dt>
         <dd>
           <div *ngIf="securityControl.securityControlCategory">
-            <a [routerLink]="['/security-control-category', securityControl.securityControlCategory?.id, 'view']">{{
+            <a [routerLink]="['/security-control-category', securityControl.securityControlCategory?.id, 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">{{
               securityControl.securityControlCategory?.name
             }}</a>
           </div>
         </dd>
-        <!-- <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.resource">Resource</span></dt>
-        <dd>
-          <span *ngFor="let resource of securityControl.resources; let last = last">
-            <a [routerLink]="['/resource', resource?.id, 'view']">{{ resource.name }}</a
-            >{{ last ? '' : ', ' }}
-          </span>
-        </dd> -->
       </dl>
 
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/security-control', securityControl.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/security-control', securityControl.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
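Review bot: `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` on the Edit button only hides the control in the browser; the actual restriction is the `authorities` entry on the `:id/edit` route plus whatever the backend update endpoint enforces, and the latter is not visible in this part of the diff. The role names are string literals here, while the routing module uses `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE` (presumably the same values), so the two can drift apart. A comment such as `<!-- UI hint only: must match the :id/edit route authorities and the server-side check -->` next to the button would record the dependency. The same applies to the Edit button in `list/security-control.component.html` (hunk `@@ -161,16 +145,13 @@`).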
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.html
index aa9fbf211d899ac4689f1faa3950344761d1c0be..12fe3b50e99631cc915d839e7f7585d9f4beef08 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.html
@@ -7,18 +7,10 @@
     <div class="d-flex justify-content-end">
       <div class="btn-toolbar" role="toolbar" aria-label="Toolbar with button groups">
         <button type="button" class="btn btn-outline-primary mr-2" (click)="collapse.toggle()" [attr.aria-expanded]="!isCollapsed"
+          style="background-color: #0099a0!important; border-color: #0099a0!important; color: #fff;"
           aria-controls="metricsFilter">
           Show/Hide filter
         </button>
-
-        <button
-          id="jh-create-entity"
-          data-cy="entityCreateButton"
-          class="btn btn-primary jh-create-entity create-security-control"
-          [routerLink]="['/security-control/new']">
-          <fa-icon icon="plus"></fa-icon>
-          <span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.home.createLabel"> Create a new Security Control </span>
-        </button>
       </div>
     </div>
   </h2>
@@ -29,7 +21,7 @@
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <small><strong>
   <a *ngIf="frameworkText == null" [routerLink]="['/security-control-framework']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span *ngIf="frameworkText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Security Control Frameworks</span>
+  	<span *ngIf="frameworkText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Frameworks</span>
   </a>
   <a *ngIf="frameworkText != null" (click)="goToFrameworkState()" style="color: #0099a0; font-weight: 600;">
   	<span *ngIf="frameworkText != null" jhiTranslate="cocGatewayApp.cocBackendSecurityControl.home.framework">Framework:</span>
@@ -37,14 +29,14 @@
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <a *ngIf="categoryText == null" [routerLink]="['/security-control-category']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span *ngIf="categoryText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Security Control Category</span>
+  	<span *ngIf="categoryText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Category</span>
   </a>
   <a *ngIf="categoryText != null" (click)="goToCategoryState()" style="color: #0099a0; font-weight: 600;">
   	<span *ngIf="categoryText != null" jhiTranslate="cocGatewayApp.cocBackendSecurityControl.home.category">Category:</span>
   	<span *ngIf="categoryText != null">{{categoryText}}</span>
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
-  <span jhiTranslate="global.menu.entities.cocBackendSecurityControl">Security Control</span>
+  <span jhiTranslate="global.menu.entities.cocBackendSecurityControl">Control</span>
   </strong></small>
   <br/><br/>
   <!-- End: Breadcrumb -->
@@ -60,22 +52,14 @@
           <label class="form-control-label" for="field_name">Name</label>
           <input type="text" class="form-control" id="field_name" formControlName="name"/>
         </div>
-        <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_objective">Objective</label>
-          <input type="text" class="form-control" id="field_objective" formControlName="objective"/>
-        </div>
-      </div>
-      <div class="row">
         <div class="form-group col-md-4">
           <label class="form-control-label" for="field_description">Description</label>
           <input type="text" class="form-control" id="field_description" formControlName="description"/>
         </div>
-        <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_guidance">Guidance</label>
-          <input type="text" class="form-control" id="field_guidance" formControlName="guidance"/>
-        </div>
-        <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_securityControlCategory">Security Control Category</label>
+      </div>
+      <div class="row">
+        <div class="form-group col-md-12">
+          <label class="form-control-label" for="field_securityControlCategory">Category</label>
           <select class="form-control" formControlName="securityControlCategoryId" id="field_securityControlCategory" data-cy="securityControlCategoryId">
             <option value="0"></option>
             <option [value]="categoryOption.id" 
@@ -110,28 +94,21 @@
     <table class="table table-striped" aria-describedby="page-heading">
       <thead>
         <tr>
-          <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
-          <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name">Name</span></th>
-          <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.objective">Objective</span></th>
-          <th scope="col" style="width: 30%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.description">Description</span></th>
-          <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.guidance">Guidance</span></th>
-          <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.riskReductionWeight">Risk Reduction Weight</span></th>
-          <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.securityControlCategory">Security Control Category</span></th>
-          <th scope="col" style="width: 10%;"><span jhiTranslate="entity.action.relatedTomsLong">Related TOMs</span></th>
+          <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.code">Code</span></th>
+          <th scope="col" style="width: 14%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name">Name</span></th>
+          <th scope="col" style="width: 22%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.description">Description</span></th>
+          <th scope="col" style="width: 14%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.securityControlCategory">Category</span></th>
+          <th scope="col" style="width: 13%;"><span jhiTranslate="entity.action.relatedToms">Requirements</span></th>
+          <th scope="col" style="width: 7%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityControl.otherFrameworks">Other Frameworks</span></th>
           <th scope="col" style="width: 15%;"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let securityControl of securityControls; trackBy: trackId" data-cy="entityTable">
-          <!-- <td>
-            <a [routerLink]="['/security-control', securityControl.id, 'view']">{{ securityControl.id }}</a>
-          </td> -->
-          <td>{{ securityControl.name }}</td>
-          <td>{{ securityControl.objective }}</td>
-          <td>{{ securityControl.description }}</td>
-          <td>{{ securityControl.guidance }}</td>
-          <td>{{ securityControl.riskReductionWeight }}</td>
-          <td>
+          <td style="vertical-align: middle;">{{ securityControl.code }}</td>
+          <td style="vertical-align: middle;">{{ securityControl.objective }}</td>
+          <td style="vertical-align: middle; text-align: justify;">{{ securityControl.description }}</td>
+          <td style="vertical-align: middle;">
             <div *ngIf="securityControl.securityControlCategory">
               <a (click)="goToCategoryState()" style="color: #0099a0; font-weight: 600;">
                 {{securityControl.securityControlCategory?.name}}
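Review bot: The column whose header uses the `cocGatewayApp.cocBackendSecurityControl.name` key renders `{{ securityControl.objective }}`, while the links further down the row still pass `securityControl.name` as `paramControlText`. The filter code in `security-control.component.ts` maps the name input to `objective.*` as well, so the swap looks deliberate, but nothing in the template says so. A comment above the cell, for example `<!-- Name column intentionally shows securityControl.objective; keep in sync with the filter mapping -->`, would stop the next maintainer from "fixing" it. The table row continues outside the hunk.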
@@ -139,19 +116,26 @@
               </a>
             </div>
           </td>
-          <td>
+          <td style="border-right: 1px dotted #999; vertical-align: middle;">
           	<a [routerLink]="['/tom']" [queryParams]="{paramFrameworkText: frameworkText, paramCategoryText: categoryText, paramControlId: securityControl.id, paramControlText: securityControl.name}" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-          		<span class="d-none d-md-inline" jhiTranslate="entity.action.relatedToms">TOMs</span>&nbsp;
+          		<span class="d-none d-md-inline" jhiTranslate="entity.action.relatedToms">Requirements</span>&nbsp;
+          		<fa-icon icon="arrow-down"></fa-icon>
+          	</a>
+          </td>
+          <td style="vertical-align: middle;">
+          	<a [routerLink]="['/similar-control']" [queryParams]="{paramControlId: securityControl.id, paramFrameworkText: frameworkText, paramCategoryText: categoryText, paramControlText: securityControl.name }" style="color: #0099a0; font-weight: 600; text-decoration: none;">
+          		<span class="d-none d-md-inline" jhiTranslate="cocGatewayApp.cocBackendSecurityControl.similarControls">Similar Controls</span>
           		<fa-icon icon="arrow-down"></fa-icon>
           	</a>
           </td>
-          <td class="text-right">
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
               <button
                 type="submit"
                 [routerLink]="['/security-control', securityControl.id, 'view']"
                 class="btn btn-info btn-sm"
                 data-cy="entityDetailsButton"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
               >
                 <fa-icon icon="eye"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.view">View</span>
@@ -161,16 +145,13 @@
                 type="submit"
                 [routerLink]="['/security-control', securityControl.id, 'edit']"
                 class="btn btn-primary btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;"
                 data-cy="entityEditButton"
+                *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
               >
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-              <button type="submit" (click)="delete(securityControl)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
             </div>
           </td>
         </tr>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.ts
index 067f879316e7db6b02c8498cbe12b23c8889347d..b447d6bcb48875dfcfadebdf047802060e2b03c9 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/list/security-control.component.ts
@@ -1,11 +1,12 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
 import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
-import { ActivatedRoute } from '@angular/router';
+import { Router, ActivatedRoute } from '@angular/router';
 
 import { ISecurityControl } from '../security-control.model';
+import { ISimilarControl } from '../../similar-control/similar-control.model';
 import { SecurityControlService } from '../service/security-control.service';
-import { SecurityControlDeleteDialogComponent } from '../delete/security-control-delete-dialog.component';
+import { SimilarControlService } from '../../similar-control/service/similar-control.service';
 import { ISecurityControlCategory } from '../../security-control-category/security-control-category.model';
 import { FormBuilder } from '@angular/forms';
 import { SecurityControlCategoryService } from '../../security-control-category/service/security-control-category.service';
@@ -36,9 +37,11 @@ export class SecurityControlComponent implements OnInit {
   constructor(
     protected securityControlService: SecurityControlService,
     protected securityControlCategoryService: SecurityControlCategoryService,
+    protected similarControlService: SimilarControlService,
     protected modalService: NgbModal,
     protected formBuilder: FormBuilder,
-    private route: ActivatedRoute) {}
+    private route: ActivatedRoute,
+    private router: Router) {}
 
   ngOnInit(): void {
     this.loadSecurityControlCategories();
@@ -62,6 +65,25 @@ export class SecurityControlComponent implements OnInit {
 	      (res: HttpResponse<ISecurityControl[]>) => {
 	        this.isLoading = false;
 	        this.securityControls = res.body ?? [];
+	        
+	        if (this.securityControls != null && this.securityControls.length > 0) {
+				this.similarControlService.query().subscribe(
+      				(res: HttpResponse<ISimilarControl[]>) => {
+        				this.isLoading = false;
+						let similarControls = res.body ?? [];
+						if (similarControls != null && similarControls.length > 0) {
+							for (let i = 0;i < this.securityControls!.length;i++) {
+								this.securityControls![i]['similarControls'] = new Array();
+								for (let j = 0;j < similarControls.length;j++) {
+									if (this.securityControls![i].id === similarControls[j]!.securityControl!.id) {
+										this.securityControls![i].similarControls!.push(similarControls[j]);
+									}
+								}
+							}
+						}
+				},
+      			() => { this.isLoading = false; } )
+			}
 	      },
 	      () => {
 	        this.isLoading = false;
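Review bot: `similarControls[j]!.securityControl!.id` in the added block throws inside the subscriber if any similar-control record comes back without a `securityControl`, because the non-null assertions only silence the compiler. The block also repeats verbatim in the next hunk (`@@ -74,12 +96,30 @@`), fetches every similar control with an unfiltered `query()`, and joins with a nested loop; none of the visible template hunks read `similarControls`, so it is worth confirming the fetch is needed at all. I would move it into one private helper that groups by control id with optional chaining and call it from both branches, as sketched below. The enclosing method starts before and ends after the hunk.

```typescript
	        this.securityControls = res.body ?? [];
	        this.attachSimilarControls(this.securityControls);
// … unchanged: error callback and the second query branch, which calls the same helper …

  /** Attaches to each control the similar-control records that reference it. */
  private attachSimilarControls(controls: ISecurityControl[]): void {
    if (controls.length === 0) {
      return;
    }
    this.similarControlService.query().subscribe((res: HttpResponse<ISimilarControl[]>) => {
      const byControlId = new Map<number, ISimilarControl[]>();
      for (const similar of res.body ?? []) {
        const controlId = similar.securityControl?.id;
        if (controlId == null) {
          continue; // record without a parent control: skip instead of throwing
        }
        const bucket = byControlId.get(controlId) ?? [];
        bucket.push(similar);
        byControlId.set(controlId, bucket);
      }
      for (const control of controls) {
        control.similarControls = control.id != null ? (byControlId.get(control.id) ?? []) : [];
      }
    });
  }
```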
@@ -74,12 +96,30 @@ export class SecurityControlComponent implements OnInit {
 	      (res: HttpResponse<ISecurityControl[]>) => {
 	        this.isLoading = false;
 	        this.securityControls = res.body ?? [];
+	        if (this.securityControls != null && this.securityControls.length > 0) {
+				this.similarControlService.query().subscribe(
+      				(res: HttpResponse<ISimilarControl[]>) => {
+        				this.isLoading = false;
+						let similarControls = res.body ?? [];
+						if (similarControls != null && similarControls.length > 0) {
+							for (let i = 0;i < this.securityControls!.length;i++) {
+								this.securityControls![i]['similarControls'] = new Array();
+								for (let j = 0;j < similarControls.length;j++) {
+									if (this.securityControls![i].id === similarControls[j]!.securityControl!.id) {
+										this.securityControls![i].similarControls!.push(similarControls[j]);
+									}
+								}
+							}
+						}
+				},
+      			() => { this.isLoading = false; } )
+			}
 	      },
 	      () => {
 	        this.isLoading = false;
 	      }
 	    );
-	} 
+	}	
   }
 
   loadSecurityControlCategories(): void {
@@ -109,19 +149,34 @@ export class SecurityControlComponent implements OnInit {
     const dynamicFilter: any={};
     let hasFilter=false;
     if (this.searchForm.value.code!==''){
-      dynamicFilter['code.contains'] = this.searchForm.value.code; 
+      let text = this.searchForm.value.code.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['code.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['code.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.name!==''){
-      dynamicFilter['name.contains'] = this.searchForm.value.name; 
+      let text = this.searchForm.value.name.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['objective.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['objective.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.objective!==''){
-      dynamicFilter['objective.contains'] = this.searchForm.value.objective; 
+	  dynamicFilter['name.contains'] = this.searchForm.value.objective; 
       hasFilter=true;
     }
     if (this.searchForm.value.description!==''){
-      dynamicFilter['description.contains'] = this.searchForm.value.description; 
+      let text = this.searchForm.value.description.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['description.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['description.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.guidance!==''){
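Review bot: The quoted-exact-match test added for `code`, `name` and `description` treats a lone `"` or `'` as a quoted string, since the first and last character are then the same one, and `substring(1, 0)` swaps its arguments and returns the quote itself as the `equals` value. A whitespace-only input also passes the `!== ''` check and is sent as an empty `contains` filter after `trim()`. The three copies could become one helper that requires at least two characters and skips empty text, as below. It should also carry a comment that the `name` input filters on `objective` (and the `objective` input on `name`), which is not obvious. The method begins and continues outside the hunk.

```typescript
  /**
   * Adds `<field>.equals` for text wrapped in matching quotes, otherwise `<field>.contains`.
   * Returns false (and adds nothing) when the trimmed text is empty.
   */
  private addTextFilter(filter: any, field: string, raw: string): boolean {
    const text = raw.trim();
    if (text === '') {
      return false;
    }
    const quote = text[0];
    const quoted = text.length >= 2 && (quote === '"' || quote === "'") && text[text.length - 1] === quote;
    if (quoted) {
      filter[`${field}.equals`] = text.substring(1, text.length - 1);
    } else {
      filter[`${field}.contains`] = text;
    }
    return true;
  }

    // in the filter-building method; the "name" input deliberately targets the objective field
    hasFilter = this.addTextFilter(dynamicFilter, 'code', this.searchForm.value.code) || hasFilter;
    hasFilter = this.addTextFilter(dynamicFilter, 'objective', this.searchForm.value.name) || hasFilter;
    hasFilter = this.addTextFilter(dynamicFilter, 'description', this.searchForm.value.description) || hasFilter;
    // … unchanged: objective and guidance branches …
```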
@@ -156,23 +211,17 @@ export class SecurityControlComponent implements OnInit {
   trackSecurityControlCategoryById(index: number, item: ISecurityControlCategory): number {
     return item.id!;
   }
-
-  delete(securityControl: ISecurityControl): void {
-    const modalRef = this.modalService.open(SecurityControlDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.securityControl = securityControl;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
   
   goToFrameworkState(): void {
-    window.history.go(-2);
+    this.router.navigate(['/security-control-framework']);
   }
   
   goToCategoryState(): void {
-    window.history.back();
+    //window.history.back();
+    if (this.route.snapshot.queryParams['paramCategoryId'] == null || typeof this.route.snapshot.queryParams['paramCategoryId'] == 'undefined') {
+		this.router.navigate(['/security-control-category']);
+	} else {
+		window.history.back();
+	}
   }
 }
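Review bot: In `goToCategoryState()` the commented-out `//window.history.back();` should be deleted rather than kept, and the condition is redundant: `== null` already matches `undefined`, so `if (this.route.snapshot.queryParams['paramCategoryId'] == null) {` is enough. The `else` branch still relies on `window.history.back()`, which goes wherever the browser history points when the page was opened directly. A short comment explaining why history is used there instead of `router.navigate` would help.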
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/route/security-control-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/route/security-control-routing.module.ts
index d1fcb7dd8c668362229f1e5669d27efaf444d32a..9d2f09f197a47013118ba2b85917f96f384c82ed 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/route/security-control-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/route/security-control-routing.module.ts
@@ -7,23 +7,19 @@ import { SecurityControlDetailComponent } from '../detail/security-control-detai
 import { SecurityControlUpdateComponent } from '../update/security-control-update.component';
 import { SecurityControlRoutingResolveService } from './security-control-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const securityControlRoute: Routes = [
   {
     path: '',
     component: SecurityControlComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: SecurityControlDetailComponent,
-    resolve: {
-      securityControl: SecurityControlRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: SecurityControlUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       securityControl: SecurityControlRoutingResolveService,
     },
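Review bot: The nine-entry `authorities` array is written out twice, on the list route and on `:id/view`, so a later role change has to be made in two places; a shared constant, e.g. `const READ_AUTHORITIES = [Authority.ADMIN, Authority.USER, /* … */];` with `data: { authorities: READ_AUTHORITIES }`, avoids that. If `Authority.USER` is granted to every signed-in account (the JHipster default, not confirmed by this diff), listing the other roles adds nothing and the routes are open to any authenticated user, which should be a stated decision. These route guards run in the browser only, so the backend read endpoints need the same check. The `Routes` array continues outside the hunk.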
@@ -32,6 +28,7 @@ const securityControlRoute: Routes = [
   {
     path: ':id/edit',
     component: SecurityControlUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       securityControl: SecurityControlRoutingResolveService,
     },
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.model.ts
index 43126ede212764c7b96ecd5f5a6a26f850385d57..785fa5ed2e47a09b9d9e48d1c2c55978270807cb 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.model.ts
@@ -8,8 +8,6 @@ export interface ISecurityControl {
   name?: string;
   objective?: string;
   description?: string;
-  guidance?: string;
-  riskReductionWeight?: number;
   similarControls?: ISimilarControl[] | null;
   securityControlCategory?: ISecurityControlCategory;
   resources?: IResource[] | null;
@@ -22,8 +20,6 @@ export class SecurityControl implements ISecurityControl {
     public name?: string,
     public objective?: string,
     public description?: string,
-    public guidance?: string,
-    public riskReductionWeight?: number,
     public similarControls?: ISimilarControl[] | null,
     public securityControlCategory?: ISecurityControlCategory,
     public resources?: IResource[] | null
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.module.ts
index 61679e4b60bb56810056515651d3c87352e3e756..fa9f9735a1f8f0d8a5023ece329c0d334cb8ff7e 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/security-control.module.ts
@@ -3,7 +3,6 @@ import { SharedModule } from 'app/shared/shared.module';
 import { SecurityControlComponent } from './list/security-control.component';
 import { SecurityControlDetailComponent } from './detail/security-control-detail.component';
 import { SecurityControlUpdateComponent } from './update/security-control-update.component';
-import { SecurityControlDeleteDialogComponent } from './delete/security-control-delete-dialog.component';
 import { SecurityControlRoutingModule } from './route/security-control-routing.module';
 
 @NgModule({
@@ -12,8 +11,6 @@ import { SecurityControlRoutingModule } from './route/security-control-routing.m
     SecurityControlComponent,
     SecurityControlDetailComponent,
     SecurityControlUpdateComponent,
-    SecurityControlDeleteDialogComponent,
   ],
-  entryComponents: [SecurityControlDeleteDialogComponent],
 })
 export class CocBackendSecurityControlModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/service/security-control.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/service/security-control.service.ts
index 519e01aed8f93ca9c2f8119965bf78a2257b4fe5..c6f443193968c40e93412c1671105d017a8afd5f 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/service/security-control.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/service/security-control.service.ts
@@ -16,10 +16,6 @@ export class SecurityControlService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(securityControl: ISecurityControl): Observable<EntityResponseType> {
-    return this.http.post<ISecurityControl>(this.resourceUrl, securityControl, { observe: 'response' });
-  }
-
   update(securityControl: ISecurityControl): Observable<EntityResponseType> {
     return this.http.put<ISecurityControl>(
       `${this.resourceUrl}/${getSecurityControlIdentifier(securityControl) as number}`,
@@ -45,10 +41,6 @@ export class SecurityControlService {
     return this.http.get<ISecurityControl[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   addSecurityControlToCollectionIfMissing(
     securityControlCollection: ISecurityControl[],
     ...securityControlsToCheck: (ISecurityControl | null | undefined)[]
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.html
index 0234d2ce30ca15f06e62f48c97cd4045e21d22dc..3959e70c125a048410abdd0df612b36062d1c9bb 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.html
@@ -6,7 +6,7 @@
         data-cy="SecurityControlCreateUpdateHeading"
         jhiTranslate="cocGatewayApp.cocBackendSecurityControl.home.createOrEditLabel"
       >
-        Create or edit a Security Control
+        Edit a Security Control
       </h2>
 
       <div>
@@ -25,48 +25,29 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.code' | translate"
             >Code</label
           >
-          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" />
-          <div *ngIf="editForm.get('code')!.invalid && (editForm.get('code')!.dirty || editForm.get('code')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('code')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" [readonly]="true" />
         </div>
 
         <div class="form-group">
           <label
             class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name"
+            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.controlId"
             for="field_name"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.name' | translate"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.controlId' | translate"
             >Name</label
           >
-          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
-          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" [readonly]="true" />
         </div>
 
         <div class="form-group">
           <label
             class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.objective"
+            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.name"
             for="field_objective"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.objective' | translate"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.name' | translate"
             >Objective</label
           >
-          <input type="text" class="form-control" name="objective" id="field_objective" data-cy="objective" formControlName="objective" />
-          <div *ngIf="editForm.get('objective')!.invalid && (editForm.get('objective')!.dirty || editForm.get('objective')!.touched)">
-            <small
-              class="form-text text-danger"
-              *ngIf="editForm.get('objective')?.errors?.required"
-              jhiTranslate="entity.validation.required"
-            >
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="objective" id="field_objective" data-cy="objective" formControlName="objective" [readonly]="true" />
         </div>
 
         <div class="form-group">
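Review bot: `[readonly]="true"` on the `code`, `name` and `objective` inputs is a display-level lock only. The controls stay in `editForm`, and `createFromForm` in the component still copies `name`, `objective` and `securityControlCategory` into the PUT body; the category `<select>` gets `[attr.disabled]="true"` in the next hunk and has the same limitation. A caller who edits the DOM or sends the request directly can still change these values, so if they are meant to be immutable the server-side update should ignore or reject changes to them; that handler is not visible here. A template comment such as `<!-- read-only in the UI; immutability must be enforced by the API -->` above the first input would record the intent.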
@@ -95,126 +76,26 @@
             </small>
           </div>
         </div>
-
+        
         <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.guidance"
-            for="field_guidance"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.guidance' | translate"
-            >Guidance</label
-          >
-          <input type="text" class="form-control" name="guidance" id="field_guidance" data-cy="guidance" formControlName="guidance" />
-          <div *ngIf="editForm.get('guidance')!.invalid && (editForm.get('guidance')!.dirty || editForm.get('guidance')!.touched)">
-            <small
-              class="form-text text-danger"
-              *ngIf="editForm.get('guidance')?.errors?.required"
-              jhiTranslate="entity.validation.required"
-            >
-              This field is required.
-            </small>
-          </div>
-        </div>
-
-        <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.riskReductionWeight"
-            for="field_riskReductionWeight"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.help.riskReductionWeight' | translate"
-            >Risk Reduction Weight</label
-          >
-          <input
-            type="number"
-            class="form-control"
-            name="riskReductionWeight"
-            id="field_riskReductionWeight"
-            data-cy="riskReductionWeight"
-            formControlName="riskReductionWeight"
-          />
-          <div
-            *ngIf="
-              editForm.get('riskReductionWeight')!.invalid &&
-              (editForm.get('riskReductionWeight')!.dirty || editForm.get('riskReductionWeight')!.touched)
-            "
-          >
-            <small
-              class="form-text text-danger"
-              *ngIf="editForm.get('riskReductionWeight')?.errors?.required"
-              jhiTranslate="entity.validation.required"
-            >
-              This field is required.
-            </small>
-            <small
-              class="form-text text-danger"
-              [hidden]="!editForm.get('riskReductionWeight')?.errors?.number"
-              jhiTranslate="entity.validation.number"
-            >
-              This field should be a number.
-            </small>
-          </div>
-        </div>
-
-        <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSecurityControl.securityControlCategory"
-            for="field_securityControlCategory"
-            >Security Control Category</label
-          >
-          <select
-            class="form-control"
-            id="field_securityControlCategory"
-            data-cy="securityControlCategory"
-            name="securityControlCategory"
-            formControlName="securityControlCategory"
-          >
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendSecurityControl.securityControlCategory" for="field_securityControlCategory"
+            [ngbTooltip]="'cocGatewayApp.cocBackendSecurityControl.securityControlCategory' | translate">Security Control Category</label>
+          
+          <select class="form-control" id="field_securityControlCategory" data-cy="securityControlCategory" name="securityControlCategory" formControlName="securityControlCategory" [attr.disabled]="true">
             <option *ngIf="!editForm.get('securityControlCategory')!.value" [ngValue]="null" selected></option>
             <option
-              [ngValue]="
-                securityControlCategoryOption.id === editForm.get('securityControlCategory')!.value?.id
-                  ? editForm.get('securityControlCategory')!.value
-                  : securityControlCategoryOption
-              "
-              *ngFor="
-                let securityControlCategoryOption of securityControlCategoriesSharedCollection;
-                trackBy: trackSecurityControlCategoryById
-              "
+              [ngValue]="securityControlCategoryOption.id === editForm.get('securityControlCategory')!.value?.id ? editForm.get('securityControlCategory')!.value : securityControlCategoryOption"
+              *ngFor="let securityControlCategoryOption of securityControlCategoriesSharedCollection; trackBy: trackSecurityControlCategoryById"
             >
               {{ securityControlCategoryOption.name }}
             </option>
           </select>
         </div>
-        <div
-          *ngIf="
-            editForm.get(['securityControlCategory'])!.invalid &&
-            (editForm.get(['securityControlCategory'])!.dirty || editForm.get(['securityControlCategory'])!.touched)
-          "
-        >
-          <small
-            class="form-text text-danger"
-            *ngIf="editForm.get(['securityControlCategory'])?.errors?.required"
-            jhiTranslate="entity.validation.required"
-          >
-            This field is required.
-          </small>
-        </div>
-
-        <div class="form-group">
-          <label jhiTranslate="cocGatewayApp.cocBackendSecurityControl.resource" for="field_resources">Resource</label>
-          <select class="form-control" id="field_resources" data-cy="resource" multiple name="resources" formControlName="resources">
-            <option
-              [ngValue]="getSelectedResource(resourceOption, editForm.get('resources')!.value)"
-              *ngFor="let resourceOption of resourcesSharedCollection; trackBy: trackResourceById"
-            >
-              {{ resourceOption.name }}
-            </option>
-          </select>
-        </div>
+        
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
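Review bot: With the `resources` multi-select removed here and `resources` dropped from `createFromForm` in the component hunk further down, an edit saved from this screen sends a body without `resources`. `ISecurityControl` still declares that property, and the form-patching object in the component still lists `resources: securityControl.resources` for a control that no longer exists. If the backend treats the PUT body as the complete entity, saving could clear a control's existing resource links; whether it does depends on server code not shown. Consider keeping an unrendered `resources: []` control in `editForm` that `createFromForm` reads back, or removing the leftover `resources` line if the relation is now managed elsewhere.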
@@ -224,6 +105,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
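Review bot: The authorities on the Save button are string literals, `['ROLE_ADMIN', 'SecurityGovernance']`, while the `:id/edit` route changed in this commit uses `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE`. Two spellings of one rule can drift apart without a compile error. Exposing the enum on the component (for example `readonly Authority = Authority;`) and binding `*jhiHasAnyAuthority="[Authority.ADMIN, Authority.SECURITY_GOVERNANCE]"` keeps the rule in one place. The directive only hides the button, so it does not replace the authorization check on the update endpoint. The `<button>` opening tag lies above this hunk.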
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.ts
index 0a6097ffb8afcaab46519cf7ec29e5d85a06b14b..efa63278c34e149095b45278b597328483de2e99 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-control/update/security-control-update.component.ts
@@ -9,8 +9,6 @@ import { ISecurityControl, SecurityControl } from '../security-control.model';
 import { SecurityControlService } from '../service/security-control.service';
 import { ISecurityControlCategory } from 'app/entities/cocBackend/security-control-category/security-control-category.model';
 import { SecurityControlCategoryService } from 'app/entities/cocBackend/security-control-category/service/security-control-category.service';
-import { IResource } from 'app/entities/cocBackend/resource/resource.model';
-import { ResourceService } from 'app/entities/cocBackend/resource/service/resource.service';
 
 @Component({
   selector: 'jhi-security-control-update',
@@ -20,7 +18,6 @@ export class SecurityControlUpdateComponent implements OnInit {
   isSaving = false;
 
   securityControlCategoriesSharedCollection: ISecurityControlCategory[] = [];
-  resourcesSharedCollection: IResource[] = [];
 
   editForm = this.fb.group({
     id: [],
@@ -28,16 +25,12 @@ export class SecurityControlUpdateComponent implements OnInit {
     name: [null, [Validators.required]],
     objective: [null, [Validators.required]],
     description: [null, [Validators.required]],
-    guidance: [null, [Validators.required]],
-    riskReductionWeight: [null, [Validators.required]],
     securityControlCategory: [null, Validators.required],
-    resources: [],
   });
 
   constructor(
     protected securityControlService: SecurityControlService,
     protected securityControlCategoryService: SecurityControlCategoryService,
-    protected resourceService: ResourceService,
     protected activatedRoute: ActivatedRoute,
     protected fb: FormBuilder
   ) {}
@@ -59,8 +52,6 @@ export class SecurityControlUpdateComponent implements OnInit {
     const securityControl = this.createFromForm();
     if (securityControl.id !== undefined) {
       this.subscribeToSaveResponse(this.securityControlService.update(securityControl));
-    } else {
-      this.subscribeToSaveResponse(this.securityControlService.create(securityControl));
     }
   }
 
@@ -68,21 +59,6 @@ export class SecurityControlUpdateComponent implements OnInit {
     return item.id!;
   }
 
-  trackResourceById(index: number, item: IResource): number {
-    return item.id!;
-  }
-
-  getSelectedResource(option: IResource, selectedVals?: IResource[]): IResource {
-    if (selectedVals) {
-      for (const selectedVal of selectedVals) {
-        if (option.id === selectedVal.id) {
-          return selectedVal;
-        }
-      }
-    }
-    return option;
-  }
-
   protected subscribeToSaveResponse(result: Observable<HttpResponse<ISecurityControl>>): void {
     result.pipe(finalize(() => this.onSaveFinalize())).subscribe(
       () => this.onSaveSuccess(),
@@ -109,8 +85,6 @@ export class SecurityControlUpdateComponent implements OnInit {
       name: securityControl.name,
       objective: securityControl.objective,
       description: securityControl.description,
-      guidance: securityControl.guidance,
-      riskReductionWeight: securityControl.riskReductionWeight,
       securityControlCategory: securityControl.securityControlCategory,
       resources: securityControl.resources,
     });
@@ -119,10 +93,6 @@ export class SecurityControlUpdateComponent implements OnInit {
       this.securityControlCategoriesSharedCollection,
       securityControl.securityControlCategory
     );
-    this.resourcesSharedCollection = this.resourceService.addResourceToCollectionIfMissing(
-      this.resourcesSharedCollection,
-      ...(securityControl.resources ?? [])
-    );
   }
 
   protected loadRelationshipsOptions(): void {
@@ -141,16 +111,6 @@ export class SecurityControlUpdateComponent implements OnInit {
         (securityControlCategories: ISecurityControlCategory[]) =>
           (this.securityControlCategoriesSharedCollection = securityControlCategories)
       );
-
-    this.resourceService
-      .query()
-      .pipe(map((res: HttpResponse<IResource[]>) => res.body ?? []))
-      .pipe(
-        map((resources: IResource[]) =>
-          this.resourceService.addResourceToCollectionIfMissing(resources, ...(this.editForm.get('resources')!.value ?? []))
-        )
-      )
-      .subscribe((resources: IResource[]) => (this.resourcesSharedCollection = resources));
   }
 
   protected createFromForm(): ISecurityControl {
@@ -161,10 +121,7 @@ export class SecurityControlUpdateComponent implements OnInit {
       name: this.editForm.get(['name'])!.value,
       objective: this.editForm.get(['objective'])!.value,
       description: this.editForm.get(['description'])!.value,
-      guidance: this.editForm.get(['guidance'])!.value,
-      riskReductionWeight: this.editForm.get(['riskReductionWeight'])!.value,
       securityControlCategory: this.editForm.get(['securityControlCategory'])!.value,
-      resources: this.editForm.get(['resources'])!.value,
     };
   }
 }
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/detail/security-metric-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/detail/security-metric-detail.component.html
index 0891c7ab6dc78dd0f29b308d3f6630a5af0e29d3..6d024e96a1bc9bf382f335888064c7fbd19321f6 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/detail/security-metric-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/detail/security-metric-detail.component.html
@@ -12,10 +12,6 @@
       <jhi-alert></jhi-alert>
 
       <dl class="row-md jh-entity-details">
-        <!-- <dt><span jhiTranslate="global.field.id">ID</span></dt>
-        <dd>
-          <span>{{ securityMetric.id }}</span>
-        </dd> -->
         <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.metricId">Metric Id</span></dt>
         <dd>
           <span>{{ securityMetric.metricId }}</span>
@@ -122,31 +118,23 @@
           <div *ngFor="let tom of securityMetric.toms">{{ tom?.name }}</div>
         </dd>
         
-        <!--
-        <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.referenceTom">Reference Tom</span></dt>
-        <dd>
-          <div *ngIf="securityMetric.referenceTom">
-            <a [routerLink]="['/reference-tom', securityMetric.referenceTom?.id, 'view']">{{
-              securityMetric.referenceTom?.referenceTomImpl
-            }}</a>
-          </div>
-        </dd>
-        -->
         <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.resourceType">Resource Type</span></dt>
         <dd>
           <div *ngIf="securityMetric.resourceType">
             <a [routerLink]="['/resource-type', securityMetric.resourceType?.id, 'view']">{{ securityMetric.resourceType?.name }}</a>
           </div>
         </dd>
+        
+        <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.securityFeature">Security feature</span></dt>
+        <dd>{{ securityMetric.securityFeature }}</dd>
+        
+        <dt><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.keywords">Keywords</span></dt>
+        <dd>{{ securityMetric.keywords }}</dd>
       </dl>
 
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
-
-      <button type="button" [routerLink]="['/security-metric', securityMetric.id, 'edit']" class="btn btn-primary">
-        <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
-      </button>
     </div>
   </div>
 </div>
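Review bot: The Back button gets an inline `style="background-color: #c70e33!important; border-color: #c70e33!important;"`, and the same pattern with `#c70e33` or `#0099a0` recurs on buttons in the security-control update form and the security-metric list hunks. The list table also repeats `vertical-align: middle` on every `<td>`. Shared classes in the application stylesheet (the name here is illustrative, e.g. `class="btn btn-info btn-brand-back"`) would define the colours once and remove the need for `!important`. That would also keep a Content-Security-Policy without `'unsafe-inline'` in `style-src` possible later; the policy currently in use is not shown on this page.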
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.html
index 7e4e7610c4d3cb1f687a01fe62abab4b9b5a1345..7c97024cd2a7811846cb8982e455c8f8ee058c0a 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.html
@@ -7,6 +7,7 @@
   
   <div class="d-flex justify-content-end">
     <button type="button" class="btn btn-outline-primary" (click)="collapse.toggle()" [attr.aria-expanded]="!isCollapsed"
+      style="background-color: #0099a0!important; border-color: #0099a0!important; color: #fff;"
       aria-controls="metricsFilter">
       Show/Hide filter
     </button>
@@ -40,7 +41,7 @@
   	<span *ngIf="controlText != null" jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.home.control">Control:</span>
   	<span *ngIf="controlText != null">{{controlText}}</span>
   </a>
-   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
+  &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <a *ngIf="tomText == null" [routerLink]="['/tom']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
   	<span *ngIf="tomText == null" jhiTranslate="global.menu.entities.cocBackendTom">TOMs</span>
   </a>
@@ -71,26 +72,20 @@
         </div>
       </div>
       <div class="row">
-        <div class="form-group col-md-4">
+        <div class="form-group col-md-8">
           <label class="form-control-label" for="field_description">Description</label>
           <input type="text" class="form-control" id="field_description" formControlName="description"/>
         </div>
         <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_targetResourceType">Target Resource Type</label>
-          <input type="text" class="form-control" id="field_targetResourceType" formControlName="targetResourceType"/>
-        </div>
-        <!--
-        <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_securityControlFramework">TOM</label>
-          <select class="form-control" formControlName="tomId" id="field_securityControlFramework" data-cy="tomId">
+          <label class="form-control-label" for="field_tom">Requirement</label>
+          <select class="form-control" formControlName="tomId" id="field_tom" data-cy="tomId">
             <option value="0"></option>
             <option [value]="tomOption.id" 
-              *ngFor="let tomOption of tomsSharedCollection;trackBy: trackTomById">
+              *ngFor="let tomOption of sortToms();trackBy: trackTomById">
             {{ tomOption.name }}
             </option>
           </select>
         </div>
-        -->
       </div>
       <input type="submit" style="visibility:hidden"/>
     </form>
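Review bot: `*ngFor="let tomOption of sortToms();trackBy: trackTomById"` calls a component method from the template, so it runs on every change-detection pass of this view. The body of `sortToms()` is not in this hunk, but if it sorts or copies the list each time, that work repeats on every keystroke in the filter form. Sorting once where the TOMs are loaded and iterating the stored array, e.g. `*ngFor="let tomOption of tomSharedCollection; trackBy: trackTomById"`, avoids that. The enclosing `<form>` starts above this hunk.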
@@ -116,44 +111,23 @@
     <table class="table table-striped" aria-describedby="page-heading">
       <thead>
         <tr>
-          <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
           <th scope="col" style="width: 8%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.category">Category</span></th>
           <th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.name">Name</span></th>
           <th scope="col" style="width: 7%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.source">Source</span></th>
           <th scope="col" style="width: 35%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.description">Description</span></th>
-          <!--<th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.scale">Scale</span></th>-->
           <th scope="col" style="width: 7%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.operator">Operator</span></th>
-          <!--
-          <th scope="col" style="width: 7%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.targetValue">Target Value</span></th>
-          <th scope="col" style="width: 8%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.targetValueDatatype">Target Value Datatype</span></th>
-          <th scope="col" style="width: 5%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.interval">Interval</span></th>
-          <th scope="col" style="width: 19%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.targetResourceType">Target Resource Type</span></th>
-          -->
-          <th scope="col" style="width: 11%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.relatedToms">Related TOMs</span></th>
-          <!--
-          <th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendSecurityMetric.resourceType">Resource Type</span></th>
-          -->
+          <th scope="col" style="width: 11%;"><span jhiTranslate="entity.action.relatedToms">Requirements</span></th>
           <th scope="col" style="width: 5%;"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let securityMetric of securityMetrics; trackBy: trackId" data-cy="entityTable">
-          <!-- <td>
-            <a [routerLink]="['/security-metric', securityMetric.id, 'view']">{{ securityMetric.id }}</a>
-          </td> -->
-          <td>{{ securityMetric.category }}</td>
-          <td>{{ securityMetric.name }}</td>
-          <td>{{ securityMetric.source }}</td>
-          <td>{{ securityMetric.description }}</td>
-          <!--<td>{{ securityMetric.scale }}</td>-->
-          <td>{{ securityMetric.operator }}</td>
-          <!--
-		  <td>{{ securityMetric.targetValue }}</td>
-          <td>{{ securityMetric.targetValueDatatype }}</td>
-          <td>{{ securityMetric.interval }}</td>
-          <td>{{ securityMetric.targetResourceType }}</td>
-          -->
-          <td>
+          <td style="vertical-align: middle;">{{ securityMetric.category }}</td>
+          <td style="vertical-align: middle;">{{ securityMetric.name }}</td>
+          <td style="vertical-align: middle;">{{ securityMetric.source }}</td>
+          <td style="vertical-align: middle; text-align: justify;">{{ securityMetric.description }}</td>
+          <td style="vertical-align: middle;">{{ securityMetric.operator }}</td>
+          <td style="vertical-align: middle;">
             <div *ngIf="securityMetric.toms != null && securityMetric.toms.length > 0">
               <div *ngFor="let tom of securityMetric.toms">
 	              <a (click)="goToTomState()" style="color: #0099a0; font-weight: 600;">
@@ -163,39 +137,18 @@
               </div>
             </div>
           </td>
-          <!--
-          <td>
-            <div *ngIf="securityMetric.resourceType">
-              <a [routerLink]="['/resource-type', securityMetric.resourceType?.id, 'view']">{{ securityMetric.resourceType?.name }}</a>
-            </div>
-          </td>
-          -->
-          <td class="text-right">
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
               <button
                 type="submit"
                 [routerLink]="['/security-metric', securityMetric.id, 'view']"
                 class="btn btn-info btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
                 data-cy="entityDetailsButton"
               >
                 <fa-icon icon="eye"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.view">View</span>
               </button>
-
-              <!-- <button
-                type="submit"
-                [routerLink]="['/security-metric', securityMetric.id, 'edit']"
-                class="btn btn-primary btn-sm"
-                data-cy="entityEditButton"
-              >
-                <fa-icon icon="pencil-alt"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
-              </button>
-
-              <button type="submit" (click)="delete(securityMetric)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button> -->
             </div>
           </td>
         </tr>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.ts
index b7f42a715ec1c269a883cc62f9dfef8907e0e248..de689057100521eb3acc4ada18f2757405f96a0f 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/list/security-metric.component.ts
@@ -1,11 +1,10 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
 import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
-import { ActivatedRoute } from '@angular/router';
+import { Router, ActivatedRoute } from '@angular/router';
 
 import { ISecurityMetric } from '../security-metric.model';
 import { SecurityMetricService } from '../service/security-metric.service';
-import { SecurityMetricDeleteDialogComponent } from '../delete/security-metric-delete-dialog.component';
 import { FormBuilder } from '@angular/forms';
 import { TomService } from '../../tom/service/tom.service';
 import { ITom } from '../../tom/tom.model';
@@ -25,13 +24,16 @@ export class SecurityMetricComponent implements OnInit {
   controlText = null;
   tomText = null;
   
+  tomSharedCollection: ITom[] = [];
+  
   searchForm = this.formBuilder.group({
     metricId:'',
     category:'',
     name:'',
     source:'',
     targetResourceType:'',
-    description:''
+    description:'',
+    tomId:'0'
   });
 
   constructor(
@@ -39,10 +41,11 @@ export class SecurityMetricComponent implements OnInit {
     protected tomService: TomService,
     protected modalService: NgbModal,
     protected formBuilder: FormBuilder,
-    private route: ActivatedRoute) {}
+    private route: ActivatedRoute,
+    private router: Router) {}
 
   ngOnInit(): void {
-    //this.loadToms();
+    this.loadToms();
     this.loadAll();
   }
   
@@ -56,7 +59,8 @@ export class SecurityMetricComponent implements OnInit {
       name:'',
       source:'',
       targetResourceType:'',
-      description:''
+      description:'',
+      tomId:'0'
     });
     
     if (this.route.snapshot.queryParams['paramTomId'] == null || typeof this.route.snapshot.queryParams['paramTomId'] == 'undefined') {
@@ -64,23 +68,6 @@ export class SecurityMetricComponent implements OnInit {
 	      (res: HttpResponse<ISecurityMetric[]>) => {
 	        this.isLoading = false;
 	        this.securityMetrics = res.body ?? [];
-	        /*
-	        if (this.securityMetrics != null && this.securityMetrics.length > 0) {
-				for (let i = 0;i < this.securityMetrics.length;i++) {
-					const metric = this.securityMetrics[i];
-					if (metric.toms != null && metric.toms.length > 0) {
-						metric.tomsTextList = '';
-						for (let j = 0;j < metric.toms.length;j++) {
-							const tom = metric.toms[j];
-							if (j > 0) {
-								metric.tomsTextList += ', ';
-							}
-							metric.tomsTextList += tom.name;
-						}
-					}
-				}
-			}
-			*/
 	      },
 	      () => {
 	        this.isLoading = false;
@@ -95,23 +82,6 @@ export class SecurityMetricComponent implements OnInit {
 	      (res: HttpResponse<ISecurityMetric[]>) => {
 	        this.isLoading = false;
 	        this.securityMetrics = res.body ?? [];
-	        /*
-	        if (this.securityMetrics != null && this.securityMetrics.length > 0) {
-				for (let i = 0;i < this.securityMetrics.length;i++) {
-					const metric = this.securityMetrics[i];
-					if (metric.toms != null && metric.toms.length > 0) {
-						metric.tomsTextList = '';
-						for (let j = 0;j < metric.toms.length;j++) {
-							const tom = metric.toms[j];
-							if (j > 0) {
-								metric.tomsTextList += ', ';
-							}
-							metric.tomsTextList += tom.name;
-						}
-					}
-				}
-			}
-			*/
 	      },
 	      () => {
 	        this.isLoading = false;
@@ -119,6 +89,29 @@ export class SecurityMetricComponent implements OnInit {
 	    );
 	}
   }
+  
+  loadToms(): void {
+    this.tomService
+      .query()
+      .pipe(map((res: HttpResponse<ITom[]>) => res.body ?? []))
+      .pipe(
+        map((tomSharedCollection: ITom[]) =>
+          this.tomService.addTomToCollectionIfMissing(tomSharedCollection)
+        )
+      )
+      .subscribe(
+        (toms: ITom[]) => {
+          this.tomSharedCollection = toms;
+        },
+        () => {
+          this.isLoading = false;
+        }
+      );
+  }
+  
+  sortToms() {
+	return this.tomSharedCollection.sort((a, b) => (a.name! < b.name! ? -1 : 1));
+  }
 
   search(): void {
     this.isLoading = true;
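Review bot: `sortToms()` sorts `this.tomSharedCollection` in place and its comparator never returns 0, so TOMs with equal names (or an undefined `name`, which the `!` assertions hide) are ordered inconsistently. If the template calls `sortToms()` from an `*ngFor`, the array is also re-sorted on every change-detection pass. Sorting once in the `loadToms()` success callback avoids both, e.g. `this.tomSharedCollection = [...toms].sort((a, b) => (a.name ?? '').localeCompare(b.name ?? ''));`. Separately, the error callback of `loadToms()` sets `this.isLoading = false` although `loadToms()` never sets it, so a failed TOM query can clear the loading flag while `loadAll()` is still in flight.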
@@ -130,15 +123,30 @@ export class SecurityMetricComponent implements OnInit {
       hasFilter=true;
     }
     if (this.searchForm.value.category!==''){
-      dynamicFilter['category.contains'] = this.searchForm.value.category; 
+      let text = this.searchForm.value.category.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['category.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['category.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.name!==''){
-      dynamicFilter['name.contains'] = this.searchForm.value.name; 
+      let text = this.searchForm.value.name.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['name.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['name.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.source!==''){
-      dynamicFilter['source.equals'] = this.searchForm.value.source; 
+      let text = this.searchForm.value.source.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['source.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['source.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.targetResourceType!==''){
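Review bot: The quote check in the `category`, `name` and `source` branches (and again for `description` in the next hunk) has no length guard and is copied four times. A value that is a single `"` satisfies both comparisons, and a whitespace-only value trims to `''` yet still sets `hasFilter` and sends an empty `contains` criterion. `source` also changes from `equals` to `contains` for unquoted input, which deserves a line in the commit message. A private helper, sketched below, keeps the rule in one place; `search()` begins and ends outside this hunk.

```typescript
// Maps a free-text filter to its criteria operator and value; null when the input is blank.
private toTextFilter(raw: string): { op: 'equals' | 'contains'; value: string } | null {
  const text = raw.trim();
  if (text === '') {
    return null;
  }
  const quoted = text.length >= 2 && (text[0] === '"' || text[0] === "'") && text[text.length - 1] === text[0];
  return quoted ? { op: 'equals', value: text.substring(1, text.length - 1) } : { op: 'contains', value: text };
}

// in search(), once per text field:
const categoryFilter = this.toTextFilter(this.searchForm.value.category);
if (categoryFilter) {
  dynamicFilter[`category.${categoryFilter.op}`] = categoryFilter.value;
  hasFilter = true;
}
// … unchanged: targetResourceType branch …
```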
@@ -146,7 +154,16 @@ export class SecurityMetricComponent implements OnInit {
       hasFilter=true;
     }
     if (this.searchForm.value.description!==''){
-      dynamicFilter['description.contains'] = this.searchForm.value.description; 
+      let text = this.searchForm.value.description.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['description.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['description.contains'] = text;
+      }
+      hasFilter=true;
+    }
+    if (this.searchForm.value.tomId!=='0'){
+      dynamicFilter['tomId.equals'] = this.searchForm.value.tomId; 
       hasFilter=true;
     }
     if (!hasFilter){
@@ -158,8 +175,6 @@ export class SecurityMetricComponent implements OnInit {
         (res: HttpResponse<ISecurityMetric[]>) => {
           this.isLoading = false;
           this.securityMetrics = res.body ?? [];
-          console.log("3");
-		  console.log(this.securityMetrics);
         },
         () => {
           this.isLoading = false;
@@ -172,19 +187,37 @@ export class SecurityMetricComponent implements OnInit {
     return item.id!;
   }
   
+  trackTomById(index: number, item: ITom): number {
+    return item.id!;
+  }
+  
   goToFrameworkState(): void {
-    window.history.go(-4);
+    this.router.navigate(['/security-control-framework']);
   }
   
   goToCategoryState(): void {
-    window.history.go(-3);
+    //window.history.go(-3);
+    if (this.route.snapshot.queryParams['paramTomId'] == null || typeof this.route.snapshot.queryParams['paramTomId'] == 'undefined') {
+	    this.router.navigate(['/security-control-category']);
+	} else {
+		window.history.go(-3);
+	}
   }
   
   goToControlState(): void {
-    window.history.go(-2);
+    //window.history.go(-2);
+    if (this.route.snapshot.queryParams['paramTomId'] == null || typeof this.route.snapshot.queryParams['paramTomId'] == 'undefined') {
+	    this.router.navigate(['/security-control']);
+	} else {
+		window.history.go(-2);
+	}
   }
   
   goToTomState(): void {
-    window.history.back();
+    if (this.route.snapshot.queryParams['paramTomId'] == null || typeof this.route.snapshot.queryParams['paramTomId'] == 'undefined') {
+	    this.router.navigate(['/tom']);
+	} else {
+		window.history.back();
+	}
   }
 }
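Review bot: `goToCategoryState()`, `goToControlState()` and `goToTomState()` still fall back to `window.history.go(-3)`, `go(-2)` and `back()` when `paramTomId` is present, which only reaches the intended page if the user arrived through exactly that click path. A bookmarked or reloaded URL carrying `paramTomId` steps to whatever is in the browser history, possibly outside the application. Using `this.router.navigate([...])` in both branches, as `goToFrameworkState()` now does, would make the breadcrumb deterministic, although the parent ids would then have to travel as query parameters, which this hunk does not show. The condition is repeated three times and `== null` already covers `undefined`, so it reduces to one getter such as `private get hasTomParam(): boolean { return this.route.snapshot.queryParams['paramTomId'] != null; }`. The commented-out `//window.history.go(-3);` and `//window.history.go(-2);` lines should be dropped.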
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/route/security-metric-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/route/security-metric-routing.module.ts
index 0caa2bbe0657b308a53451e2e2940aedc085f1ab..b600cf4275ff69eea9f136d06282c5de7377b622 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/route/security-metric-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/route/security-metric-routing.module.ts
@@ -7,31 +7,19 @@ import { SecurityMetricDetailComponent } from '../detail/security-metric-detail.
 import { SecurityMetricUpdateComponent } from '../update/security-metric-update.component';
 import { SecurityMetricRoutingResolveService } from './security-metric-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const securityMetricRoute: Routes = [
   {
     path: '',
     component: SecurityMetricComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: SecurityMetricDetailComponent,
-    resolve: {
-      securityMetric: SecurityMetricRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: SecurityMetricUpdateComponent,
-    resolve: {
-      securityMetric: SecurityMetricRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: ':id/edit',
-    component: SecurityMetricUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       securityMetric: SecurityMetricRoutingResolveService,
     },
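Review bot: The nine-entry `authorities` array is written out twice, once for the list route and once for `:id/view`, so the two copies can drift apart. Hoist it into one constant (for example `const READ_AUTHORITIES = [...]` holding the same nine `Authority` values) and use `data: { authorities: READ_AUTHORITIES }` on both routes. If `Authority.USER` is granted to every authenticated account, the other eight entries add nothing and the list documents a restriction that is not enforced, which is worth confirming. Removing the `new` and `:id/edit` routes only takes the screens away from the client, so the backend create and update endpoints for security metrics still need their own role checks, which are not visible in this hunk. The `SecurityMetricUpdateComponent` import in the context lines looks unused after this change, unless a route outside the hunk still references it.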
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/security-metric.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/security-metric.model.ts
index 459a1af80b0d23bf3903590ea382761b2778e99e..209b7d97da86531e14368ac05f029c71e86f687d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/security-metric.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/security-metric.model.ts
@@ -19,6 +19,8 @@ export interface ISecurityMetric {
   toms?: ITom[];
   referenceTom?: IReferenceTom | null;
   resourceType?: IResourceType | null;
+  securityFeature?: string | null;
+  keywords?: string | null;
 }
 
 export class SecurityMetric implements ISecurityMetric {
@@ -38,7 +40,9 @@ export class SecurityMetric implements ISecurityMetric {
     public tom?: ITom,
     public toms?: ITom[],
     public referenceTom?: IReferenceTom | null,
-    public resourceType?: IResourceType | null
+    public resourceType?: IResourceType | null,
+    public securityFeature?: string | null,
+    public keywords?: string | null
   ) {}
 }
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/update/security-metric-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/update/security-metric-update.component.html
index 2642d65a3afa290d50e5977b4edb9186c1074220..1c291c6afb3666039cf978e993ea471a621b78ea 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/update/security-metric-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/security-metric/update/security-metric-update.component.html
@@ -286,7 +286,7 @@
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
@@ -296,6 +296,7 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
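Review bot: The button colours are set with an inline `style="background-color: #0099a0!important; border-color: #0099a0!important;"` here and on the Cancel button in the hunk above (`#c70e33`), and the same attributes recur in the similar-control detail and list templates later in this commit. Inline `style` attributes are only permitted by a Content-Security-Policy that allows `'unsafe-inline'` (or `'unsafe-hashes'`) in `style-src`, so every copy makes tightening that policy harder, and the `!important` overrides complicate later theming. Two shared classes in the global stylesheet, for example `.btn-brand-primary` and `.btn-brand-cancel` (names constructed for illustration), would carry the colours once.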
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.html
deleted file mode 100755
index cddfcd00404964cf255fcf9c0619df0dcb109971..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<form *ngIf="similarControl" name="deleteForm" (ngSubmit)="confirmDelete(similarControl.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="similarControlDeleteDialogHeading" jhiTranslate="entity.delete.title">Confirm delete operation</h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p
-      id="jhi-delete-similarControl-heading"
-      jhiTranslate="cocGatewayApp.cocBackendSimilarControl.delete.question"
-      [translateValues]="{ id: similarControl.id }"
-    >
-      Are you sure you want to delete this Similar Control?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-similarControl" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.spec.ts
deleted file mode 100755
index 16186164a3b034b2e79f0142dd9da7a6375a0136..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { SimilarControlService } from '../service/similar-control.service';
-
-import { SimilarControlDeleteDialogComponent } from './similar-control-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('SimilarControl Management Delete Component', () => {
-    let comp: SimilarControlDeleteDialogComponent;
-    let fixture: ComponentFixture<SimilarControlDeleteDialogComponent>;
-    let service: SimilarControlService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [SimilarControlDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(SimilarControlDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(SimilarControlDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(SimilarControlService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.ts
deleted file mode 100755
index 4292882322a660aa46e1a04e54c2c0c9ded4690f..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/delete/similar-control-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ISimilarControl } from '../similar-control.model';
-import { SimilarControlService } from '../service/similar-control.service';
-
-@Component({
-  templateUrl: './similar-control-delete-dialog.component.html',
-})
-export class SimilarControlDeleteDialogComponent {
-  similarControl?: ISimilarControl;
-
-  constructor(protected similarControlService: SimilarControlService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.similarControlService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/detail/similar-control-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/detail/similar-control-detail.component.html
index 9df5d7595d175bc871fc959c997c7336e0a1cb2a..6bce33dfa4816d281a78c26a6c73a1dcf9c033b5 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/detail/similar-control-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/detail/similar-control-detail.component.html
@@ -12,55 +12,42 @@
       <jhi-alert></jhi-alert>
 
       <dl class="row-md jh-entity-details">
-        <!-- <dt><span jhiTranslate="global.field.id">ID</span></dt>
-        <dd>
-          <span>{{ similarControl.id }}</span>
-        </dd> -->
         <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.code"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.code' | translate"
-            >Code</span
-          >
+          <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.eucsControlId" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.eucsControlId' | translate">EUCS Control ID</span>
         </dt>
         <dd>
-          <span>{{ similarControl.code }}</span>
+          <span>{{ similarControl.securityControl?.name }}</span>
         </dd>
         <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.name"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.name' | translate"
-            >Name</span
-          >
+          <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.eucsControlName" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.eucsControlName' | translate">EUCS Control Name</span>
         </dt>
         <dd>
-          <span>{{ similarControl.name }}</span>
+          <span>{{ similarControl.securityControl?.objective }}</span>
         </dd>
         <dt>
-          <span
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.securityControlFrameworkName' | translate"
-            >Security Control Framework Name</span
-          >
+          <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName' | translate">Security Framework</span>
         </dt>
         <dd>
           <span>{{ similarControl.securityControlFrameworkName }}</span>
         </dd>
-        <dt><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControl">Security Control</span></dt>
+        <dt>
+          <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlId" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.similarControlId' | translate">Similar Control ID</span>
+        </dt>
+        <dd>
+          <span>{{ similarControl.code }}</span>
+        </dd>
+        <dt>
+          <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlName" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.similarControlName' | translate">Similar Control Name</span>
+        </dt>
         <dd>
-          <div *ngIf="similarControl.securityControl">
-            <a [routerLink]="['/security-control', similarControl.securityControl?.id, 'view']">{{
-              similarControl.securityControl?.name
-            }}</a>
-          </div>
+          <span>{{ similarControl.name }}</span>
         </dd>
       </dl>
-
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/similar-control', similarControl.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/similar-control', similarControl.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
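Review bot: Each `[ngbTooltip]` in the new `<dt>` entries is bound to the same translation key as its label, for example `'cocGatewayApp.cocBackendSimilarControl.eucsControlId' | translate`. The removed lines used separate `...help.code` and `...help.name` keys, so the tooltip now just repeats the label text. Either point the tooltips at `help.*` keys again or drop the `[ngbTooltip]` bindings. The "EUCS Control Name" entry renders `similarControl.securityControl?.objective`; if that mapping is intended, a short template comment saying so would save the next reader a lookup.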
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.html
index 8828a1182fe911b901ba5931043a8c137c7cb7b9..cbc8029b09d91f7c85686da86d4dbe7c9947a481 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.html
@@ -7,18 +7,10 @@
     <div class="d-flex justify-content-end">
       <div class="btn-toolbar" role="toolbar" aria-label="Toolbar with button groups">
         <button type="button" class="btn btn-outline-primary mr-2" (click)="collapse.toggle()" [attr.aria-expanded]="!isCollapsed"
+          style="background-color: #0099a0!important; border-color: #0099a0!important; color: #fff;"
           aria-controls="metricsFilter">
           Show/Hide filter
         </button>
-
-        <button
-          id="jh-create-entity"
-          data-cy="entityCreateButton"
-          class="btn btn-primary jh-create-entity create-similar-control"
-          [routerLink]="['/similar-control/new']">
-            <fa-icon icon="plus"></fa-icon>
-            <span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.home.createLabel"> Create a new Similar Control </span>
-        </button>
       </div>
     </div>
   </h2>
@@ -43,6 +35,11 @@
   	<span *ngIf="categoryText != null" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.home.category">Category:</span>
   	<span *ngIf="categoryText != null">{{categoryText}}</span>
   </a>
+  <span *ngIf="controlText != null">&nbsp;&nbsp;&raquo;&nbsp;&nbsp;</span>
+  <a *ngIf="controlText != null" (click)="goToControlState()" style="color: #0099a0; font-weight: 600;">
+  	<span *ngIf="controlText != null" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.home.control">Control:</span>
+  	<span *ngIf="controlText != null">{{controlText}}</span>
+  </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <span jhiTranslate="global.menu.entities.cocBackendSimilarControl">Similar Controls</span>
   </strong></small>
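Review bot: The added breadcrumb `<a>` has a `(click)` handler but no `href` or `routerLink`, so it is not reachable by keyboard and is not exposed as a link to assistive technology. The same pattern recurs on the `goToControlState()` anchor in the table hunk below. A `<button type="button" class="btn btn-link p-0">` or a `routerLink` would fix that. The inner `*ngIf="controlText != null"` on both `<span>` elements repeats the condition already on the enclosing `<a>` and can be removed.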
@@ -52,28 +49,16 @@
   <div #collapse="ngbCollapse" [(ngbCollapse)]="isCollapsed">
     <form [formGroup]="searchForm" (ngSubmit)="search()">
       <div class="row">
-        <div class="form-group col-md-2">
-          <label class="form-control-label" for="field_code">Code</label>
-          <input type="text" class="form-control" id="field_code" formControlName="code"/>
-        </div>
         <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_name">Name</label>
-          <input type="text" class="form-control" id="field_name" formControlName="name"/>
+          <label class="form-control-label" for="field_securityControlName">EUCS Control ID</label>
+          <input type="text" class="form-control" id="field_securityControlName" formControlName="securityControlName"/>
         </div>
-      </div>
-      <div class="row">
-        <div class="form-group col-md-2">
-          <label class="form-control-label" for="field_securityControl">Security Control</label>
-          <select class="form-control" formControlName="securityControlId" id="field_securityControl" data-cy="securityControlId">
-            <option value="0"></option>
-            <option [value]="controlOption.id" 
-              *ngFor="let controlOption of securityControlsSharedCollection;trackBy: trackSecurityControlById">
-            {{ controlOption.name }}
-            </option>
-          </select>
+        <div class="form-group col-md-4">
+          <label class="form-control-label" for="field_securityControlObjective">EUCS Control Name</label>
+          <input type="text" class="form-control" id="field_securityControlObjective" formControlName="securityControlObjective"/>
         </div>
         <div class="form-group col-md-4">
-          <label class="form-control-label" for="field_securityControlFrameworkName">Security Control Framework Name</label>
+          <label class="form-control-label" for="field_securityControlFrameworkName">Framework</label>
           <input type="text" class="form-control" id="field_securityControlFrameworkName" formControlName="securityControlFrameworkName"/>
         </div>
       </div>
@@ -102,29 +87,40 @@
     <table class="table table-striped" aria-describedby="page-heading">
       <thead>
         <tr>
-          <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
-          <th scope="col" style="width: 30%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControl">Framework Security Control</span></th>
-          <th scope="col" style="width: 15%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControl">Similar Control</span></th>
-          <th scope="col" style="width: 20%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.controlName">Control Name</span></th>
-          <th scope="col" style="width: 20%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName">Security Framework</span></th>
+          <th scope="col" style="width: 12%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.eucsControlId">EUCS Control ID</span></th>
+          <th scope="col" style="width: 25%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.eucsControlName">EUCS Control Name</span></th>
+          <th scope="col" style="width: 18%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName">Security Framework</span></th>
+          <th scope="col" style="width: 12%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlId">Similar Control ID</span></th>
+          <th scope="col" style="width: 18%;"><span jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlName">Similar Control Name</span></th>
+          <th scope="col" style="width: 15%;"></th>
           <th scope="col" style="width: 15%;"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let similarControl of similarControls; trackBy: trackId" data-cy="entityTable">
-          <!-- <td>
-            <a [routerLink]="['/similar-control', similarControl.id, 'view']">{{ similarControl.id }}</a>
-          </td> -->
-          <td>({{ similarControl.securityControlFrameworkName }}) {{ similarControl.securityControl?.name }}</td>
-          <td>{{ similarControl.code }}</td>
-          <td>{{ similarControl.name }}</td>
-          <td>{{ similarControl.securityControlFrameworkName }}</td>
-          <td class="text-right">
+          <td style="vertical-align: middle;">{{ similarControl.securityControl?.name }}</td>
+          <td style="vertical-align: middle; border-right: 1px dotted #999;">{{ similarControl.securityControl?.objective }}</td>
+          <td style="vertical-align: middle;">{{ similarControl.securityControlFrameworkName }}</td>
+          <td style="vertical-align: middle;">{{ similarControl.code }}</td>
+          <td style="vertical-align: middle; border-right: 1px dotted #999;">{{ similarControl.name }}</td>
+          <td style="vertical-align: middle;">
+          	<a *ngIf="controlText == null" [routerLink]="['/security-control-category']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
+			  <span *ngIf="controlText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Security Categories</span>
+			  <fa-icon icon="arrow-up"></fa-icon>
+			</a>
+			<a *ngIf="controlText != null" (click)="goToControlState()" style="color: #0099a0; font-weight: 600;">
+			  <span *ngIf="controlText != null" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.home.control">Control:</span>
+			  <span *ngIf="controlText != null">{{controlText}}</span>
+			  <fa-icon icon="arrow-up"></fa-icon>
+			</a>
+          </td>
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
               <button
                 type="submit"
                 [routerLink]="['/similar-control', similarControl.id, 'view']"
                 class="btn btn-info btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important;"
                 data-cy="entityDetailsButton"
               >
                 <fa-icon icon="eye"></fa-icon>
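Review bot: The seven `<th>` widths in the new header row add up to 115% (12 + 25 + 18 + 12 + 18 + 15 + 15), so the browser rescales them and the columns do not get the proportions written here. Reducing the two trailing columns, for example to `width: 7%;` and `width: 8%;`, brings the total back to 100%. The new sixth column also renders the same navigation link in every row; a single link above the table would carry the same information. The table body continues outside this hunk.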
@@ -135,16 +131,13 @@
                 type="submit"
                 [routerLink]="['/similar-control', similarControl.id, 'edit']"
                 class="btn btn-primary btn-sm"
+                style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;"
                 data-cy="entityEditButton"
+                *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
               >
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-              <button type="submit" (click)="delete(similarControl)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
             </div>
           </td>
         </tr>
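Review bot: `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` on the Edit button, here and on the Edit button of the detail template, only hides the control. The `/similar-control/:id/edit` route and the backend update endpoint have to enforce the same roles themselves, and neither is visible in this hunk. The role names are string literals here, while the security-metric routing module in this commit uses `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE`. Exposing those constants to the template would keep the two in step if a role is renamed. The enclosing table row starts outside the hunk.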
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.ts
index f282be67fc5db21308d1cd932d7ff55bc8928f4a..2ec6846a7e889f122ee39ff957e29e6f7f756dc3 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/list/similar-control.component.ts
@@ -1,10 +1,10 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
 import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
+import { ActivatedRoute } from '@angular/router';
 
 import { ISimilarControl } from '../similar-control.model';
 import { SimilarControlService } from '../service/similar-control.service';
-import { SimilarControlDeleteDialogComponent } from '../delete/similar-control-delete-dialog.component';
 import { ISecurityControl } from '../../security-control/security-control.model';
 import { FormBuilder } from '@angular/forms';
 import { SecurityControlService } from '../../security-control/service/security-control.service';
@@ -22,12 +22,16 @@ export class SimilarControlComponent implements OnInit {
   
   frameworkText = null;
   categoryText = null;
+  controlText = null;
+  parentSecurityControl = null;
   
   searchForm = this.formBuilder.group({
     code:'',
     name:'',
     securityControlFrameworkName:'',
-    securityControlId:'0'
+    securityControlId:'0',
+    securityControlName:'',
+    securityControlObjective:''
   });
 
 
@@ -35,7 +39,8 @@ export class SimilarControlComponent implements OnInit {
     protected similarControlService: SimilarControlService,
     protected securityControlService: SecurityControlService,
     protected modalService: NgbModal,
-    protected formBuilder: FormBuilder) {}
+    protected formBuilder: FormBuilder,
+    private route: ActivatedRoute) {}
 
   ngOnInit(): void {
     this.loadSecurityControls();
@@ -49,17 +54,45 @@ export class SimilarControlComponent implements OnInit {
       code:'',
       name:'',
       securityControlFrameworkName:'',
-      securityControlId:'0'
+      securityControlId:'0',
+      securityControlName:'',
+      securityControlObjective:''
     });
-    this.similarControlService.query().subscribe(
-      (res: HttpResponse<ISimilarControl[]>) => {
-        this.isLoading = false;
-        this.similarControls = res.body ?? [];
-      },
-      () => {
-        this.isLoading = false;
-      }
-    );
+    
+    this.frameworkText = this.route.snapshot.queryParams['paramFrameworkText'];
+	this.categoryText = this.route.snapshot.queryParams['paramCategoryText'];
+	this.controlText = this.route.snapshot.queryParams['paramControlText'];
+    this.parentSecurityControl = this.route.snapshot.queryParams['paramControlId'];
+
+    if (this.parentSecurityControl == null || typeof this.parentSecurityControl == 'undefined') {
+		this.similarControlService.query().subscribe(
+	      (res: HttpResponse<ISimilarControl[]>) => {
+	        this.isLoading = false;
+	        this.similarControls = res.body ?? [];
+	      },
+	      () => {
+	        this.isLoading = false;
+	      }
+	    );
+	} else {
+		this.similarControlService.query().subscribe(
+	      (res: HttpResponse<ISimilarControl[]>) => {
+	        this.isLoading = false;
+	        this.similarControls = new Array();
+	        let temp = res.body ?? [];
+	        if (temp != null &&  temp.length > 0) {
+				for (let i = 0;i < temp.length;i++) {
+					if (temp[i]!.securityControl!.id == this.parentSecurityControl) {
+						this.similarControls.push(temp[i]);
+					}
+				}
+			}
+	      },
+	      () => {
+	        this.isLoading = false;
+	      }
+	    );
+	}    
   }
 
   search(): void {
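Review bot: The `else` branch downloads every similar control and filters in the browser, comparing `securityControl!.id` with the raw `paramControlId` query string using `==`, and the two non-null assertions will throw at runtime on any record whose `securityControl` is missing. The value comes from the URL, so it should be parsed and validated before use, and the filtering is better left to the server through the `securityControlId.equals` criterion that `search()` already builds, which also removes the duplicated subscribe block. This assumes `query()` accepts a criteria object, which its `params: options` call suggests but this hunk does not show. `loadAll()` starts above the hunk.

```typescript
// … unchanged: searchForm reset and the four query-param reads …
const rawId = this.parentSecurityControl;
const parentId = rawId == null ? null : Number(rawId);
if (parentId !== null && !Number.isInteger(parentId)) {
  // malformed paramControlId: show nothing rather than the full list
  this.isLoading = false;
  this.similarControls = [];
  return;
}
const criteria = parentId === null ? undefined : { 'securityControlId.equals': parentId };
this.similarControlService.query(criteria).subscribe(
  (res: HttpResponse<ISimilarControl[]>) => {
    this.isLoading = false;
    this.similarControls = res.body ?? [];
  },
  () => {
    this.isLoading = false;
  }
);
```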
@@ -76,13 +109,36 @@ export class SimilarControlComponent implements OnInit {
       hasFilter=true;
     }
     if (this.searchForm.value.securityControlFrameworkName!==''){
-      dynamicFilter['securityControlFrameworkName.contains'] = this.searchForm.value.securityControlFrameworkName; 
+      let text = this.searchForm.value.securityControlFrameworkName.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['securityControlFrameworkName.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['securityControlFrameworkName.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.securityControlId!=='0'){
       dynamicFilter['securityControlId.equals'] = this.searchForm.value.securityControlId; 
       hasFilter=true;
     }
+    if (this.searchForm.value.securityControlName!==''){
+      let text = this.searchForm.value.securityControlName.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['securityControlName.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['securityControlName.contains'] = text;
+      }
+      hasFilter=true;
+    }
+    if (this.searchForm.value.securityControlObjective!==''){
+      let text = this.searchForm.value.securityControlObjective.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['securityControlObjective.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['securityControlObjective.contains'] = text;
+      }
+      hasFilter=true;
+    }
     if (!hasFilter){
       this.loadAll();
     }else{
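Review bot: The quote-detection block is pasted three times (framework name, control name, objective), and each copy tests the field with `!== ''` before trimming, so whitespace-only input still sends an empty `contains` filter and a lone `"` is read as a quoted empty string and sends `equals` with an empty value. A private helper that trims first, requires at least two characters for the quoted form and reports whether it added a filter fixes both cases in one place. `search()` begins above this hunk and continues below it, and the declared type of `dynamicFilter` is not visible, so the parameter type in the sketch is an assumption.

```typescript
// helper added to SimilarControlComponent
private addTextFilter(filter: { [key: string]: any }, field: string, raw: string): boolean {
  const text = (raw ?? '').trim();
  if (text === '') {
    return false;
  }
  const first = text[0];
  const quoted = text.length >= 2 && (first === '"' || first === "'") && text[text.length - 1] === first;
  filter[quoted ? `${field}.equals` : `${field}.contains`] = quoted ? text.slice(1, -1) : text;
  return true;
}

// … in search(), replacing each of the three pasted blocks …
if (this.addTextFilter(dynamicFilter, 'securityControlName', this.searchForm.value.securityControlName)) {
  hasFilter = true;
}
// … same call for securityControlFrameworkName and securityControlObjective …
```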
@@ -109,17 +165,6 @@ export class SimilarControlComponent implements OnInit {
     return item.id!;
   }
 
-  delete(similarControl: ISimilarControl): void {
-    const modalRef = this.modalService.open(SimilarControlDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.similarControl = similarControl;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
-
   loadSecurityControls(): void {
     this.securityControlService
       .query()
@@ -142,10 +187,14 @@ export class SimilarControlComponent implements OnInit {
   }
   
   goToFrameworkState(): void {
-    window.history.go(-2);
+    window.history.go(-3);
   }
   
   goToCategoryState(): void {
+    window.history.go(-2);
+  }
+  
+   goToControlState(): void {
     window.history.back();
   }
 }
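Review bot: `goToFrameworkState()`, `goToCategoryState()` and `goToControlState()` now rely on fixed history depths (`-3`, `-2`, back), which is only correct when the user arrived through the exact framework, category, control click path. The same commit makes this list addressable through query parameters, so a bookmarked or shared link, or a search performed in between, leaves these buttons pointing at unrelated history entries or outside the application. Navigating with the Angular `Router` to the intended route, carrying the values already read from `queryParams`, would make the breadcrumb deterministic; the target routes are not visible in this hunk. The new method is also indented one column deeper than its siblings (`   goToControlState(): void {`).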
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/route/similar-control-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/route/similar-control-routing.module.ts
index 0f9f10c424a8e9c4d487d13f2c006235ff71ceb8..1d16de227fe1f59259f289a89e0e4d342a515961 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/route/similar-control-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/route/similar-control-routing.module.ts
@@ -7,23 +7,19 @@ import { SimilarControlDetailComponent } from '../detail/similar-control-detail.
 import { SimilarControlUpdateComponent } from '../update/similar-control-update.component';
 import { SimilarControlRoutingResolveService } from './similar-control-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const similarControlRoute: Routes = [
   {
     path: '',
     component: SimilarControlComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: SimilarControlDetailComponent,
-    resolve: {
-      similarControl: SimilarControlRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: SimilarControlUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       similarControl: SimilarControlRoutingResolveService,
     },
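Review bot: The nine-entry `authorities` array is written out twice in this hunk (the list route and `:id/view`), so adding or retiring a role means editing every copy, and a missed one silently leaves a single route with a different access list. Declaring it once above `similarControlRoute`, for example `const READ_AUTHORITIES = [Authority.ADMIN, Authority.USER, /* … */ Authority.AUDITOR];` and using `data: { authorities: READ_AUTHORITIES }`, keeps the routes in step. The templates in this commit gate buttons with the literals `'ROLE_ADMIN'` and `'SecurityGovernance'`, so it is worth confirming they match the values behind `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE`, which are defined outside this section. The `:id/view` route object continues past the end of the hunk.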
@@ -32,6 +28,7 @@ const similarControlRoute: Routes = [
   {
     path: ':id/edit',
     component: SimilarControlUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       similarControl: SimilarControlRoutingResolveService,
     },
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/service/similar-control.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/service/similar-control.service.ts
index 9dcbb6b97840985121bbfa12ae8c017c6e081ab8..7ca9493fc7a3ae67e32b01d83a005581611f6a46 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/service/similar-control.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/service/similar-control.service.ts
@@ -16,10 +16,6 @@ export class SimilarControlService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(similarControl: ISimilarControl): Observable<EntityResponseType> {
-    return this.http.post<ISimilarControl>(this.resourceUrl, similarControl, { observe: 'response' });
-  }
-
   update(similarControl: ISimilarControl): Observable<EntityResponseType> {
     return this.http.put<ISimilarControl>(`${this.resourceUrl}/${getSimilarControlIdentifier(similarControl) as number}`, similarControl, {
       observe: 'response',
@@ -43,10 +39,6 @@ export class SimilarControlService {
     return this.http.get<ISimilarControl[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   addSimilarControlToCollectionIfMissing(
     similarControlCollection: ISimilarControl[],
     ...similarControlsToCheck: (ISimilarControl | null | undefined)[]
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/similar-control.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/similar-control.module.ts
index 87c42ad7da7fb0e1f6f85869258025f19245caac..9313937d8f6b3c2350b7efdd5fd86de4b241f707 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/similar-control.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/similar-control.module.ts
@@ -3,7 +3,6 @@ import { SharedModule } from 'app/shared/shared.module';
 import { SimilarControlComponent } from './list/similar-control.component';
 import { SimilarControlDetailComponent } from './detail/similar-control-detail.component';
 import { SimilarControlUpdateComponent } from './update/similar-control-update.component';
-import { SimilarControlDeleteDialogComponent } from './delete/similar-control-delete-dialog.component';
 import { SimilarControlRoutingModule } from './route/similar-control-routing.module';
 
 @NgModule({
@@ -12,8 +11,6 @@ import { SimilarControlRoutingModule } from './route/similar-control-routing.mod
     SimilarControlComponent,
     SimilarControlDetailComponent,
     SimilarControlUpdateComponent,
-    SimilarControlDeleteDialogComponent,
   ],
-  entryComponents: [SimilarControlDeleteDialogComponent],
 })
 export class CocBackendSimilarControlModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.html
index 216596effd4f4477c5ba004353d08bc0356b5267..e876450c081a40f79ac8107c09ebe91cf724acbb 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.html
@@ -6,7 +6,7 @@
         data-cy="SimilarControlCreateUpdateHeading"
         jhiTranslate="cocGatewayApp.cocBackendSimilarControl.home.createOrEditLabel"
       >
-        Create or edit a Similar Control
+        Edit a Similar Control
       </h2>
 
       <div>
@@ -16,116 +16,57 @@
           <label class="form-control-label" jhiTranslate="global.field.id" for="field_id">ID</label>
           <input type="number" class="form-control" name="id" id="field_id" data-cy="id" formControlName="id" [readonly]="true" />
         </div>
-
+        
         <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.code"
-            for="field_code"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.code' | translate"
-            >Code</label
-          >
-          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" />
-          <div *ngIf="editForm.get('code')!.invalid && (editForm.get('code')!.dirty || editForm.get('code')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('code')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.eucsControl" for="field_securityControl" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.eucsControl' | translate">EUCS Control</label>
+          
+          <select class="form-control" id="field_securityControl" data-cy="securityControl" name="securityControl" formControlName="securityControl">
+            <option *ngIf="!editForm.get('securityControl')!.value" [ngValue]="null" selected></option>
+            <option
+              [ngValue]="securityControlOption.id === editForm.get('securityControl')!.value?.id ? editForm.get('securityControl')!.value : securityControlOption"
+              *ngFor="let securityControlOption of securityControlsSharedCollection; trackBy: trackSecurityControlById"
+            >
+              {{ securityControlOption.code }}:&nbsp;&nbsp;{{ securityControlOption.objective }}
+            </option>
+          </select>
+          
+          
+          <!--
+          <div *ngIf="editForm.get('securityControl.code')!.invalid && (editForm.get('securityControl.code')!.dirty || editForm.get('securityControl.code')!.touched)">
+            <small class="form-text text-danger" *ngIf="editForm.get('securityControl.code')?.errors?.required" jhiTranslate="entity.validation.required">This field is required.</small>
           </div>
+          -->
         </div>
 
         <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.name"
-            for="field_name"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.name' | translate"
-            >Name</label
-          >
-          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
-          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName" for="field_securityControlFrameworkName" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName' | translate">Security Framework</label>
+          <input type="text" class="form-control" name="securityControlFrameworkName" id="field_securityControlFrameworkName" data-cy="securityControlFrameworkName" formControlName="securityControlFrameworkName" />
+          <div *ngIf="editForm.get('securityControlFrameworkName')!.invalid && (editForm.get('securityControlFrameworkName')!.dirty || editForm.get('securityControlFrameworkName')!.touched)">
+            <small class="form-text text-danger" *ngIf="editForm.get('securityControlFrameworkName')?.errors?.required" jhiTranslate="entity.validation.required">This field is required.</small>
           </div>
         </div>
-
+        
         <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControlFrameworkName"
-            for="field_securityControlFrameworkName"
-            [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.help.securityControlFrameworkName' | translate"
-            >Security Control Framework Name</label
-          >
-          <input
-            type="text"
-            class="form-control"
-            name="securityControlFrameworkName"
-            id="field_securityControlFrameworkName"
-            data-cy="securityControlFrameworkName"
-            formControlName="securityControlFrameworkName"
-          />
-          <div
-            *ngIf="
-              editForm.get('securityControlFrameworkName')!.invalid &&
-              (editForm.get('securityControlFrameworkName')!.dirty || editForm.get('securityControlFrameworkName')!.touched)
-            "
-          >
-            <small
-              class="form-text text-danger"
-              *ngIf="editForm.get('securityControlFrameworkName')?.errors?.required"
-              jhiTranslate="entity.validation.required"
-            >
-              This field is required.
-            </small>
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlId" for="field_code" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.similarControlId' | translate">Similar Control ID</label>
+          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" />
+          <div *ngIf="editForm.get('code')!.invalid && (editForm.get('code')!.dirty || editForm.get('code')!.touched)">
+            <small class="form-text text-danger" *ngIf="editForm.get('code')?.errors?.required" jhiTranslate="entity.validation.required">This field is required.</small>
           </div>
         </div>
-
+        
         <div class="form-group">
-          <label
-            class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendSimilarControl.securityControl"
-            for="field_securityControl"
-            >Security Control</label
-          >
-          <select
-            class="form-control"
-            id="field_securityControl"
-            data-cy="securityControl"
-            name="securityControl"
-            formControlName="securityControl"
-          >
-            <option *ngIf="!editForm.get('securityControl')!.value" [ngValue]="null" selected></option>
-            <option
-              [ngValue]="
-                securityControlOption.id === editForm.get('securityControl')!.value?.id
-                  ? editForm.get('securityControl')!.value
-                  : securityControlOption
-              "
-              *ngFor="let securityControlOption of securityControlsSharedCollection; trackBy: trackSecurityControlById"
-            >
-              {{ securityControlOption.name }}
-            </option>
-          </select>
-        </div>
-        <div
-          *ngIf="
-            editForm.get(['securityControl'])!.invalid &&
-            (editForm.get(['securityControl'])!.dirty || editForm.get(['securityControl'])!.touched)
-          "
-        >
-          <small
-            class="form-text text-danger"
-            *ngIf="editForm.get(['securityControl'])?.errors?.required"
-            jhiTranslate="entity.validation.required"
-          >
-            This field is required.
-          </small>
+          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendSimilarControl.similarControlName" for="field_name" [ngbTooltip]="'cocGatewayApp.cocBackendSimilarControl.similarControlName' | translate">Similar Control Name</label>
+          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
+          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
+            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">This field is required.</small>
+          </div>
         </div>
+        
+        
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
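Review bot: The required-error block for the `securityControl` select is left commented out, and the commented copy reads `editForm.get('securityControl.code')`, a path that does not exist on the flat form group declared in the component, so un-commenting it as written would fail on the `!` assertion. The control still carries `Validators.required`, which means an empty selection disables Save without telling the user why. Replace the comment with a guard on the control itself, `<div *ngIf="editForm.get('securityControl')!.invalid && (editForm.get('securityControl')!.dirty || editForm.get('securityControl')!.touched)">`, wrapping the existing `<small>` with `*ngIf="editForm.get('securityControl')?.errors?.required"`.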
@@ -135,6 +76,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.ts
index dbb05a37283da021520488ddac6dd9b82330b7cc..3d8424023be646fc32b45e4f002db1c7b78dfaff 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/similar-control/update/similar-control-update.component.ts
@@ -24,7 +24,7 @@ export class SimilarControlUpdateComponent implements OnInit {
     code: [null, [Validators.required]],
     name: [null, [Validators.required]],
     securityControlFrameworkName: [null, [Validators.required]],
-    securityControl: [null, Validators.required],
+    securityControl: [null, [Validators.required]],
   });
 
   constructor(
@@ -51,8 +51,6 @@ export class SimilarControlUpdateComponent implements OnInit {
     const similarControl = this.createFromForm();
     if (similarControl.id !== undefined) {
       this.subscribeToSaveResponse(this.similarControlService.update(similarControl));
-    } else {
-      this.subscribeToSaveResponse(this.similarControlService.create(similarControl));
     }
   }
 
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/target-value/list/target-value.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/target-value/list/target-value.component.html
index a93e0accfa6e51ec8d5981969ae2b756a72c7bd8..9755bf5a23831fd4bfe1845e16115c58ee0028d0 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/target-value/list/target-value.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/target-value/list/target-value.component.html
@@ -37,7 +37,7 @@
           <th scope="col"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let targetValue of targetValues; trackBy: trackId" data-cy="entityTable">
           <td>
             <a [routerLink]="['/target-value', targetValue.id, 'view']">{{ targetValue.id }}</a>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.html
deleted file mode 100755
index b76b897fbb3e70698e5f33e37c01bb089780c046..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.html
+++ /dev/null
@@ -1,25 +0,0 @@
-<form *ngIf="tom" name="deleteForm" (ngSubmit)="confirmDelete(tom.id!)">
-  <div class="modal-header">
-    <h4 class="modal-title" data-cy="tomDeleteDialogHeading" jhiTranslate="entity.delete.title">Confirm delete operation</h4>
-
-    <button type="button" class="close" data-dismiss="modal" aria-hidden="true" (click)="cancel()">&times;</button>
-  </div>
-
-  <div class="modal-body">
-    <jhi-alert-error></jhi-alert-error>
-
-    <p id="jhi-delete-tom-heading" jhiTranslate="cocGatewayApp.cocBackendTom.delete.question" [translateValues]="{ id: tom.id }">
-      Are you sure you want to delete this Requirement?
-    </p>
-  </div>
-
-  <div class="modal-footer">
-    <button type="button" class="btn btn-secondary" data-dismiss="modal" (click)="cancel()">
-      <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
-    </button>
-
-    <button id="jhi-confirm-delete-tom" data-cy="entityConfirmDeleteButton" type="submit" class="btn btn-danger">
-      <fa-icon icon="times"></fa-icon>&nbsp;<span jhiTranslate="entity.action.delete">Delete</span>
-    </button>
-  </div>
-</form>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.spec.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.spec.ts
deleted file mode 100755
index 3d1e3f2cc38db37103cfef79b872c254b18a4d08..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.spec.ts
+++ /dev/null
@@ -1,65 +0,0 @@
-jest.mock('@ng-bootstrap/ng-bootstrap');
-
-import { ComponentFixture, TestBed, inject, fakeAsync, tick } from '@angular/core/testing';
-import { HttpResponse } from '@angular/common/http';
-import { HttpClientTestingModule } from '@angular/common/http/testing';
-import { of } from 'rxjs';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { TomService } from '../service/tom.service';
-
-import { TomDeleteDialogComponent } from './tom-delete-dialog.component';
-
-describe('Component Tests', () => {
-  describe('Tom Management Delete Component', () => {
-    let comp: TomDeleteDialogComponent;
-    let fixture: ComponentFixture<TomDeleteDialogComponent>;
-    let service: TomService;
-    let mockActiveModal: NgbActiveModal;
-
-    beforeEach(() => {
-      TestBed.configureTestingModule({
-        imports: [HttpClientTestingModule],
-        declarations: [TomDeleteDialogComponent],
-        providers: [NgbActiveModal],
-      })
-        .overrideTemplate(TomDeleteDialogComponent, '')
-        .compileComponents();
-      fixture = TestBed.createComponent(TomDeleteDialogComponent);
-      comp = fixture.componentInstance;
-      service = TestBed.inject(TomService);
-      mockActiveModal = TestBed.inject(NgbActiveModal);
-    });
-
-    describe('confirmDelete', () => {
-      it('Should call delete service on confirmDelete', inject(
-        [],
-        fakeAsync(() => {
-          // GIVEN
-          jest.spyOn(service, 'delete').mockReturnValue(of(new HttpResponse({})));
-
-          // WHEN
-          comp.confirmDelete(123);
-          tick();
-
-          // THEN
-          expect(service.delete).toHaveBeenCalledWith(123);
-          expect(mockActiveModal.close).toHaveBeenCalledWith('deleted');
-        })
-      ));
-
-      it('Should not call delete service on clear', () => {
-        // GIVEN
-        jest.spyOn(service, 'delete');
-
-        // WHEN
-        comp.cancel();
-
-        // THEN
-        expect(service.delete).not.toHaveBeenCalled();
-        expect(mockActiveModal.close).not.toHaveBeenCalled();
-        expect(mockActiveModal.dismiss).toHaveBeenCalled();
-      });
-    });
-  });
-});
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.ts
deleted file mode 100755
index 6cd1ef2734c2a1fa4d4e3e50fc4f53cd2aa9acc7..0000000000000000000000000000000000000000
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/delete/tom-delete-dialog.component.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Component } from '@angular/core';
-import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap';
-
-import { ITom } from '../tom.model';
-import { TomService } from '../service/tom.service';
-
-@Component({
-  templateUrl: './tom-delete-dialog.component.html',
-})
-export class TomDeleteDialogComponent {
-  tom?: ITom;
-
-  constructor(protected tomService: TomService, protected activeModal: NgbActiveModal) {}
-
-  cancel(): void {
-    this.activeModal.dismiss();
-  }
-
-  confirmDelete(id: number): void {
-    this.tomService.delete(id).subscribe(() => {
-      this.activeModal.close('deleted');
-    });
-  }
-}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/detail/tom-detail.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/detail/tom-detail.component.html
index 5bc2862cdd7e086eb448eb48653c0cdfedeeff97..3ac03ecd00c05cf3b5a1fff1cba3015315e1165e 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/detail/tom-detail.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/detail/tom-detail.component.html
@@ -22,14 +22,6 @@
         <dd>
           <span>{{ tom.code }}</span>
         </dd>
-        <dt>
-          <span jhiTranslate="cocGatewayApp.cocBackendTom.name" [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.name' | translate"
-            >Name</span
-          >
-        </dt>
-        <dd>
-          <span>{{ tom.name }}</span>
-        </dd>
         <dt>
           <span
             jhiTranslate="cocGatewayApp.cocBackendTom.description"
@@ -51,17 +43,22 @@
           <span jhiTranslate="{{ 'cocGatewayApp.AssuranceLevel.' + tom.assuranceLevel }}">{{ tom.assuranceLevel }}</span>
         </dd>
         <dt>
-          <span jhiTranslate="cocGatewayApp.cocBackendTom.type" [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.type' | translate"
-            >Type</span
+         <span
+            jhiTranslate="cocGatewayApp.cocBackendTom.implementationGuideline"
+            [ngbTooltip]="'cocGatewayApp.cocBackendTom.implementationGuideline' | translate"
+            >Implementation guideline</span
           >
         </dt>
         <dd>
-          <span jhiTranslate="{{ 'cocGatewayApp.Type.' + tom.type }}">{{ tom.type }}</span>
+          <a *ngIf="tom.guidance != null" [routerLink]="['/reference-tom', tom.guidance, 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">
+            <span jhiTranslate="global.compliance.yes">YES</span>
+          </a>
+           <span *ngIf="tom.guidance == null" jhiTranslate="global.compliance.no">NO</span>
         </dd>
         <dt><span jhiTranslate="cocGatewayApp.cocBackendTom.securityControl">Security Control</span></dt>
         <dd>
           <div *ngIf="tom.securityControl">
-            <a [routerLink]="['/security-control', tom.securityControl?.id, 'view']">{{ tom.securityControl?.name }}</a>
+            <a [routerLink]="['/security-control', tom.securityControl?.id, 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">{{ tom.securityControl?.name }}</a>
           </div>
         </dd>
         
@@ -74,11 +71,11 @@
         
       </dl>
 
-      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton">
+      <button type="submit" (click)="previousState()" class="btn btn-info" data-cy="entityDetailsBackButton" style="background-color: #c70e33!important; border-color: #c70e33!important;">
         <fa-icon icon="arrow-left"></fa-icon>&nbsp;<span jhiTranslate="entity.action.back">Back</span>
       </button>
 
-      <button type="button" [routerLink]="['/tom', tom.id, 'edit']" class="btn btn-primary">
+      <button type="button" [routerLink]="['/tom', tom.id, 'edit']" class="btn btn-primary" style="background-color: #0099a0!important; border-color: #0099a0!important;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
         <fa-icon icon="pencil-alt"></fa-icon>&nbsp;<span jhiTranslate="entity.action.edit">Edit</span>
       </button>
     </div>
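Review bot: The `*jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"` added to the Edit button only hides the control; it is not an access check. The same string pair is repeated on the list row's Edit button and on the update form's Save button later in this diff. The `:id/edit` route guard uses `Authority.ADMIN` and `Authority.SECURITY_GOVERNANCE`, and whether those constants resolve to exactly these strings is not visible here, so a mismatch would show a button whose route is refused, or the reverse. I would expose the pair once from the component, e.g. `readonly editAuthorities = [Authority.ADMIN, Authority.SECURITY_GOVERNANCE];`, and bind `*jhiHasAnyAuthority="editAuthorities"`. The backend update endpoint for this entity should enforce the same roles, since neither the directive nor the route guard stops a direct API call.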
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.html
index d42e5d4b5767e566476992489e8db93a9018442d..bb9c8dfd2d61893b9c947b21dfcc107ebbaf7bbd 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.html
@@ -7,20 +7,10 @@
     <div class="d-flex justify-content-end">
       <div class="btn-toolbar" role="toolbar" aria-label="Toolbar with button groups">
         <button type="button" class="btn btn-outline-primary mr-2" (click)="collapse.toggle()" [attr.aria-expanded]="!isCollapsed"
+          style="background-color: #0099a0!important; border-color: #0099a0!important; color: #fff;"
           aria-controls="metricsFilter">
           Show/Hide filter
         </button>
-
-		<!--
-        <button
-          id="jh-create-entity"
-          data-cy="entityCreateButton"
-          class="btn btn-primary jh-create-entity create-tom"
-          [routerLink]="['/tom/new']">
-          <fa-icon icon="plus"></fa-icon>
-          <span jhiTranslate="cocGatewayApp.cocBackendTom.home.createLabel"> Create a new requirement </span>
-        </button>
-        -->
       </div>
     </div>
   </h2>
@@ -31,7 +21,7 @@
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <small><strong>
   <a *ngIf="frameworkText == null" [routerLink]="['/security-control-framework']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span *ngIf="frameworkText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Security Control Frameworks</span>
+  	<span *ngIf="frameworkText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Frameworks</span>
   </a>
   <a *ngIf="frameworkText != null" (click)="goToFrameworkState()" style="color: #0099a0; font-weight: 600;">
   	<span *ngIf="frameworkText != null" jhiTranslate="cocGatewayApp.cocBackendTom.home.framework">Framework:</span>
@@ -39,7 +29,7 @@
   </a>
   &nbsp;&nbsp;&raquo;&nbsp;&nbsp;
   <a *ngIf="categoryText == null" [routerLink]="['/security-control-category']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
-  	<span *ngIf="categoryText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Security Control Category</span>
+  	<span *ngIf="categoryText == null" jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Category</span>
   </a>
   <a *ngIf="categoryText != null" (click)="goToCategoryState()" style="color: #0099a0; font-weight: 600;">
   	<span *ngIf="categoryText != null" jhiTranslate="cocGatewayApp.cocBackendTom.home.category">Category:</span>
@@ -66,40 +56,26 @@
           <label class="form-control-label" for="field_code">Code</label>
           <input type="text" class="form-control" id="field_code" formControlName="code"/>
         </div>
-        <div class="form-group col-md-3">
-          <label class="form-control-label" for="field_assuranceLevel">Assurance Level</label>
-          <select class="form-control" formControlName="assuranceLevel" id="field_assuranceLevel" data-cy="assuranceLevel">
-            <option value=""></option>
-            <option *ngFor="let assuranceLevelKey of assuranceLevelKeys" [value]="assuranceLevelKey">{{assuranceLevel[assuranceLevelKey]}}</option>
-          </select>
+        <div class="form-group col-md-9">
+          <label class="form-control-label" for="field_description">Description</label>
+          <input type="text" class="form-control" id="field_description" formControlName="description"/>
         </div>
-        <div class="form-group col-md-3">
+      </div>
+      <div class="row">
+        <div class="form-group col-md-6">
           <label class="form-control-label" for="field_type">Type</label>
           <select class="form-control" formControlName="type" id="field_type" data-cy="type">
             <option value=""></option>
             <option *ngFor="let typeKey of typeKeys" [value]="typeKey">{{type[typeKey]}}</option>
           </select>
         </div>
-        <div class="form-group col-md-3">
-          <label class="form-control-label" for="field_securityControl">Security Control</label>
-          <select class="form-control" formControlName="securityControlId" id="field_securityControl" data-cy="securityControlId">
-            <option value="0"></option>
-            <option [value]="controlOption.id" 
-              *ngFor="let controlOption of securityControlsSharedCollection;trackBy: trackSecurityControlById">
-            {{ controlOption.name }}
-            </option>
+        <div class="form-group col-md-6">
+          <label class="form-control-label" for="field_assuranceLevel">Assurance level</label>
+          <select class="form-control" formControlName="assuranceLevel" id="field_assuranceLevel" data-cy="assuranceLevel">
+            <option value=""></option>
+            <option *ngFor="let assuranceLevelKey of assuranceLevelKeys" [value]="assuranceLevelKey">{{assuranceLevel[assuranceLevelKey]}}</option>
           </select>
         </div>
-      </div>  
-      <div class="row">
-        <div class="form-group col-md-3">
-          <label class="form-control-label" for="field_name">Name</label>
-          <input type="text" class="form-control" id="field_name" formControlName="name"/>
-        </div>
-        <div class="form-group col-md-9">
-          <label class="form-control-label" for="field_description">Description</label>
-          <input type="text" class="form-control" id="field_description" formControlName="description"/>
-        </div>
       </div>
       <input type="submit" style="visibility:hidden"/>
     </form>
@@ -127,25 +103,23 @@
       <thead>
         <tr>
           <!-- <th scope="col"><span jhiTranslate="global.field.id">ID</span></th> -->
-          <th scope="col" style="width: 7%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.name">Name</span></th>
-          <th scope="col" style="width: 32%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.description">Description</span></th>
+          <th scope="col" style="width: 6%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.code">Code</span></th>
+          <th scope="col" style="width: 26%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.description">Description</span></th>
           <th scope="col" style="width: 13%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.assuranceLevel">Assurance Level</span></th>
           <th scope="col" style="width: 13%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.type">Type</span></th>
-          <th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.securityControl">Security Control</span></th>
-          <th scope="col" style="width: 10%;"><span jhiTranslate="entity.action.relatedMetricsLong">Related Security Metrics</span></th>
-          <th scope="col" style="width: 15%;"></th>
+          <th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.securityControl">Control</span></th>
+          <th scope="col" style="width: 10%;"><span jhiTranslate="cocGatewayApp.cocBackendTom.implementationGuidelines">Implementation guidelines</span></th>
+          <th scope="col" style="width: 10%;"><span jhiTranslate="entity.action.relatedMetrics">Metrics</span></th>
+          <th scope="col" style="width: 12%;"></th>
         </tr>
       </thead>
-      <tbody>
+      <tbody style="font-size: 11px;">
         <tr *ngFor="let tom of toms; trackBy: trackId" data-cy="entityTable">
-          <!-- <td>
-            <a [routerLink]="['/tom', tom.id, 'view']">{{ tom.id }}</a>
-          </td> -->
-          <td>{{ tom.name }}</td>
-          <td>{{ tom.description }}</td>
-          <td jhiTranslate="{{ 'cocGatewayApp.AssuranceLevel.' + tom.assuranceLevel }}">{{ tom.assuranceLevel }}</td>
-          <td jhiTranslate="{{ 'cocGatewayApp.Type.' + tom.type }}">{{ tom.type }}</td>
-          <td>
+          <td style="vertical-align: middle;">{{ tom.name }}</td>
+          <td style="vertical-align: middle; text-align: justify;">{{ tom.description }}</td>
+          <td style="vertical-align: middle;" jhiTranslate="{{ 'cocGatewayApp.AssuranceLevel.' + tom.assuranceLevel }}">{{ tom.assuranceLevel }}</td>
+          <td style="vertical-align: middle;" jhiTranslate="{{ 'cocGatewayApp.Type.' + tom.type }}">{{ tom.type }}</td>
+          <td style="vertical-align: middle;">
             <div *ngIf="tom.securityControl">
               <a (click)="goToControlState()" style="color: #0099a0; font-weight: 600;">
                 {{ tom.securityControl?.name }}
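Review bot: The first column header now reads `Code` (`cocGatewayApp.cocBackendTom.code`), but the cell under it still renders `{{ tom.name }}`, so header and data disagree unless `name` is meant to carry the code. If the code is what should be listed, the cell should be `<td style="vertical-align: middle;">{{ tom.code }}</td>`. If `name` is intentional (the update form in this diff relabels that field with the `reqId` key), the header key should say so instead. The table row continues past the end of this hunk.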
@@ -153,31 +127,29 @@
               </a>
             </div>
           </td>
-          <td>
+          <td style="vertical-align: middle;">
+          	<span *ngIf="tom.guidance == null">-----</span>
+          	<a *ngIf="tom.guidance != null" [routerLink]="['/reference-tom', tom.guidance, 'view']" style="color: #0099a0; font-weight: 600; text-decoration: none;">
+          		<span class="d-none d-md-inline" jhiTranslate="cocGatewayApp.cocBackendTom.implementationGuideline">Implementation guideline</span>
+          	</a>
+          </td>
+          <td style="vertical-align: middle;">
           	<span *ngIf="tom.securityMetrics == null || tom.securityMetrics.length== 0" style="font-style: italic;" jhiTranslate="cocGatewayApp.cocBackendTom.noMetrics"></span>
           	<a *ngIf="tom.securityMetrics != null && tom.securityMetrics.length > 0" [routerLink]="['/security-metric']" [queryParams]="{paramFrameworkText: frameworkText, paramCategoryText: categoryText, paramControlText: controlText, paramTomId: tom.id, paramTomText: tom.name}" style="color: #0099a0; font-weight: 600; text-decoration: none;">
           		<span class="d-none d-md-inline" jhiTranslate="entity.action.relatedMetrics">Metrics</span>&nbsp;
           		<fa-icon icon="arrow-down"></fa-icon>
           	</a>
           </td>
-          <td class="text-right">
+          <td class="text-right" style="vertical-align: middle;">
             <div class="btn-group">
-              <button type="submit" [routerLink]="['/tom', tom.id, 'view']" class="btn btn-info btn-sm" data-cy="entityDetailsButton">
+              <button type="submit" [routerLink]="['/tom', tom.id, 'view']" class="btn btn-info btn-sm" data-cy="entityDetailsButton" style="background-color: #0099a0!important; border-color: #0099a0!important;">
                 <fa-icon icon="eye"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.view">View</span>
               </button>
-
-              <button type="submit" [routerLink]="['/tom', tom.id, 'edit']" class="btn btn-primary btn-sm" data-cy="entityEditButton">
+              <button type="submit" [routerLink]="['/tom', tom.id, 'edit']" class="btn btn-primary btn-sm" data-cy="entityEditButton" style="background-color: #0099a0!important; border-color: #0099a0!important; margin-left: 4px;" *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']">
                 <fa-icon icon="pencil-alt"></fa-icon>
                 <span class="d-none d-md-inline" jhiTranslate="entity.action.edit">Edit</span>
               </button>
-
-			  <!--
-              <button type="submit" (click)="delete(tom)" class="btn btn-danger btn-sm" data-cy="entityDeleteButton">
-                <fa-icon icon="times"></fa-icon>
-                <span class="d-none d-md-inline" jhiTranslate="entity.action.delete">Delete</span>
-              </button>
-              -->
             </div>
           </td>
         </tr>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.ts
index a11ac86e9bd29f1c1adb0167cde632942969c63c..f8235238c279b20a55451c07c03fbb68e62d869d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/list/tom.component.ts
@@ -1,11 +1,10 @@
 import { Component, OnInit } from '@angular/core';
 import { HttpResponse } from '@angular/common/http';
 import { NgbModal } from '@ng-bootstrap/ng-bootstrap';
-import { ActivatedRoute } from '@angular/router';
+import { Router, ActivatedRoute } from '@angular/router';
 
 import { ITom } from '../tom.model';
 import { TomService } from '../service/tom.service';
-import { TomDeleteDialogComponent } from '../delete/tom-delete-dialog.component';
 import { ISecurityControl } from '../../security-control/security-control.model';
 import { FormBuilder } from '@angular/forms';
 import { SecurityControlService } from '../../security-control/service/security-control.service';
@@ -45,7 +44,8 @@ export class TomComponent implements OnInit {
     protected securityControlService: SecurityControlService,
     protected modalService: NgbModal,
     protected formBuilder: FormBuilder,
-    private route: ActivatedRoute) {}
+    private route: ActivatedRoute,
+    private router: Router) {}
 
   ngOnInit(): void {
     this.loadSecurityControls();
@@ -98,7 +98,12 @@ export class TomComponent implements OnInit {
     const dynamicFilter: any={};
     let hasFilter=false;
     if (this.searchForm.value.code!==''){
-      dynamicFilter['code.contains'] = this.searchForm.value.code; 
+      let text = this.searchForm.value.code.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['code.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['code.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.name!==''){
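Review bot: The quoted-search logic tests for an empty string before trimming and never checks the length, so a whitespace-only entry sends an empty `code.contains` filter and a lone `"` passes the quote test at both ends and is sent as `code.equals`. If the control value is ever null rather than `''`, `.trim()` would throw. The same block is pasted again for `description` in the next hunk; a small private helper keeps the two in step and lets `const` and `===` replace `let` and `==`. The enclosing method starts and ends outside this hunk.

```typescript
  // new private helper on TomComponent
  private addTextFilter(filter: any, field: string, raw: string | null | undefined): boolean {
    const text = (raw || '').trim();
    if (text === '') {
      return false;
    }
    const first = text[0];
    const quoted = text.length >= 2 && (first === '"' || first === "'") && text[text.length - 1] === first;
    filter[`${field}.${quoted ? 'equals' : 'contains'}`] = quoted ? text.slice(1, -1) : text;
    return true;
  }

  // … unchanged: dynamicFilter and hasFilter declarations …
  if (this.addTextFilter(dynamicFilter, 'code', this.searchForm.value.code)) {
    hasFilter = true;
  }
  // … unchanged: name filter …
  if (this.addTextFilter(dynamicFilter, 'description', this.searchForm.value.description)) {
    hasFilter = true;
  }
```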
@@ -106,7 +111,12 @@ export class TomComponent implements OnInit {
       hasFilter=true;
     }
     if (this.searchForm.value.description!==''){
-      dynamicFilter['description.contains'] = this.searchForm.value.description; 
+      let text = this.searchForm.value.description.trim();
+      if ((text[0] == '"' && text[text.length -1] == '"') || (text[0] == "'" && text[text.length -1] == "'")) {
+	    dynamicFilter['description.equals'] = text.substring(1, text.length - 1);
+      } else {
+	    dynamicFilter['description.contains'] = text;
+      }
       hasFilter=true;
     }
     if (this.searchForm.value.assuranceLevel!==''){
@@ -145,17 +155,6 @@ export class TomComponent implements OnInit {
   trackSecurityControlById(index: number, item: ISecurityControl): number {
     return item.id!;
   }
-
-  delete(tom: ITom): void {
-    const modalRef = this.modalService.open(TomDeleteDialogComponent, { size: 'lg', backdrop: 'static' });
-    modalRef.componentInstance.tom = tom;
-    // unsubscribe not needed because closed completes on modal close
-    modalRef.closed.subscribe(reason => {
-      if (reason === 'deleted') {
-        this.loadAll();
-      }
-    });
-  }
   
   loadSecurityControls(): void {
     this.securityControlService
@@ -187,14 +186,24 @@ export class TomComponent implements OnInit {
   }
   
   goToFrameworkState(): void {
-    window.history.go(-3);
+    this.router.navigate(['/security-control-framework']);
   }
   
   goToCategoryState(): void {
-    window.history.go(-2);
+    //window.history.go(-2);
+    if (this.route.snapshot.queryParams['paramControlId'] == null || typeof this.route.snapshot.queryParams['paramControlId'] == 'undefined') {
+		this.router.navigate(['/security-control-category']);
+	} else {
+		window.history.go(-2);
+	}
   }
   
   goToControlState(): void {
-    window.history.back();
+    //window.history.back();
+    if (this.route.snapshot.queryParams['paramControlId'] == null || typeof this.route.snapshot.queryParams['paramControlId'] == 'undefined') {
+		this.router.navigate(['/security-control']);
+	} else {
+		window.history.back();
+	}
   }
 }
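Review bot: In `goToCategoryState` and `goToControlState` the test `== null || typeof … == 'undefined'` is redundant, because loose `== null` already matches `undefined`; `if (this.route.snapshot.queryParams['paramControlId'] == null) {` says the same thing. The commented-out `//window.history.go(-2);` and `//window.history.back();` lines should be dropped rather than committed, and the new lines mix tabs with the file's two-space indent. The `window.history.go(-2)` branch still assumes the user arrived through exactly two in-app navigations, which a bookmarked or reloaded URL carrying `paramControlId` does not guarantee. Navigating with the router in both branches would remove that assumption.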
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/route/tom-routing.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/route/tom-routing.module.ts
index 63eb8792a9736746fe22d811aacbef72553c3780..ba76c201ce81b5c21a8c9768ef50b15cdafd389e 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/route/tom-routing.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/route/tom-routing.module.ts
@@ -7,23 +7,19 @@ import { TomDetailComponent } from '../detail/tom-detail.component';
 import { TomUpdateComponent } from '../update/tom-update.component';
 import { TomRoutingResolveService } from './tom-routing-resolve.service';
 
+import { Authority } from 'app/config/authority.constants';
+
 const tomRoute: Routes = [
   {
     path: '',
     component: TomComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     canActivate: [UserRouteAccessService],
   },
   {
     path: ':id/view',
     component: TomDetailComponent,
-    resolve: {
-      tom: TomRoutingResolveService,
-    },
-    canActivate: [UserRouteAccessService],
-  },
-  {
-    path: 'new',
-    component: TomUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR] },
     resolve: {
       tom: TomRoutingResolveService,
     },
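Review bot: The nine-entry `authorities` array is written out twice, once for the list route and once for `:id/view`, so the two can drift apart the next time a role is added or removed. Declaring it once above `tomRoute` as a `const TOM_READ_AUTHORITIES` and using `data: { authorities: TOM_READ_AUTHORITIES }` on both routes keeps them identical. These guards run in the browser only, so the REST resource behind them needs equivalent role checks; that code is not part of this hunk. The `:id/view` route object closes outside the hunk.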
@@ -32,6 +28,7 @@ const tomRoute: Routes = [
   {
     path: ':id/edit',
     component: TomUpdateComponent,
+    data: { authorities: [Authority.ADMIN, Authority.SECURITY_GOVERNANCE] },
     resolve: {
       tom: TomRoutingResolveService,
     },
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/service/tom.service.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/service/tom.service.ts
index 111201718db2f0511998a2b4c517da36873e2b7c..747c00193d84a86832ac0f9b6036a45a9b8382ee 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/service/tom.service.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/service/tom.service.ts
@@ -16,10 +16,6 @@ export class TomService {
 
   constructor(protected http: HttpClient, protected applicationConfigService: ApplicationConfigService) {}
 
-  create(tom: ITom): Observable<EntityResponseType> {
-    return this.http.post<ITom>(this.resourceUrl, tom, { observe: 'response' });
-  }
-
   update(tom: ITom): Observable<EntityResponseType> {
     return this.http.put<ITom>(`${this.resourceUrl}/${getTomIdentifier(tom) as number}`, tom, { observe: 'response' });
   }
@@ -37,10 +33,6 @@ export class TomService {
     return this.http.get<ITom[]>(this.resourceUrl, { params: options, observe: 'response' });
   }
 
-  delete(id: number): Observable<HttpResponse<{}>> {
-    return this.http.delete(`${this.resourceUrl}/${id}`, { observe: 'response' });
-  }
-
   getByFrameworkNameAndAssuranceLevel(frameworkName: string, assuranceLevel: string): Observable<EntityArrayResponseType> {
     const options: HttpParams = new HttpParams();
     return this.http.get<ITom[]>(`${this.resourceUrl}/framework-assurance/${frameworkName}/${assuranceLevel}`, { params: options, observe: 'response' });
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.model.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.model.ts
index 4ba209891d9c5e9b8e4b4e0e977de6d6f9f1b9c7..ed5287683cc72d7546a3908e42e66e35e38c99f9 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.model.ts
@@ -10,6 +10,7 @@ export interface ITom {
   description?: string;
   assuranceLevel?: AssuranceLevel | null;
   type?: Type;
+  guidance?: string;
   securityControl?: ISecurityControl;
   securityMetrics?: ISecurityMetric[];
 }
@@ -22,6 +23,7 @@ export class Tom implements ITom {
     public description?: string,
     public assuranceLevel?: AssuranceLevel | null,
     public type?: Type,
+    public guidance?: string,
     public securityControl?: ISecurityControl,
     public securityMetrics?: ISecurityMetric[]
   ) {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.module.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.module.ts
index 70542c5e88558979bbeaee5ec8b0eaeae8a6c51f..a6bf33092b0a98439e965e3f5c45837513c126c8 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.module.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/tom.module.ts
@@ -3,12 +3,10 @@ import { SharedModule } from 'app/shared/shared.module';
 import { TomComponent } from './list/tom.component';
 import { TomDetailComponent } from './detail/tom-detail.component';
 import { TomUpdateComponent } from './update/tom-update.component';
-import { TomDeleteDialogComponent } from './delete/tom-delete-dialog.component';
 import { TomRoutingModule } from './route/tom-routing.module';
 
 @NgModule({
   imports: [SharedModule, TomRoutingModule],
-  declarations: [TomComponent, TomDetailComponent, TomUpdateComponent, TomDeleteDialogComponent],
-  entryComponents: [TomDeleteDialogComponent],
+  declarations: [TomComponent, TomDetailComponent, TomUpdateComponent],
 })
 export class CocBackendTomModule {}
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.html b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.html
index b01dca8e78ea84275d58a1c8483fc112c6cd10f7..3580b9eb1cc02d71716cb35b7728a95a062fc014 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.html
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.html
@@ -2,7 +2,7 @@
   <div class="col-8">
     <form name="editForm" role="form" novalidate (ngSubmit)="save()" [formGroup]="editForm">
       <h2 id="jhi-tom-heading" data-cy="TomCreateUpdateHeading" jhiTranslate="cocGatewayApp.cocBackendTom.home.createOrEditLabel">
-        Create or edit a Requirement
+        Edit a Requirement
       </h2>
 
       <div>
@@ -21,28 +21,18 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.code' | translate"
             >Code</label
           >
-          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" />
-          <div *ngIf="editForm.get('code')!.invalid && (editForm.get('code')!.dirty || editForm.get('code')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('code')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="code" id="field_code" data-cy="code" formControlName="code" [readonly]="true" />
         </div>
 
-        <div class="form-group">
+        <div class="form-group" [hidden]="true">
           <label
             class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendTom.name"
+            jhiTranslate="cocGatewayApp.cocBackendTom.reqId"
             for="field_name"
-            [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.name' | translate"
+            [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.reqId' | translate"
             >Name</label
           >
-          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" />
-          <div *ngIf="editForm.get('name')!.invalid && (editForm.get('name')!.dirty || editForm.get('name')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('name')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <input type="text" class="form-control" name="name" id="field_name" data-cy="name" formControlName="name" [readonly]="true" />
         </div>
 
         <div class="form-group">
@@ -80,83 +70,47 @@
             [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.assuranceLevel' | translate"
             >Assurance Level</label
           >
-          <select
-            class="form-control"
-            name="assuranceLevel"
-            formControlName="assuranceLevel"
-            id="field_assuranceLevel"
-            data-cy="assuranceLevel"
-          >
-            <option [ngValue]="null">{{ 'cocGatewayApp.AssuranceLevel.null' | translate }}</option>
-            <option value="BASIC">{{ 'cocGatewayApp.AssuranceLevel.BASIC' | translate }}</option>
-            <option value="SUBSTANTIAL">{{ 'cocGatewayApp.AssuranceLevel.SUBSTANTIAL' | translate }}</option>
-            <option value="HIGH">{{ 'cocGatewayApp.AssuranceLevel.HIGH' | translate }}</option>
-          </select>
+          <input type="text" class="form-control" name="assuranceLevel" id="field_assuranceLevel" data-cy="assuranceLevel" formControlName="assuranceLevel" [readonly]="true" />
         </div>
-
+        
         <div class="form-group">
           <label
             class="form-control-label"
-            jhiTranslate="cocGatewayApp.cocBackendTom.type"
-            for="field_type"
-            [ngbTooltip]="'cocGatewayApp.cocBackendTom.help.type' | translate"
-            >Type</label
+            jhiTranslate="cocGatewayApp.cocBackendTom.implementationGuideline"
+            for="field_guidance"
+            [ngbTooltip]="'cocGatewayApp.cocBackendTom.implementationGuideline' | translate"
+            >Implementation guideline</label
           >
-          <select class="form-control" name="type" formControlName="type" id="field_type" data-cy="type">
-            <option [ngValue]="null">{{ 'cocGatewayApp.Type.null' | translate }}</option>
-            <option value="ORGANIZATIONAL">{{ 'cocGatewayApp.Type.ORGANIZATIONAL' | translate }}</option>
-            <option value="TECHNICAL">{{ 'cocGatewayApp.Type.TECHNICAL' | translate }}</option>
-            <option value="ORGANIZATIONAL_TECHNICAL">{{ 'cocGatewayApp.Type.ORGANIZATIONAL_TECHNICAL' | translate }}</option>
-          </select>
-          <div *ngIf="editForm.get('type')!.invalid && (editForm.get('type')!.dirty || editForm.get('type')!.touched)">
-            <small class="form-text text-danger" *ngIf="editForm.get('type')?.errors?.required" jhiTranslate="entity.validation.required">
-              This field is required.
-            </small>
-          </div>
+          <br />
+          <a *ngIf="editForm.get('guidance')!.value != null" [routerLink]="['/reference-tom', editForm.get('guidance'), 'view']" style="color: #0099a0; font-weight: 600;  text-decoration: none;">
+            <span jhiTranslate="global.compliance.yes">YES</span>
+          </a>
+          <span *ngIf="editForm.get('guidance')!.value == null" jhiTranslate="global.compliance.no">NO</span>
         </div>
-
+        
         <div class="form-group">
-          <label class="form-control-label" jhiTranslate="cocGatewayApp.cocBackendTom.securityControl" for="field_securityControl"
+          <label
+            class="form-control-label"
+            jhiTranslate="cocGatewayApp.cocBackendTom.securityControl"
+            for="field_securityControl"
+            [ngbTooltip]="'cocGatewayApp.cocBackendTom.securityControl' | translate"
             >Security Control</label
           >
-          <select
-            class="form-control"
-            id="field_securityControl"
-            data-cy="securityControl"
-            name="securityControl"
-            formControlName="securityControl"
-          >
+          
+          <select class="form-control" id="field_securityControl" data-cy="securityControl" name="securityControl" formControlName="securityControl" [attr.disabled]="true">
             <option *ngIf="!editForm.get('securityControl')!.value" [ngValue]="null" selected></option>
             <option
-              [ngValue]="
-                securityControlOption.id === editForm.get('securityControl')!.value?.id
-                  ? editForm.get('securityControl')!.value
-                  : securityControlOption
-              "
+              [ngValue]="securityControlOption.id === editForm.get('securityControl')!.value?.id ? editForm.get('securityControl')!.value : securityControlOption"
               *ngFor="let securityControlOption of securityControlsSharedCollection; trackBy: trackSecurityControlById"
             >
               {{ securityControlOption.name }}
             </option>
           </select>
-        </div>
-        <div
-          *ngIf="
-            editForm.get(['securityControl'])!.invalid &&
-            (editForm.get(['securityControl'])!.dirty || editForm.get(['securityControl'])!.touched)
-          "
-        >
-          <small
-            class="form-text text-danger"
-            *ngIf="editForm.get(['securityControl'])?.errors?.required"
-            jhiTranslate="entity.validation.required"
-          >
-            This field is required.
-          </small>
-        </div>
+         </div>
       </div>
 
       <div>
-        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()">
+        <button type="button" id="cancel-save" data-cy="entityCreateCancelButton" class="btn btn-secondary" (click)="previousState()" style="background-color: #c70e33!important; border-color: #c70e33!important;">
           <fa-icon icon="ban"></fa-icon>&nbsp;<span jhiTranslate="entity.action.cancel">Cancel</span>
         </button>
 
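Review bot: The guideline link binds `[routerLink]="['/reference-tom', editForm.get('guidance'), 'view']"`, which passes the form control object rather than its value, so the generated URL will not contain the guidance identifier. The detail template uses `tom.guidance` for the same link. It should read `[routerLink]="['/reference-tom', editForm.get('guidance')!.value, 'view']"`. Separately, `[attr.disabled]="true"` on the security-control select and the `[readonly]="true"` inputs here and in the previous hunk only lock the fields in the browser, while the form values are still read when the entity is built for saving. If `code`, `name`, `assuranceLevel` and `securityControl` are meant to be immutable, the update endpoint should reject or ignore changes to them.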
@@ -166,6 +120,8 @@
           data-cy="entityCreateSaveButton"
           [disabled]="editForm.invalid || isSaving"
           class="btn btn-primary"
+          style="background-color: #0099a0!important; border-color: #0099a0!important;"
+          *jhiHasAnyAuthority="['ROLE_ADMIN', 'SecurityGovernance']"
         >
           <fa-icon icon="save"></fa-icon>&nbsp;<span jhiTranslate="entity.action.save">Save</span>
         </button>
diff --git a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.ts b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.ts
index b8799630c7b04b5d0f64311eca500b3ab4519b72..792112b6bd2dc018e5ed4c4f656e87cd67154b6d 100755
--- a/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/cocBackend/tom/update/tom-update.component.ts
@@ -26,6 +26,7 @@ export class TomUpdateComponent implements OnInit {
     description: [null, [Validators.required]],
     assuranceLevel: [],
     type: [null, [Validators.required]],
+    guidance: [null],
     securityControl: [null, Validators.required],
   });
 
@@ -53,8 +54,6 @@ export class TomUpdateComponent implements OnInit {
     const tom = this.createFromForm();
     if (tom.id !== undefined) {
       this.subscribeToSaveResponse(this.tomService.update(tom));
-    } else {
-      this.subscribeToSaveResponse(this.tomService.create(tom));
     }
   }
 
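Review bot: With the `else` branch removed, `save()` silently does nothing when `tom.id` is undefined: no request is sent and the user gets no feedback. If the lines above this hunk still set `isSaving = true` (not visible here), the Save button also stays disabled because nothing resets the flag on that path. Handle the case explicitly, for example `else { this.isSaving = false; }` plus a user-visible message, or make sure the create route can no longer reach this component. `save()` starts above this hunk.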
@@ -89,6 +88,7 @@ export class TomUpdateComponent implements OnInit {
       description: tom.description,
       assuranceLevel: tom.assuranceLevel,
       type: tom.type,
+      guidance: tom.guidance,
       securityControl: tom.securityControl,
     });
 
@@ -119,6 +119,7 @@ export class TomUpdateComponent implements OnInit {
       description: this.editForm.get(['description'])!.value,
       assuranceLevel: this.editForm.get(['assuranceLevel'])!.value,
       type: this.editForm.get(['type'])!.value,
+      guidance: this.editForm.get(['guidance'])!.value,
       securityControl: this.editForm.get(['securityControl'])!.value,
     };
   }
diff --git a/git/cocGateway/src/main/webapp/app/entities/enumerations/assurance-level.model.ts b/git/cocGateway/src/main/webapp/app/entities/enumerations/assurance-level.model.ts
index be3dfbcaa33bf3f976342a6ff185b6a9824187ed..3e7823218c438148129595af4529179f6eb5ac16 100755
--- a/git/cocGateway/src/main/webapp/app/entities/enumerations/assurance-level.model.ts
+++ b/git/cocGateway/src/main/webapp/app/entities/enumerations/assurance-level.model.ts
@@ -1,7 +1,7 @@
 export enum AssuranceLevel {
-  BASIC = 'Basic',
+  Basic = 'Basic',
 
-  SUBSTANTIAL = 'Substantial',
+  Substantial = 'Substantial',
 
-  HIGH = 'High',
+  High = 'High',
 }
diff --git a/git/cocGateway/src/main/webapp/app/home/home.component.html b/git/cocGateway/src/main/webapp/app/home/home.component.html
index 7105ef5428a5b202044355be9aedd02a3309662f..252e754ddb4ed70c7cd33f1c64e6b6c1106238db 100755
--- a/git/cocGateway/src/main/webapp/app/home/home.component.html
+++ b/git/cocGateway/src/main/webapp/app/home/home.component.html
@@ -4,7 +4,7 @@
   </div>
 
   <div class="col-md-9">
-    <h1><span>Welcome to MEDINA Catalogue of metrics, controls and TOMs!</span></h1>
+    <h1><span>Welcome to MEDINA Catalogue of metrics, controls and Requirements!</span></h1>
 
     <div [ngSwitch]="account !== null">
       <div class="alert alert-success" *ngSwitchCase="true">
diff --git a/git/cocGateway/src/main/webapp/app/home/home.component.ts b/git/cocGateway/src/main/webapp/app/home/home.component.ts
index 83dc60c8a2bda33d6fd68c9896ad0fdac13c3c96..6863b31fbb0e18380c6570403e471ac5ca824d88 100755
--- a/git/cocGateway/src/main/webapp/app/home/home.component.ts
+++ b/git/cocGateway/src/main/webapp/app/home/home.component.ts
@@ -16,6 +16,7 @@ export class HomeComponent implements OnInit {
 
   ngOnInit(): void {
     this.accountService.identity().subscribe(account => (this.account = account));
+    this.accountService.getAuthenticationState().subscribe(account => (this.account = account));
   }
 
   login(): void {
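Review bot: The `getAuthenticationState().subscribe(...)` added to `ngOnInit` is never unsubscribed; the class header in this hunk shows only `implements OnInit`, so unless teardown exists outside the hunk the subscription outlives the component and keeps writing `this.account` after navigation. Pipe it through `takeUntil(this.destroy$)` and complete `destroy$` in `ngOnDestroy`, or keep the returned `Subscription` and unsubscribe there. The `identity()` call on the line before presumably becomes redundant if the authentication-state stream replays the current account; confirm before removing it.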
diff --git a/git/cocGateway/src/main/webapp/app/home/home.route.ts b/git/cocGateway/src/main/webapp/app/home/home.route.ts
index f3677820abc332aa392d78df68910f90451de233..4f23fe0d49923b54ca6c18061b417e9e3b09d6f7 100755
--- a/git/cocGateway/src/main/webapp/app/home/home.route.ts
+++ b/git/cocGateway/src/main/webapp/app/home/home.route.ts
@@ -8,7 +8,7 @@ export const HOME_ROUTE: Route = {
   path: '',
   component: HomeComponent,
   data: {
-    authorities: [Authority.USER],
+    authorities: [Authority.ADMIN, Authority.USER, Authority.SECURITY_GOVERNANCE, Authority.SECURITY_ANALYST, Authority.DOMAIN_GOVERNANCE, Authority.PRODUCT_OWNER, Authority.PRODUCT_SECURITY_ENG, Authority.CISO, Authority.AUDITOR],
     pageTitle: 'home.title',
   },
   canActivate: [UserRouteAccessService]
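Review bot: The `authorities` array in `HOME_ROUTE` now lists every role by hand on one long line, so each role added later has to be remembered here or its users are refused the home page. A shared constant defined next to `Authority`, used as `authorities: ALL_AUTHORITIES` (the name is a suggestion), would keep the list in one place. This route data only steers client-side navigation; it does not protect any data the page requests, which still needs a server-side check.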
diff --git a/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.html b/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.html
index e5695623405bc8de2817287f8258880051469495..0827e050648304da5626f14a15ad15f2f1e248e3 100755
--- a/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.html
+++ b/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.html
@@ -1,2 +1,23 @@
-<div class="footer">
+<!--
+<div style="background-color: #0099a0; min-height: 90px; max-height: 90px; width: 100%; margin-top: 32px; border-radius: 2px; text-align: center;">
+	<div style="text-align: center;">
+		<img src="../../../../../content/images/copyright.png" style="width: 720px; height: 90px;" />
+	</div>
+</div>
+-->
+
+<!--<div style="background-color: #0099a0; width: 100%; left: 0; bottom: 0; text-align: center; margin-top: 24px;">-->
+<div style="background-color: #0099a0; width: 100%; left: 0; bottom: 0; text-align: center; position: fixed;">
+	<div style="color: #fff; font-size: 12px; text-align: center; width: 100%; display: flex; padding: 1px 0 4px 0;">
+		<div style="width: 10%; text-align: left; float: left; margin-left: 24px;">
+			<img src="../../../content/images/tecnalia.png" style="height: 50px; margin-top: 8px; margin-bottom: 8px;" /> 
+		</div>
+		<div style="width: 80%; font-size: 11px;">
+			<div style="margin-top: 8px!important;">THE WEBSITE AND ITS SERVICES ARE IN BETA VERSION AND ARE PROVIDED FOR RESEARCH PURPOSES, EXPERIMENTATION, AND SCIENTIFIC PUBLICATION.</div>
+			<div id="copyright">COPYRIGHT &copy; {{currentYear}} FUNDACIÓN TECNALIA RESEARCH & INNOVATION ALL RIGHTS RESERVED.</div>
+		</div>
+		<div style="width: 10%; text-align: right; float: right; margin-right: 24px;">
+			<img src="../../../content/images/eur.png" style="height: 50px; margin-top: 8px; margin-bottom: 8px;" />
+		</div>
+	</div>
 </div>
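Review bot: Both `<img>` elements in the new footer lack an `alt` attribute, so assistive technology has nothing meaningful to announce; add one to each, e.g. `alt="Tecnalia logo"` on `tecnalia.png`. The hunk also commits two commented-out footer variants (the `copyright.png` block and the `margin-top: 24px` wrapper) and styles everything inline although this commit adds `content/css/footer-style.css`; deleting the dead markup and moving the styles into a class would make the template easier to maintain. The bare `&` in `RESEARCH & INNOVATION` should be written `&amp;`.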
diff --git a/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.ts b/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.ts
index 7c640ec8af4302bd0e5914d0172021b03e591717..08fed2aa83170c6c62a68b2dc69fe8e4c0bbc610 100755
--- a/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.ts
+++ b/git/cocGateway/src/main/webapp/app/layouts/footer/footer.component.ts
@@ -4,4 +4,11 @@ import { Component } from '@angular/core';
   selector: 'jhi-footer',
   templateUrl: './footer.component.html',
 })
-export class FooterComponent {}
+export class FooterComponent {
+	
+	currentYear: number;
+	
+	constructor() {
+		this.currentYear = new Date().getFullYear();
+	}
+}
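Review bot: `currentYear` in `FooterComponent` can be a field initializer, `readonly currentYear = new Date().getFullYear();`, which makes the constructor unnecessary. The added lines are indented with tabs while the unchanged decorator lines in this hunk use two spaces.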
diff --git a/git/cocGateway/src/main/webapp/app/layouts/main/main.component.html b/git/cocGateway/src/main/webapp/app/layouts/main/main.component.html
index 3ac9be942b1b59b899ba252f19b94051c7053ccd..8e1bbdc6a0fa03b50e54af005bed532852be9bd3 100755
--- a/git/cocGateway/src/main/webapp/app/layouts/main/main.component.html
+++ b/git/cocGateway/src/main/webapp/app/layouts/main/main.component.html
@@ -8,6 +8,6 @@
   <div class="card jh-card">
     <router-outlet></router-outlet>
   </div>
-
   <jhi-footer></jhi-footer>
+  <br />
 </div>
diff --git a/git/cocGateway/src/main/webapp/app/layouts/navbar/navbar.component.html b/git/cocGateway/src/main/webapp/app/layouts/navbar/navbar.component.html
index 81df979aec31a9f9350b5f9edc481dd19c44b851..e2854f2696343777ae0200afd5b367a3e23175cd 100755
--- a/git/cocGateway/src/main/webapp/app/layouts/navbar/navbar.component.html
+++ b/git/cocGateway/src/main/webapp/app/layouts/navbar/navbar.component.html
@@ -1,6 +1,6 @@
-<nav data-cy="navbar" class="navbar navbar-dark navbar-expand-md bg-dark">
+<nav data-cy="navbar" class="navbar navbar-dark navbar-expand-md bg-dark" style="background: #262626!important;">
+  <!--
   <a class="navbar-brand logo" routerLink="/" (click)="collapseNavbar()">
-    <span class="logo-img"></span>
     <span class="navbar-title">MEDINA Catalogue</span>
     <span class="navbar-version">{{ version }}</span>
   </a>
@@ -16,24 +16,22 @@
   >
     <fa-icon icon="bars"></fa-icon>
   </a>
-  <div class="navbar-collapse collapse" id="navbarResponsive" [ngbCollapse]="isNavbarCollapsed" [ngSwitch]="account !== null">
-    <ul class="navbar-nav ml-auto">
+  -->
+  <div class="navbar-collapse collapse" id="navbarResponsive" [ngbCollapse]="isNavbarCollapsed" [ngSwitch]="account !== null" style="background: #262626!important;">
+    <ul class="navbar-nav ml-auto" style="background: #262626!important;">
+      <!--
       <li class="nav-item" routerLinkActive="active" [routerLinkActiveOptions]="{ exact: true }">
-        <a class="nav-link" routerLink="/" (click)="collapseNavbar()">
+        <a class="nav-link" routerLink="/" (click)="collapseNavbar()"
+        style="color: #fff;"
+        onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+		onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';">
           <span>
             <fa-icon icon="home"></fa-icon>
             <span jhiTranslate="global.menu.home">Home</span>
           </span>
         </a>
       </li>
-      <li *ngSwitchCase="true" class="nav-item" routerLinkActive="active" [routerLinkActiveOptions]="{ exact: true }">
-        <a class="nav-link" routerLink="/search" (click)="collapseNavbar()">
-          <span>
-            <fa-icon icon="search"></fa-icon>
-            <span>Search requirements</span>
-          </span>
-        </a>
-      </li>      
+      --> 
       <!-- jhipster-needle-add-element-to-menu - JHipster will add new menu items here -->
       <li
         *ngSwitchCase="true"
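Review bot: The `-->` added near the top of this hunk closes the `<!--` opened in the previous hunk, and the commented-out region includes the `<fa-icon icon="bars">` toggler anchor shown as context just above it. With `navbar-expand-md` and `[ngbCollapse]="isNavbarCollapsed"` still on the menu, narrow viewports appear to be left without a control to open the navigation. Keep the toggler outside the comment, or remove the collapse behaviour as well. The second comment block keeps the old Home link in the template with newly added inline styling; deleting it would be cleaner than committing dead markup. The toggler's opening tag lies above this hunk.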
@@ -43,13 +41,15 @@
         routerLinkActive="active"
         [routerLinkActiveOptions]="{ exact: true }"
       >
-        <a class="nav-link dropdown-toggle" ngbDropdownToggle href="javascript:void(0);" id="entity-menu" data-cy="entity">
+        <a class="nav-link dropdown-toggle" ngbDropdownToggle href="javascript:void(0);" id="entity-menu" data-cy="entity"
+        onMouseOver="this.style.textDecoration='underline';"
+		onMouseOut="this.style.textDecoration='none';">
           <span>
             <fa-icon icon="th-list"></fa-icon>
             <span jhiTranslate="global.menu.entities.main">Entities</span>
           </span>
         </a>
-        <ul class="dropdown-menu" ngbDropdownMenu aria-labelledby="entity-menu">
+        <ul class="dropdown-menu" ngbDropdownMenu aria-labelledby="entity-menu" style="background: #262626!important;">
           <li>
             <a
               class="dropdown-item"
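Review bot: The `onMouseOver`/`onMouseOut` attributes added to the `entity-menu` link are inline script handlers, so the page only works under a Content-Security-Policy that permits inline script, which gives up much of the policy's value as an XSS mitigation. The same pair is repeated on every menu link in the later hunks of this file (`@@ -57,6`, `@@ -69,6`, `@@ -81,23`, `@@ -105,23`, `@@ -129,81`, `@@ -213,51`). A single stylesheet rule such as `.navbar .nav-link:hover, .navbar .dropdown-item:hover { text-decoration: underline; }` gives the same hover effect without script. The repeated `style="background: #262626!important; ..."` attributes belong in the same stylesheet class.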
@@ -57,6 +57,9 @@
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
               <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.entities.cocBackendSecurityControlFramework">Security Framework</span>
@@ -69,6 +72,9 @@
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
               <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.entities.cocBackendSecurityControlCategory">Security Category</span>
@@ -81,23 +87,14 @@
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
               <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.entities.cocBackendSecurityControl">Security Control</span>
             </a>
           </li>
-          <li>
-            <a
-              class="dropdown-item"
-              routerLink="similar-control"
-              routerLinkActive="active"
-              [routerLinkActiveOptions]="{ exact: true }"
-              (click)="collapseNavbar()"
-            >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendSimilarControl">Similar Control</span>
-            </a>
-          </li>
           <li>
             <a
               class="dropdown-item"
@@ -105,23 +102,14 @@
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
               <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.entities.cocBackendTom">Requirements</span>
             </a>
           </li>
-          <li>
-            <a
-              class="dropdown-item"
-              routerLink="reference-tom"
-              routerLinkActive="active"
-              [routerLinkActiveOptions]="{ exact: true }"
-              (click)="collapseNavbar()"
-            >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendReferenceTom">Reference Tom</span>
-            </a>
-          </li>
           <li>
             <a
               class="dropdown-item"
@@ -129,81 +117,65 @@
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
               <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.entities.cocBackendSecurityMetric">Security Metric</span>
             </a>
           </li>
-          <!--
-          <li>
-            <a
-              class="dropdown-item"
-              routerLink="resource-type"
-              routerLinkActive="active"
-              [routerLinkActiveOptions]="{ exact: true }"
-              (click)="collapseNavbar()"
-            >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendResourceType">Resource Type</span>
-            </a>
-          </li>
+          <li style="padding: 4px 8px 4px 8px;"><div style="width: 100%; height: 1px; background: rgb(255, 255, 255, 30%);"></div></li>
           <li>
             <a
               class="dropdown-item"
-              routerLink="target-value"
-              routerLinkActive="active"
-              [routerLinkActiveOptions]="{ exact: true }"
-              (click)="collapseNavbar()"
-            >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendTargetValue">Target Value</span>
-            </a>
-          </li>
-          <li>
-            <a
-              class="dropdown-item"
-              routerLink="resource"
-              routerLinkActive="active"
-              [routerLinkActiveOptions]="{ exact: true }"
-              (click)="collapseNavbar()"
-            >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendResource">Resource</span>
-            </a>
-          </li>
-          <li>
-            <a
-              class="dropdown-item"
-              routerLink="cloud-service"
+              routerLink="similar-control"
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendCloudService">Cloud Service</span>
+              <fa-icon icon="search" [fixedWidth]="true"></fa-icon>
+              <span jhiTranslate="global.menu.entities.cocBackendSimilarControl">Similar Controls</span>
             </a>
           </li>
           <li>
             <a
               class="dropdown-item"
-              routerLink="cloud-service-provider"
+              routerLink="reference-tom"
               routerLinkActive="active"
               [routerLinkActiveOptions]="{ exact: true }"
               (click)="collapseNavbar()"
+              style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';"
             >
-              <fa-icon icon="asterisk" [fixedWidth]="true"></fa-icon>
-              <span jhiTranslate="global.menu.entities.cocBackendCloudServiceProvider">Cloud Service Provider</span>
+              <fa-icon icon="tools" [fixedWidth]="true"></fa-icon>
+              <span jhiTranslate="global.menu.entities.cocBackendReferenceTom">Implementation guidelines</span>
             </a>
           </li>
-          -->
           <!-- jhipster-needle-add-entity-to-menu - JHipster will add entities to the menu here -->
         </ul>
       </li>
       <li *ngSwitchCase="true" class="nav-item" routerLinkActive="active" [routerLinkActiveOptions]="{ exact: true }">
-        <a class="nav-link" routerLink="/questionnaire" (click)="collapseNavbar()">
+        <a class="nav-link" routerLink="/questionnaire" (click)="collapseNavbar()"
+        onMouseOver="this.style.textDecoration='underline';"
+		onMouseOut="this.style.textDecoration='none';">
           <span>
             <fa-icon icon="clone"></fa-icon>
-            <span>Questionnaires</span>
+            <span jhiTranslate="global.menu.entities.cocBackendQuestionnaires">Questionnaires</span>
+          </span>
+        </a>
+      </li>
+      <li *ngSwitchCase="true" class="nav-item" routerLinkActive="active" [routerLinkActiveOptions]="{ exact: true }">
+        <a class="nav-link" href="https://medina-project.eu/wp-content/uploads/MEDINA_User_Manuals/MEDINA_Catalogue_of_Controls_and_Metrics_UserManual.pdf" target="_blank" (click)="collapseNavbar()"
+        onMouseOver="this.style.textDecoration='underline';"
+		onMouseOut="this.style.textDecoration='none';">
+          <span>
+            <fa-icon icon="question-circle"></fa-icon>
+            <span jhiTranslate="global.menu.entities.cocBackendHelp">Help</span>
           </span>
         </a>
       </li>
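Review bot: The new Help link opens an external site with `target="_blank"` but sets no `rel`; add `rel="noopener noreferrer"` so the opened page gets no `window.opener` handle and no referrer, rather than relying on browser defaults. The enclosing `<li>` carries `routerLinkActive` and `[routerLinkActiveOptions]` although the anchor has no `routerLink`, so those attributes have no effect and can be removed. The commit also adds `content/docs/Catalogue_User_Manual.pdf`; if that is the same manual, linking the bundled copy would avoid depending on the external URL staying unchanged.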
@@ -213,51 +185,49 @@
         class="nav-item dropdown pointer"
         display="dynamic"
         routerLinkActive="active"
+        style="background: #262626!important; color: #fff!important;"
         [routerLinkActiveOptions]="{ exact: true }"
       >
-        <a class="nav-link dropdown-toggle" ngbDropdownToggle href="javascript:void(0);" id="admin-menu" data-cy="adminMenu">
+        <a class="nav-link dropdown-toggle" ngbDropdownToggle href="javascript:void(0);" id="admin-menu" data-cy="adminMenu"
+        style="background: #262626!important;"
+        onMouseOver="this.style.textDecoration='underline';"
+		onMouseOut="this.style.textDecoration='none';">
           <span>
             <fa-icon icon="users-cog"></fa-icon>
             <span jhiTranslate="global.menu.admin.main">Administration</span>
           </span>
         </a>
-        <ul class="dropdown-menu" ngbDropdownMenu aria-labelledby="admin-menu">
+        <ul class="dropdown-menu" ngbDropdownMenu aria-labelledby="admin-menu" style="background: #262626!important;">
           <li>
-            <a class="dropdown-item" routerLink="admin/gateway" routerLinkActive="active" (click)="collapseNavbar()">
+            <a class="dropdown-item" routerLink="admin/gateway" routerLinkActive="active" (click)="collapseNavbar()"
+            style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';">
               <fa-icon icon="road" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.admin.gateway">Gateway</span>
             </a>
           </li>
           <li *ngIf="openAPIEnabled">
-            <a class="dropdown-item" routerLink="admin/docs" routerLinkActive="active" (click)="collapseNavbar()">
+            <a class="dropdown-item" routerLink="admin/docs" routerLinkActive="active" (click)="collapseNavbar()"
+            style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';">
               <fa-icon icon="book" [fixedWidth]="true"></fa-icon>
               <span jhiTranslate="global.menu.admin.apidocs">API</span>
             </a>
           </li>
-          <!-- jhipster-needle-add-element-to-admin-menu - JHipster will add entities to the admin menu here -->
-        </ul>
-      </li>
-      <!--
-      <li ngbDropdown class="nav-item dropdown pointer" display="dynamic" *ngIf="languages && languages.length > 1">
-        <a class="nav-link dropdown-toggle" ngbDropdownToggle href="javascript:void(0);" id="languagesnavBarDropdown">
-          <span>
-            <fa-icon icon="flag"></fa-icon>
-            <span jhiTranslate="global.menu.language">Language</span>
-          </span>
-        </a>
-        <ul class="dropdown-menu" ngbDropdownMenu aria-labelledby="languagesnavBarDropdown">
-          <li *ngFor="let language of languages">
-            <a
-              class="dropdown-item"
-              [jhiActiveMenu]="language"
-              href="javascript:void(0);"
-              (click)="changeLanguage(language); collapseNavbar()"
-              >{{ language | findLanguageFromKey }}</a
-            >
+          <li>
+            <a class="dropdown-item" routerLink="admin/audit-logs" routerLinkActive="active" (click)="collapseNavbar()"
+            style="background: #262626!important; color: #fff!important;"
+              onMouseOver="this.style.color='#fff'; this.style.textDecoration='underline';"
+			  onMouseOut="this.style.color='#fff'; this.style.textDecoration='none';">
+              <fa-icon icon="book" [fixedWidth]="true"></fa-icon>
+              <span jhiTranslate="global.menu.admin.auditLogs">Audit Logs</span>
+            </a>
           </li>
+          <!-- jhipster-needle-add-element-to-admin-menu - JHipster will add entities to the admin menu here -->
         </ul>
       </li>
-      -->
       <!--
       <li
         ngbDropdown
diff --git a/git/cocGateway/src/main/webapp/content/css/footer-style.css b/git/cocGateway/src/main/webapp/content/css/footer-style.css
new file mode 100644
index 0000000000000000000000000000000000000000..4d8922936c78f846c40c6f9bbb0b0abcf75f0382
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/content/css/footer-style.css
@@ -0,0 +1,31 @@
+.medina-footer{    
+    background-color:#0099a0;
+    color: white!important; 
+    position: fixed;
+}   
+
+footer{
+    bottom:0px;
+    left:0px;
+    width: 100%;
+    position:fixed;
+}
+
+    .medina-footer .fwr{
+        display: flex;
+        background: #0099a0;
+        width: 100%;
+        flex-wrap: wrap;
+    }
+    .medina-images-footer{
+        max-width: 100%;
+        width: 100%;
+        padding: 15px;
+        margin-right: auto;
+        margin-left: auto;
+       text-align: center;
+    }
+
+    .img-footer-height{
+        height: 70px;
+    }
\ No newline at end of file
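Review bot: None of the templates visible in this part of the commit uses `.medina-footer`, `.fwr`, `.medina-images-footer` or `.img-footer-height` — the new footer.component.html styles itself inline — so this stylesheet looks unused unless it is referenced elsewhere. The bare `footer { position:fixed; ... }` rule is global and would apply to any `<footer>` element in the application, and `.medina-footer` repeats `position: fixed`. Scope the rules to a class, drop what is not used, and end the file with a newline.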
diff --git a/git/cocGateway/src/main/webapp/content/docs/Catalogue_User_Manual.pdf b/git/cocGateway/src/main/webapp/content/docs/Catalogue_User_Manual.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..ba8e9d771c323da747fb12d0e954204971b6f182
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/docs/Catalogue_User_Manual.pdf differ
diff --git a/git/cocGateway/src/main/webapp/content/images/copyright.png b/git/cocGateway/src/main/webapp/content/images/copyright.png
new file mode 100644
index 0000000000000000000000000000000000000000..d541cf129fae50e71b94cc1d009aea3d3392b567
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/copyright.png differ
diff --git a/git/cocGateway/src/main/webapp/content/images/eur.png b/git/cocGateway/src/main/webapp/content/images/eur.png
new file mode 100644
index 0000000000000000000000000000000000000000..4e421c25b32d1a9f6c1db9ede3d7c2614b58a695
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/eur.png differ
diff --git a/git/cocGateway/src/main/webapp/content/images/grantagreement.png b/git/cocGateway/src/main/webapp/content/images/grantagreement.png
new file mode 100644
index 0000000000000000000000000000000000000000..33152c96049104766487625f0247e4e22a4580b9
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/grantagreement.png differ
diff --git a/git/cocGateway/src/main/webapp/content/images/loading.gif b/git/cocGateway/src/main/webapp/content/images/loading.gif
new file mode 100644
index 0000000000000000000000000000000000000000..d45c663779e2bd5ae6ae298afe85fe85fc176288
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/loading.gif differ
diff --git a/git/cocGateway/src/main/webapp/content/images/scorecard.jpg b/git/cocGateway/src/main/webapp/content/images/scorecard.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..474253d0c9097ef3a14fdcce27b85d7d5a66445c
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/scorecard.jpg differ
diff --git a/git/cocGateway/src/main/webapp/content/images/tecnalia.png b/git/cocGateway/src/main/webapp/content/images/tecnalia.png
new file mode 100644
index 0000000000000000000000000000000000000000..ac95c061e5b791f6d53f388cca7b1a7d5301da99
Binary files /dev/null and b/git/cocGateway/src/main/webapp/content/images/tecnalia.png differ
diff --git a/git/cocGateway/src/main/webapp/content/scss/global.scss b/git/cocGateway/src/main/webapp/content/scss/global.scss
index 1ab90a0117aca0c097cce70f37b1f2c4a3dfc1b3..2dc73fc2fa706ddf556374f127fcfde0b260d3aa 100755
--- a/git/cocGateway/src/main/webapp/content/scss/global.scss
+++ b/git/cocGateway/src/main/webapp/content/scss/global.scss
@@ -11,6 +11,7 @@ h1,
 h2,
 h3,
 h4 {
+  font-family: "Open-Sans", Arial, sans-serif;
   font-weight: 300;
 }
 
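Review bot: The family name `"Open-Sans"` in the added `font-family` line matches only if an `@font-face` rule declares exactly that name; the font is normally registered as `"Open Sans"`, and no font-face declaration is visible in this hunk. If the name does not match, the headings silently fall back to Arial. Confirm the declared name and, if it is the usual one, write `font-family: "Open Sans", Arial, sans-serif;`.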
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackend-assuranceLevel.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackend-assuranceLevel.json
index b6ed23d2c285ecbc49fd996527c85afde42e1cfc..bd2049d2b820e95cf026b637800478c7248a3cd8 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackend-assuranceLevel.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackend-assuranceLevel.json
@@ -2,9 +2,9 @@
   "cocGatewayApp": {
     "AssuranceLevel": {
       "null": "",
-      "BASIC": "Basic",
-      "SUBSTANTIAL": "Substantial",
-      "HIGH": "High"
+      "Basic": "Basic",
+      "Substantial": "Substantial",
+      "High": "High"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendAuditLogs.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendAuditLogs.json
new file mode 100644
index 0000000000000000000000000000000000000000..bfab2c69e311b77736354cf69d33b98cd019605b
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendAuditLogs.json
@@ -0,0 +1,16 @@
+{
+  "cocGatewayApp": {
+    "cocBackendAuditLogs": {
+      "home": {
+        "title": "Audit Logs",
+        "refreshListLabel": "Refresh list",
+        "notFound": "No Audit Logs found"
+      },
+      "dateLog": "Date",
+      "user": "User",
+      "entity": "Entity",
+      "target": "Identifier",
+      "operation": "Operation"
+    }
+  }
+}
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendQuestionnaire.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendQuestionnaire.json
index a8ce232eeef32dd136505d88be9f20dfa9e5aeb7..ae2503027dc96a1172e3c1da7226614a662587bb 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendQuestionnaire.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendQuestionnaire.json
@@ -4,24 +4,70 @@
       "home": {
         "title": "Questionnaires",
         "singularTitle": "Questionnaire",
+        "reportTitle": "Generating report...",
         "notFound": "No Questionnaires found"
       },
+      "reporting": {
+		"date": "Questionnaire date:",
+		"assuranceLevel": "Assurance level:",
+		"purpose": "Purpose:",
+		"page": "Page"
+	  },
       "id": "ID",
-      "securityControlFramework": "Select the Security Framework",
+      "loadQuestionnaire": "Load an existing Questionnaire",
+      "selectQuestionnaire": "Select Questionnaire",
+      "startQuestionnaire": "Start a new Questionnaire",
+      "securityControlFramework": "Framework",
+      "selectSecurityFramework": "Select the Framework",
       "assuranceLevel": "Select the assurance level",
-      "purpose": "Select purpose",
+      "purpose": "Select the purpose",
+      "selectCloudService": "Select Cloud Service information",
+      "cloudServiceProviderId": "Select Cloud Service Provider ID",
+      "cloudServiceId": "Select the Cloud Service",
+      "load": "Load Questionnaire",
+      "report": "Generate report",
+      "remove": "Remove Questionnaire",
       "start": "Start Questionnaire",
       "categories": "Categories",
+      "chooseControl": "Choose a Control:",
       "evidence": "Evidence:",
       "comments": "Comments:",
-      "nonConformities": "Non-conformities of the requirement:"
+      "nonConformities": "Non-conformities of the requirement:",
+      "nonConformitiesReport": "Non-conformities:",
+      "compliance": "Compliance:",
+      "compliant": "Compliant",
+      "notCompliant": "Not compliant",
+      "notApplicable": "Not applicable",
+      "fullCompliance": "- Requirements with FULL compliance:",
+      "noCompliance": "- Non-compliant requirements:",
+      "partialCompliance": "- Requirements with PARTIAL compliance:",
+      "naCompliance": "- Requirements with compliance NOT APPLICABLE:",
+      "requirement": "Requirement:",
+      "updated": "The Questionnaire was saved successfully",
+      "noQuestionnaires": "There is no Questionnaire stored",
+      "noRequirementsAssociated": "The selected assurance level has no requirements associated to this control.",
+      "noQuestionsAssociated": "The selected assurance level has no questions associated to this requirement.",
+      "infoTitle": "Questionnaires info",
+      "numberQuestions": "Number of questions",
+      "basicQuestions": "Basic level of assurance:",
+      "substantialQuestions": "Substantial level of assurance:",
+      "highQuestions": "High level of assurance:",
+      "removeQuestion": "Are you sure you want to remove the selected Questionnaire?"
     }
   },
   "cocBackendApp": {
     "cocBackendQuestionnaire": {
       "created": "A new Questionnaire is created with identifier {{ param }}",
-      "updated": "A Questionnaire is updated with identifier {{ param }}",
+      "updated": "The Questionnaire was updated with identifier {{ param }}",
       "deleted": "A Questionnaire is deleted with identifier {{ param }}"
     }
+  },
+  "global": {
+	"compliance": {
+	  "yes": "YES",
+	  "no": "NO",
+	  "partial": "PARTIAL",
+	  "na": "N/A"
+    }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendReferenceTom.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendReferenceTom.json
index 3ac2bc4df88d1e990279315cadb2a5b5b785096b..84b68b6dfb7864afa2bc7d911ec5245adc3ac10e 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendReferenceTom.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendReferenceTom.json
@@ -2,21 +2,26 @@
   "cocGatewayApp": {
     "cocBackendReferenceTom": {
       "home": {
-        "title": "Reference TOMs",
+        "title": "Implementation guidelines",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new Reference TOM",
-        "createOrEditLabel": "Create or edit a Reference TOM",
-        "notFound": "No Reference TOMs found"
+        "createLabel": "Create a new Implementation guideline",
+        "createOrEditLabel": "Edit an Implementation guideline",
+        "notFound": "No Implementation guidelines found"
       },
       "delete": {
-        "question": "Are you sure you want to delete Reference TOM {{ id }}?"
+        "question": "Are you sure you want to delete Implementation guideline {{ id }}?"
       },
       "detail": {
-        "title": "Reference TOM"
+        "title": "Implementation guideline"
       },
       "id": "ID",
-      "referenceTomImpl": "Reference TOM",
-      "tom": "TOM",
+      "referenceTomImpl": "Implementation guideline",
+      "tom": "Requirement",
+      "tomCode": "Requirement Code",
+      "tomDescription": "Requirement Description",
+      "securityControl": "Control",
+      "securityControlCode": "Control Code",
+      "securityControlName": "Control Name",
       "description": "Descripción",
       "help": {
         "referenceTomImpl": "name"
@@ -25,9 +30,9 @@
   },
   "cocBackendApp": {
     "cocBackendReferenceTom": {
-      "created": "A new Reference TOM is created with identifier {{ param }}",
-      "updated": "A Reference TOM is updated with identifier {{ param }}",
-      "deleted": "A Reference TOM is deleted with identifier {{ param }}"
+      "created": "A new Implementation guideline is created with identifier {{ param }}",
+      "updated": "An Implementation guideline is updated with identifier {{ param }}",
+      "deleted": "An Implementation guideline is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControl.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControl.json
index 8cd16ade1291f5eb0a4796f83a56ab2993e9040a..14ee64513969251dbe985b2c6ad5e5cdeb7f1509 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControl.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControl.json
@@ -2,33 +2,34 @@
   "cocGatewayApp": {
     "cocBackendSecurityControl": {
       "home": {
-        "title": "Security Controls",
+        "title": "Controls",
         "framework": "Framework:",
         "category": "Category:",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new Security Control",
-        "createOrEditLabel": "Create or edit a Security Control",
-        "notFound": "No Security Controls found"
+        "createLabel": "Create a new Control",
+        "createOrEditLabel": "Edit a Control",
+        "notFound": "No Controls found"
       },
       "delete": {
-        "question": "Are you sure you want to delete Security Control {{ id }}?"
+        "question": "Are you sure you want to delete Control {{ id }}?"
       },
       "detail": {
-        "title": "Security Control"
+        "title": "Control"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
+      "controlId": "Control ID",
       "objective": "Objective",
       "description": "Description",
-      "guidance": "Guidance",
-      "riskReductionWeight": "Risk Reduction Weight",
       "similarControls": "Similar Controls",
-      "securityControlCategory": "Security Category",
+      "otherFrameworks": "Other Frameworks",
+      "securityControlCategory": "Category",
       "resource": "Resource",
       "help": {
         "code": "code",
         "name": "name",
+        "controlId": "Control ID",
         "objective": "objective",
         "description": "description",
         "guidance": "guidance",
@@ -38,9 +39,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControl": {
-      "created": "A new Security Control is created with identifier {{ param }}",
-      "updated": "A Security Control is updated with identifier {{ param }}",
-      "deleted": "A Security Control is deleted with identifier {{ param }}"
+      "created": "A new Control is created with identifier {{ param }}",
+      "updated": "A Control is updated with identifier {{ param }}",
+      "deleted": "A Control is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlCategory.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlCategory.json
index a3584b04ec5a7b8ccb3892e308d36a3b834eeada..bc6165612abd53b31a43a684ee357810986bb140 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlCategory.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlCategory.json
@@ -2,24 +2,24 @@
   "cocGatewayApp": {
     "cocBackendSecurityControlCategory": {
       "home": {
-        "title": "Security Categories",
+        "title": "Categories",
         "framework": "Framework:",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new Security Category",
-        "createOrEditLabel": "Create or edit a Security Category",
-        "notFound": "No Security Categories found"
+        "createLabel": "Create a new Category",
+        "createOrEditLabel": "Edit a Category",
+        "notFound": "No Categories found"
       },
       "delete": {
-        "question": "Are you sure you want to delete Security Category {{ id }}?"
+        "question": "Are you sure you want to delete Category {{ id }}?"
       },
       "detail": {
-        "title": "Security Category"
+        "title": "Category"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
       "description": "Description",
-      "securityControlFramework": "Security Framework",
+      "securityControlFramework": "Framework",
       "help": {
         "code": "code",
         "name": "name",
@@ -29,9 +29,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControlCategory": {
-      "created": "A new Security Category is created with identifier {{ param }}",
-      "updated": "A Security Category is updated with identifier {{ param }}",
-      "deleted": "A Security Category is deleted with identifier {{ param }}"
+      "created": "A new Category is created with identifier {{ param }}",
+      "updated": "A Category is updated with identifier {{ param }}",
+      "deleted": "A Category is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlFramework.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlFramework.json
index 140cb2219d225ec96afd1bf89845232ea09d4d68..4521299e2b71ed7ffec3bdc10e00f6d42bc78e6d 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlFramework.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityControlFramework.json
@@ -2,17 +2,17 @@
   "cocGatewayApp": {
     "cocBackendSecurityControlFramework": {
       "home": {
-        "title": "Security Frameworks",
+        "title": "Frameworks",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new Security Framework",
-        "createOrEditLabel": "Create or edit a Security Framework",
-        "notFound": "No Security Frameworks found"
+        "createLabel": "Create a new Framework",
+        "createOrEditLabel": "Edit a Framework",
+        "notFound": "No Frameworks found"
       },
       "delete": {
-        "question": "Are you sure you want to delete Security Framework {{ id }}?"
+        "question": "Are you sure you want to delete Framework {{ id }}?"
       },
       "detail": {
-        "title": "Security Framework"
+        "title": "Framework"
       },
       "id": "ID",
       "name": "Name",
@@ -28,9 +28,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControlFramework": {
-      "created": "A new Security Framework is created with identifier {{ param }}",
-      "updated": "A Security Framework is updated with identifier {{ param }}",
-      "deleted": "A Security Framework is deleted with identifier {{ param }}"
+      "created": "A new Framework is created with identifier {{ param }}",
+      "updated": "A Framework is updated with identifier {{ param }}",
+      "deleted": "A Framework is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityMetric.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityMetric.json
index 4cb939fb0003c3479c392e2ffb2885f9106620f3..6e9b428d8d9d9d53ec0dfbac16a5b854e20e9088 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityMetric.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSecurityMetric.json
@@ -2,21 +2,21 @@
   "cocGatewayApp": {
     "cocBackendSecurityMetric": {
       "home": {
-        "title": "Security Metrics",
+        "title": "Metrics",
         "framework": "Framework:",
         "category": "Category:",
         "control": "Control:",
-        "tom": "TOM:",
+        "tom": "Requirement:",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new Security Metric",
-        "createOrEditLabel": "Create or edit a Security Metric",
-        "notFound": "No Security Metrics found"
+        "createLabel": "Create a new Metric",
+        "createOrEditLabel": "Create or edit a Metric",
+        "notFound": "No Metrics found"
       },
       "delete": {
-        "question": "Are you sure you want to delete Security Metric {{ id }}?"
+        "question": "Are you sure you want to delete Metric {{ id }}?"
       },
       "detail": {
-        "title": "Security Metric"
+        "title": "Metric"
       },
       "id": "ID",
       "metricId": "Metric Id",
@@ -30,10 +30,12 @@
       "targetValueDatatype": "Target Value Datatype",
       "interval": "Interval",
       "targetResourceType": "Target Resource Type",
-      "tom": "TOM",
-      "relatedToms": "Related TOMs",
-      "referenceTom": "Reference TOM",
+      "tom": "Requirement",
+      "relatedToms": "Requirements",
+      "referenceTom": "Implementation guideline",
       "resourceType": "Resource Type",
+      "securityFeature": "Security feature",
+      "keywords": "Keywords",
       "help": {
         "category": "category",
         "name": "name",
@@ -49,9 +51,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityMetric": {
-      "created": "A new Security Metric is created with identifier {{ param }}",
-      "updated": "A Security Metric is updated with identifier {{ param }}",
-      "deleted": "A Security Metric is deleted with identifier {{ param }}"
+      "created": "A new Metric is created with identifier {{ param }}",
+      "updated": "A Metric is updated with identifier {{ param }}",
+      "deleted": "A Metric is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSimilarControl.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSimilarControl.json
index 25e8b1bc9a40c57a05ad2fa9203e7522fa91ee41..215e31d9a4c4167753c32e8f9c0579a938e8ebeb 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendSimilarControl.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendSimilarControl.json
@@ -5,9 +5,10 @@
         "title": "Similar Controls",
         "framework": "Framework:",
         "category": "Category:",
+        "control": "Control:",
         "refreshListLabel": "Refresh list",
         "createLabel": "Create a new Similar Control",
-        "createOrEditLabel": "Create or edit a Similar Control",
+        "createOrEditLabel": "Edit a Similar Control",
         "notFound": "No Similar Controls found"
       },
       "delete": {
@@ -19,10 +20,15 @@
       "id": "ID",
       "code": "Code",
       "name": "Name",
-      "securityControlFrameworkName": "Security Framework",
-      "securityControl": "Framework Security Control",
+      "securityControlFrameworkName": "Framework",
+      "securityControl": "Control",
       "similarControl": "Similar Control",
       "controlName": "Control Name",
+      "eucsControl": "EUCS Control",
+      "eucsControlId": "EUCS Control ID",
+      "eucsControlName": "EUCS Control Name",
+      "similarControlId": "Similar Control ID",
+      "similarControlName": "Similar Control Name",
       "help": {
         "code": "code",
         "name": "name",
diff --git a/git/cocGateway/src/main/webapp/i18n/en/cocBackendTom.json b/git/cocGateway/src/main/webapp/i18n/en/cocBackendTom.json
index 3421953d25bfbbfc9d2d472545593f642cc5aaca..781d00ff44d13c3760c6b93fc271013e2a0f557e 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/cocBackendTom.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/cocBackendTom.json
@@ -2,32 +2,40 @@
   "cocGatewayApp": {
     "cocBackendTom": {
       "home": {
-        "title": "TOMs",
+        "title": "Requirements",
         "framework": "Framework:",
         "category": "Category:",
         "control": "Control:",
         "refreshListLabel": "Refresh list",
-        "createLabel": "Create a new TOM",
-        "createOrEditLabel": "Create or edit a TOM",
-        "notFound": "No TOMs found"
+        "createLabel": "Create a new Requirement",
+        "createOrEditLabel": "Edit a Requirement",
+        "notFound": "No Requirements found"
       },
       "delete": {
-        "question": "Are you sure you want to delete TOM {{ id }}?"
+        "question": "Are you sure you want to delete Requirement {{ id }}?"
       },
       "detail": {
-        "title": "TOM"
+        "title": "Requirement"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
+      "reqId": "Req. ID",
       "description": "Description",
       "assuranceLevel": "Assurance Level",
       "type": "Type",
-      "securityControl": "Security Control",
+      "guidance": "Guidance",
+      "implementationGuideline": "Implementation guideline",
+      "implementationGuidelines": "Implementation guidelines",
+      "check": "Check",
+      "securityControl": "Control",
+      "securityFramework": "Framework",
       "noMetrics": "No Metrics",
+      "noImplementationGuidelines": "No Implementation guidelines",
       "help": {
         "code": "code",
         "name": "name",
+        "reqId": "Req. ID",
         "description": "description",
         "assuranceLevel": "assuranceLevel",
         "type": "type"
@@ -36,9 +44,9 @@
   },
   "cocBackendApp": {
     "cocBackendTom": {
-      "created": "A new Tom is created with identifier {{ param }}",
-      "updated": "A Tom is updated with identifier {{ param }}",
-      "deleted": "A Tom is deleted with identifier {{ param }}"
+      "created": "A new Requirement is created with identifier {{ param }}",
+      "updated": "A Requirement is updated with identifier {{ param }}",
+      "deleted": "A Requirement is deleted with identifier {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/en/global.json b/git/cocGateway/src/main/webapp/i18n/en/global.json
index 5abbc4d5a5dbe2b7063885ddcd1fe7279f7cd2d1..3f7d30271f6447d66ccab1650757f5add0728baa 100755
--- a/git/cocGateway/src/main/webapp/i18n/en/global.json
+++ b/git/cocGateway/src/main/webapp/i18n/en/global.json
@@ -7,19 +7,21 @@
       "home": "Home",
       "jhipster-needle-menu-add-element": "JHipster will add additional menu entries here (do not translate!)",
       "entities": {
-        "main": "Entities",
-        "cocBackendSecurityControlFramework": "Security Frameworks",
-        "cocBackendSecurityControlCategory": "Security Categories",
-        "cocBackendSecurityControl": "Security Controls",
+        "main": "Catalogue",
+        "cocBackendSecurityControlFramework": "Frameworks",
+        "cocBackendSecurityControlCategory": "Categories",
+        "cocBackendSecurityControl": "Controls",
         "cocBackendSimilarControl": "Similar Controls",
-        "cocBackendTom": "TOMs",
-        "cocBackendReferenceTom": "Reference TOMs",
-        "cocBackendSecurityMetric": "Security Metrics",
+        "cocBackendTom": "Requirements",
+        "cocBackendReferenceTom": "Implementation guidelines",
+        "cocBackendSecurityMetric": "Metrics",
         "cocBackendResourceType": "Resource Types",
         "cocBackendTargetValue": "Target Values",
         "cocBackendResource": "Resources",
         "cocBackendCloudService": "Cloud Services",
         "cocBackendCloudServiceProvider": "Cloud Service Providers",
+        "cocBackendQuestionnaires": "Questionnaires",
+        "cocBackendHelp": "Help",
         "jhipster-needle-menu-add-entry": "JHipster will add additional entities here (do not translate!)"
       },
       "account": {
@@ -34,6 +36,7 @@
       "admin": {
         "main": "Administration",
         "gateway": "Gateway",
+        "auditLogs": "Audit Logs",
         "userManagement": "User management",
         "tracker": "User tracker",
         "metrics": "Metrics",
@@ -108,20 +111,26 @@
       "back": "Back",
       "cancel": "Cancel",
       "delete": "Delete",
+      "remove": "Remove",
       "edit": "Edit",
       "open": "Open",
       "save": "Save",
+      "saveAndExit": "Save and exit",
+      "saveAsPdf": "Save as PDF",
       "view": "View",
       "previous": "Previous",
       "next": "Next",
+      "exit": "Exit",
+      "close": "Close",
       "relatedCategories": "Categories",
       "relatedCategoriesLong": "Related Categories",
       "relatedControls": "Controls",
       "relatedControlsLong": "Related Controls",
-      "relatedToms": "TOMs",
-      "relatedTomsLong": "Related TOMs",
+      "relatedToms": "Requirements",
+      "relatedTomsLong": "Related Requirements",
       "relatedMetrics": "Metrics",
-      "relatedMetricsLong": "Related Security Metrics"
+      "relatedMetricsLong": "Related Security Metrics",
+      "viewList": "View list"
     },
     "detail": {
       "field": "Field",
@@ -161,5 +170,11 @@
       "not.image": "File was expected to be an image but was found to be \"{{ fileType }}\""
     }
   },
+  "compliance": {
+	"yes": "YES",
+	"no": "NO",
+	"partial": "PARTIAL",
+	"na": "N/A"
+  },
   "footer": "This is your footer"
 }
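Review bot: The `compliance` block is added at the root of this file, next to `footer`, while the questionnaire translation files in the same commit add the same four labels under `global.compliance`, so one set of strings ends up with two key paths (`compliance.yes` and `global.compliance.yes`). The templates that consume these keys are not visible here; presumably only one path is referenced, which leaves the other as a dead copy that can drift. Keeping a single copy, for instance only the `global.compliance` one, and deleting the others would make the lookup unambiguous. The added `"yes"` to `"na"` lines are also tab-indented in a file that otherwise uses spaces.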
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackend-assuranceLevel.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackend-assuranceLevel.json
index b6ed23d2c285ecbc49fd996527c85afde42e1cfc..bd2049d2b820e95cf026b637800478c7248a3cd8 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackend-assuranceLevel.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackend-assuranceLevel.json
@@ -2,9 +2,9 @@
   "cocGatewayApp": {
     "AssuranceLevel": {
       "null": "",
-      "BASIC": "Basic",
-      "SUBSTANTIAL": "Substantial",
-      "HIGH": "High"
+      "Basic": "Basic",
+      "Substantial": "Substantial",
+      "High": "High"
     }
   }
 }
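Review bot: Renaming the keys from `BASIC`/`SUBSTANTIAL`/`HIGH` to `Basic`/`Substantial`/`High` changes the lookup path, and translation keys are matched case-sensitively, so any template that still appends an upper-case enum value to `cocGatewayApp.AssuranceLevel.` will show the raw key instead of a label. The enum or DTO that supplies the value is not visible in this hunk, so it is worth confirming that the backend serialisation and any already-stored rows use the new casing. If both forms can occur during a migration, keeping the old keys alongside the new ones, e.g. `"BASIC": "Basic",` next to `"Basic": "Basic",`, avoids an untranslated level label.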
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendAuditLogs.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendAuditLogs.json
new file mode 100644
index 0000000000000000000000000000000000000000..e1cedd540f4377aa14a6e87c3a2da45b5d2f1373
--- /dev/null
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendAuditLogs.json
@@ -0,0 +1,16 @@
+{
+  "cocGatewayApp": {
+    "cocBackendAuditLogs": {
+      "home": {
+        "title": "Audit Logs",
+        "refreshListLabel": "Refresh list",
+        "notFound": "No Audit Logs found"
+      },
+      "dateLog": "Date",
+      "user": "User",
+      "entity": "Entity",
+      "target": "Identifier",
+      "operation": "Operation"
+    }
+  }
+}
\ No newline at end of file
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendQuestionnaire.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendQuestionnaire.json
index 0c542ec2b8e44d8c97ede7d11ccdd9e354a9e275..55ec9c6aef1b02ea90169b497f2e937fd9532cb1 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendQuestionnaire.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendQuestionnaire.json
@@ -4,17 +4,55 @@
       "home": {
         "title": "Cuestionarios",
         "singularTitle": "Cuestionario",
+        "reportTitle": "Generando informe...",
         "notFound": "Ningún Cuestionario encontrado"
       },
+      "reporting": {
+		"date": "Questionnaire date:",
+		"assuranceLevel": "Assurance level:",
+		"purpose": "Purpose:",
+		"page": "Page"
+	  },
       "id": "ID",
-      "securityControlFramework": "Select the Security Framework",
+      "loadQuestionnaire": "Load an existing Questionnaire",
+      "selectQuestionnaire": "Select Questionnaire",
+      "startQuestionnaire": "Start a new Questionnaire",
+      "securityControlFramework": "Framework",
+      "selectSecurityFramework": "Select the Framework",
       "assuranceLevel": "Select the assurance level",
-      "purpose": "Select purpose",
+      "purpose": "Select the purpose",
+      "selectCloudService": "Select Cloud Service information",
+      "cloudServiceProviderId": "Select Cloud Service Provider ID",
+      "cloudServiceId": "Select the Cloud Service",
+      "load": "Cargar Cuestionario",
+      "report": "Generar informe",
+      "remove": "Remover Cuestionario",
       "start": "Empezar Cuestionario",
       "categories": "Categorías",
+      "chooseControl": "Seleccione un Control:",
       "evidence": "Evidencia:",
       "comments": "Comentarios:",
-      "nonConformities": "No conformidades del requisito:"
+      "nonConformities": "No conformidades del requisito:",
+      "nonConformitiesReport": "Non-conformities:",
+      "compliance": "Cumplimiento:",
+      "compliant": "Cumple",
+      "notCompliant": "No cumple",
+      "notApplicable": "No aplicable",
+      "fullCompliance": "- Requirements with FULL compliance:",
+      "noCompliance": "- Non-compliant requirements:",
+      "partialCompliance": "- Requirements with PARTIAL compliance:",
+      "naCompliance": "- Requirements with compliance NOT APPLICABLE:",
+      "requirement": "Requirement:",
+      "updated": "The Questionnaire was saved successfully",
+      "noQuestionnaires": "There is no Questionnaire stored",
+      "noRequirementsAssociated": "The selected assurance level has no requirements associated to this control.",
+      "noQuestionsAssociated": "The selected assurance level has no questions associated to this requirement.",
+      "infoTitle": "Questionnaires info",
+      "numberQuestions": "Number of questions",
+      "basicQuestions": "Basic level of assurance:",
+      "substantialQuestions": "Substantial level of assurance:",
+      "highQuestions": "High level of assurance:",
+      "removeQuestion": "Are you sure you want to remove the selected Questionnaire?"
     }
   },
   "cocBackendApp": {
@@ -23,5 +61,13 @@
       "updated": "Un Cuestionario ha sido actualizado con el identificador {{ param }}",
       "deleted": "Un Cuestionario ha sido eliminado con el identificador {{ param }}"
     }
+  },
+  "global": {
+	"compliance": {
+	  "yes": "SÍ",
+	  "no": "NO",
+	  "partial": "PARCIAL",
+	  "na": "N/A"
+    }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendReferenceTom.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendReferenceTom.json
index a3dee7ea0d68e0cca78bb3f36b0cbe3ec109ba8a..dc1a5a5c56c32f6495aa6ce23de7215a79c8bc84 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendReferenceTom.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendReferenceTom.json
@@ -2,21 +2,26 @@
   "cocGatewayApp": {
     "cocBackendReferenceTom": {
       "home": {
-        "title": "Reference TOMs",
+        "title": "Requerimientos de referencia",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo Reference TOM",
-        "createOrEditLabel": "Crear o editar Reference TOM",
-        "notFound": "Ningún Reference TOM encontrado"
+        "createLabel": "Crear nuevo Requerimiento de referencia",
+        "createOrEditLabel": "Editar Requerimiento de referencia",
+        "notFound": "Ningún Requerimiento de referencia encontrado"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar Reference TOM {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Requerimiento de referencia {{ id }}?"
       },
       "detail": {
-        "title": "Reference TOM"
+        "title": "Requerimiento de referencia"
       },
       "id": "ID",
-      "referenceTomImpl": "Reference TOM",
-      "tom": "TOM",
+      "referenceTomImpl": "Requerimiento de referencia",
+      "tom": "Requerimiento",
+      "tomCode": "Requirement Code",
+      "tomDescription": "Requirement Description",
+      "securityControl": "Security Control",
+      "securityControlCode": "Control Code",
+      "securityControlName": "Control Name",
       "description": "Descripción",
       "help": {
         "referenceTomImpl": "name"
@@ -25,9 +30,9 @@
   },
   "cocBackendApp": {
     "cocBackendReferenceTom": {
-      "created": "Un nuevo Reference TOM ha sido creado con el identificador {{ param }}",
-      "updated": "Un Reference TOM ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un Reference TOM ha sido eliminado con el identificador {{ param }}"
+      "created": "Un nuevo Requerimiento de referencia ha sido creado con el identificador {{ param }}",
+      "updated": "Un Requerimiento de referencia ha sido actualizado con el identificador {{ param }}",
+      "deleted": "Un Requerimiento de referencia ha sido eliminado con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControl.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControl.json
index 1da50e68bd6eaac9d5b85e04b0563e3913d286c6..775cee7dd4673fe8e03fdc24bf945b71dbd51bc4 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControl.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControl.json
@@ -2,33 +2,34 @@
   "cocGatewayApp": {
     "cocBackendSecurityControl": {
       "home": {
-        "title": "Security Controls",
+        "title": "Controls",
         "framework": "Framework:",
         "category": "Categoría:",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo Security Control",
-        "createOrEditLabel": "Crear o editar Security Control",
-        "notFound": "Ningún Security Controls encontrado"
+        "createLabel": "Crear nuevo Control",
+        "createOrEditLabel": "Editar Control",
+        "notFound": "Ningún Control encontrado"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar Security Control {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Control {{ id }}?"
       },
       "detail": {
-        "title": "Security Control"
+        "title": "Control"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
+      "controlId": "Control ID",
       "objective": "Objective",
       "description": "Description",
-      "guidance": "Guidance",
-      "riskReductionWeight": "Risk Reduction Weight",
       "similarControls": "Similar Controls",
-      "securityControlCategory": "Security Category",
+      "otherFrameworks": "Other Frameworks",
+      "securityControlCategory": "Category",
       "resource": "Resource",
       "help": {
         "code": "code",
         "name": "name",
+        "controlId": "Control ID",
         "objective": "objective",
         "description": "description",
         "guidance": "guidance",
@@ -38,9 +39,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControl": {
-      "created": "Un nuevo Security Control ha sido creado con el identificador {{ param }}",
-      "updated": "Un Security Control ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un Security Control ha sido eliminado con el identificador {{ param }}"
+      "created": "Un nuevo Control ha sido creado con el identificador {{ param }}",
+      "updated": "Un Control ha sido actualizado con el identificador {{ param }}",
+      "deleted": "Un Control ha sido eliminado con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlCategory.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlCategory.json
index 03c7de7e3d2b10135aa57355d35d50edabcb50df..2d390d848116afc768caffbc0dcddcd72321bef4 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlCategory.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlCategory.json
@@ -2,24 +2,24 @@
   "cocGatewayApp": {
     "cocBackendSecurityControlCategory": {
       "home": {
-        "title": "Security Categories",
+        "title": "Categorías",
         "framework": "Framework:",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo Security Category",
-        "createOrEditLabel": "Crear o editar Security Category",
-        "notFound": "Ningún Security Categories encontrado"
+        "createLabel": "Crear nueva Categoría",
+        "createOrEditLabel": "Editar Categoría",
+        "notFound": "Ninguna Categoría encontrada"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar Security Category {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Categoría {{ id }}?"
       },
       "detail": {
-        "title": "Security Category"
+        "title": "Categoría"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
       "description": "Description",
-      "securityControlFramework": "Security Framework",
+      "securityControlFramework": "Framework",
       "help": {
         "code": "code",
         "name": "name",
@@ -29,9 +29,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControlCategory": {
-      "created": "Un nuevo Security Category ha sido creado con el identificador {{ param }}",
-      "updated": "Un Security Category ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un Security Category ha sido eliminado con el identificador {{ param }}"
+      "created": "Una nueva Categoría ha sido creado con el identificador {{ param }}",
+      "updated": "Una Categoría ha sido actualizado con el identificador {{ param }}",
+      "deleted": "Una Categoría ha sido eliminado con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlFramework.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlFramework.json
index c443ac5a32b813b8a1d5b3aceab6b2ad158c9fa3..8b78c1bfee9a0ec3f8d75ec09f064fcab8a3d13e 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlFramework.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityControlFramework.json
@@ -2,17 +2,17 @@
   "cocGatewayApp": {
     "cocBackendSecurityControlFramework": {
       "home": {
-        "title": "Security Frameworks",
+        "title": "Frameworks",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo Security Framework",
-        "createOrEditLabel": "Crear o editar Security Framework",
-        "notFound": "Ningún Security Frameworks encontrado"
+        "createLabel": "Crear nuevo Framework",
+        "createOrEditLabel": "Editar Framework",
+        "notFound": "Ningún Framework encontrado"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar Security Framework {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Framework {{ id }}?"
       },
       "detail": {
-        "title": "Security Framework"
+        "title": "Framework"
       },
       "id": "ID",
       "name": "Name",
@@ -28,9 +28,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityControlFramework": {
-      "created": "Un nuevo Security Framework ha sido creado con el identificador {{ param }}",
-      "updated": "Un Security Framework ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un Security Framework ha sido eliminado con el identificador {{ param }}"
+      "created": "Un nuevo Framework ha sido creado con el identificador {{ param }}",
+      "updated": "Un Framework ha sido actualizado con el identificador {{ param }}",
+      "deleted": "Un Framework ha sido eliminado con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityMetric.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityMetric.json
index e51ada280da42667a15ff1a2f765beca6b34810e..80afaa294f36e1fa98004ae57b2c7e074c8dbb6a 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityMetric.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSecurityMetric.json
@@ -2,21 +2,21 @@
   "cocGatewayApp": {
     "cocBackendSecurityMetric": {
       "home": {
-        "title": "Security Metrics",
+        "title": "Métricas",
         "framework": "Framework:",
         "category": "Categoría:",
         "control": "Control:",
-        "tom": "TOM:",
+        "tom": "Requerimiento:",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo Security Metric",
-        "createOrEditLabel": "Crear o editar Security Metric",
-        "notFound": "Ningún Security Metrics encontrado"
+        "createLabel": "Crear nueva Métrica",
+        "createOrEditLabel": "Crear o editar Métrica",
+        "notFound": "Ninguna Métrica encontrada"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar Security Metric {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Métrica {{ id }}?"
       },
       "detail": {
-        "title": "Security Metric"
+        "title": "Métrica"
       },
       "id": "ID",
       "metricId": "Metric Id",
@@ -30,10 +30,12 @@
       "targetValueDatatype": "Target Value Datatype",
       "interval": "Interval",
       "targetResourceType": "Target Resource Type",
-      "tom": "TOM",
-      "relatedToms": "Related TOMs",
-      "referenceTom": "Reference TOM",
+      "tom": "Requerimiento",
+      "relatedToms": "Requerimientos relacionados",
+      "referenceTom": "Implementation guideline",
       "resourceType": "Resource Type",
+      "securityFeature": "Security feature",
+      "keywords": "Keywords",
       "help": {
         "category": "category",
         "name": "name",
@@ -49,9 +51,9 @@
   },
   "cocBackendApp": {
     "cocBackendSecurityMetric": {
-      "created": "Un nuevo Security Metric ha sido creado con el identificador {{ param }}",
-      "updated": "Un Security Metric ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un Security Metric ha sido eliminado con el identificador {{ param }}"
+      "created": "Una nueva Métrica ha sido creada con el identificador {{ param }}",
+      "updated": "Una Métrica ha sido actualizada con el identificador {{ param }}",
+      "deleted": "Una Métrica ha sido eliminada con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSimilarControl.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSimilarControl.json
index 956940267c3b9273521eadf396b1919caac371b1..02fcb0d0bb0b30709df0a91da3188c519b905252 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendSimilarControl.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendSimilarControl.json
@@ -5,10 +5,11 @@
         "title": "Similar Controls",
         "framework": "Framework:",
         "category": "Categoría:",
+        "control": "Control:",
         "refreshListLabel": "Refrescar lista",
         "createLabel": "Crear nuevo Similar Control",
-        "createOrEditLabel": "Crear o editar Similar Control",
-        "notFound": "Ningún Similar Controls encontrado"
+        "createOrEditLabel": "Editar Similar Control",
+        "notFound": "Ningún Similar Control encontrado"
       },
       "delete": {
         "question": "¿Seguro que quiere eliminar Similar Control {{ id }}?"
@@ -19,10 +20,15 @@
       "id": "ID",
       "code": "Code",
       "name": "Name",
-      "securityControlFrameworkName": "Security Framework",
-      "securityControl": "Framework Security Control",
+      "securityControlFrameworkName": "Framework",
+      "securityControl": "Control",
       "similarControl": "Similar Control",
       "controlName": "Control Name",
+      "eucsControl": "EUCS Control",
+      "eucsControlId": "EUCS Control ID",
+      "eucsControlName": "EUCS Control Name",
+      "similarControlId": "Similar Control ID",
+      "similarControlName": "Similar Control Name",
       "help": {
         "code": "code",
         "name": "name",
diff --git a/git/cocGateway/src/main/webapp/i18n/es/cocBackendTom.json b/git/cocGateway/src/main/webapp/i18n/es/cocBackendTom.json
index e74fcb76b69fad831326fcd343166856981aabdd..97453604b17c05928cf82cc60f6404fdf06e3038 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/cocBackendTom.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/cocBackendTom.json
@@ -2,32 +2,40 @@
   "cocGatewayApp": {
     "cocBackendTom": {
       "home": {
-        "title": "TOMs",
+        "title": "Requerimientos",
         "framework": "Framework:",
         "category": "Categoría:",
         "control": "Control:",
         "refreshListLabel": "Refrescar lista",
-        "createLabel": "Crear nuevo TOM",
-        "createOrEditLabel": "Crear o editar TOM",
-        "notFound": "Ningún TOM encontrado"
+        "createLabel": "Crear nuevo Requerimiento",
+        "createOrEditLabel": "Editar Requerimiento",
+        "notFound": "Ningún Requerimiento encontrado"
       },
       "delete": {
-        "question": "¿Seguro que quiere eliminar TOM {{ id }}?"
+        "question": "¿Seguro que quiere eliminar Requerimiento {{ id }}?"
       },
       "detail": {
-        "title": "TOM"
+        "title": "Requerimiento"
       },
       "id": "ID",
       "code": "Code",
       "name": "Name",
+      "reqId": "Req. ID",
       "description": "Description",
       "assuranceLevel": "Assurance Level",
       "type": "Type",
-      "securityControl": "Security Control",
+      "guidance": "Guidance",
+      "implementationGuideline": "Implementation guideline",
+      "implementationGuidelines": "Implementation guidelines",
+      "check": "Check",
+      "securityControl": "Control",
+      "securityFramework": "Framework",
       "noMetrics": "No Metrics",
+      "noImplementationGuidelines": "No Implementation guidelines",
       "help": {
         "code": "code",
         "name": "name",
+        "reqId": "Req. ID",
         "description": "description",
         "assuranceLevel": "assuranceLevel",
         "type": "type"
@@ -36,9 +44,9 @@
   },
   "cocBackendApp": {
     "cocBackendTom": {
-      "created": "Un nuevo TOM ha sido creado con el identificador {{ param }}",
-      "updated": "Un TOM ha sido actualizado con el identificador {{ param }}",
-      "deleted": "Un TOM ha sido eliminado con el identificador {{ param }}"
+      "created": "Un nuevo Requerimiento ha sido creado con el identificador {{ param }}",
+      "updated": "Un Requerimiento ha sido actualizado con el identificador {{ param }}",
+      "deleted": "Un Requerimiento ha sido eliminado con el identificador {{ param }}"
     }
   }
 }
diff --git a/git/cocGateway/src/main/webapp/i18n/es/global.json b/git/cocGateway/src/main/webapp/i18n/es/global.json
index e1ab09a323f14af9247ad040f1977348fcffc876..1d01c7c788f3ce5a87aa08e5e5d0e3a5e92e8032 100755
--- a/git/cocGateway/src/main/webapp/i18n/es/global.json
+++ b/git/cocGateway/src/main/webapp/i18n/es/global.json
@@ -7,19 +7,21 @@
       "home": "Inicio",
       "jhipster-needle-menu-add-element": "JHipster will add additional menu entries here (do not translate!)",
       "entities": {
-        "main": "Entidades",
-        "cocBackendSecurityControlFramework": "Security Frameworks",
-        "cocBackendSecurityControlCategory": "Security Categories",
-        "cocBackendSecurityControl": "Security Controls",
+        "main": "Catálogo",
+        "cocBackendSecurityControlFramework": "Frameworks",
+        "cocBackendSecurityControlCategory": "Categories",
+        "cocBackendSecurityControl": "Controls",
         "cocBackendSimilarControl": "Similar Controls",
-        "cocBackendTom": "TOMs",
-        "cocBackendReferenceTom": "Reference TOMs",
-        "cocBackendSecurityMetric": "Security Metrics",
+        "cocBackendTom": "Requirements",
+        "cocBackendReferenceTom": "Implementation guidelines",
+        "cocBackendSecurityMetric": "Metrics",
         "cocBackendResourceType": "Resource Types",
         "cocBackendTargetValue": "Target Values",
         "cocBackendResource": "Resources",
         "cocBackendCloudService": "Cloud Services",
         "cocBackendCloudServiceProvider": "Cloud Service Providers",
+        "cocBackendQuestionnaires": "Cuestionarios",
+        "cocBackendHelp": "Ayuda",
         "jhipster-needle-menu-add-entry": "JHipster will add additional entities here (do not translate!)"
       },
       "account": {
@@ -34,6 +36,7 @@
       "admin": {
         "main": "Administración",
         "gateway": "Gateway",
+        "auditLogs": "Audit Logs",
         "userManagement": "Gestión de usuarios",
         "tracker": "Registro de usuarios",
         "metrics": "Métricas",
@@ -108,20 +111,26 @@
       "back": "Volver",
       "cancel": "Cancelar",
       "delete": "Eliminar",
+      "remove": "Eliminar",
       "edit": "Editar",
       "open": "Abrir",
       "save": "Guardar",
+      "saveAndExit": "Guardar y salir",
+      "saveAsPdf": "Guardar como PDF",
       "view": "Vista",
       "previous": "Anterior",
       "next": "Siguiente",
+      "exit": "Salir",
+      "close": "Cerrar",
       "relatedCategories": "Categorías",
       "relatedCategoriesLong": "Categorías relacionadas",
       "relatedControls": "Controles",
       "relatedControlsLong": "Controles relacionados",
-      "relatedToms": "TOMs",
-      "relatedTomsLong": "TOMs relacionados",
+      "relatedToms": "Requerimientos",
+      "relatedTomsLong": "Requerimientos relacionados",
       "relatedMetrics": "Métricas",
-      "relatedMetricsLong": "Métricas relacionadas"
+      "relatedMetricsLong": "Métricas relacionadas",
+      "viewList": "Ver lista"
     },
     "detail": {
       "field": "Campo",
@@ -160,5 +169,11 @@
       "not.image": "Se esperaba que el fichero fuera una imagen pero se encontro \"{{ fileType }}\""
     }
   },
+  "compliance": {
+	"yes": "SÍ",
+	"no": "NO",
+	"partial": "PARCIAL",
+	"na": "N/A"
+  },
   "footer": "Pie de página"
 }
diff --git a/git/cocGateway/src/main/webapp/index.html b/git/cocGateway/src/main/webapp/index.html
index 81ec4677e185bb9598504340d591501090e8b273..9dc0127e0a5526d5df7dd51517d3154885dd9024 100755
--- a/git/cocGateway/src/main/webapp/index.html
+++ b/git/cocGateway/src/main/webapp/index.html
@@ -12,9 +12,10 @@
     <link rel="icon" href="favicon.ico" />
     <link rel="manifest" href="manifest.webapp" />
     <link rel="stylesheet" href="content/css/loading.css" />
+    <link rel="stylesheet" href="content/css/footer-style.css" />
     <!-- jhipster-needle-add-resources-to-root - JHipster will add new resources here -->
   </head>
-  <body>
+  <body style="padding-bottom: 150px;">
     <!--[if lt IE 9]>
       <p class="browserupgrade">
         You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve
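Review bot: The inline `style="padding-bottom: 150px;"` on `<body>` would sit better in the `content/css/footer-style.css` sheet that this same hunk links, for example as `body { padding-bottom: 150px; }`. Inline style attributes only take effect while the page's Content-Security-Policy allows `'unsafe-inline'` for styles, so keeping them out of the markup leaves room to tighten that policy later. The policy this application actually sends is not visible in the diff, so treat the second point as something to confirm.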
diff --git a/git/cocMysql/Dockerfile b/git/cocMysql/Dockerfile
index c9ffca065399c1848c5315708b60a1afc0598983..020233567d17674fad346646e09f01e615bee646 100755
--- a/git/cocMysql/Dockerfile
+++ b/git/cocMysql/Dockerfile
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 FROM mysql:8.0.25
 
 ENV MYSQL_ALLOW_EMPTY_PASSWORD=yes \
diff --git a/git/cocMysql/RevisedMetricList_Script.2022-06-17.TEST.xlsx b/git/cocMysql/RevisedMetricList_Script.2022-06-17.TEST.xlsx
deleted file mode 100755
index 9f6ac14bc6424ab26039de405e75c6b3437fc32e..0000000000000000000000000000000000000000
Binary files a/git/cocMysql/RevisedMetricList_Script.2022-06-17.TEST.xlsx and /dev/null differ
diff --git a/git/cocMysql/RevisedMetricList_Script.2022-09-13.xlsx b/git/cocMysql/RevisedMetricList_Script.2022-09-13.xlsx
new file mode 100644
index 0000000000000000000000000000000000000000..ee13c723e9b30eff4541fe093fc98ca1b4f78872
Binary files /dev/null and b/git/cocMysql/RevisedMetricList_Script.2022-09-13.xlsx differ
diff --git a/git/cocMysql/startupscripts/02_createTables.sql b/git/cocMysql/startupscripts/02_createTables.sql
index c675585e01448852b0610005d96c89ed40c45c89..91106d6e17bbc26b7e03d93820fea56670428c35 100755
--- a/git/cocMysql/startupscripts/02_createTables.sql
+++ b/git/cocMysql/startupscripts/02_createTables.sql
@@ -44,8 +44,6 @@ CREATE TABLE `security_control` (
   `name` varchar(255) NOT NULL COMMENT 'name',
   `objective` varchar(255) NOT NULL COMMENT 'objective',
   `description` mediumtext NOT NULL COMMENT 'description',
-  `guidance` varchar(255) NOT NULL COMMENT 'guidance',
-  `risk_reduction_weight` float NOT NULL COMMENT 'riskReductionWeight',
   `security_control_category_id` bigint NOT NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COMMENT='SecurityControl entity.';
@@ -61,6 +59,7 @@ CREATE TABLE `tom` (
   `description` mediumtext NOT NULL COMMENT 'description',
   `assurance_level` varchar(255) DEFAULT NULL COMMENT 'assuranceLevel',
   `type` varchar(255) NOT NULL COMMENT 'type',
+  `guidance` text DEFAULT NULL COMMENT 'guidance',
   `security_control_id` bigint NOT NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COMMENT='Tom entity.';
@@ -108,7 +107,7 @@ CREATE TABLE `security_metric` (
   `target_resource_type` varchar(255) DEFAULT NULL COMMENT 'targetResourceType pendiente de sacar a entidad TargetResourceType?',
   `security_feature` varchar(255) DEFAULT NULL,
   `keywords` varchar(255) DEFAULT NULL,
-  `reference_tom_id` bigint DEFAULT NULL,
+  `reference_tom_id` bigint DEFAULT NULL COMMENT 'pending, not used, not needed',
   `resource_type_id` bigint DEFAULT NULL,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='SecurityMetric entity.';
@@ -227,8 +226,9 @@ DROP TABLE IF EXISTS `question`;
 CREATE TABLE `question` (
   `id` bigint NOT NULL AUTO_INCREMENT,
   `code` varchar(20) NOT NULL COMMENT 'code',
-  `question` varchar(255) NOT NULL COMMENT 'question',
-  `evidence` varchar(255) NOT NULL COMMENT 'evidence',
+  `question` varchar(255) NOT NULL,
+  `default_evidence` varchar(255) NOT NULL,
+  `default_comment` varchar(255) NOT NULL,
   `control_id` bigint NOT NULL,
   `assurance_level_id` bigint NOT NULL,
   `tom_id` bigint NOT NULL,
@@ -236,29 +236,52 @@ CREATE TABLE `question` (
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=utf8;
 
---
--- Create table: `questionnaire_purpose`
---
-DROP TABLE IF EXISTS `questionnaire_purpose`;
-CREATE TABLE `questionnaire_purpose` (
-  `id` bigint NOT NULL AUTO_INCREMENT,
-  `purpose` varchar(30) NOT NULL COMMENT 'purpose',
-  PRIMARY KEY (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
-
 --
 -- Create table: `questionnaire`
 --
 DROP TABLE IF EXISTS `questionnaire`;
 CREATE TABLE `questionnaire` (
   `id` bigint NOT NULL AUTO_INCREMENT,
+  `name` varchar(255) NOT NULL,
+  `evidences` varchar(255) NOT NULL,
+  `comments` varchar(255) NOT NULL,
+  `last_update` bigint,
   `framework_id` bigint NOT NULL,
-  `purpose_id` bigint NOT NULL,
+  `control_id` bigint NOT NULL,
+  `tom_id` bigint NOT NULL,
+  `assurance_level_id` bigint NOT NULL,
   `question_id` bigint NOT NULL,
   `answer_id` bigint NOT NULL,
   `user_id` varchar(100) NOT NULL,
+  PRIMARY KEY (`id`),
+  INDEX (`name`) 
+) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;
+
+--
+-- Create table: `questionnaire_non_conformities`
+--
+DROP TABLE IF EXISTS `questionnaire_non_conformities`;
+CREATE TABLE `questionnaire_non_conformities` (
+  `questionnaire_name` varchar(110) NOT NULL,
+  `tom_id` bigint NOT NULL,
+  `comments` varchar(255) NOT NULL,
+  `compliance` varchar(60) NOT NULL,
+  PRIMARY KEY (`questionnaire_name`,`tom_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+--
+-- Create table: `audit_logs`
+--
+DROP TABLE IF EXISTS `audit_logs`;
+CREATE TABLE `audit_logs` (
+  `id` bigint NOT NULL AUTO_INCREMENT,
+  `date_log` varchar(20) NOT NULL COMMENT 'date',
+  `user` varchar(50) NOT NULL COMMENT 'user',
+  `entity` varchar(60) NOT NULL COMMENT 'entity',
+  `target` varchar(255) NOT NULL COMMENT 'target',
+  `operation` varchar(10) NOT NULL COMMENT 'operation',
   PRIMARY KEY (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;
+) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COMMENT='AuditLogs entity.';
 
 --
 -- Add constraints
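Review bot: `questionnaire_non_conformities` is keyed on `questionnaire_name` varchar(110), while `questionnaire.name` is varchar(255), only indexed rather than unique, and not linked to it by any foreign key. Unless the application guarantees that names are unique across users, two users' questionnaires with the same name would share the same non-conformity rows, and a name longer than 110 characters cannot be used as a key at all. Consider aligning the two lengths and scoping the key by owner, e.g. adding a `user_id` column and using `PRIMARY KEY (user_id, questionnaire_name, tom_id)`. In `audit_logs`, `date_log` varchar(20) stores the timestamp as free text, so ordering and range queries over the audit trail depend on whatever format the application writes; `date_log datetime NOT NULL` would enforce that at the database level, if the entity mapping allows it. `audit_logs.user` is varchar(50) while `questionnaire.user_id` is varchar(100), so it is worth confirming that the longest user identifier fits in the audit record.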
@@ -341,6 +364,8 @@ ALTER TABLE `rel_security_control__resource`
 ALTER TABLE `rel_security_control__resource`
     ADD KEY `fk_rel_security_control__resource__resource_id` (`resource_id`);
 
+	
+	
 ALTER TABLE `question`
     ADD CONSTRAINT `fk_question__assurance_level_id` 
     FOREIGN KEY (`assurance_level_id`) REFERENCES `question_assurance_level` (`id`);
@@ -358,18 +383,24 @@ ALTER TABLE `question`
     FOREIGN KEY (`framework_id`) REFERENCES `security_control_framework` (`id`);
 ALTER TABLE `question`
     ADD KEY `fk_question__framework_id` (`framework_id`);
-
+	
 ALTER TABLE `questionnaire`
-    ADD CONSTRAINT `fk_questionnaire__framework_id` 
-    FOREIGN KEY (`framework_id`) REFERENCES `security_control_framework` (`id`);
+    ADD CONSTRAINT `fk_questionnaire__control_id` 
+    FOREIGN KEY (`control_id`) REFERENCES `security_control` (`id`);
+ALTER TABLE `questionnaire`
+    ADD KEY `fk_questionnaire__control_id` (`control_id`);
+	
 ALTER TABLE `questionnaire`
-    ADD KEY `fk_questionnaire__framework_id` (`framework_id`);
+    ADD CONSTRAINT `fk_questionnaire__tom_id` 
+    FOREIGN KEY (`tom_id`) REFERENCES `tom` (`id`);
+ALTER TABLE `questionnaire`
+    ADD KEY `fk_questionnaire__tom_id` (`tom_id`);
 
 ALTER TABLE `questionnaire`
-    ADD CONSTRAINT `fk_questionnaire__purpose_id` 
-    FOREIGN KEY (`purpose_id`) REFERENCES `questionnaire_purpose` (`id`);
+    ADD CONSTRAINT `fk_questionnaire__assurance_level_id` 
+    FOREIGN KEY (`assurance_level_id`) REFERENCES `question_assurance_level` (`id`);
 ALTER TABLE `questionnaire`
-    ADD KEY `fk_questionnaire__purpose_id` (`purpose_id`);
+    ADD KEY `fk_questionnaire__assurance_level_id` (`assurance_level_id`);
 
 ALTER TABLE `questionnaire`
     ADD CONSTRAINT `fk_questionnaire__question_id` 
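Review bot: `questionnaire.framework_id` is still declared `bigint NOT NULL` in the table definition, but this hunk removes `fk_questionnaire__framework_id` and its key in favour of the new `control_id`, `tom_id` and `assurance_level_id` constraints. Unless the constraint is re-added somewhere outside the visible hunks, the column no longer references `security_control_framework`, and a questionnaire row can carry a framework id that does not exist. I would keep the original pair next to the new ones: `ALTER TABLE questionnaire ADD CONSTRAINT fk_questionnaire__framework_id FOREIGN KEY (framework_id) REFERENCES security_control_framework (id);` and `ALTER TABLE questionnaire ADD KEY fk_questionnaire__framework_id (framework_id);`. The last `ALTER TABLE` statement in this hunk continues past its end.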
@@ -410,6 +441,7 @@ CREATE TABLE `jhi_user` (
   `first_name` varchar(50) DEFAULT NULL,
   `last_name` varchar(50) DEFAULT NULL,
   `email` varchar(191) DEFAULT NULL,
+  `company` varchar(255) DEFAULT NULL,
   `image_url` varchar(256) DEFAULT NULL,
   `activated` bit(1) NOT NULL,
   `lang_key` varchar(10) DEFAULT NULL,
diff --git a/git/cocMysql/startupscripts/03_initialDataControlsToms.sql b/git/cocMysql/startupscripts/03_initialDataControlsToms.sql
index 1735734a2872e10777b94eafc61eee13ab0e2b58..57982c4b108938c844f5b96a9dff6aa81cda784c 100755
--- a/git/cocMysql/startupscripts/03_initialDataControlsToms.sql
+++ b/git/cocMysql/startupscripts/03_initialDataControlsToms.sql
@@ -15,7 +15,7 @@ SET FOREIGN_KEY_CHECKS=0;
 -- -----------------------------------
 /*!40000 ALTER TABLE `security_control_framework` DISABLE KEYS */;
 INSERT INTO cocbackend.security_control_framework (id, name,description,version) VALUES
-	 (1, 'EUCS','EU Cloud Services certification scheme','December 2020');
+	 (1, 'EUCS','EU Cloud Services certification scheme','August 2022');
 /*!40000 ALTER TABLE `security_control_framework` ENABLE KEYS */;
 
 
@@ -50,948 +50,1710 @@ INSERT INTO cocbackend.security_control_category (id, code,name,description,secu
 -- Table: `security_control`
 -- ----------------------------------
 /*!40000 ALTER TABLE `security_control` DISABLE KEYS */;
-INSERT INTO cocbackend.security_control (id,code,name,objective,description,guidance,risk_reduction_weight,security_control_category_id) VALUES
-	 (1,'OIS-01','OIS-01','INFORMATION SECURITY MANAGEMENT SYSTEM','The CSP operates an information security management system (ISMS). The scope of the ISMS covers the CSPs organisational units, locations and processes for providing the cloud service.','PENDING',0.0,1),
-	 (2,'OIS-02','OIS-02','SEGREGATION OF DUTIES','Conflicting tasks and responsibilities are separated based on an RM-01 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of cloud customer data processed, stored or transmitted in the cloud service.','PENDING',0.0,1),
-	 (3,'OIS-03','OIS-03','CONTACT WITH AUTHORITIES AND INTEREST GROUPS','The CSP stays informed about current threats and vulnerabilities by maintaining the cooperation and coordination of security-related aspects with relevant authorities and special interest groups. The information flows into the procedures for handling risks (cf. RM-01) and vulnerabilities (cf. OPS-17).','PENDING',0.0,1),
-	 (4,'OIS-04','OIS-04','INFORMATION SECURITY IN PROJECT MANAGEMENT','Information security is considered in project management, regardless of the nature of the project´.','PENDING',0.0,1),
-	 (5,'ISP-01','ISP-01','GLOBAL INFORMATION SECURITY POLICY','The top management of the Cloud Service Provider has adopted an information security policy and communicated it to internal and external employees as well as cloud customers.','PENDING',0.0,2),
-	 (6,'ISP-02','ISP-02','SECURITY POLICIES AND PROCEDURES','Policies and procedures are derived from the information security policy, documented according to a uniform structure, communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner.','PENDING',0.0,2),
-	 (7,'ISP-03','ISP-03','EXCEPTIONS','Exceptions to the policies and procedures for information security as well as respective controls are explicitly listed.','PENDING',0.0,2),
-	 (8,'RM-01','RM-01','RISK MANAGEMENT POLICY','Risk management policies and procedures are documented and communicated to stakeholders','PENDING',0.0,3),
-	 (9,'RM-02','RM-02','RISK ASSESSMENT IMPLEMENTATION','Risk assessment-related policies and procedures are implemented on the entire perimeter of the cloud service','PENDING',0.0,3),
-	 (10,'RM-03','RM-03','RISK TREATMENT IMPLEMENTATION','Identified risks are prioritized according to their criticality and treated according to the risk policies and procedures by reducing or avoiding them through security controls, by sharing them, or by retaining them. Residual risks are accepted by the risk owners','PENDING',0.0,3),
-	 (11,'HR-01','HR-01','HUMAN RESOURCE POLICIES','The policies applicable to the management of internal and external employees include provisions that cover a risk classification of all information security-sensitive positions, a code of ethics, and a disciplinary procedure that applies to all of the employees involved in supplying the service who have breached the security policy.','PENDING',0.0,4),
-	 (12,'HR-02','HR-02','VERIFICATION OF QUALIFICATION AND TRUSTWORTHINESS','The competency and integrity of all internal and external employees in a position classified in objective HR-01 are verified prior to commencement of employment in accordance with local legislation and regulation by the CSP.','PENDING',0.0,4),
-	 (13,'HR-03','HR-03','EMPLOYEE TERMS AND CONDITIONS','The CSP''s internal and external employees are required by the employment terms and conditions to comply with applicable policies and instructions relating to information security, and to the CSP’s code of ethics, before being granted access to any cloud customer data or system components under the responsibility of the CSP used to provide the cloud service in the production environment.','PENDING',0.0,4),
-	 (14,'HR-04','HR-04','SECURITY AWARENESS AND TRAINING','The CSP operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the CSP on a regular basis.','PENDING',0.0,4),
-	 (15,'HR-05','HR-05','TERMINATION OR CHANGE IN EMPLOYMENT','Internal and external employees have been informed about which responsibilities, arising from the guidelines and instructions relating to information security, will remain in place when their employment is terminated or changed and for how long.
- 
-Upon termination or change in employment, all the access rights of the employee are revoked or appropriately modified, and all accounts and assets are processed appropriately.','PENDING',0.0,4),
-	 (16,'HR-06','HR-06','CONFIDENTIALITY AGREEMENTS','Non-disclosure or confidentiality agreements are in place with internal employees, external service providers and suppliers of the CSP to protect the confidentiality of the information exchanged between them.','PENDING',0.0,4),
-	 (17,'AM-01','AM-01','ASSET INVENTORY','The Cloud Service Provider has established procedures for inventorying assets, including all IT to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle.','PENDING',0.0,5),
-	 (18,'AM-02','AM-02','ACCEPTABLE USE AND SAFE HANDLING OF ASSETS POLICY','Policies and procedures for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01, including in particular customer-owned assets and removable media.','PENDING',0.0,5),
-	 (19,'AM-03','AM-03','COMMISSIONING AND DECOMMISSIONING OF HARDWARE','The Cloud Service Provider has an approval procedure for the use of hardware to be commissioned or decommissioned, which is used to provide the cloud service in the production environment, depending on its intended use and based on the applicable policies and procedures.','PENDING',0.0,5),
-	 (20,'AM-04','AM-04','ACCEPTABLE USE, SAFE HANDLING AND RETURN OF ASSETS','The Cloud Service Provider''s internal and external employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before they can be used if the Cloud Service Provider has determined in a risk assessment that loss or unauthorised access could compromise the information security of the Cloud Service.
+INSERT INTO cocbackend.security_control (id,code,name,objective,description,security_control_category_id) VALUES
 
-Any assets handed over are returned upon termination of employment.','PENDING',0.0,5),
-	 (21,'AM-05','AM-05','ASSET CLASSIFICATION AND LABELLING','Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits.','PENDING',0.0,5),
-	 (22,'PS-01','PS-01','PHYSICAL SECURITY PERIMETERS','The buildings and premises related to the cloud service provided are divided into zones by security perimeters, depending on the level on information security risk associated to the activities performed and assets stored in these buildings and premises.','PENDING',0.0,6),
-	 (23,'PS-02','PS-02','PHYSICAL SITE ACCESS CONTROL','Physical access through the security perimeters are subject to access control measures that match each zone’s security requirements and that are supported by an access control system.','PENDING',0.0,6),
-	 (24,'PS-03','PS-03','WORKING IN NON-PUBLIC AREAS','There are specific rules regarding work in non-public areas, to be applied by all internal and external employees who have access to these areas.','PENDING',0.0,6),
-	 (25,'PS-04','PS-04','EQUIPMENT PROTECTION','The equipment used in the Cloud Service Provider’s premises and buildings are protected physically against damage and unauthorized access by specific measures.','PENDING',0.0,6),
-	 (26,'PS-05','PS-05','PROTECTION AGAINST EXTERNAL AND ENVIRONMENTAL THREATS','The premises from which the cloud service operated, and in particular its data centres, are protected against external and environmental threats.','PENDING',0.0,6),
-	 (27,'OPS-01','OPS-01','CAPACITY MANAGEMENT - PLANNING','The capacities of critical resources such as personnel and IT resources are planned in order to avoid possible capacity bottlenecks.','PENDING',0.0,7),
-	 (28,'OPS-02','OPS-02','CAPACITY MANAGEMENT - MONITORING','The capacities of critical resources such as personnel and IT resources are monitored.','PENDING',0.0,7),
-	 (29,'OPS-03','OPS-03','CAPACITY MANAGEMENT - CONTROLLING OF RESOURCES','The CSCs have the ability to manage the IT resources allocated to them in order to avoid overcrowding of resources and to achieve sufficient performance.','PENDING',0.0,7),
-	 (30,'OPS-04','OPS-04','PROTECTION AGAINST MALWARE - POLICIES','Policies are defined that ensure the protection against malware of IT equipment related to the cloud service','PENDING',0.0,7);
-INSERT INTO cocbackend.security_control (id,code,name,objective,description,guidance,risk_reduction_weight,security_control_category_id) VALUES
-	 (31,'OPS-05','OPS-05','PROTECTION AGAINST MALWARE - IMPLEMENTATION','Malware protection is deployed and maintained on systems that provide the cloud service.','PENDING',0.0,7),
-	 (32,'OPS-06','OPS-06','DATA BACKUP AND RECOVERY - POLICIES','Policies define how measure for data backups and recovery that guarantee the availability of data while protecting its confidentiality and integrity.','PENDING',0.0,7),
-	 (33,'OPS-07','OPS-07','DATA BACKUP AND RECOVERY - MONITORING','The proper execution of data backups is monitored.','PENDING',0.0,7),
-	 (34,'OPS-08','OPS-08','DATA BACKUP AND RECOVERY - REGULAR TESTING','The proper restoration of data backups is regularly tested.','PENDING',0.0,7),
-	 (35,'OPS-09','OPS-09','DATA BACKUP AND RECOVERY - STORAGE','Backup data is stored at an appropriately remote location.','PENDING',0.0,7),
-	 (36,'OPS-10','OPS-10','LOGGING AND MONITORING - POLICIES','Policies are defined to govern logging and monitoring events on system components under the CSP’s responsibility.','PENDING',0.0,7),
-	 (37,'OPS-11','OPS-11','LOGGING AND MONITORING - DERIVED DATA MANAGEMENT','Policies are defined to govern the management of derived data by the CSP.','PENDING',0.0,7),
-	 (38,'OPS-12','OPS-12','LOGGING AND MONITORING - IDENTIFICATION OF EVENTS','Logs are monitored to identify events that may lead to security incidents.','PENDING',0.0,7),
-	 (39,'OPS-13','OPS-13','LOGGING AND MONITORING - ACCESS, STORAGE AND DELETION','The confidentiality, integrity and availability of logging and monitoring data are protected with measures adapted to their specific use.','PENDING',0.0,7),
-	 (40,'OPS-14','OPS-14','LOGGING AND MONITORING - ATTRIBUTION','Log data can be unambiguously attributed to a CSC','PENDING',0.0,7);
-INSERT INTO cocbackend.security_control (id,code,name,objective,description,guidance,risk_reduction_weight,security_control_category_id) VALUES
-	 (41,'OPS-15','OPS-15','LOGGING AND MONITORING - CONFIGURATION','Access to the logging and monitoring system components and to their configuration is strictly restricted.','PENDING',0.0,7),
-	 (42,'OPS-16','OPS-16','LOGGING AND MONITORING - AVAILABILITY','Systems for logging and monitoring are themselves monitored for availability.','PENDING',0.0,7),
-	 (43,'OPS-17','OPS-17','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS - POLICIES','Vulnerabilities in the system components used to provide the cloud service are identified and addressed in a timely manner.','PENDING',0.0,7),
-	 (44,'OPS-18','OPS-18','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS - ONLINE REGISTERS','Online registers are used to identify and publish known vulnerabilities.','PENDING',0.0,7),
-	 (45,'OPS-19','OPS-19','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS - VULNERABILITY IDENTIFICATION','Tests are performed on a regular basis to identify vulnerabilities.','PENDING',0.0,7),
-	 (46,'OPS-20','OPS-20','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS - MEASUREMENTS, ANALYSES AND ASSESSMENTS OF PROCEDURES','The vulnerability and incident handling measures are regularly evaluated and improved.','PENDING',0.0,7),
-	 (47,'OPS-21','OPS-21','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS - SYSTEM HARDENING','System components are hardened to reduce their attack surface and eliminate potential attack vectors','PENDING',0.0,7),
-	 (48,'OPS-22','OPS-22','SEPARATION OF DATASETS IN THE CLOUD INFRASTRUCTURE','System components are hardened to reduce their attack surface and eliminate potential attack vectors.','PENDING',0.0,7),
-	 (49,'IAM-01','IAM-01','POLICIES FOR ACCESS CONTROL TO INFORMATION','Policies and procedures for controlling the access to information resources are documented, communicated and made available in order to ensure that that all accesses to information have been duly authorized.','PENDING',0.0,8),
-	 (50,'IAM-02','IAM-02','MANAGEMENT OF USER ACCOUNTS','Policies and procedures for managing the different types of user accounts are documented, communicated and made available in order to ensure that that all accesses to information have been duly authorized.','PENDING',0.0,8),
-	 (51,'IAM-03','IAM-03','LOCKING, UNLOCKING AND REVOCATION OF USER ACCOUNTS','Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse.','PENDING',0.0,8),
-	 (52,'IAM-04','IAM-04','MANAGEMENT OF ACCESS RIGHTS','Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse.','PENDING',0.0,8),
-	 (53,'IAM-05','IAM-05','REGULAR REVIEW OF ACCESS RIGHTS','The fitness for purpose of the user accounts of all types and their associated access rights are reviewed regularly','PENDING',0.0,8),
-	 (54,'IAM-06','IAM-06','PRIVILEGED ACCESS RIGHTS','Privileged access rights and the user accounts of all types to which they are granted are subject to additional scrutiny.','PENDING',0.0,8),
-	 (55,'IAM-07','IAM-07','AUTHENTICATION MECHANISMS','Adequate authentication mechanisms are used in to be granted access to any environment and when needed within an environment.','PENDING',0.0,8),
-	 (56,'IAM-08','IAM-08','PROTECTION AND STRENGTH OF CREDENTIALS','Throughout their lifecycle, authentication credentials are protected to ensure that their use provides a sufficient level of confidence that the user of a specific account has been authenticated.','PENDING',0.0,8),
-	 (57,'IAM-09','IAM-09','GENERAL ACCESS RESTRICTIONS','The assets in and around the cloud service are managed in a way that ensure that access restrictions are enforced between different categories of assets.','PENDING',0.0,8),
-	 (58,'CKM-01','CKM-01','POLICIES FOR THE USE OF ENCRYPTION MECHANISMS AND KEY MANAGEMENT','Policies and procedures for encryption mechanisms and key management including technical and organisational safeguards are defined, communicated, and implemented, in order to ensure the confidentiality, authenticity and integrity of the information.','PENDING',0.0,9),
-	 (59,'CKM-02','CKM-02','ENCRYPTION OF DATA IN TRANSIT','Cloud customer data communicated over public networks is protected in confidentiality, integrity, and authenticity.','PENDING',0.0,9),
-	 (60,'CKM-03','CKM-03','ENCRYPTION OF DATA AT REST','The CSP has established procedures and technical safeguards to prevent the disclosure of cloud customers'' data during storage.','PENDING',0.0,9),
-	 (61,'CKM-04','CKM-04','SECURE KEY MANAGEMENT','Appropriate mechanisms for key management are in place to protect the confidentiality, authenticity cryptographic keys.','PENDING',0.0,9),
-	 (62,'CS-01','CS-01','TECHNICAL SAFEGUARDS','The CSP has implemented appropriate technical safeguards in order to detect and respond to network based attacks as well as to ensure the protection of information and information processing systems','PENDING',0.0,10),
-	 (63,'CS-02','CS-02','SECURITY REQUIREMENTS TO CONNECT WITHIN THE CSP’S NETWORK','The establishment of connections within the CSP’s network is subject to specific security requirements.','PENDING',0.0,10),
-	 (64,'CS-03','CS-03','MONITORING OF CONNECTIONS WITHIN THE CSP’S NETWORK','The communication flows within the cloud, internal and external, are monitored according to the regulations to respond appropriately and timely to threats','PENDING',0.0,10),
-	 (65,'CS-04','CS-04','CROSS-NETWORK ACCESS','Cross-network access is restricted and only authorised based on specific security assessments.','PENDING',0.0,10),
-	 (66,'CS-05','CS-05','NETWORKS FOR ADMINISTRATION','Administrative and operational management duties are performed on networks segregated from other networks to prevent unauthorized traffics and to maintain separation of duties.','PENDING',0.0,10),
-	 (67,'CS-06','CS-06','TRAFFIC SEGREGATION IN SHARED NETWORK ENVIRONMENTS','Administrative and operational management duties are performed on networks segregated from other networks to prevent unauthorized traffics and to maintain separation of duties.','PENDING',0.0,10),
-	 (68,'CS-07','CS-07','NETWORK TOPOLOGY DOCUMENTATION','A map of the information system is kept up and maintained, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions.','PENDING',0.0,10),
-	 (69,'CS-08','CS-08','SOFTWARE DEFINED NETWORKING','Software-defined networking is only used if the cloud user data is protected by appropriate measures.','PENDING',0.0,10),
-	 (70,'CS-09','CS-09','DATA TRANSMISSION POLICIES','Policies are defined to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction.','PENDING',0.0,10),
-	 (71,'PI-01','PI-01','DOCUMENTATION AND SECURITY OF INPUT AND OUTPUT INTERFACES','Inbound and outbound interfaces to/from the cloud service are documented for access from other cloud services or IT systems.','PENDING',0.0,11),
-	 (72,'PI-02','PI-02','CONTRACTUAL AGREEMENTS FOR THE PROVISION OF DATA','Contractual agreements define adequate information with regard to the migration of data following the termination of the contractual relationship.','PENDING',0.0,11),
-	 (73,'PI-03','PI-03','SECURE DELETION OF DATA','Inbound and outbound interfaces to/from the cloud service are documented for access from other cloud services or IT systems.','PENDING',0.0,11),
-	 (74,'CCM-01','CCM-01','POLICIES FOR CHANGES TO INFORMATION SYSTEMS','Policies and procedures are defined to control changes to information systems.','PENDING',0.0,12),
-	 (75,'CCM-02','CCM-02','RISK ASSESSMENT, CATEGORISATION AND PRIORITISATION OF CHANGES','Responsibilities are assigned inside the CSP organisation to ensure that sufficient resources can be assigned to define and execute the business continuity plan and that business continuity-related activities are supported.','PENDING',0.0,12),
-	 (76,'CCM-03','CCM-03','TESTING CHANGES','Changes to the cloud services are tested before deployment to minimize the risks of failure upon implementation.','PENDING',0.0,12),
-	 (77,'CCM-04','CCM-04','APPROVALS FOR PROVISION IN THE PRODUCTION ENVIRONMENT','Changes to the cloud services are approved before being deployed in the production environment.','PENDING',0.0,12),
-	 (78,'CCM-05','CCM-05','PERFORMING AND LOGGING CHANGES','Changes to the cloud services are performed through authorized accounts and traceable to the person or system component who initiated them.','PENDING',0.0,12),
-	 (79,'CCM-06','CCM-06','VERSION CONTROL','Version control is used to track individual changes and enable restoration of a previous version if required.','PENDING',0.0,12),
-	 (80,'DEV-01','DEV-01','POLICIES FOR THE DEVELOPMENT AND PROCUREMENT OF INFORMATION SYSTEMS','Policies are defined to define technical and organisational measures for the development of the cloud service throughout its lifecycle','PENDING',0.0,13),
-	 (81,'DEV-02','DEV-02','DEVELOPMENT SUPPLY CHAIN SECURITY','The supply chain of system components is considered in development security.','PENDING',0.0,13),
-	 (82,'DEV-03','DEV-03','SECURE DEVELOPMENT ENVIRONMENT','The development environment takes information security in consideration.','PENDING',0.0,13),
-	 (83,'DEV-04','DEV-04','SEPARATION OF ENVIRONMENTS','The development environment takes information security in consideration.','PENDING',0.0,13),
-	 (84,'DEV-05','DEV-05','DEVELOPMENT OF SECURITY FEATURES','The development environment takes information security in consideration.','PENDING',0.0,13),
-	 (85,'DEV-06','DEV-06','IDENTIFICATION OF VULNERABILITIES OF THE CLOUD SERVICE','Appropriate measures are taken to identify vulnerabilities introduced in the cloud service during the development process.','PENDING',0.0,13),
-	 (86,'DEV-07','DEV-07','OUTSOURCING OF THE DEVELOPMENT','Outsourced developments provide similar security guarantees than in-house developments.','PENDING',0.0,13),
-	 (87,'PM-01','PM-01','POLICIES AND PROCEDURES FOR CONTROLLING AND MONITORING THIRD PARTIES','Responsibilities are assigned inside the CSP organisation to ensure that sufficient resources can be assigned to define and execute the business continuity plan and that business continuity-related activities are supported.','PENDING',0.0,14),
-	 (88,'PM-02','PM-02','RISK ASSESSMENT OF SUPPLIERS','Suppliers of the CSP undergo a risk assessment to determine the security needs related to the product or service they provide.','PENDING',0.0,14),
-	 (89,'PM-03','PM-03','DIRECTORY OF SUPPLIERS','A centralized directory of suppliers is available to facilitate their control and monitoring.','PENDING',0.0,14),
-	 (90,'PM-04','PM-04','MONITORING OF COMPLIANCE WITH REQUIREMENTS','Monitoring mechanisms are in place to ensure that third parties comply with their regulatory and con obligations.','PENDING',0.0,14),
-	 (91,'PM-05','PM-05','EXIT STRATEGY','Strategies are documented that ensure minimum business disruption if the relationship with a supplier is terminated.','PENDING',0.0,14),
-	 (92,'IM-01','IM-01','POLICY FOR SECURITY INCIDENT MANAGEMENT','A policy is defined to respond to security incidents in a fast, efficient and orderly manner.','PENDING',0.0,15),
-	 (93,'IM-02','IM-02','PROCESSING OF SECURITY INCIDENTS','A methodology is defined and applied to process security incidents in a fast, efficient and orderly manner.','PENDING',0.0,15),
-	 (94,'IM-03','IM-03','DOCUMENTATION AND REPORTING OF SECURITY INCIDENTS','Security incidents are documented to and reported in a timely manner to customers.','PENDING',0.0,15),
-	 (95,'IM-04','IM-04','USER’S DUTY TO REPORT SECURITY INCIDENTS','Security incidents are documented to and reported in a timely manner to customers.','PENDING',0.0,15),
-	 (96,'IM-05','IM-05','INVOLVEMENT OF CLOUD CUSTOMERS IN THE EVENT OF INCIDENTS','Customers are kept regularly informed of the status incidents that concern them.','PENDING',0.0,15),
-	 (97,'IM-06','IM-06','EVALUATION AND LEARNING PROCESS','Measures are in place to continuously improve the service from experience learned in incidents','PENDING',0.0,15),
-	 (98,'IM-07','IM-07','INCIDENT EVIDENCE PRESERVATION','Measures are in place to preserve information related to security incidents.','PENDING',0.0,15),
-	 (99,'BC-01','BC-01','BUSINESS CONTINUITY POLICIES AND TOP MANAGEMENT RESPONSIBILITY','Responsibilities are assigned inside the CSP organisation to ensure that sufficient resources can be assigned to define and execute the business continuity plan and that business continuity-related activities are supported.','PENDING',0.0,16),
-	 (100,'BC-02','BC-02','BUSINESS IMPACT ANALYSIS PROCEDURES','Business continuity policies and procedures cover the determination of the impact of any malfunction or interruption to the cloud service or enterprise.','PENDING',0.0,16),
-	 (101,'BC-03','BC-03','BUSINESS CONTINUITY AND CONTINGENCY PLANNING','A business continuity framework including a business continuity plan and associated contingency plans is available.','PENDING',0.0,16),
-	 (102,'BC-04','BC-04','BUSINESS CONTINUITY TESTS AND EXERCISES','The business continuity framework is tested on a regular basis.','PENDING',0.0,16),
-	 (103,'CO-01','CO-01','IDENTIFICATION OF APPLICABLE COMPLIANCE REQUIREMENTS','The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service are defined and documented.','PENDING',0.0,17),
-	 (104,'CO-02','CO-02','POLICY FOR PLANNING AND CONDUCTING AUDITS','Conditions are defined that allow audits to be conducted in a way that facilitates the gathering of evidence while minimizing interference with the delivery of the cloud service.','PENDING',0.0,17),
-	 (105,'CO-03','CO-03','INTERNAL AUDITS OF THE INTERNAL CONTROL SYSTEM','Subject matter experts regularly check the compliance of the Information Security Management System (ISMS) to relevant and applicable legal, regulatory, self-imposed or contractual requirements.','PENDING',0.0,17),
-	 (106,'CO-04','CO-04','INFORMATION ON INTERNAL CONTROL SYSTEM ASSESSMENT','The top management of the CSP is kept informed of the performance of the internal control system in order to ensure its continued suitability, adequacy and effectiveness','PENDING',0.0,17),
-	 (107,'DOC-01','DOC-01','GUIDELINES AND RECOMMENDATIONS FOR CLOUD CUSTOMERS','Provide information to assist the cloud customer in the secure configuration, installation and use of the cloud service.','PENDING',0.0,18),
-	 (108,'DOC-02','DOC-02','ONLINE REGISTER OF KNOWN VULNERABILITIES','Provide information to assist the cloud customer in the secure configuration, installation and use of the cloud service.','PENDING',0.0,18),
-	 (109,'DOC-03','DOC-03','LOCATIONS OF DATA PROCESSING AND STORAGE','Provide transparent information about the location of the data and of its processing.','PENDING',0.0,18),
-	 (110,'DOC-04','DOC-04','JUSTIFICATION OF THE TARGETED ASSURANCE LEVEL','Provide a rationale for the assurance level target by the cloud service.','PENDING',0.0,18),
-	 (111,'DOC-05','DOC-05','GUIDELINES AND RECOMMENDATIONS FOR COMPOSITION','Provide the information required by customers that want to use the cloud service as a base service f certified cloud service.','PENDING',0.0,18),
-	 (112,'DOC-06','DOC-06','CONTRIBUTION TO THE FULFILMENT OF REQUIREMENTS FOR COMPOSITION','Provide the information required by customers that want to use the CSP as subservice organization for the cloud service','PENDING',0.0,18),
-	 (113,'INQ-01','INQ-01','LEGAL ASSESSMENT OF INVESTIGATIVE INQUIRIES','Investigative inquiries are assessed before determining further steps to be taken.','PENDING',0.0,19),
-	 (114,'INQ-02','INQ-02','INFORMING CLOUD CUSTOMERS ABOUT INVESTIGATION REQUESTS','Cloud customers are kept informed of ongoing investigations if legally permitted.','PENDING',0.0,19),
-	 (115,'INQ-03','INQ-03','CONDITIONS FOR ACCESS TO OR DISCLOSURE OF DATA IN INVESTIGATION REQUESTS','Investigators only have access to the data required for their investigation after validation of the legality of their request','PENDING',0.0,19),
-	 (116,'PSS-01','PSS-01','ERROR HANDLING AND LOGGING MECHANISMS','Cloud customers have access to sufficient information about the cloud service through error handling and logging mechanisms.','PENDING',0.0,20),
-	 (117,'PSS-02','PSS-02','SESSION MANAGEMENT','A suitable session management is used to protect confidentiality, availability, integrity and authenticity during interactions with the cloud service.','PENDING',0.0,20),
-	 (118,'PSS-03','PSS-03','SOFTWARE DEFINED NETWORKING','Software-defined networking is only used if the cloud user data is protected by appropriate measures','PENDING',0.0,20),
-	 (119,'PSS-04','PSS-04','IMAGES FOR VIRTUAL MACHINES AND CONTAINERS','Services for providing and managing virtual machines and containers to customers include appropriate protection measures.','PENDING',0.0,20),
-	 (120,'PSS-05','PSS-05','LOCATIONS OF DATA PROCESSING AND STORAGE','Provide users with choices about the location of the data and of its processing.','PENDING',0.0,20);
+	(1,'OIS-01','OIS-01','INFORMATION SECURITY MANAGEMENT SYSTEM','The CSP operates an information security management system (ISMS). The scope of the ISMS covers the CSPs organisational units, locations and processes for providing the cloud service.',1),
+	(2,'OIS-02','OIS-02','SEGREGATION OF DUTIES','Conflicting tasks and responsibilities are separated based on an RM-01 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of cloud customer data processed, stored or transmitted in the cloud service.',1),
+	(3,'OIS-03','OIS-03','CONTACT WITH AUTHORITIES AND INTEREST GROUPS','The CSP stays informed about current threats and vulnerabilities by maintaining the cooperation and coordination of security-related aspects with relevant authorities and special interest groups. The information flows into the procedures for handling risks (cf. RM-01) and vulnerabilities (cf. OPS-17).',1),
+	(4,'OIS-04','OIS-04','INFORMATION SECURITY IN PROJECT MANAGEMENT','Information security is considered in project management, regardless of the nature of the project.',1),
+	(5,'ISP-01','ISP-01','GLOBAL INFORMATION SECURITY POLICY','The top management of the CSP has adopted an information security policy, communicated and made available to employees of the CSP as well as CSCs.',2),
+	(6,'ISP-02','ISP-02','SECURITY POLICIES AND PROCEDURES','Policies and procedures are derived from the information security policy, documented according to a uniform structure, communicated and made available to all internal and external employees of the Cloud Service Provider in an appropriate manner.',2),
+	(7,'ISP-03','ISP-03','EXCEPTIONS','Exceptions to the policies and procedures for information security as well as respective controls are explicitly listed.',2),
+	(8,'RM-01','RM-01','RISK MANAGEMENT POLICY','Risk management policies and procedures are documented and communicated to stakeholders ',3),
+	(9,'RM-02','RM-02','RISK ASSESSMENT IMPLEMENTATION','Risk assessment-related policies and procedures are implemented on the entire cloud service.',3),
+	(10,'RM-03','RM-03','RISK TREATMENT IMPLEMENTATION','Identified risks are prioritized according to their criticality and treated according to the risk policies and procedures by reducing or avoiding them through security controls, by sharing them, or by retaining them. Residual risks are accepted by the risk owners',3),
+	(11,'HR-01','HR-01','HUMAN RESOURCE POLICIES','The policies applicable to the management of employees include provisions that cover a risk classification of all information security-sensitive positions, a code of ethics, and a disciplinary procedure that applies to all of the employees involved in supplying the service who have breached the security policy.',4),
+	(12,'HR-02','HR-02','VERIFICATION OF QUALIFICATION AND TRUSTWORTHINESS','The competency and integrity of all employees in a position classified in objective HR-01 are verified prior to commencement of employment in accordance with local legislation and regulation.',4),
+	(13,'HR-03','HR-03','EMPLOYEE TERMS AND CONDITIONS','The CSPs employees are required by the employment terms and conditions to comply with applicable policies and procedures relating to information security, and to the CSP’s code of ethics, before being granted access to any CSC data or system components under the responsibility of the CSP used to provide the cloud service in the production environment.',4),
+	(14,'HR-04','HR-04','SECURITY AWARENESS AND TRAINING','The CSP operates a target group-oriented security awareness and training program, which is completed by all employees of the CSP on a regular basis.',4),
+	(15,'HR-05','HR-05','TERMINATION OR CHANGE IN EMPLOYMENT','Internal and external employees have been informed about which responsibilities, arising from the guidelines and instructions relating to information security, will remain in place when their employment is terminated or changed and for how long. Upon termination or change in employment, all the access rights of the employee are revoked or appropriately modified, and all accounts and assets are processed appropriately.',4),
+	(16,'HR-06','HR-06','CONFIDENTIALITY AGREEMENTS','Non-disclosure or confidentiality agreements are in place with employees, external service providers and suppliers of the CSP to protect the confidentiality of the information exchanged between them, in accordance with local legislation and regulation.',4),
+	(17,'AM-01','AM-01','ASSET INVENTORY','The CSP has established procedures for inventorying assets, including all IT to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle.',5),
+	(18,'AM-02','AM-02','ACCEPTABLE USE AND SAFE HANDLING OF ASSETS POLICY','Policies and procedures for acceptable use and safe handling of assets are documented, communicated and provided in accordance with SP-01, including in particular customer-owned assets and removable media.',5),
+	(19,'AM-03','AM-03','COMMISSIONING AND DECOMMISSIONING','Procedures for the commissioning and decommissioning of hardware assets used in the provision of the cloud service are documented, communicated and implemented, ensuring the proper configuration before commissioning and the proper deletion of data during decommissioning.',5),
+	(20,'AM-04','AM-04','ACCEPTABLE USE, SAFE HANDLING AND RETURN OF ASSETS','The CSPs employees are provably committed to the policies and instructions for acceptable use and safe handling of assets before they can be used if the CSP has determined in a risk assessment that loss or unauthorised access could compromise the information security of the Cloud Service. Any assets handed over are returned upon termination of employment.',5),
+	(21,'AM-05','AM-05','ASSET CLASSIFICATION AND LABELLING','Assets are classified and, if possible, labelled. Classification and labelling of an asset reflect the protection needs of the information it processes, stores, or transmits.',5),
+	(22,'PS-01','PS-01','PHYSICAL SECURITY PERIMETERS','The buildings and premises related to the cloud service provided are divided into zones by security perimeters, depending on the level on information security risk associated to the activities performed and assets stored in these buildings and premises.',6),
+	(23,'PS-02','PS-02','PHYSICAL SITE ACCESS CONTROL','Physical access through the security perimeters are subject to access control measures that match each security area’s requirements and that are supported by an access control system.',6),
+	(24,'PS-03','PS-03','WORKING IN NON-PUBLIC AREAS','There are specific rules regarding work in non-public areas, to be applied by all employees who have access to these security areas.',6),
+	(25,'PS-04','PS-04','EQUIPMENT PROTECTION','The equipment used in the CSP’s premises and buildings are protected physically against damage and unauthorized access by specific measures.',6),
+	(26,'PS-05','PS-05','PROTECTION AGAINST EXTERNAL AND ENVIRONMENTAL THREATS','The premises from which the cloud service operated, and in particular its data centres, are protected against external and environmental threats.',6),
+	(27,'OPS-01','OPS-01','CAPACITY MANAGEMENT – PLANNING','The capacities of critical resources such as personnel and IT resources are planned in order to avoid possible capacity bottlenecks.',7),
+	(28,'OPS-02','OPS-02','CAPACITY MANAGEMENT – MONITORING','Staffing numbers and the capacities of critical resources such as IT resources are monitored.',7),
+	(29,'OPS-03','OPS-03','CAPACITY MANAGEMENT – CONTROLLING OF RESOURCES','The CSCs have the ability to manage the IT resources allocated to them in order to avoid overcrowding of resources and to achieve sufficient performance.',7),
+	(30,'OPS-04','OPS-04','PROTECTION AGAINST MALWARE – POLICIES','Policies are defined that ensure the protection against malware of IT equipment related to the cloud service',7),
+	(31,'OPS-05','OPS-05','PROTECTION AGAINST MALWARE – IMPLEMENTATION','Malware protection is deployed and maintained on systems that provide the cloud service.',7),
+	(32,'OPS-06','OPS-06','DATA BACKUP AND RECOVERY – POLICIES','Policies define how measure for data backups and recovery that guarantee the availability of data while protecting its confidentiality and integrity.',7),
+	(33,'OPS-07','OPS-07','DATA BACKUP AND RECOVERY – MONITORING','The proper execution of data backups is monitored.',7),
+	(34,'OPS-08','OPS-08','DATA BACKUP AND RECOVERY – REGULAR TESTING','The proper restoration of data backups is regularly tested.',7),
+	(35,'OPS-09','OPS-09','DATA BACKUP AND RECOVERY – STORAGE','Backup data is stored at an appropriately remote location.',7),
+	(36,'OPS-10','OPS-10','LOGGING AND MONITORING – POLICIES','Policies are defined to govern logging and monitoring events on system components under the CSP’s responsibility.',7),
+	(37,'OPS-11','OPS-11','LOGGING AND MONITORING – DERIVED DATA MANAGEMENT','Policies are defined to govern the management of derived data by the CSP.',7),
+	(38,'OPS-12','OPS-12','LOGGING AND MONITORING – IDENTIFICATION OF EVENTS','Logs are monitored to identify events that may lead to security incidents.',7),
+	(39,'OPS-13','OPS-13','LOGGING AND MONITORING – ACCESS, STORAGE AND DELETION','The confidentiality, integrity and availability of logging and monitoring data are protected with measures adapted to their specific use.',7),
+	(40,'OPS-14','OPS-14','LOGGING AND MONITORING – ATTRIBUTION','Log data can be unambiguously attributed to a CSC',7),
+	(41,'OPS-15','OPS-15','LOGGING AND MONITORING – CONFIGURATION','Access to the logging and monitoring system components and to their configuration is strictly restricted.',7),
+	(42,'OPS-16','OPS-16','LOGGING AND MONITORING – AVAILABILITY','Systems for logging and monitoring are themselves monitored for availability.',7),
+	(43,'OPS-17','OPS-17','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS – POLICIES','Vulnerabilities in the system components used to provide the cloud service are identified and addressed in a timely manner.',7),
+	(44,'OPS-18','OPS-18','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS – ONLINE REGISTERS','Online registers are used to identify and publish known vulnerabilities.',7),
+	(45,'OPS-19','OPS-19','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS – VULNERABILITY IDENTIFICATION','Tests are performed on a regular basis to identify vulnerabilities.',7),
+	(46,'OPS-20','OPS-20','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS – MEASUREMENTS, ANALYSES AND ASSESSMENTS OF PROCEDURES','The vulnerability and incident handling measures are regularly evaluated and improved.',7),
+	(47,'OPS-21','OPS-21','MANAGING VULNERABILITIES, MALFUNCTIONS AND ERRORS – SYSTEM HARDENING','System components are hardened to reduce their attack surface and eliminate potential attack vectors',7),
+	(48,'OPS-22','OPS-22','SEPARATION OF DATASETS IN THE CLOUD INFRASTRUCTURE','System components are hardened to reduce their attack surface and eliminate potential attack vectors.',7),
+	(49,'IAM-01','IAM-01','POLICIES FOR ACCESS CONTROL TO INFORMATION','Policies and procedures for controlling the access to information resources are documented, communicated and made available in order to ensure that that all accesses to information have been duly authorized.',8),
+	(50,'IAM-02','IAM-02','MANAGEMENT OF USER ACCOUNTS','Policies and procedures for managing the different types of user accounts are documented, communicated and made available in order to ensure that that all accesses to information have been duly authorized.',8),
+	(51,'IAM-03','IAM-03','LOCKING, UNLOCKING AND REVOCATION OF USER ACCOUNTS','Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse.',8),
+	(52,'IAM-04','IAM-04','MANAGEMENT OF ACCESS RIGHTS','Policies and procedures are defined for managing and controlling the assignment of access rights to accounts and to users.',8),
+	(53,'IAM-05','IAM-05','REGULAR REVIEW OF ACCESS RIGHTS','The fitness for purpose of the accounts of all types and their associated access rights are reviewed regularly.',8),
+	(54,'IAM-06','IAM-06','PRIVILEGED ACCESS RIGHTS','Privileged access rights and the user accounts of all types to which they are granted are subject to additional scrutiny.',8),
+	(55,'IAM-07','IAM-07','AUTHENTICATION MECHANISMS','Adequate authentication mechanisms are used in to be granted access to any environment and when needed within an environment.',8),
+	(56,'IAM-08','IAM-08','PROTECTION AND STRENGTH OF CREDENTIALS','Throughout their lifecycle, authentication credentials are protected to ensure that their use provides a sufficient level of confidence that the user of a specific account has been authenticated.',8),
+	(57,'IAM-09','IAM-09','GENERAL ACCESS RESTRICTIONS','The assets in and around the cloud service are managed in a way that ensure that access restrictions are enforced between different categories of assets.',8),
+	(58,'CKM-01','CKM-01','POLICIES FOR THE USE OF ENCRYPTION MECHANISMS AND KEY MANAGEMENT','Policies and procedures for cryptography and key management including technical and organisational safeguards are documented, communicated, and implemented, in order to ensure the confidentiality, authenticity and integrity of the information.',9),
+	(59,'CKM-02','CKM-02','ENCRYPTION OF DATA IN TRANSIT','CCSC data communicated over public networks is protected in confidentiality, integrity, and authenticity.',9),
+	(60,'CKM-03','CKM-03','ENCRYPTION OF DATA AT REST','The CSP has established procedures and technical safeguards to prevent the disclosure of cloud customers’ data during storage.',9),
+	(61,'CKM-04','CKM-04','SECURE KEY MANAGEMENT','Appropriate mechanisms for key management are in place to protect the confidentiality, authenticity or integrity of cryptographic keys.',9),
+	(62,'CS-01','CS-01','TECHNICAL SAFEGUARDS','The CSP has implemented appropriate technical safeguards in order to detect and respond to network-based attacks as well as to ensure the protection of information and information processing systems',10),
+	(63,'CS-02','CS-02','SECURITY REQUIREMENTS TO CONNECT WITHIN THE CSP’S NETWORK','The establishment of connections within the CSP’s network is subject to specific security requirements.',10),
+	(64,'CS-03','CS-03','MONITORING OF CONNECTIONS WITHIN THE CSP’S NETWORK','The communication flows within the cloud, internal and external, are monitored according to the regulations to respond appropriately and timely to threats',10),
+	(65,'CS-04','CS-04','NETWORKS FOR ADMINISTRATION','Administrative and operational management duties are performed on networks segregated from other networks to prevent unauthorized traffics and to maintain separation of duties.',10),
+	(66,'CS-05','CS-05','Traffic Separation in Shared Network Environments','The confidentiality and integrity of CSC data is protected by separation measures when communicated over shared networks.',10),
+	(67,'CS-06','CS-06','NETWORK TOPOLOGY DOCUMENTATION','A map of the information system is kept up and maintained, in order to avoid administrative errors during live operation and to ensure timely recovery in the event of malfunctions.',10),
+	(68,'CS-07','CS-07','SOFTWARE DEFINED NETWORKING','Software-defined networking is only used if the CSC data is protected by appropriate measures.',10),
+	(69,'CS-08','CS-08','DATA TRANSMISSION POLICIES','Policies are defined to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction.',10),
+	(70,'PI-01','PI-01','DOCUMENTATION AND SECURITY OF INPUT AND OUTPUT INTERFACES','Inbound and outbound interfaces to/from the cloud service are documented for access from other cloud services or IT systems.',11),
+	(71,'PI-02','PI-02','CONTRACTUAL AGREEMENTS FOR THE PROVISION OF DATA','Contractual agreements define adequate information with regard to the migration of data following the termination of the contractual relationship.',11),
+	(72,'PI-03','PI-03','SECURE DELETION OF DATA','CSC data is securely deleted upon termination of the contract.',11),
+	(73,'CCM-01','CCM-01','POLICIES FOR CHANGES TO INFORMATION SYSTEMS','Policies and procedures are documented, communicated and implemented to control changes to information systems.',12),
+	(74,'CCM-02','CCM-02','RISK ASSESSMENT, CATEGORISATION AND PRIORITISATION OF CHANGES','Changes are categorised and prioritised according to potential security effects',12),
+	(75,'CCM-03','CCM-03','TESTING CHANGES','Changes to the cloud services are tested before deployment to minimize the risks of failure upon implementation.',12),
+	(76,'CCM-04','CCM-04','APPROVALS FOR PROVISION IN THE PRODUCTION ENVIRONMENT','Changes to the cloud services are approved before being deployed in the production environment.',12),
+	(77,'CCM-05','CCM-05','PERFORMING AND LOGGING CHANGES','Changes to the cloud services are performed through authorized accounts and traceable to the person or system component who initiated them.',12),
+	(78,'CCM-06','CCM-06','VERSION CONTROL','Version control is used to track individual changes and enable restoration of a previous version if required.',12),
+	(79,'DEV-01','DEV-01','POLICIES FOR THE DEVELOPMENT AND PROCUREMENT OF INFORMATION SYSTEMS','Policies are defined to define technical and organisational measures for the development of the cloud service throughout its lifecycle',13),
+	(80,'DEV-02','DEV-02','DEVELOPMENT SUPPLY CHAIN SECURITY','The supply chain of system components is considered in development security.',13),
+	(81,'DEV-03','DEV-03','SECURE DEVELOPMENT ENVIRONMENT','The development environment takes information security in consideration.',13),
+	(82,'DEV-04','DEV-04','SEPARATION OF ENVIRONMENTS','The development environment takes information security in consideration.',13),
+	(83,'DEV-05','DEV-05','DEVELOPMENT OF SECURITY FEATURES','The development environment takes information security in consideration for the implementation of technical measures or safeguards.',13),
+	(84,'DEV-06','DEV-06','IDENTIFICATION OF VULNERABILITIES OF THE CLOUD SERVICE','Appropriate measures are taken to identify vulnerabilities introduced in the cloud service during the development process.',13),
+	(85,'DEV-07','DEV-07','OUTSOURCING OF THE DEVELOPMENT','Outsourced developments provide similar security guarantees than in-house developments.',13),
+	(86,'DEV-08','DEV-08','Controlling exchanges with suppliers of functional components','The exchanges with suppliers of functional components are limited and controlled by the CSP',13),
+	(87,'PM-01','PM-01','POLICIES AND PROCEDURES FOR CONTROLLING AND MONITORING THIRD PARTIES','Policies and procedures are defined to supervise the activities of third parties who contribute to the provision of the cloud service.',14),
+	(88,'PM-02','PM-02','RISK ASSESSMENT OF SUPPLIERS','Suppliers of the CSP undergo a risk assessment to determine the security needs related to the product or service they provide.',14),
+	(89,'PM-03','PM-03','DIRECTORY OF SUPPLIERS','A centralized directory of suppliers is available to facilitate their control and monitoring.',14),
+	(90,'PM-04','PM-04','MONITORING OF COMPLIANCE WITH REQUIREMENTS','Monitoring mechanisms are in place to ensure that third-parties comply with their regulatory and contractual obligations.',14),
+	(91,'PM-05','PM-05','EXIT STRATEGY','Strategies are documented that ensure minimum business disruption if the relationship with a supplier is terminated.',14),
+	(92,'IM-01','IM-01','POLICY FOR SECURITY INCIDENT MANAGEMENT','A policy is defined to respond to security incidents in a fast, efficient and orderly manner.',15),
+	(93,'IM-02','IM-02','PROCESSING OF SECURITY INCIDENTS','A methodology is defined and applied to process security incidents in a fast, efficient and orderly manner.',15),
+	(94,'IM-03','IM-03','DOCUMENTATION AND REPORTING OF SECURITY INCIDENTS','Security incidents are documented to and reported in a timely manner to customers.',15),
+	(95,'IM-04','IM-04','USER’S DUTY TO REPORT SECURITY INCIDENTS','Users are aware of their obligations to report security incidents.',15),
+	(96,'IM-05','IM-05','INVOLVEMENT OF CLOUD CUSTOMERS IN THE EVENT OF INCIDENTS','Customers are kept regularly informed of the status incidents that concern them.',15),
+	(97,'IM-06','IM-06','EVALUATION AND LEARNING PROCESS','Measures are in place to continuously improve the service from experience learned in incidents',15),
+	(98,'IM-07','IM-07','INCIDENT EVIDENCE PRESERVATION','Measures are in place to preserve information related to security incidents.',15),
+	(99,'BC-01','BC-01','BUSINESS CONTINUITY POLICIES AND TOP MANAGEMENT RESPONSIBILITY','Responsibilities are assigned inside the CSP organisation to ensure that sufficient resources can be assigned to define and execute the business continuity plan and that business continuity-related activities are supported.',16),
+	(100,'BC-02','BC-02','BUSINESS IMPACT ANALYSIS PROCEDURES','Business continuity policies and procedures cover the determination of the impact of any malfunction or interruption to the cloud service or enterprise.',16),
+	(101,'BC-03','BC-03','BUSINESS CONTINUITY AND CONTINGENCY PLANNING','A business continuity framework including a business continuity plan and associated contingency plans is available.',16),
+	(102,'BC-04','BC-04','BUSINESS CONTINUITY TESTS AND EXERCISES','The business continuity framework is tested on a regular basis.',16),
+	(103,'CO-01','CO-01','IDENTIFICATION OF APPLICABLE COMPLIANCE REQUIREMENTS','The legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service are defined and documented.',17),
+	(104,'CO-02','CO-02','POLICY FOR PLANNING AND CONDUCTING AUDITS','Conditions are defined that allow audits to be conducted in a way that facilitates the gathering of evidence while minimizing interference with the delivery of the cloud service.',17),
+	(105,'CO-03','CO-03','INTERNAL AUDITS OF THE INTERNAL CONTROL SYSTEM','Subject matter experts regularly check the compliance of the Information Security Management System (ISMS) to relevant and applicable legal, regulatory, self-imposed or contractual requirements.',17),
+	(106,'CO-04','CO-04','INFORMATION ON INTERNAL CONTROL SYSTEM ASSESSMENT','The top management of the CSP is kept informed of the performance of the internal control system in order to ensure its continued suitability, adequacy and effectiveness',17),
+	(107,'DOC-01','DOC-01','GUIDELINES AND RECOMMENDATIONS FOR CLOUD CUSTOMERS','Provide information to assist the cloud customer in the secure configuration, installation and use of the cloud service.',18),
+	(108,'DOC-02','DOC-02','LOCATIONS OF DATA PROCESSING AND STORAGE','The CSP provides transparent information about the location of the data and of its processing.',18),
+	(109,'DOC-03','DOC-03','JUSTIFICATION OF THE TARGETED EVALUATION LEVEL','Provide a rationale for the assurance level target by the cloud service.',18),
+	(110,'DOC-04','DOC-04','GUIDELINES AND RECOMENDATIONS FOR COMPOSITION','Provide the information needed by customers that want to use the cloud service as a secondary cloud service for their own certified cloud service.',18),
+	(111,'DOC-05','DOC-05','CONTRIBUTION TO THE FULFILMENT OF REQUIREMENTS FOR COMPOSITION','Provide the information required by customers that want to use the cloud service as a base service f certified cloud service.',18),
+	(112,'INQ-01','INQ-01','LEGAL ASSESSMENT OF INVESTIGATIVE INQUIRIES','Investigative inquiries are assessed before determining further steps to be taken.',19),
+	(113,'INQ-02','INQ-02','INFORMING CLOUD CUSTOMERS ABOUT INVESTIGATION REQUESTS','Cloud customers are kept informed of ongoing investigations if legally permitted.',19),
+	(114,'INQ-03','INQ-03','CONDITIONS FOR ACCESS TO OR DISCLOSURE OF DATA IN INVESTIGATION REQUESTS','Investigators only have access to the data required for their investigation after validation of the legality of their request',19),
+	(115,'PSS-01','PSS-01','ERROR HANDLING AND LOGGING MECHANISMS','Cloud customers have access to sufficient information about the cloud service through error handling and logging mechanisms.',20),
+	(116,'PSS-02','PSS-02','SESSION MANAGEMENT','A suitable session management is used to protect confidentiality, availability, integrity and authenticity during interactions with the cloud service.',20),
+	(117,'PSS-03','PSS-03','SOFTWARE DEFINED NETWORKING','Software-defined networking is only used if the cloud user data is protected by appropriate measures',20),
+	(118,'PSS-04','PSS-04','IMAGES FOR VIRTUAL MACHINES AND CONTAINERS','Services for providing and managing virtual machines and containers to customers include appropriate protection measures.',20),
+	(119,'PSS-05','PSS-05','LOCATIONS OF DATA PROCESSING AND STORAGE','Provide users with choices about the location of the data and of its processing.',20);
 /*!40000 ALTER TABLE `security_control` ENABLE KEYS */;
 
-/*!40000 ALTER TABLE `tom` DISABLE KEYS */;
+
 -- ----------------------------------
 -- Table: `tom`
 -- ----------------------------------
+/*!40000 ALTER TABLE `tom` DISABLE KEYS */;
 INSERT INTO cocbackend.tom (id,code,name,description,assurance_level,`type`,security_control_id) VALUES
-	 (1,'OIS-01.1B','OIS-01.1B','The CSP shall establish, implement, maintain and continually improve an information security management system (ISMS), covering at least the operational units, locations and processes for providing the cloud service.','BASIC','ORGANIZATIONAL',1),
-	 (2,'OIS-01.2','OIS-01.2','The ISMS shall be in accordance to ISO/IEC 27001','SUBSTANTIAL','ORGANIZATIONAL',1),
-	 (3,'OIS-01.3','OIS-01.3','The ISMS shall have a valid certification according to ISO/IEC 27001 or to national schemes based on ISO 27001','HIGH','ORGANIZATIONAL',1),
-	 (4,'OIS-01.4','OIS-01.4','The CSP shall document the measures for documenting, implementing, maintaining and continuously improving the ISMS','BASIC','ORGANIZATIONAL',1),
-	 (5,'OIS-01.5','OIS-01.5','The documentation shall include at least:
-- Scope of the ISMS (Section 4.3 of ISO/IEC 27001);
-- Declaration of applicability (Section 6.1.3), and
-- Results of the last management review (Section 9.3).','SUBSTANTIAL','ORGANIZATIONAL',1),
-	 (6,'OIS-02.1','OIS-02.1','The CSP shall perform a risk assessment as defined in RM-01 about the accumulation of responsibilities or tasks on roles or individuals, regarding the provision of the cloud service','BASIC','ORGANIZATIONAL',2),
-	 (7,'OIS-02.2','OIS-02.2','The risk assessment shall cover at least the following areas, insofar as these are applicable to the provision of the cloud service and are in the area of responsibility of the CSP:
-- Administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01);
-- Development, testing and release of changes (cf. DEV-01, CCM-01); and
-- Operation of the system components.','BASIC','ORGANIZATIONAL',2),
-	 (8,'OIS-02.3','OIS-02.3','The CSP shall implement the mitigating measures defined in the risk assessment, privileging separation of duties, unless impossible for organisational or technical reasons, in which case the measures shall include the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions','BASIC','ORGANIZATIONAL',2),
-	 (9,'OIS-02.4','OIS-02.4','The CSP shall automatically monitor the assignment of responsibilities and tasks to ensure that measures related to segregation of duties are enforced.','HIGH','ORGANIZATIONAL',2),
-	 (10,'OIS-03.1','OIS-03.1','The CSP shall stay informed about current threats and vulnerabilities','BASIC','ORGANIZATIONAL',3),
-	 (11,'OIS-03.2','OIS-03.2','The CSP shall maintain contacts with the competent authorities in terms of information security and relevant technical groups to stay informed about current threats and vulnerabilities','SUBSTANTIAL','ORGANIZATIONAL',3),
-	 (12,'OIS-03.3','OIS-03.3','The CSP shall maintain regular contact with its CAB and NCCA to stay informed about current threats and vulnerabilities','HIGH','ORGANIZATIONAL',3),
-	 (13,'OIS-04.1','OIS-04.1','The CSP shall include information security in the project management of all projects that may affect the service, regardless of the nature of the project','BASIC','ORGANIZATIONAL',4),
-	 (14,'OIS-04.2','OIS-04.2','The CSP shall perform a risk assessment according to RM-01 to assess and treat the risks on any project that may affect the provision of the cloud service, regardless of the nature of the project','SUBSTANTIAL','ORGANIZATIONAL',4),
-	 (15,'ISP-01.1','ISP-01.1','The CSP shall document a global information security policy covering at least the following aspects:
-- the importance of information security, based on the requirements of cloud customers in relation to information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided
-- the security objectives and the desired security level, based on the business goals and tasks of the Cloud Service Provider;
-- the commitment of the CSP to implement the security measures required to achieve the established security objectives.
-- the most important aspects of the security strategy to achieve the security objectives set; and
-- the organisational structure for information security in the ISMS application area.','BASIC','ORGANIZATIONAL',5),
-	 (16,'ISP-01.2','ISP-01.2','The CSP’s top management shall approve and endorse the global information security policy','BASIC','ORGANIZATIONAL',5),
-	 (17,'ISP-01.3','ISP-01.3','The CSP shall review the global information security policy at least following any significant organizational change susceptible to affect the principles defined in the policy, including the approval and endorsement by top management','SUBSTANTIAL','ORGANIZATIONAL',5),
-	 (18,'ISP-01.4','ISP-01.4','The CSP shall review the global information security policy at least annually','HIGH','ORGANIZATIONAL',5),
-	 (19,'ISP-01.5','ISP-01.5','The CSP shall communicate and make available the global information security policy to internal and external employees and to cloud service customers','BASIC','ORGANIZATIONAL',5),
-	 (20,'ISP-02.1','ISP-02.1','The CSP shall derive policies and procedures from the global information security policy for all relevant subject matters, documented according to a uniform structure, including at least the following aspects:
-- Objectives;
-- Scope;
-- Roles and responsibilities within the organization;
-- Roles and dependencies on other organisations (especially cloud customers and subservice organisations);
-- Steps for the execution of the security strategy; and
-- Applicable legal and regulatory requirements.','BASIC','ORGANIZATIONAL',6),
-	 (21,'ISP-02.2','ISP-02.2','The policies and procedures shall include staff qualification requirements and the establishment of substitution rules in their description of roles and responsibilities within the organization','SUBSTANTIAL','ORGANIZATIONAL',6),
-	 (22,'ISP-02.3','ISP-02.3','The CSP shall communicate and make available the policies and procedures to all internal and external employees','BASIC','ORGANIZATIONAL',6),
-	 (23,'ISP-02.4','ISP-02.4','The CSP’s top management shall approve the security policies and procedures or delegate this responsibility to authorized bodies','BASIC','ORGANIZATIONAL',6),
-	 (24,'ISP-02.5','ISP-02.5','In case of a delegation, the authorized bodies shall report at least annually to the top management on the security policies and their implementation','HIGH','ORGANIZATIONAL',6),
-	 (25,'ISP-02.6','ISP-02.6','The CSP’s subject matter experts shall review the policies and procedures for adequacy at least annually, when the global information security policy is updated, and when major changes may affect the security of the cloud service','BASIC','ORGANIZATIONAL',6),
-	 (26,'ISP-02.7','ISP-02.7','After an update of procedures and policies, they shall be approved before they become effective, and then communicated and made available to internal and external employees','BASIC','ORGANIZATIONAL',6),
-	 (27,'ISP-03.1','ISP-03.1','The CSP shall maintain a list of exceptions to the security policies and procedures, including associated controls.','BASIC','ORGANIZATIONAL',7),
-	 (28,'ISP-03.2','ISP-03.2','The exceptions are limited in time','BASIC','ORGANIZATIONAL',7),
-	 (29,'ISP-03.3','ISP-03.3','The exceptions shall be subjected to the RM-01 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners','SUBSTANTIAL','ORGANIZATIONAL',7),
-	 (30,'ISP-03.4','ISP-03.4','The exceptions to a security policy or procedure shall be approved by the top management or authorized body who approved the security policy or procedure','HIGH','ORGANIZATIONAL',7),
-	 (31,'ISP-03.5','ISP-03.5','The list of exceptions shall be reviewed at least annually','BASIC','ORGANIZATIONAL',7),
-	 (32,'ISP-03.6','ISP-03.6','The approvals of the list of exceptions shall be reiterated at least annually, even if the list has not been updated','SUBSTANTIAL','ORGANIZATIONAL',7),
-	 (33,'ISP-03.7','ISP-03.7','The list of exceptions shall be automatically monitored to ensure that the validity of approved exceptions has not expired and that all reviews and approvals are up-to-date','HIGH','ORGANIZATIONAL',7),
-	 (34,'RM-01.1','RM-01.1','The CSP shall document policies and procedures in accordance with ISP-02 for the following aspects:
-- Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners;
-- Analysis of the probability and impact of occurrence and determination of the level of risk;
-- Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling;
-- Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners; and
-- Documentation of the activities implemented to enable consistent, valid and comparable results.','BASIC','ORGANIZATIONAL',8),
-	 (35,'RM-01.2','RM-01.2','The CSP shall use a documented risk analysis method that guarantees reproducibility and comparability of the approach','SUBSTANTIAL','ORGANIZATIONAL',8),
-	 (36,'RM-02.1','RM-02.1','The CSP shall implement the policies and procedures covering risk assessment on the entire perimeter of the cloud service.','BASIC','ORGANIZATIONAL',9),
-	 (37,'RM-02.2','RM-02.2','The CSP shall make the results of the risk assessment available to relevant stakeholders','BASIC','ORGANIZATIONAL',9),
-	 (38,'RM-02.3','RM-02.3','The CSP shall review and revise the risk assessment at least annually, and after each major change that may affect the security of the cloud service.','BASIC','ORGANIZATIONAL',9),
-	 (39,'RM-02.4','RM-02.4','The CSP shall monitor the evolution of the risk factors and revise the risk assessment results accordingly','HIGH','ORGANIZATIONAL',9),
-	 (40,'RM-03.1','RM-03.1','The CSP shall prioritize risks according to their criticality','BASIC','ORGANIZATIONAL',10),
-	 (41,'RM-03.2','RM-03.2','The CSP shall define and implement a plan to treat risks according to their priority level by reducing or avoiding them through security controls, by sharing them, or by retaining them.','BASIC','ORGANIZATIONAL',10),
-	 (42,'RM-03.3','RM-03.3','The risk treatment plan shall reduce the risk level to a threshold that the risk owners deem acceptable (Residual Risk).','BASIC','ORGANIZATIONAL',10),
-	 (43,'RM-03.4','RM-03.4','The risk owners shall formally approve the treatment plan and in particular accept the residual risk','SUBSTANTIAL','ORGANIZATIONAL',10),
-	 (44,'RM-03.5','RM-03.5','The CSP shall make the risk treatment plan available to relevant stakeholders','BASIC','ORGANIZATIONAL',10),
-	 (45,'RM-03.6','RM-03.6','If the CSP shares risks with the CSC, the shared risks shall be associated to Complementary Customer Controls (CCCs) and described in the user documentation','BASIC','ORGANIZATIONAL',10),
-	 (46,'RM-03.7','RM-03.7','The CSP shall revise the risk treatment plan every time the risk assessment is revised.','BASIC','ORGANIZATIONAL',10),
-	 (47,'RM-03.8','RM-03.8','The risk owners shall review for adequacy the analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, after each revision of the risk assessment and treatment plans.','SUBSTANTIAL','ORGANIZATIONAL',10),
-	 (48,'HR-01.1','HR-01.1','The CSP shall classify information security-sensitive positions according to their level of risk, including positions related to IT administration and to the provisioning of the cloud service in the production environment, and all positions with access to cloud customer data or system components.','BASIC','ORGANIZATIONAL',11),
-	 (49,'HR-01.2','HR-01.2','The CSP shall include in its employment contracts or on a dedicated code of conduct or ethics an overarching agreement from internal and external employees to act ethically in their professional duties.','BASIC','ORGANIZATIONAL',11),
-	 (50,'HR-01.3','HR-01.3','The CSP shall document, communicate and implement a policy that describes actions to take in the event of violations of policies and instructions or applicable legal and regulatory requirements, including at least the following aspects:
-- Verifying whether a violation has occurred; and
-- Consideration of the nature and severity of the violation and its impact','BASIC','ORGANIZATIONAL',11),
-	 (51,'HR-01.4','HR-01.4','If disciplinary measures are defined in the policy mentioned in HR-01.3, then the internal and external employees of the CSP shall be informed about possible disciplinary measures and the use of these disciplinary measures shall be appropriately documented.','BASIC','ORGANIZATIONAL',11),
-	 (52,'HR-02.1','HR-02.1','The competency and integrity of all internal and external employees of the CSP with access to cloud customer data or system components under the CSP’s responsibility, or who are responsible to provide the cloud service in the production environment shall be reviewed before commencement of employment in a position classified in objective HR-01. The extent of the review shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','BASIC','ORGANIZATIONAL',12),
-	 (53,'HR-02.2','HR-02.2','The competency and integrity of internal and external employees of the CSP shall be reviewed before commencement of employment in a position with a higher risk classification that their previous position','SUBSTANTIAL','ORGANIZATIONAL',12),
-	 (54,'HR-02.3','HR-02.3','The competency and integrity of internal and external employees of the CSP shall be reviewed annually for the employees in positions with the highest levels of risk classification, starting at a level to be defined in the human resource policy','HIGH','ORGANIZATIONAL',12),
-	 (55,'HR-03.1','HR-03.1','The CSP shall ensure that all internal and external employees are required by their employment terms and conditions to comply with all applicable information security policies and procedures','BASIC','ORGANIZATIONAL',13),
-	 (56,'HR-03.2','HR-03.2','The CSP shall ensure that the employment terms for all internal and external employees include a non-disclosure provision, which shall cover any information that has been obtained or generated as part of the cloud service, even if anonymised and decontextualized.','BASIC','ORGANIZATIONAL',13),
-	 (57,'HR-03.3','HR-03.3','The CSP shall give a presentation of all applicable information security policies and procedures to internal and external employees before granting them any access to customer data, the production environment, or any component thereof','BASIC','ORGANIZATIONAL',13),
-	 (58,'HR-03.4','HR-03.4','All internal and external employees shall acknowledge in a documented form the information security policies and procedures presented to them before they are granted any access to customer data, the production environment, or any component thereof','SUBSTANTIAL','ORGANIZATIONAL',13),
-	 (59,'HR-03.5','HR-03.5','The verification of the acknowledgement defined in HR-03.4 shall be automatically monitored in the processes and automated systems used to grant access rights to employees.','HIGH','ORGANIZATIONAL',13),
-	 (60,'HR-04.1','HR-04.1','The CSP shall define a security awareness and training program that covers the following aspects:
-- Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures;
-- Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;
-- Information about the current threat situation; and
-- Correct behaviour in the event of security incidents.','BASIC','ORGANIZATIONAL',14),
-	 (61,'HR-04.2','HR-04.2','The CSP shall define an awareness and training program on a target group-oriented manner, taking into consideration at least the position’s risk classification and technical duties','SUBSTANTIAL','ORGANIZATIONAL',14),
-	 (62,'HR-04.3','HR-04.3','The CSP shall review their security awareness and training program based on changes to policies and instructions and the current threat situation','BASIC','ORGANIZATIONAL',14),
-	 (63,'HR-04.4','HR-04.4','The CSP shall update their security awareness and training program at least annually','SUBSTANTIAL','ORGANIZATIONAL',14),
-	 (64,'HR-04.5','HR-04.5','The CSP shall ensure that all employees complete the security awareness and training program defined for them','BASIC','ORGANIZATIONAL',14),
-	 (65,'HR-04.6','HR-04.6','The CSP shall ensure that all employees complete the security awareness and training program on a regular basis, and when changing target group','SUBSTANTIAL','ORGANIZATIONAL',14),
-	 (66,'HR-04.7','HR-04.7','The CSP shall automatically monitor the completion of the security awareness and training program','HIGH','ORGANIZATIONAL',14),
-	 (67,'HR-04.8','HR-04.8','The CSP shall measure and evaluate the learning outcomes achieved through the awareness and training programme','SUBSTANTIAL','ORGANIZATIONAL',14),
-	 (68,'HR-04.9','HR-04.9','The CSP shall measure and evaluate in a target group-oriented manner the learning outcomes achieved through the awareness and training programme. The measurements shall cover quantitative and qualitative aspects, and the results shall be used to improve the awareness and training programme.','HIGH','ORGANIZATIONAL',14),
-	 (69,'HR-04.10','HR-04.10','The CSP shall verify the effectiveness of the security awareness and training program using practical exercises in security awareness training that simulate actual cyber-attacks','SUBSTANTIAL','ORGANIZATIONAL',14),
-	 (70,'HR-05.1','HR-05.1','The CSP shall communicate to internal and external employees their ongoing responsibilities relating to information security when their employment is terminated or changed.','BASIC','ORGANIZATIONAL',15),
-	 (71,'HR-05.2','HR-05.2','The CSP shall apply a specific procedure to revoke the access rights and process appropriately the accounts and assets of internal and external employees when their employment is terminated or changed','BASIC','ORGANIZATIONAL',15),
-	 (72,'HR-05.3','HR-05.3','The procedure mentioned in HR-05.2 shall define specific roles and responsibilities and include a documented checklist of all required steps','SUBSTANTIAL','ORGANIZATIONAL',15),
-	 (73,'HR-05.4','HR-05.4','The CSP shall automatically monitor the application of the procedure mentioned in HR-05.2','HIGH','ORGANIZATIONAL',15),
-	 (74,'HR-06.1','HR-06.1','The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers','BASIC','ORGANIZATIONAL',16),
-	 (75,'HR-06.2','HR-06.2','The non-disclosure or confidentiality agreements shall be based on the requirements identified by the CSP for the protection of confidential information and operational details','SUBSTANTIAL','ORGANIZATIONAL',16),
-	 (76,'HR-06.3','HR-06.3','The agreements shall be accepted by external service providers and suppliers when the contract is agreed','SUBSTANTIAL','ORGANIZATIONAL',16),
-	 (77,'HR-06.4','HR-06.4','The agreements shall be accepted by internal employees of the CSP before authorisation to access data of cloud customers is granted','SUBSTANTIAL','ORGANIZATIONAL',16),
-	 (78,'HR-06.5','HR-06.5','The requirements on which the agreements are based shall be documented and reviewed at regular intervals, at least annually; if the review shows that the requirements need to be adapted, the non-disclosure or confidentiality agreements shall be updated accordingly.','SUBSTANTIAL','ORGANIZATIONAL',16),
-	 (79,'HR-06.6','HR-06.6','The CSP shall inform its internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement.','SUBSTANTIAL','ORGANIZATIONAL',16),
-	 (80,'HR-06.7','HR-06.7','The CSP shall automatically monitor the confirmation of non-disclosure or confidentiality agreements by internal employees, external service providers and suppliers','HIGH','ORGANIZATIONAL',16),
-	 (81,'AM-01.1','AM-01.1','The CSP shall document and implement policies and procedures for maintaining an inventory of assets','BASIC','ORGANIZATIONAL',17),
-	 (82,'AM-01.2','AM-01.2','The inventory shall be performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle','SUBSTANTIAL','ORGANIZATIONAL',17),
-	 (83,'AM-01.3','AM-01.3','The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01.','BASIC','ORGANIZATIONAL',17),
-	 (84,'AM-01.4','AM-01.4','The information recorded with assets shall include the measures taken to manage the risks associated to the asset through its life cycle','SUBSTANTIAL','ORGANIZATIONAL',17),
-	 (85,'AM-01.5','AM-01.5','The information about assets shall be considered by monitoring applications to identify the impact on cloud services and functions in case of events that could lead to a breach of protection objectives, and to support information provided to affected cloud customers in accordance with contractual agreements','HIGH','ORGANIZATIONAL',17),
-	 (86,'AM-01.6','AM-01.6','The CSP shall automatically monitor the inventory of assets to guarantee it is up-to-date','HIGH','ORGANIZATIONAL',17),
-	 (87,'AM-02.1','AM-02.1','The CSP shall document, communicate and implement policies and procedures for acceptable use and safe handling of assets (reference to ISP-01)','BASIC','ORGANIZATIONAL',18),
-	 (88,'AM-02.2','AM-02.2','The policies and procedures for acceptable use and safe handling of assets shall address at least the following aspects of the asset lifecycle as applicable to the asset (reference to ISP-01) [list in the guidance]Substantial','SUBSTANTIAL','ORGANIZATIONAL',18),
-	 (89,'AM-02.3','AM-02.3','When removable media is used in the technical infrastructure or for IT administration tasks, this media shall be dedicated to a single use','HIGH','ORGANIZATIONAL',18),
-	 (90,'AM-03.1','AM-03.1','The CSP shall document, communicate and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures','BASIC','ORGANIZATIONAL',19),
-	 (91,'AM-03.2','AM-03.2','The procedure mentioned in AM-03.1 shall ensure that the risks arising from the commissioning are identified, analysed and mitigated.','SUBSTANTIAL','ORGANIZATIONAL',19),
-	 (92,'AM-03.3','AM-03.3','The procedure mentioned in AM-03.1 shall include verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies, before authorization to commission the asset can be granted.','SUBSTANTIAL','ORGANIZATIONAL',19),
-	 (93,'AM-03.4','AM-03.4','The CSP shall document, communicate and implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, requiring approval based on applicable policies.','BASIC','ORGANIZATIONAL',19),
-	 (94,'AM-03.5','AM-03.5','The procedure mentioned in AM.03-4 shall include the complete and permanent deletion of the data or the proper destruction of the media.','BASIC','ORGANIZATIONAL',19),
-	 (95,'AM-03.6','AM-03.6','The approval of the commissioning and decommissioning of hardware shall be digitally documented and automatically monitored.','HIGH','ORGANIZATIONAL',19),
-	 (96,'AM-04.1','AM-04.1','The CSP shall ensure and document that all internal and external employees are committed to the policies and procedures for acceptable use and safe handling of assets in the situations described in AM-03','BASIC','ORGANIZATIONAL',20),
-	 (97,'AM-04.2','AM-04.2','The procedure mentioned in HR-06.2 shall include steps to ensure that all assets under custody of an employee are returned upon termination of employment.','BASIC','ORGANIZATIONAL',20),
-	 (98,'AM-04.3','AM-04.3','The CSP shall centrally manage the assets under the custody of internal and external employees, including at least software, data, and policy distribution, as well as remote deactivation, deletion or locking, as available on the asset.','HIGH','ORGANIZATIONAL',20),
-	 (99,'AM-04.4','AM-04.4','The verification of the commitment defined in AM-04.1 shall be automatically monitored','HIGH','ORGANIZATIONAL',20),
-	 (100,'AM-05.1','AM-05.1','The CSP shall define an asset classification schema that reflects for each asset the protection needs of the information it processes, stores, or transmits','BASIC','ORGANIZATIONAL',21),
-	 (101,'AM-05.2','AM-05.2','The asset classification schema shall provide levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives','SUBSTANTIAL','ORGANIZATIONAL',21),
-	 (102,'AM-05.3','AM-05.3','When applicable, the CSP shall label all assets according to their classification in the asset classification schema','BASIC','ORGANIZATIONAL',21),
-	 (103,'AM-05.4','AM-05.4','The need for protection shall be determined by the individuals or groups responsible for the assets','SUBSTANTIAL','ORGANIZATIONAL',21),
-	 (104,'PS-01.1','PS-01.1','The CSP shall define security perimeters in the buildings and premises related to the cloud service provided','BASIC','ORGANIZATIONAL',22),
-	 (105,'PS-01.2','PS-01.2','The CSP shall define at least two security areas, with one covering all buildings and premises and one covering sensitive activities such as the buildings and premises hosting the information system for the production of the service','BASIC','ORGANIZATIONAL',22),
-	 (106,'PS-01.3','PS-01.3','The CSP shall define at least an additional private area that may host development activities and administration, supervision and operation workstations','HIGH','ORGANIZATIONAL',22),
-	 (107,'PS-01.4','PS-01.4','The CSP shall ensure that no direct access exists between a public area and a sensitive area','HIGH','ORGANIZATIONAL',22),
-	 (108,'PS-01.5','PS-01.5','The CSP shall ensure that all delivery, loading areas, and other points through which unauthorised persons can penetrate into the premises without being accompanied are part of the public area','HIGH','ORGANIZATIONAL',22),
-	 (109,'PS-01.6','PS-01.6','The CSP shall define and communicate a set of security requirements for each security area in a policy according to SP-02','BASIC','ORGANIZATIONAL',22),
-	 (110,'PS-01.7','PS-01.7','The security requirements in PS-01.5 shall be based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security','SUBSTANTIAL','ORGANIZATIONAL',22),
-	 (111,'PS-02.1','PS-02.1','The CSP shall document, communicate and implement policies and procedures related to the physical access control to the security areas matching the requirements defined in PS-01 and based on the principles defined in IAM-01','BASIC','ORGANIZATIONAL',23),
-	 (112,'PS-02.2','PS-02.2','The access control policy shall require at least one authentication factor for accessing any non-public area','BASIC','ORGANIZATIONAL',23),
-	 (113,'PS-02.3','PS-02.3','The access control policy shall require at least two authentication factors are used for access to sensitive areas and to areas hosting system components that process cloud customer data','SUBSTANTIAL','ORGANIZATIONAL',23),
-	 (114,'PS-02.4','PS-02.4','The access control policy shall include measures to individually track visitors and third-party personnel during their work in the premises and buildings, identified as such and supervised during their stay','SUBSTANTIAL','ORGANIZATIONAL',23),
-	 (115,'PS-02.5','PS-02.5','The access control policy shall describe the physical access control derogations in case of emergency','BASIC','ORGANIZATIONAL',23),
-	 (116,'PS-02.6','PS-02.6','The access control policy shall describe the time slots and conditions for accessing each area according to the profiles of the users','HIGH','ORGANIZATIONAL',23),
-	 (117,'PS-02.7','PS-02.7','The CSP shall display at the entrance of all non-public perimeters a warning concerning the limits and access conditions to these perimeters','BASIC','ORGANIZATIONAL',23),
-	 (118,'PS-02.8','PS-02.8','The CSP shall protect security perimeters with security measures to detect and prevent unauthorised access in a timely manner so that it does not compromise the information security of the cloud service','BASIC','ORGANIZATIONAL',23),
-	 (119,'PS-02.9','PS-02.9','The access control policy shall include logging of all accesses to non-public areas that enables the CSP to check whether only defined personnel have entered these zones','SUBSTANTIAL','ORGANIZATIONAL',23),
-	 (120,'PS-02.10','PS-02.10','The logging of accesses shall be automatically monitored to guarantee fulfilment of PS-02.9','HIGH','ORGANIZATIONAL',23),
-	 (121,'PS-03.1','PS-03.1','The CSP shall document, communicate, and implement policies and procedures concerning work in non-public areas','BASIC','ORGANIZATIONAL',24),
-	 (122,'PS-03.2','PS-03.2','The policies and procedures in PS-02.1 shall include a clear screen policy and a clear desk policy for documents and removable media','SUBSTANTIAL','ORGANIZATIONAL',24),
-	 (123,'PS-03.3','PS-03.3','The CSP shall define a mapping between activities and zones that indicates which activities may/shall not/shall be performed in every security area','HIGH','ORGANIZATIONAL',24),
-	 (124,'PS-03.4','PS-03.4','The CSP shall define a mapping between assets and zones that indicates which assets may/shall not/shall be used in every security area','HIGH','ORGANIZATIONAL',24),
-	 (125,'PS-04.1','PS-04.1','The CSP shall document, communicate, and implement policies and procedures concerning the protection of equipment and including at least the following aspects:
-- Protecting power and communications cabling from interception, interference or damage;
-- Protecting equipment during maintenance operations;
-- Protecting equipment holding customer data during transport.','BASIC','ORGANIZATIONAL',25),
-	 (126,'PS-04.2','PS-04.2','The procedures defined in PS-04.1 shall include a procedure to check the protection of power and communications cabling, to be performed regularly, at least every two years, as well as in case of suspected manipulation by qualified personnel','SUBSTANTIAL','ORGANIZATIONAL',25),
-	 (127,'PS-04.3','PS-04.3','The policies and procedures in PS-04.1 shall include a procedure for transferring any equipment containing customer data off-site for disposal that guarantees that the level of protection in terms of confidentiality and integrity of the assets during their transport is equivalent to that on the site','SUBSTANTIAL','ORGANIZATIONAL',25),
-	 (128,'PS-04.4','PS-04.4','The procedure mentioned in PS-04.3 shall include a formal validation by top management of the CSP or by the authorized body that validated this procedure','HIGH','ORGANIZATIONAL',25),
-	 (129,'PS-04.4','PS-04.4a','The CSP shall establish a wiring scheme and keep it up-to-date','HIGH','ORGANIZATIONAL',25),
-	 (130,'PS-04.5','PS-04.5','The CSP shall ensure that the maintenance agreements for equipment used to host the cloud service make it possible to have security updates installed timely on this equipment','HIGH','ORGANIZATIONAL',25),
-	 (131,'PS-04.6','PS-04.6','The policies and procedures in PS-04.1 shall include measures to ensure that the conditions for installation, maintenance and servicing of the related technical equipment (e.g., electrical power, air conditioning, fire protection) are compatible with the cloud service’s availability and security requirements','HIGH','ORGANIZATIONAL',25),
-	 (132,'PS-04.7','PS-04.7','The CSP shall ensure that an equipment containing a media with customer data can be returned to a third party only if the customer data stored on it is encrypted in accordance with CKM-03 or has been destroyed beforehand using a secure deletion mechanism','HIGH','ORGANIZATIONAL',25),
-	 (133,'PS-04.8','PS-04.8','The CSP shall use encryption on the removable media and the backup media intended to move between security areas according to the sensitivity of the data stored on the media','BASIC','ORGANIZATIONAL',25),
-	 (134,'PS-05.1','PS-05.1','The CSP shall document and communicate a set of security requirements related to external and environmental threats in a policy according to SP-02, addressing the following risks in accordance with the applicable legal and contractual requirements:
-- Faults in planning;
-- Unauthorised access;
-- Insufficient surveillance;
-- Insufficient air-conditioning;
-- Fire and smoke;
-- Water;
-- Power failure; and
-- Air ventilation and filtration.','BASIC','ORGANIZATIONAL',26),
-	 (135,'PS-05.2','PS-05.2','The security requirements defined in PS-05.1 for datacentres shall be based on criteria which comply with established rules of technology','SUBSTANTIAL','ORGANIZATIONAL',26),
-	 (136,'PS-05.3','PS-05.3','The security requirements defined in PS-05.1 for datacentres shall include time constraints for self-sufficient operation in the event of exceptional events and maximum tolerable utility downtime','HIGH','ORGANIZATIONAL',26),
-	 (137,'PS-05.4','PS-05.4','The security requirements defined in PS-05.1 for datacentres shall include tests of physical protection and detection equipment, to be performed at least annually','HIGH','ORGANIZATIONAL',26),
-	 (138,'PS-05.5','PS-05.5','The CSP shall provide the cloud service from at least two locations that are separated by an adequate distance and that provide each other with operational redundancy or resilience','SUBSTANTIAL','ORGANIZATIONAL',26),
-	 (139,'PS-05.6','PS-05.6','The CSP shall check the effectiveness of the redundancy at least once a year by suitable tests and exercises (cf. BCM-04)','SUBSTANTIAL','ORGANIZATIONAL',26),
-	 (140,'OPS-01.1','OPS-01.1','The CSP shall document and implement procedures to plan for capacities and resources (personnel and IT resources), which shall include forecasting future capacity requirements in order to identify usage trends and manage system overload','BASIC','ORGANIZATIONAL',27),
-	 (141,'OPS-01.2','OPS-01.2','The CSP shall meet the requirements included in contractual agreements with cloud customers regarding the provision of the cloud service in case of capacity bottlenecks or personnel and IT resources outages','BASIC','ORGANIZATIONAL',27),
-	 (142,'OPS-01.3','OPS-01.3','The capacity projections shall be considered in accordance with the service level agreement for planning and preparing the provisioning','HIGH','ORGANIZATIONAL',27),
-	 (143,'OPS-02.1','OPS-02.1','The CSP shall define and implement technical and organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement','BASIC','ORGANIZATIONAL',28),
-	 (144,'OPS-02.2','OPS-02.2','The CSP shall make available to the cloud customer the relevant information regarding capacity and availability on a self-service portal','HIGH','ORGANIZATIONAL',28),
-	 (145,'OPS-02.3','OPS-02.3','The provisioning and de-provisioning of cloud services shall be automatically monitored to guarantee fulfilment of OPS-02.1','HIGH','ORGANIZATIONAL',28),
-	 (146,'OPS-03.1','OPS-03.1','The CSP shall enable CSCs to control and monitor the allocation of the system resources assigned to them, if the corresponding cloud capabilities are exposed to the CSCs','BASIC','ORGANIZATIONAL',29),
-	 (147,'OPS-04.1','OPS-04.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering at least the following aspects:
-- Use of system-specific protection mechanisms;
-- Operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment; and
-- Operation of protection programs for employees'' terminal equipment.','BASIC','ORGANIZATIONAL',30),
-	 (148,'OPS-04.2','OPS-04.2','The CSP shall create regular reports on the malware checks performed, which shall be reviewed and analysed by authorized bodies in the reviews of the policies related to malware','SUBSTANTIAL','ORGANIZATIONAL',30),
-	 (149,'OPS-04.3','OPS-04.3','The policies and instructions related to malware shall include the technical measures taken to securely configure, protect from malware, and monitor the administration interfaces (both the customer''s self-service and the CSP''s administration)','HIGH','ORGANIZATIONAL',30),
-	 (150,'OPS-04.4','OPS-04.4','The CSP shall update the anti-malware products at the highest frequency that the vendors actually offer','HIGH','ORGANIZATIONAL',30),
-	 (151,'OPS-05.1','OPS-05.1','The CSP shall deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment, according to policies and procedures','BASIC','ORGANIZATIONAL',31),
-	 (152,'OPS-05.2','OPS-05.2','Signature-based and behaviour-based malware protection tools shall be updated at least daily','SUBSTANTIAL','ORGANIZATIONAL',31),
-	 (153,'OPS-05.3','OPS-05.3','The CSP shall automatically monitor the systems covered by the malware protection and the configuration of the corresponding mechanisms to guarantee fulfilment of OPS-05.1','HIGH','ORGANIZATIONAL',31),
-	 (154,'OPS-05.4','OPS-05.4','The CSP shall automatically monitor the antimalware scans to track detected malware or irregularities','HIGH','ORGANIZATIONAL',31),
-	 (155,'OPS-06.1','OPS-06.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 for data backup and recovery','BASIC','ORGANIZATIONAL',32),
-	 (156,'OPS-06.2','OPS-06.2','The policies and procedures for backup and recovery shall cover at least the following aspects:
-- The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the cloud customers and the Cloud Service Provider''s operational continuity requirements for Recovery Time Objective (RTO) and Recovery Point Objective (RPO);
-- Data is backed up in encrypted, state-of-the-art form;
-- Access to the backed-up data and the execution of restores is performed only by authorised persons; and
-- Tests of recovery procedures (cf. OPS-08).','SUBSTANTIAL','ORGANIZATIONAL',32),
-	 (157,'OPS-07.1','OPS-07.1','The CSP shall document and implement technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS- 06','BASIC','ORGANIZATIONAL',33),
-	 (158,'OPS-07.2','OPS-07.2','The CSP shall make available to its customers a self-service portal for automatically monitoring their data backup to guarantee fulfilment with OPS-07.1','HIGH','ORGANIZATIONAL',33),
-	 (159,'OPS-07.3','OPS-07.3','The CSP shall automatically monitor their data backups to guarantee fulfilment of OPS-07.1','HIGH','ORGANIZATIONAL',33),
-	 (160,'OPS-08.1','OPS-08.1','The CSP shall test the restore procedures at least annually','BASIC','ORGANIZATIONAL',34),
-	 (161,'OPS-08.2','OPS-08.2','The restore tests shall assess if the specifications for the RTO and RPO agreed with the customers are met','SUBSTANTIAL','ORGANIZATIONAL',34),
-	 (162,'OPS-08.3','OPS-08.3','Any deviation from the specification during the restore test shall be reported to the CSP''s responsible person for assessment and remediation','SUBSTANTIAL','ORGANIZATIONAL',34),
-	 (163,'OPS-08.4','OPS-08.4','The CSP shall inform CSCs, at their request, of the results of the recovery tests','HIGH','ORGANIZATIONAL',34),
-	 (164,'OPS-08.5','OPS-08.5','Recovery tests shall be included in the CSP´s business continuity management','HIGH','ORGANIZATIONAL',34),
-	 (165,'OPS-09.1','OPS-09.1','The CSP shall transfer backup data to a remote location or transport them on backup media to a remote location','BASIC','ORGANIZATIONAL',35),
-	 (166,'OPS-09.2','OPS-09.2','When the backup data is transmitted to a remote location via a network, the transmission of the data takes place in an encrypted form that corresponds to the sate-of-the-art (cf. CKM- 02).','BASIC','ORGANIZATIONAL',35),
-	 (167,'OPS-09.3','OPS-09.3','The CSP shall select a remote location to store its backups concerning the distance, recovery times and the impact of disasters of both sites','SUBSTANTIAL','ORGANIZATIONAL',35),
-	 (168,'OPS-09.4','OPS-09.4','The physical and environmental security measures at the remote site shall have the same level as at the main site','SUBSTANTIAL','ORGANIZATIONAL',35),
-	 (169,'OPS-09.5','OPS-09.5','When the backup data is transmitted to a remote location via a network, the CSP shall automatically monitor the transmission to guarantee fulfilment of OPS-09.1','HIGH','ORGANIZATIONAL',35),
-	 (170,'OPS-10.1','OPS-10.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 that govern the logging and monitoring of events on system components under its responsibility','BASIC','ORGANIZATIONAL',36),
-	 (171,'OPS-10.2','OPS-10.2','The policies and procedures shall cover at least the following aspects:
-- Definition of events that could lead to a violation of the protection goals;
-- Specifications for activating, stopping and pausing the various logs;
-- Information regarding the purpose and retention period of the logs;
-- Define roles and responsibilities for setting up and monitoring logging;
-- Time synchronisation of system components; and
-- Compliance with legal and regulatory frameworks.','SUBSTANTIAL','ORGANIZATIONAL',36),
-	 (172,'OPS-11.1','OPS-11.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 that govern the secure handling of derived data','BASIC','ORGANIZATIONAL',37),
-	 (173,'OPS-11.2','OPS-11.2','The policies and procedures on derived data shall cover at least the following aspects:
-- Purpose for the collection and use of derived data beyond the operation of the cloud service, including purposes related to the implementation of security controls;
-- Anonymisation of the data whenever used in a context that goes beyond a single CSC;
-- Period of storage reasonably related to the purposes of the collection;
-- Guarantees of deletion when the purposes of the collection are fulfilled and further storage is no longer necessary; and
-- Provision of the derived data to CSCs according to contractual agreements.','SUBSTANTIAL','ORGANIZATIONAL',37),
-	 (174,'OPS-11.3','OPS-11.3','The CSP shall list in the contractual agreement with the CSC all purposes for the collection of use of derived data that are not related to the implementation of security controls or to billing','SUBSTANTIAL','ORGANIZATIONAL',37),
-	 (175,'OPS-11.4','OPS-11.4','Derived data, including log data, shall be taken into consideration in regulatory compliance assessments.','HIGH','ORGANIZATIONAL',37),
-	 (176,'OPS-12.1','OPS-12.1','The CSP shall monitor log data in order to identify events that might lead to security incidents, in accordance with the logging and monitoring requirements','BASIC','ORGANIZATIONAL',38),
-	 (177,'OPS-12.2','OPS-12.2','Identified events shall be reported to the appropriate departments for timely assessment and remediation.','BASIC','ORGANIZATIONAL',38),
-	 (178,'OPS-12.3','OPS-12.3','The monitoring of events mentioned in OPS-12.1 shall be automated','SUBSTANTIAL','ORGANIZATIONAL',38),
-	 (179,'OPS-12.4','OPS-12.4','The CSP shall automatically monitor that event detection is effective on the list of critical assets in fulfilment of OPS-12.1','HIGH','ORGANIZATIONAL',38),
-	 (180,'OPS-13.1','OPS-13.1','The CSP shall store all log data in an integrity-protected and aggregated form that allow its centralized evaluation','BASIC','ORGANIZATIONAL',39),
-	 (181,'OPS-13.2','OPS-13.2','Log data shall be deleted when it is no longer required for the purpose for which they were collected','BASIC','ORGANIZATIONAL',39),
-	 (182,'OPS-13.3','OPS-13.3','The communication between the assets to be logged and the logging servers shall be authenticated and protected in integrity and confidentiality','BASIC','ORGANIZATIONAL',39),
-	 (183,'OPS-13.4','OPS-13.4','The communication between the assets to be logged and the logging servers shall be encrypted using state-of-the-art encryption or shall take place on a dedicated administration network','SUBSTANTIAL','ORGANIZATIONAL',39),
-	 (184,'OPS-13.5','OPS-13.5','The CSP shall implement technically supported procedures to fulfil requirements related to the access, storage and deletion related to the following restrictions:
-- Access only to authorised users and systems;
-- Retention for the specified period; and
-- Deletion when further retention is no longer necessary for the purpose of collection.','SUBSTANTIAL','ORGANIZATIONAL',39),
-	 (185,'OPS-13.6','OPS-13.6','The CSP shall provide CSCs, upon request, access to customer-specific logging through an API. The logging shall comply with the CSP´s protection requirements, including logical or physical separation of log and customer data','HIGH','ORGANIZATIONAL',39),
-	 (186,'OPS-13.7','OPS-13.7','The CSP shall automatically monitor the aggregation and deletion of logging and monitoring data to fulfil OPS-13.2','HIGH','ORGANIZATIONAL',39),
-	 (187,'OPS-14.1','OPS-14.1','The log data generated allows an unambiguous identification of user accesses at the CSC level to support analysis in the event of an incident','BASIC','ORGANIZATIONAL',40),
-	 (188,'OPS-14.2','OPS-14.2','The CSP shall make available interfaces to conduct forensic analysis and perform backups of infrastructure components and their network communication','SUBSTANTIAL','ORGANIZATIONAL',40),
-	 (189,'OPS-14.3','OPS-14.3','In the context of an investigation of an incident concerning a CSC, the CSP shall have the ability to provide to the CSC the logs related to its cloud service','HIGH','ORGANIZATIONAL',40),
-	 (190,'OPS-15.1','OPS-15.1','The CSP shall restrict to authorized users only the access to system components used for logging and monitoring under their responsibility','BASIC','ORGANIZATIONAL',41),
-	 (191,'OPS-15.2','OPS-15.2','Changes to the logging and monitoring configuration are made in accordance with applicable policies (cf. CCM-01)','BASIC','ORGANIZATIONAL',41),
-	 (192,'OPS-15.3','OPS-15.3','The access to system components for logging and monitoring shall require strong authentication','SUBSTANTIAL','ORGANIZATIONAL',41),
-	 (193,'OPS-16.1','OPS-16.1','The CSP shall monitor the system components for logging and monitoring under its responsibility, and shall automatically report failures to the responsible departments for assessment and remediation','BASIC','ORGANIZATIONAL',42),
-	 (194,'OPS-16.2','OPS-16.2','The CSP shall design the system components for logging and monitoring in such a way that the overall functionality is not restricted if individual components fail','HIGH','ORGANIZATIONAL',42),
-	 (195,'OPS-17.1','OPS-17.1','The CSP shall document, communicated and implement in accordance to ISP-02 policies and procedures with technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service','BASIC','ORGANIZATIONAL',43),
-	 (196,'OPS-17.2','OPS-17.2','The policies and procedures shall describe measures regarding at least the following aspects:
-- Regular identification of vulnerabilities;
-- Assessment of the severity of identified vulnerabilities;
-- Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined timelines; and
-- Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities.','SUBSTANTIAL','ORGANIZATIONAL',43),
-	 (197,'OPS-17.3','OPS-17.3','The CSP shall use a scoring system for the assessment of vulnerabilities that includes at least “critical” and “high” classes of vulnerabilities','BASIC','ORGANIZATIONAL',43),
-	 (198,'OPS-17.4','OPS-17.4','The CSP shall mandate in its policies and procedures the immediate handling of “critical” vulnerabilities and the handling of “high” vulnerabilities within a day, with a follow-up of the vulnerability until it has been remediated','SUBSTANTIAL','ORGANIZATIONAL',43),
-	 (199,'OPS-18.1','OPS-18.1','The CSP shall publish and maintain a publicly and easily accessible online register of known vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility','BASIC','ORGANIZATIONAL',44),
-	 (200,'OPS-18.2','OPS-18.2','The online register shall indicate at least the following information for every vulnerability:
-- A presentation of the vulnerability following an industry-accepted scoring system;
-- A description of the remediation options for that vulnerability;
-- Information on the availability of updates or patches for that vulnerability;
-- Information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC.','BASIC','ORGANIZATIONAL',44),
-	 (201,'OPS-18.3','OPS-18.3','The CSP shall publish and maintain a list of pointers to online registers published by its subservice providers and suppliers, or integrate regularly the content of these online registers relevant to the cloud service into its own online register (cf. OPS-18.1)','BASIC','ORGANIZATIONAL',44),
-	 (202,'OPS-18.4','OPS-18.4','The CSP shall consult regularly the online registers published by its subservice providers and suppliers, analyse the potential impact of the published vulnerabilities on the cloud service, and handle them according to the vulnerability handling process (cf. OPS-17)','BASIC','ORGANIZATIONAL',44),
-	 (203,'OPS-18.5','OPS-18.5','The CSP shall consult the online registers published by its subservice providers and suppliers at least daily, and update accordingly its own online register','SUBSTANTIAL','ORGANIZATIONAL',44),
-	 (204,'OPS-18.6','OPS-18.6','The CSP shall equip with automatic update mechanisms the assets provided by the CSP that the CSCs have to install or operate under their own responsibility, to ease the rollout of patches and updates after an initial approval from the CSC','HIGH','ORGANIZATIONAL',44),
-	 (205,'OPS-19.1','OPS-19.1','The CSP shall perform on a regular basis tests to detect publicly known vulnerabilities on the system components used to provide the cloud service, in accordance with policies for handling vulnerabilities (cf. OPS-17)','BASIC','ORGANIZATIONAL',45),
-	 (206,'OPS-19.2','OPS-19.2','The CSP shall perform the tests defined in OPS-18.1 at least once a month','SUBSTANTIAL','ORGANIZATIONAL',45),
-	 (207,'OPS-19.2','OPS-19.2a','The CSP shall have penetration tests carried out by qualified internal personnel or external service providers, according to a documented test methodology and including in their scope the system components relevant to the provision of the cloud service in the area of responsibility of the CSP, as identified in a risk analysis','SUBSTANTIAL','ORGANIZATIONAL',45),
-	 (208,'OPS-19.3','OPS-19.3','The CSP shall assess the penetration test findings and handle each identified vulnerability according to defined policies and procedures (cf. OPS-18).','SUBSTANTIAL','ORGANIZATIONAL',45),
-	 (209,'OPS-19.4','OPS-19.4','The tests are performed following a multi-annual work program, reviewed annually, that covers system components and security controls according to the evolution of the cloud service and of the threat landscape.','HIGH','ORGANIZATIONAL',45),
-	 (210,'OPS-19.5','OPS-19.5','Some of the penetration tests performed each year shall be performed by external service providers','HIGH','ORGANIZATIONAL',45),
-	 (211,'OPS-19.6','OPS-19.6','The CSP shall perform a root cause analysis on the vulnerabilities discovered through penetration testing in order to assess to which extent similar vulnerabilities may be present in the cloud system','HIGH','ORGANIZATIONAL',45),
-	 (212,'OPS-19.7','OPS-19.7','The CSP shall correlate the possible exploits of discovered vulnerabilities with previous incidents to identify if the vulnerability may have been exploited before its discovery','HIGH','ORGANIZATIONAL',45),
-	 (213,'OPS-20.1','OPS-20.1','The CSP shall regularly measure, analyse and assess the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness','BASIC','ORGANIZATIONAL',46),
-	 (214,'OPS-20.2','OPS-20.2','The CSP shall organize a quarterly review of the results of the assessment defined in OPS-','SUBSTANTIAL','ORGANIZATIONAL',46),
-	 (215,'OPS-21.1','OPS-21.1','The CSP shall harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards','BASIC','ORGANIZATIONAL',47),
-	 (216,'OPS-21.2','OPS-21.2','The hardening requirements for each system component shall be documented','BASIC','ORGANIZATIONAL',47),
-	 (217,'OPS-21.3','OPS-21.3','The CSP shall automatically monitor the service components under its responsibility for compliance with hardening specifications','HIGH','ORGANIZATIONAL',47),
-	 (218,'OPS-21.1','OPS-22.1','The CSP shall segregate the CSC data stored and processed on shared virtual and physical resources to ensure the confidentiality and integrity of this data, according to the results of a risk analysis (cf. RM-01)','BASIC','ORGANIZATIONAL',47),
-	 (219,'IAM-01.1','IAM-01.1','The CSP shall document, communicate and make available role and rights policies and procedures for controlling access to information resources, according to ISP-02 and based on the business and security requirements of the CSP, in which at least the following aspects are covered:
-- Parameters to be considered for making access control decisions
-- Granting and modifying access rights based on the “least-privilege” principle and on the “need-to-know” principle.
-- Use of a role-based mechanism for the assignment of access rights
-- Segregation of duties between managing, approving and assigning access rights
-- Dedicated rules for users with privileged access
-- Requirements for the approval and documentation of the management of access rights','BASIC','ORGANIZATIONAL',49),
-	 (220,'IAM-01.2','IAM-01.2','The CSP shall link the access control policy defined in IAM-01.1 with the physical access control policy defined in PS-02.1, to guarantee that the access to the premises where information is located is also controlled.','BASIC','ORGANIZATIONAL',49),
-	 (221,'IAM-01.3','IAM-01.3','The CSP shall base its access control policy on the use of role-based access control.','SUBSTANTIAL','ORGANIZATIONAL',49),
-	 (222,'IAM-02.1','IAM-02.1','The CSP shall document policies for managing accounts, according to ISP-02, in which at least the following aspects are described:
-- Assignment of unique usernames
-- Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type
-- Events leading to blocking and revoking accounts','BASIC','ORGANIZATIONAL',50),
-	 (223,'IAM-02.2','IAM-02.2','"The CSP shall document, communicate and make available policies for managing accounts of users under the responsibility of the CSP, according to ISP-02 and extending the policies defined in IAM-02.1, in which at least the following aspects are described:
-- Segregation of duties between managing, approving and assigning user accounts
-- Regular review of assigned user accounts and associated access rights"
-- Blocking and revoking accounts in the event of inactivity or potential account compromise
-- Requirements for the approval and documentation of the management of user accounts','SUBSTANTIAL','ORGANIZATIONAL',50),
-	 (224,'IAM-02.3','IAM-02.3','The CSP shall document, communicate and make available policies for managing accounts of users under the responsibility of the CSCs, according to ISP-02 and extending the policies defined in IAM-02.1, in which at least the following aspects are described:
-- Access control mechanisms available to CSCs
-- Access control parameters that the CSC is allowed to configure','SUBSTANTIAL','ORGANIZATIONAL',50),
-	 (225,'IAM-02.4','IAM-02.4','The CSP shall document and implement procedures for managing personal user accounts and access rights to internal and external employees that comply with the role and rights concept and with the policies for managing accounts','BASIC','ORGANIZATIONAL',50),
-	 (226,'IAM-02.5','IAM-02.5','The CSP shall document and implement procedures for managing non-personal shared accounts and associated access rights that comply with the role and rights concept and with the policies for managing accounts','BASIC','ORGANIZATIONAL',50),
-	 (227,'IAM-02.6','IAM-02.6','The CSP shall document and implement procedures for managing technical accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights concept and with the policies for managing accounts','BASIC','ORGANIZATIONAL',50),
-	 (228,'IAM-02.7','IAM-02.7','The CSP shall offer CSCs a self-service with which they can independently manage user accounts for all users under their responsibility.','SUBSTANTIAL','ORGANIZATIONAL',50),
-	 (229,'IAM-02.8','IAM-02.8','The CSP shall be able to provide, for a given user account, whether it falls under the responsibility of the CSP or of the CSC, as well as the list of the access rights granted to that account.','HIGH','ORGANIZATIONAL',50),
-	 (230,'IAM-03.1','IAM-03.1','The CSP shall define and implement an automated mechanism to block user accounts after a certain period of time','BASIC','ORGANIZATIONAL',51),
-	 (231,'IAM-03.2','IAM-03.2','The automated mechanism in IAM-03.1 shall block personal user accounts under the responsibility of the CSP after two (2) months of inactivity.','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (232,'IAM-03.3','IAM-03.3','The CSP shall define and implement an automated mechanism to block user accounts after a certain number of failed authentication attempts','BASIC','ORGANIZATIONAL',51),
-	 (233,'IAM-03.4','IAM-03.4','The limits on authentication attempts used in mechanism IAM-03.3 for user accounts under the responsibility of the CSP shall be based on the risks on the accounts, associated access rights and authentication mechanisms','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (234,'IAM-03.5','IAM-03.5','The CSP shall document a process to monitor stolen and compromised credentials and lock any pending account for which an issue is identified, pending a review by an authorized person','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (235,'IAM-03.6','IAM-03.6','The CSP shall implement the process in IAM-03.5 on all user accounts under its responsibility to which privileged access rights are assigned','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (236,'IAM-03.7','IAM-03.7','The CSP shall implement the process in IAM-03.5 on all user accounts under its responsibility','HIGH','ORGANIZATIONAL',51),
-	 (237,'IAM-03.8','IAM-03.8','Approval from authorised personnel or system components is required to unlock accounts locked automatically','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (238,'IAM-03.9','IAM-03.9','The CSP shall define and implement an automated mechanism to revoke user accounts that have been blocked by another automatic mechanism after a certain period of time','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (239,'IAM-03.10','IAM-03.10','The automated mechanism in IAM-03.9 shall revoke user accounts under the responsibility of the CSP after they have been blocked for six (6) months.','SUBSTANTIAL','ORGANIZATIONAL',51),
-	 (240,'IAM-03.11','IAM-03.11','The CSP shall automatically monitor the implemented automated mechanisms to guarantee their compliance with IAM-03','HIGH','ORGANIZATIONAL',51),
-	 (241,'IAM-03.12','IAM-03.12','The CSP shall automatically monitor the environmental conditions of authentication attempts and flag suspicious events to the corresponding user or to authorized persons','HIGH','ORGANIZATIONAL',51),
-	 (242,'IAM-04.1','IAM-04.1','The CSP shall document and implement procedures to grant, update, and revoke to a user account under its responsibility access rights to resources of the information system of the cloud service, and these procedures shall be compliant with the role and rights concept and with the policies for managing access rights','BASIC','ORGANIZATIONAL',52),
-	 (243,'IAM-04.2','IAM-04.2','The CSP shall document and implement a procedure to timely update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change.','BASIC','ORGANIZATIONAL',52),
-	 (244,'IAM-04.3','IAM-04.3','The update or revocation of access rights procedure defined in IAM-04.2 shall be executed within 48 hours of the role change for privileged access rights and within 14 days for other access rights.','SUBSTANTIAL','ORGANIZATIONAL',52),
-	 (245,'IAM-04.4','IAM-04.4','The CSP shall document a procedure to provide, for a given resource subject to access control the list of all the user accounts that have access to it, whether they fall under the responsibility of the CSP or of a CSC, and for every such account the list of access rights currently granted to it','HIGH','ORGANIZATIONAL',52),
-	 (246,'IAM-04.5','IAM-04.5','The CSP shall document the incompatibility between access rights, and enforce these incompatibilities when access rights are granted or updated on a user account','HIGH','ORGANIZATIONAL',52),
-	 (247,'IAM-04.6','IAM-04.6','The access right management procedures shall follow a dynamic approach','HIGH','ORGANIZATIONAL',52),
-	 (248,'IAM-04.7','IAM-04.7','The CSP shall offer CSCs a self-service with which they can independently manage access rights for all user accounts under their responsibility.','SUBSTANTIAL','ORGANIZATIONAL',52),
-	 (249,'IAM-05.1','IAM-05.1','The CSP shall review the access rights of all the user accounts under its responsibility at least once a year to ensure that they still correspond to the current needs','BASIC','ORGANIZATIONAL',53),
-	 (250,'IAM-05.2','IAM-05.2','The review defined in IAM-05.1 shall be performed by authorised persons under the responsibility of the authorised body that has approved the access rights policies.','SUBSTANTIAL','ORGANIZATIONAL',53),
-	 (251,'IAM-05.3','IAM-05.3','The CSP handles identified deviations timely, but no later than 7 days after their detection, by appropriately revoking or updating access rights.','SUBSTANTIAL','ORGANIZATIONAL',53),
-	 (252,'IAM-05.4','IAM-05.4','The CSP shall provide CSCs with a tool that facilitates the review of the access rights of user accounts under their responsibility','SUBSTANTIAL','ORGANIZATIONAL',53),
-	 (253,'IAM-05.5','IAM-05.5','The CSP shall perform the review defined in IAM-05.1 at least every six (6) months','HIGH','ORGANIZATIONAL',53),
-	 (254,'IAM-06.1','IAM-06.1','Privileged access rights shall be personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks (need-to-know principle)','SUBSTANTIAL','ORGANIZATIONAL',54),
-	 (255,'IAM-06.2','IAM-06.2','Activities of users with privileged access rights shall be logged in order to detect any misuse of privileged access or function in suspicious cases, and the logged information shall be automatically monitored for defined events that may indicate misuse','SUBSTANTIAL','ORGANIZATIONAL',54),
-	 (256,'IAM-06.3','IAM-06.3','The CSP shall document and implement a procedure that, upon detection of potential misuse by the monitoring defined in IAM-06.2, informs the responsible personnel so that they can promptly assess whether misuse has occurred and take corresponding action.','SUBSTANTIAL','ORGANIZATIONAL',54),
-	 (257,'IAM-06.4','IAM-06.4','Shared accounts under the responsibility of the CSP shall be assigned only to internal or external employees','BASIC','ORGANIZATIONAL',54),
-	 (258,'IAM-06.5','IAM-06.5','The CSP must revise every three (3) months the list of employees who are responsible for a technical account within its scope of responsibility','HIGH','ORGANIZATIONAL',54),
-	 (259,'IAM-06.6','IAM-06.6','The CSP shall maintain an up-to-date inventory of the user accounts under its responsibility that have privileged access rights','HIGH','ORGANIZATIONAL',54),
-	 (260,'IAM-06.7','IAM-06.7','The CSP shall require strong authentication for accessing the administration interfaces used by the CSP','SUBSTANTIAL','ORGANIZATIONAL',54),
-	 (261,'IAM-06.8','IAM-06.8','The CSP shall require strong authentication for accessing the administration interfaces offered to the CSC','HIGH','ORGANIZATIONAL',54),
-	 (262,'IAM-07.1','IAM-07.1','The CSP shall document and implement a policy and procedures about authentication mechanisms, covering at least the following aspects:
-- The selection of mechanisms suitable for every type of account and each level of risk;
-- The protection of credentials used by the authentication mechanism;
-- The generation and distribution of credentials for new accounts;
-- Rules for the renewal of credentials, including periodic renewals, renewals in case of loss or compromise; and
-- Rules on the required strength of credentials, together with mechanisms to communicate and enforce the rules;','BASIC','ORGANIZATIONAL',55),
-	 (263,'IAM-07.2','IAM-07.2','The access to all environments of the CSP shall be authenticated, including non-production environments','SUBSTANTIAL','ORGANIZATIONAL',55),
-	 (264,'IAM-07.3','IAM-07.3','The access to the production environment of the CSP shall require strong authentication','HIGH','ORGANIZATIONAL',55),
-	 (265,'IAM-07.4','IAM-07.4','The access to all environments of the CSP containing CSC data shall require strong authentication','HIGH','ORGANIZATIONAL',55),
-	 (266,'IAM-07.5','IAM-07.5','Within an environment, user authentication shall be performed through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security','SUBSTANTIAL','ORGANIZATIONAL',55),
-	 (267,'IAM-07.6','IAM-07.6','For access to non-personal shared accounts, the CSP shall implement measures that require the users to be authenticated with their personal account before being able to access these technical accounts','SUBSTANTIAL','ORGANIZATIONAL',55),
-	 (268,'IAM-07.7','IAM-07.7','All authentication mechanisms shall include a mechanism to block an account after a predefined number of unsuccessful attempts','BASIC','ORGANIZATIONAL',55),
-	 (269,'IAM-07.8','IAM-07.8','The CSP shall offer strong authentication methods to the CSC for use with the accounts under their responsibility','SUBSTANTIAL','ORGANIZATIONAL',55),
-	 (270,'IAM-08.1','IAM-08.1','The CSP shall document, communicate and make available to all users under its responsibility rules and recommendations for the management of credentials, including at least:
-- Non-reuse of credentials
-- Trade-offs between entropy and ability to memorize
-- Recommendations for renewal of passwords
-- Rules on storage of passwords','BASIC','ORGANIZATIONAL',56),
-	 (271,'IAM-08.2','IAM-08.2','The CSP rules and recommendations defined in IAM-08.1 shall address at least the following aspects:
-- Recommendations on password managers
-- Recommendation to specifically address classical attacks, including phishing, social attacks, and whaling','SUBSTANTIAL','ORGANIZATIONAL',56),
-	 (272,'IAM-08.3','IAM-08.3','The CSP shall require users to whom authentication credentials are provided to sign a declaration in which they assure that they treat personal (or shared) authentication confidentially and keep it exclusively for themselves','HIGH','ORGANIZATIONAL',56),
-	 (273,'IAM-08.4','IAM-08.4','Passwords shall be only stored using cryptographically strong hash functions (cf. CKM-01)','BASIC','ORGANIZATIONAL',56),
-	 (274,'IAM-08.5','IAM-08.5','If cryptographic authentication mechanisms are used, they shall follow the policies and procedures from CKM-01.','BASIC','ORGANIZATIONAL',56),
-	 (275,'IAM-08.6','IAM-08.6','When creating credentials, compliance with specifications is enforced automatically as far as technically possible','SUBSTANTIAL','ORGANIZATIONAL',56),
-	 (276,'IAM-08.7','IAM-08.7','When a credential associated to a personal account is changed or renewed, the person associated to that account shall be notified','SUBSTANTIAL','ORGANIZATIONAL',56),
-	 (277,'IAM-08.8','IAM-08.8','Any password communicated to a user through e-mail, message or similar shall be changed by the user after its first use, and its validity shall not exceed 14 days after communication to the user','SUBSTANTIAL','ORGANIZATIONAL',56),
-	 (278,'IAM-08.9','IAM-08.9','The CSP shall make available to the CSC the rules and recommendations that shall or may apply to the users under their responsibility, and provide the CSC with tools to manage and enforce these rules','SUBSTANTIAL','ORGANIZATIONAL',56),
-	 (279,'IAM-09.1','IAM-09.1','The CSP shall implement sufficient partitioning measures between the information system providing the cloud service and its other information systems','BASIC','ORGANIZATIONAL',57),
-	 (280,'IAM-09.2','IAM-09.2','The CSP shall design, develop, configure and deploy the information system providing the cloud service to include a partitioning between the technical infrastructure and the equipment required for the administration of the cloud service and the assets it hosts','SUBSTANTIAL','ORGANIZATIONAL',57),
-	 (281,'IAM-09.3','IAM-09.3','The CSP shall separate the administration interfaces made available to CSCs from those made available to its internal and external employees, and in particular:
-- The administration accounts under the responsibility of the CSP shall be managed using tools and directories that are separate from those used for the management of user accounts under the responsibility of the CSCs;
-- The administration interfaces made available to CSCs shall not allow for any connection from accounts under the responsibility of the CSP;
-- The administration interfaces used by the CSP shall not be accessible from the public network and as such shall not allow for any connection from accounts under the responsibility of the CSC.','HIGH','ORGANIZATIONAL',57),
-	 (282,'IAM-09.4','IAM-09.4','The CSP shall implement suitable measures for partitioning between the CSCs','BASIC','ORGANIZATIONAL',57),
-	 (283,'IAM-09.5','IAM-09.5','The CSP shall timely inform a CSC whenever internal or external employees of the CSP access in a non-encrypted form to the CSC''s data processed, stored or transmitted in the cloud service without the prior consent of the CSC, including at least:
-- Cause, time, duration, type and scope of the access;
-- Enough details to enable subject matters experts of the CSC to assess the risks of the access.','SUBSTANTIAL','ORGANIZATIONAL',57),
-	 (284,'IAM-09.6','IAM-09.6','The CSP shall require prior consent from a CSC before any access in a non-encrypted form to the CSC''s data processed, stored or transmitted in the cloud service, providing meaningful information as defined in IAM-09.5.','HIGH','ORGANIZATIONAL',57),
-	 (285,'IAM-09.7','IAM-09.7','If the CSP offers to its CSCs interfaces for administrators and for end users, these interfaces shall be separated','SUBSTANTIAL','ORGANIZATIONAL',57),
-	 (286,'CKM-01.1','CKM-01.1','The CSP shall document, communicate, make available and implement policies with technical and organizational safeguards for encryption and key management, according to ISP-02, in which at least the following aspects are described:
-- Usage of strong encryption procedures and secure network protocols
-- Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys
-- Consideration of relevant legal and regulatory obligations and requirements','BASIC','ORGANIZATIONAL',58),
-	 (287,'CKM-01.2','CKM-01.2','Cryptography policies and procedures shall include risk-based provisions for the use of encryption aligned with the data classification schemes and considering the communication channel, type, strength and quality of the encryption','SUBSTANTIAL','ORGANIZATIONAL',58),
-	 (288,'CKM-01.3','CKM-01.3','The strong encryption procedures and secure network protocols mentioned in the cryptography policies and procedures shall correspond to the state-of-the-art','SUBSTANTIAL','ORGANIZATIONAL',58),
-	 (289,'CKM-02.1','CKM-02.1','The CSP shall define and implement strong encryption mechanisms for the transmission of cloud customer data over public networks','BASIC','ORGANIZATIONAL',59),
-	 (290,'CKM-02.2','CKM-02.2','The CSP shall define, and implement strong encryption mechanisms for the transmission of all data over public networks','HIGH','ORGANIZATIONAL',59),
-	 (291,'CKM-03.1','CKM-03.1','The CSP shall document and implement procedures and technical safeguards to encrypt cloud customers'' data during storage','BASIC','ORGANIZATIONAL',60),
-	 (292,'CKM-03.2','CKM-03.2','The private and secret keys used for encryption shall be known only to the cloud customer in accordance with applicable legal and regulatory obligations and requirements, with the possibility of exceptions','SUBSTANTIAL','ORGANIZATIONAL',60),
-	 (293,'CKM-03.3','CKM-03.3','The procedures for the use of private and secret keys, including a specific procedure for any exceptions, shall be contractually agreed with the cloud customer','SUBSTANTIAL','ORGANIZATIONAL',60),
-	 (294,'CKM-03.4','CKM-03.4','The private and secret keys used for encryption shall be known exclusively by the cloud customer and without exceptions in accordance with applicable legal and regulatory obligations and requirements','HIGH','ORGANIZATIONAL',60),
-	 (295,'CKM-04.1','CKM-04.1','Procedures and technical safeguards for secure key management in the area of responsibility of the CSP shall include at least the following aspects:
-- Generation of keys for different cryptographic systems and applications;
-- Issuing and obtaining public-key certificates;
-- Provisioning and activation of the keys;
-- Secure storage of keys including description of how authorised users get access;
-- Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised;
-- Handling of compromised keys; and
-- Withdrawal and deletion of keys;','BASIC','ORGANIZATIONAL',61),
-	 (296,'CKM-04.2','CKM-04.2','For the secure storage of keys, the key management system shall be separated from the application and middleware levels','SUBSTANTIAL','ORGANIZATIONAL',61),
-	 (297,'CKM-04.3','CKM-04.3','For the secure storage of keys and other secrets used for the administration tasks, the CSP shall use a suitable security container, software or hardware','HIGH','ORGANIZATIONAL',61),
-	 (298,'CKM-04.4','CKM-04.4','If pre-shared keys are used, the specific provisions relating to the secure use of this procedure shall be specified separately.','SUBSTANTIAL','ORGANIZATIONAL',61),
-	 (299,'CS-01.1','CS-01.1','The CSP shall document, communicate and implement technical safeguards that are suitable to promptly detect and respond to network-based attacks and to ensure the protection of information and information processing systems, in accordance with ISP-02','BASIC','ORGANIZATIONAL',62),
-	 (300,'CS-01.2','CS-01.2','The technical safeguards in CS-01.1 shall be based on the results of a risk analysis carried out according to RM-01.','SUBSTANTIAL','ORGANIZATIONAL',62),
-	 (301,'CS-01.3','CS-01.3','The CSP shall feed into a SIEM (Security Information and Event Management) system, all data from the technical safeguards implemented so that automatic countermeasures regarding correlating events are initiated','SUBSTANTIAL','ORGANIZATIONAL',62),
-	 (302,'CS-01.4','CS-01.4','The CSP shall implement technical safeguards to ensure that no unknown (physical or virtual) devices join its (physical or virtual) network','HIGH','ORGANIZATIONAL',62),
-	 (303,'CS-01.5','CS-01.5','The CSP shall use different technologies on its technical safeguards to prevent that a single vulnerability leads to the simultaneous breach of several defence lines','HIGH','ORGANIZATIONAL',62),
-	 (304,'CS-02.1','CS-02.1','The CSP shall document, communicate, make available and implement specific security requirements to connect within its network, including at least:
-- when the security zones are to be separated and when the cloud customers are to be logically or physically segregated;
-- what communication relationships and what network and application protocols are permitted in each case;
-- how the data traffic for administration and monitoring are segregated from each other at the network level;
-- what internal, cross-location communication is permitted; and
-- what cross-network communication is allowed.','BASIC','ORGANIZATIONAL',63),
-	 (305,'CS-03.1','CS-03.1','The CSP shall distinguish between trusted and untrusted networks, based on a risk assessment','BASIC','ORGANIZATIONAL',64),
-	 (306,'CS-03.2','CS-03.2','The CSP shall separate trusted and untrusted networks into different security zones for internal and external network areas (and DMZ, if applicable)','BASIC','ORGANIZATIONAL',64),
-	 (307,'CS-03.3','CS-03.3','The CSP shall design and configure both physical and virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02)','BASIC','ORGANIZATIONAL',64),
-	 (308,'CS-03.4','CS-03.4','The CSP shall review at specified intervals the business justification for using all services, protocols, and ports. This review shall also include the compensatory measures used for protocols that are considered insecure','BASIC','ORGANIZATIONAL',64),
-	 (309,'CS-03.5','CS-03.5','The CSP shall review at least annually the design and implementation and configuration undertaken to monitor the connections in a risk-oriented manner, with regard to the defined security requirements','SUBSTANTIAL','ORGANIZATIONAL',64),
-	 (310,'CS-03.6','CS-03.6','The CSP shall assess the risks of identified vulnerabilities in accordance with the risk management procedure (cf. RM-01) and follow-up measures shall be defined and tracked (cf.OPS-17)','SUBSTANTIAL','ORGANIZATIONAL',64),
-	 (311,'CS-03.7','CS-03.7','The CSP shall protect all SIEM logs to avoid tampering','SUBSTANTIAL','ORGANIZATIONAL',64),
-	 (312,'CS-04.1','CS-04.1','Each network perimeter shall be controlled by security gateways','BASIC','ORGANIZATIONAL',65),
-	 (313,'CS-04.2','CS-04.2','Security gateways shall only allow legitimate connections identified in a matrix of authorized flows','SUBSTANTIAL','ORGANIZATIONAL',65),
-	 (314,'CS-04.3','CS-04.3','The system access authorisation for cross-network access shall be based on a security assessment based on the requirements of the cloud customers.','SUBSTANTIAL','ORGANIZATIONAL',65),
-	 (315,'CS-04.4','CS-04.4','Each network perimeter shall be controlled by redundant and highly available security gateways','HIGH','ORGANIZATIONAL',65),
-	 (316,'CS-04.5','CS-04.5','The CSP shall automatically monitor the control of the network perimeters to guarantee fulfilment of CS-04.1','HIGH','ORGANIZATIONAL',65),
-	 (317,'CS-05.1','CS-05.1','The CSP shall define and implement separate networks for the administrative management of the infrastructure and the operation of management consoles','BASIC','ORGANIZATIONAL',66),
-	 (318,'CS-05.2','CS-05.2','The CSP shall logically or physically separate the networks for administration from the CSCs’ networks','BASIC','ORGANIZATIONAL',66),
-	 (319,'CS-05.3','CS-05.3','The CSP shall segregate physically or logically the networks used to migrate or create virtual machines','BASIC','ORGANIZATIONAL',66),
-	 (320,'CS-05.4','CS-05.4','When the administration networks are not physically segregated from other networks, the administration flows must be conveyed in a strongly encrypted tunnel.','HIGH','ORGANIZATIONAL',66),
-	 (321,'CS-05.5','CS-05.5','The CSP shall set up and configure an application firewall in order to protect the administration interfaces intended for CSCs and exposed over a public network','HIGH','ORGANIZATIONAL',66),
-	 (322,'CS-06.1','CS-06.1','The CSP shall define, document and implement segregation mechanisms at network level the data traffic of different cloud customers','BASIC','ORGANIZATIONAL',67),
-	 (323,'CS-06.2','CS-06.2','When implementing of infrastructure capabilities, the secure segregation shall be ensured by physically separated networks or by strongly encrypted VLANs','HIGH','ORGANIZATIONAL',67),
-	 (324,'CS-07.1','CS-07.1','The CSP shall maintain up-to-date all documentation of the logical structure of the network used to provision or operate the cloud service','BASIC','ORGANIZATIONAL',68),
-	 (325,'CS-07.2','CS-07.2','The documentation shall cover, at least, how the subnets are allocated, how the network is zoned and segmented, how it connects with third-party and public networks, and the geographical locations in which the cloud customers'' data are stored','BASIC','ORGANIZATIONAL',68),
-	 (326,'CS-07.3','CS-07.3','In liaison with the inventory of assets (cf. AM-01), the documentation shall include the equipment that provides security functions and the servers that host the data or provide sensitive functions.','SUBSTANTIAL','ORGANIZATIONAL',68),
-	 (327,'CS-07.4','CS-07.4','The CSP shall perform a full review of the network topology documentation at least once a year','SUBSTANTIAL','ORGANIZATIONAL',68),
-	 (328,'CS-08.1','CS-08.1','The CSP shall ensure the confidentiality of the cloud user data by suitable procedures when offering functions for software-defined networking (SDN)','BASIC','ORGANIZATIONAL',69),
-	 (329,'CS-08.2','CS-08.2','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features','BASIC','ORGANIZATIONAL',69),
-	 (330,'CS-08.3','CS-08.3','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration','SUBSTANTIAL','ORGANIZATIONAL',69),
-	 (331,'CS-09.1','CS-09.1','The CSP shall document, communicate and implement policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02','BASIC','ORGANIZATIONAL',70),
-	 (332,'CS-09.2','CS-09.2','The policy and procedures shall include references to the classification of assets (cf. AM-05)','SUBSTANTIAL','ORGANIZATIONAL',70),
-	 (333,'PI-01.1','PI-01.1','The cloud service shall be accessible by cloud services from other CSPs or cloud customers’ IT systems through documented inbound and outbound interfaces','BASIC','ORGANIZATIONAL',71),
-	 (334,'PI-01.2','PI-01.2','The interfaces shall be clearly documented for subject matter experts to understand how they can be used to retrieve the data','BASIC','ORGANIZATIONAL',71),
-	 (335,'PI-01.3','PI-01.3','Communication on these interfaces shall use standardised communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements','BASIC','ORGANIZATIONAL',71),
-	 (336,'PI-01.4','PI-01.4','Communication over untrusted networks shall be encrypted according to CKM-02','BASIC','ORGANIZATIONAL',71),
-	 (337,'PI-01.5','PI-01.5','The CSP shall allow its customers to verify the interfaces provided (and their security) are adequate for its protection requirements before the start of the use of the cloud service, and each time the interfaces are changed','HIGH','ORGANIZATIONAL',71),
-	 (338,'PI-02.1','PI-02.1','The CSP shall include in cloud service contractual agreements, at least, the following aspects concerning the termination of the contractual relationship:
-- Type, scope and format of the data the CSP provides to the CSC;
-- Delivery methods of the data to the cloud customer;
-- Definition of the timeframe, within which the CSP makes the data available to the CSC;
-- Definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these; and
-- The CSC''s responsibilities and obligations to cooperate for the provision of the data.','BASIC','ORGANIZATIONAL',72),
-	 (339,'PI-02.2','PI-02.2','The definitions in PI-02.1 shall be based on the needs of subject matter experts of potential customers who assess the suitability of the cloud service with regard to a dependency on the CSP as well as legal and regulatory requirements','SUBSTANTIAL','ORGANIZATIONAL',72),
-	 (340,'PI-02.3','PI-02.3','The CSP shall identify, at least once a year, legal and regulatory requirements that may apply to these aspects and adjust the contractual agreements accordingly','HIGH','ORGANIZATIONAL',72),
-	 (341,'PI-03.1','PI-03.1','The CSP shall implement procedures for deleting its customers'' data upon termination of their contract in compliance with the contractual agreements between them','BASIC','ORGANIZATIONAL',73),
-	 (342,'PI-03.2','PI-03.2','The CSC''s data deletion shall include metadata and data stored in the data backups as well','BASIC','ORGANIZATIONAL',73),
-	 (343,'PI-03.3','PI-03.3','The cloud customer''s data deletion procedures shall prevent recovery by forensic means','SUBSTANTIAL','ORGANIZATIONAL',73),
-	 (344,'PI-03.4','PI-03.4','The CSP shall document the deletion of the customer’s data, including metadata and data stored in the data backups, in a way allowing the cloud customer to track the deletion of its data','SUBSTANTIAL','ORGANIZATIONAL',73),
-	 (345,'PI-03.5','PI-03.5','At the end of the contract, the CSP shall delete the technical data concerning the client','SUBSTANTIAL','ORGANIZATIONAL',73),
-	 (346,'CCM-01.1','CCM-01.1','The CSP shall document, implement, and communicate policies and procedures for change management of the IT systems supporting the cloud service according to ISP-02','BASIC','ORGANIZATIONAL',74),
-	 (347,'CCM-01.2','CCM-01.2','The change management policies and procedures shall cover at least the following aspects:
-- Criteria for risk assessment, categorization and prioritization of changes and related requirements for the type and scope of testing to be performed, and necessary approvals;
-- Requirements for the performance and documentation of tests;
-- Requirements for segregation of duties during planning, testing, and release of changes;
-- Requirements for the proper information of cloud customers about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements;
-- Requirements for the documentation of changes in the system, operational and user documentation; and
-- Requirements for the implementation and documentation of emergency changes that must comply with the same level of security as normal changes.','SUBSTANTIAL','ORGANIZATIONAL',74),
-	 (348,'CCM-02.1','CCM-02.1','The CSP shall categorize and prioritize changes considering the potential security effects on the system components concerned','BASIC','ORGANIZATIONAL',75),
-	 (349,'CCM-02.2','CCM-02.2','The CSP shall base the decision on classification and prioritization on a risk assessment performed in accordance with RM-01 with regard to potential effects on the system components concerned','SUBSTANTIAL','ORGANIZATIONAL',75),
-	 (350,'CCM-02.3','CCM-02.3','If the risk associated to a planned change is high, then appropriate mitigation measures shall be taken before deploying the service','HIGH','ORGANIZATIONAL',75),
-	 (351,'CCM-02.4','CCM-02.4','In accordance with contractual agreements, the CSP shall submit to authorised bodies of the CSC meaningful information about the occasion, time, duration, type and scope of the change so that they can carry out their own risk assessment before the change is made available in the production environment','HIGH','ORGANIZATIONAL',75),
-	 (352,'CCM-02.5','CCM-02.5','Regardless of contractual agreements, the CSP shall inform the CSC as mentioned in CCM-02.3 for changes that have the highest risk category based on their risk assessment','HIGH','ORGANIZATIONAL',75),
-	 (353,'CCM-03.1','CCM-03.1','The CSP shall test proposed changes before deployment','BASIC','ORGANIZATIONAL',76),
-	 (354,'CCM-03.2','CCM-03.2','The type and scope of the tests shall correspond to the risk assessment','SUBSTANTIAL','ORGANIZATIONAL',76),
-	 (355,'CCM-03.3','CCM-03.3','The tests shall be carried out by appropriately qualified employees or by automated test procedures that comply with the state-of-the-art','SUBSTANTIAL','ORGANIZATIONAL',76),
-	 (356,'CCM-03.4','CCM-03.4','In accordance with contractual requirements, the CSP shall involve CSCs into the tests.','SUBSTANTIAL','ORGANIZATIONAL',76),
-	 (357,'CCM-03.5','CCM-03.5','The CSP shall first obtain approval from CSC and anonymise customer data before using it for tests, and shall guarantee the confidentiality of the data during the whole process','SUBSTANTIAL','ORGANIZATIONAL',76),
-	 (358,'CCM-03.6','CCM-03.6','The CSP shall determine the severity of the errors and vulnerabilities identified in the tests that are relevant for the deployment decision according to defined criteria, and shall initiate actions for timely remediation or mitigation','SUBSTANTIAL','ORGANIZATIONAL',76),
-	 (359,'CCM-03.7','CCM-03.7','The tests performed on a change before its deployment shall include tests on the service performed on a pre-production environment','HIGH','ORGANIZATIONAL',76),
-	 (360,'CCM-03.8','CCM-03.8','The CSP shall document and implement a procedure that ensures the integrity of the test data used in pre-production','HIGH','ORGANIZATIONAL',76),
-	 (361,'CCM-03.9','CCM-03.9','Before deploying changes on a system component, the CSP shall perform regression testing on other components of the cloud service that depend on that system component to verify the absence of undesirable effects','HIGH','ORGANIZATIONAL',76),
-	 (362,'CCM-03.10','CCM-03.10','The CSP shall automatically monitor the definition and execution of the tests relative to a change, as well as the remediation or mitigation of issues','HIGH','ORGANIZATIONAL',76),
-	 (363,'CCM-04.1','CCM-04.1','The CSP shall approve any change to the cloud service, based on defined criteria, before they are made available to CSCs in the production environment','BASIC','ORGANIZATIONAL',77),
-	 (364,'CCM-04.2','CCM-04.2','The CSP shall involve CSCs in the approval process according to contractual requirements','SUBSTANTIAL','ORGANIZATIONAL',77),
-	 (365,'CCM-04.3','CCM-04.3','The CSP shall automatically monitor the approvals of changes deployed in the production environment to guarantee fulfilment of CCM-04.1','HIGH','ORGANIZATIONAL',77),
-	 (366,'CCM-05.1','CCM-05.1','The CSP shall define roles and rights according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment.','BASIC','ORGANIZATIONAL',78),
-	 (367,'CCM-05.2','CCM-05.2','All changes to the cloud service in the production environment shall be logged and shall be traceable back to the individual or system component that initiated the change','BASIC','ORGANIZATIONAL',78),
-	 (368,'CCM-05.3','CCM-05.3','The CSP shall automatically monitor changes in the production environment to guarantee fulfilment of CCM-05.1','HIGH','ORGANIZATIONAL',78),
-	 (369,'CCM-06.1','CCM-06.1','The CSP shall implement version control procedures to track the dependencies of individual changes and to restore affected system components back to their previous state as a result of errors or identified vulnerabilities.','BASIC','ORGANIZATIONAL',79),
-	 (370,'CCM-06.2','CCM-06.2','The version control procedures shall provide appropriate safeguards to ensure that the confidentiality, integrity and availability of cloud customer data is not compromised when system components are restored back to their previous state','HIGH','ORGANIZATIONAL',79),
-	 (371,'CCM-06.3','CCM-06.3','The CSP shall retain a history of the software versions and of the systems that are implemented in order to be able to reconstitute, where applicable in a test environment, a complete environment such as was implemented on a given date; the retention time for this history shall be at least the same as that for backups (cf. OPS-06)','HIGH','ORGANIZATIONAL',79),
-	 (372,'DEV-01.1','DEV-01.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 with technical and organisational measures for the secure development of the cloud service.','BASIC','ORGANIZATIONAL',80),
-	 (373,'DEV-01.2','DEV-01.2','The policies and procedures for secure development shall consider information security from the earliest phases of design','BASIC','ORGANIZATIONAL',80),
-	 (374,'DEV-01.3','DEV-01.3','The policies and procedures for secure development shall be based on recognised standards and methods with regard to the following aspects:
-- Security in Software Development (Requirements, Design, Implementation, Testing and Verification);
-- Security in software deployment (including continuous delivery);
-- Security in operation (reaction to identified faults and vulnerabilities); and
-- Secure coding standards and practices (avoiding the introduction of vulnerabilities in code).','SUBSTANTIAL','ORGANIZATIONAL',80),
-	 (375,'DEV-01.4','DEV-01.4','The policies and procedures for development shall include measures for the enforcement of specified standards and guidelines, including automated tools','SUBSTANTIAL','ORGANIZATIONAL',80),
-	 (376,'DEV-02.1','DEV-02.1','The CSP shall maintain a list of dependencies to hardware and software products used in the development of its cloud service','BASIC','ORGANIZATIONAL',81),
-	 (377,'DEV-02.2','DEV-02.2','The CSP shall document and implement policies for the use of third-party and open source software','SUBSTANTIAL','ORGANIZATIONAL',81),
-	 (378,'DEV-02.3','DEV-02.3','The CSP makes its list of dependencies available to customers upon request','SUBSTANTIAL','ORGANIZATIONAL',81),
-	 (379,'DEV-02.4','DEV-02.4','In procurement for the development of the cloud service, the CSP shall perform a risk assessment in accordance to RM-01 for every product','HIGH','ORGANIZATIONAL',81),
-	 (380,'DEV-03.1','DEV-03.1','The CSP shall ensure that the confidentiality and integrity of the source code is adequately protected at all stages of development','BASIC','ORGANIZATIONAL',82),
-	 (381,'DEV-03.2','DEV-03.2','The CSP shall use version control to keep a history of the changes in source code with an attribution of changes to individual developers','BASIC','ORGANIZATIONAL',82),
-	 (382,'DEV-03.3','DEV-03.3','The CSP shall implement a secure development and test environments that makes it possible to manage the entire development cycle of the information system of the cloud service','SUBSTANTIAL','ORGANIZATIONAL',82),
-	 (383,'DEV-03.4','DEV-03.4','The CSP shall consider the development and test environments when performing risk assessment','SUBSTANTIAL','ORGANIZATIONAL',82),
-	 (384,'DEV-03.5','DEV-03.5','The CSP shall include development resources as part of the backup policy','SUBSTANTIAL','ORGANIZATIONAL',82),
-	 (385,'DEV-04.1','DEV-04.1','The CSP shall ensure that production environments are physically or logically separated from development, test or pre-production environments','BASIC','ORGANIZATIONAL',83),
-	 (386,'DEV-04.2','DEV-04.2','Data contained in the production environments shall not be used in development, test or pre- production environments in order not to compromise their confidentiality','BASIC','ORGANIZATIONAL',83),
-	 (387,'DEV-04.3','DEV-04.3','When non-production environments are exposed through public networks, security requirements shall be equivalent to those defined for production environment','HIGH','ORGANIZATIONAL',83),
-	 (388,'DEV-05.1','DEV-05.1','The CSP shall document, communicate, make available and implement specific procedures for the development of functions that implement technical mechanisms or safeguards required by the EUCS scheme, with increased testing requirements.','BASIC','ORGANIZATIONAL',84),
-	 (389,'DEV-05.2','DEV-05.2','Design documentation for security features shall include a specification of expected inputs, outputs and possible errors, as well as a security analysis of the adequacy and planned effectiveness of the feature','SUBSTANTIAL','ORGANIZATIONAL',84),
-	 (390,'DEV-05.3','DEV-05.3','The tests of the security features shall cover all the specified inputs and all specified outcomes, including all specified error conditions.','SUBSTANTIAL','ORGANIZATIONAL',84),
-	 (391,'DEV-05.4','DEV-05.4','The documentation of the tests for security features shall include at least a description of the test, the initial conditions, the expected outcome and instructions for running the test.','SUBSTANTIAL','ORGANIZATIONAL',84),
-	 (392,'DEV-05.5','DEV-05.5','The documentation of the tests shall include a demonstration of the coverage of the source code, including branch coverage for security-critical code.','HIGH','ORGANIZATIONAL',84),
-	 (393,'DEV-06.1','DEV-06.1','The CSP shall apply appropriate measures to check the cloud service for vulnerabilities that may have been integrated into the cloud service during the development process.','BASIC','ORGANIZATIONAL',85),
-	 (394,'DEV-06.2','DEV-06.2','The procedures for identifying vulnerabilities shall be integrated in the development process.','BASIC','ORGANIZATIONAL',85),
-	 (395,'DEV-06.3','DEV-06.3','The procedures shall include the following activities, depending on the risk assessment:
-- Static Application Security Testing;
-- Dynamic Application Security Testing;
-- Code reviews by subject matter experts; and
-- Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service.','SUBSTANTIAL','ORGANIZATIONAL',85),
-	 (396,'DEV-06.4','DEV-06.4','Code reviews shall be regularly performed by qualified personnel or contractors','HIGH','ORGANIZATIONAL',85),
-	 (397,'DEV-06.5','DEV-06.5','The CSP shall assess the severity of identified vulnerabilities according to the criteria defined in OPS-17 and measures are taken to immediately eliminate or mitigate them.','SUBSTANTIAL','ORGANIZATIONAL',85),
-	 (398,'DEV-06.6','DEV-06.6','The procedures for identifying such vulnerabilities also shall include annual code reviews and security penetration tests by subject matter experts, as part of the annual programme defined in OPS-19','HIGH','ORGANIZATIONAL',85),
-	 (399,'DEV-07.1','DEV-07.1','When outsourcing development of the cloud service or components thereof to a contractor, the CSP and the contractor shall contractually agree on specifications regarding at least the following aspects:
-- Security in software development (requirements, design, implementation, tests and verifications) in accordance with recognised standards and methods;
-- Acceptance testing of the quality of the services provided in accordance with the agreed functional and non-functional requirements; and
-- Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities.','BASIC','ORGANIZATIONAL',86),
-	 (400,'DEV-07.2','DEV-07.2','Before subcontracting the development of the cloud service or components thereof, the CSP shall conduct a risk assessment according to RM-01 that considers at least the following aspects
-- Management of source code by the subcontractor;
-- Human resource procedures implemented by the subcontractor; and
-- Required access to the CSP’s development, testing and pre-production environments.','SUBSTANTIAL','ORGANIZATIONAL',86),
-	 (401,'DEV-07.3','DEV-07.3','The CSP shall document and implement a procedure that makes it possible to supervise and control the outsourced development activity, in order to ensure that the outsourced development activity is compliant with the secure development policy of the service provider and makes it possible to achieve a level of security of the external development that is equivalent to that of internal development','HIGH','ORGANIZATIONAL',86),
-	 (402,'DEV-07.4','DEV-07.4','Internal or external employees of the CSP shall run the tests that are relevant for the deployment decision when a change includes the result of outsourced development.','HIGH','ORGANIZATIONAL',86),
-	 (403,'PM-01.1','PM-01.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 for controlling and monitoring third parties whose products or services contribute to the provision of the cloud service:','BASIC','ORGANIZATIONAL',87),
-	 (404,'PM-01.2','PM-01.2','The policies and procedures defined in PM-01.1 shall cover at least the following aspects:
-- Requirements for the assessment of risks resulting from the procurement of third-party services;
-- Requirements for the classification of third parties based on the risk assessment by the CSP;
-- Information security requirements for the processing, storage, or transmission of information by third parties based on recognized industry standards;
-- Information security awareness and training requirements for staff;
-- Applicable legal and regulatory requirements;
-- Requirements for dealing with vulnerabilities, security incidents, and malfunctions;
-- Specifications for the contractual agreement of these requirements;
-- Specifications for the monitoring of these requirements; and
-- Specifications for applying these requirements also to service providers used by the third parties, insofar as the services provided by these service providers, also contribute to the provision of the cloud service.','SUBSTANTIAL','ORGANIZATIONAL',87),
-	 (405,'PM-01.3','PM-01.3','The CSP shall contractually require its subservice organizations to provide regular reports by independent auditors on the suitability of the design and operating effectiveness of their service-related internal control system with respect to the EUCS requirements.','HIGH','ORGANIZATIONAL',87),
-	 (406,'PM-01.4','PM-01.4','The reports shall include the complementary subservice organisation controls that are required, together with the controls of the Cloud Service Provider, to meet the applicable EUCS requirements with reasonable assurance','HIGH','ORGANIZATIONAL',87),
-	 (407,'PM-01.5','PM-01.5','In case the supplier organizations are not able to provide an EUCS compliance report, the CSP shall reserve the right to audit them to assess the suitability and effectiveness of the service-related internal and complementary controls by qualified personnel','HIGH','ORGANIZATIONAL',87),
-	 (408,'PM-02.1','PM-02.1','The CSP shall perform a risk assessment of its suppliers in accordance with the policies and procedures for the control and monitoring of third parties before they start contributing to the provision of the cloud service:','BASIC','ORGANIZATIONAL',88),
-	 (409,'PM-02.2','PM-02.2','The risk assessment shall include the identification, analysis, evaluation, handling, and documentation of risks concerning the following aspects:
-- Protection needs regarding the confidentiality, integrity, availability, and authenticity of information processed, stored, or transmitted by the third party;
-- Impact of a protection breach on the provision of the cloud service;
-- The CSP''s dependence on the service provider or supplier for the scope, complexity, and uniqueness of the purchased service, including the consideration of possible alternatives.','SUBSTANTIAL','ORGANIZATIONAL',88),
-	 (410,'PM-02.3','PM-02.3','Following the risk assessment of a subservice provider, the CSP shall define for every applicable EUCS requirement a list of Complementary Subservice Organization Controls (CSOC) to be implemented by the subservice provider','BASIC','ORGANIZATIONAL',88),
-	 (411,'PM-02.4','PM-02.4','The CSP shall ensure that the subservice provider has implemented the CSOCs, and that the subservice provider has made available evidence supporting the assessment of their effectiveness to the targeted evaluation level','BASIC','ORGANIZATIONAL',88),
-	 (412,'PM-02.5','PM-02.5','The adequacy of the risk assessment and of the definition of CSOCs shall be reviewed regularly, at least annually','BASIC','ORGANIZATIONAL',88),
-	 (413,'PM-03.1','PM-03.1','The CSP shall maintain a directory for controlling and monitoring the suppliers who contribute to the delivery of the cloud service','BASIC','ORGANIZATIONAL',89),
-	 (414,'PM-03.2','PM-03.2','The directory shall contain the following information:
-- Company name;
-- Address;
-- Locations of data processing and storage;
-- Responsible contact person at the service provider/supplier;
-- Responsible contact person at the cloud service provider;
-- Description of the service;
-- Classification based on the risk assessment;
-- Beginning of service usage; and
-- Proof of compliance with contractually agreed requirements.','SUBSTANTIAL','ORGANIZATIONAL',89),
-	 (415,'PM-03.3','PM-03.3','The CSP shall verify the directory for completeness, accuracy and validity at least annually','BASIC','ORGANIZATIONAL',89),
-	 (416,'PM-04.1','PM-04.1','The CSP shall monitor the compliance of its suppliers with information security requirements and applicable legal and regulatory requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties','BASIC','ORGANIZATIONAL',90),
-	 (417,'PM-04.2','PM-04.2','Monitoring activities shall include at least a regular review of the following evidence, as provided by suppliers under contractual agreements:
-- reports on the quality of the service provided;
-- certificates of the management systems'' compliance with international standards;
-- independent third-party reports on the suitability and operating effectiveness of their service-related internal control systems; and
-- Records of the third parties on the handling of vulnerabilities, security incidents, and malfunctions.','SUBSTANTIAL','ORGANIZATIONAL',90),
-	 (418,'PM-04.3','PM-04.3','The frequency of the monitoring shall correspond to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider (cf. PM-02), and the results of the monitoring shall be included in the review of the third party''s risk assessment.','BASIC','ORGANIZATIONAL',90),
-	 (419,'PM-04.4','PM-04.4','Identified violations and deviations shall be analysed, evaluated and treated in accordance with the risk management procedure (cf. RM-01)','BASIC','ORGANIZATIONAL',90),
-	 (420,'PM-04.5','PM-04.5','When a change in a third-party contributing to the delivery of the cloud service affects its level of security, the CSP shall inform all of its CSCs without delay','BASIC','ORGANIZATIONAL',90),
-	 (421,'PM-04.6','PM-04.6','The CSP shall document and implement a procedure to review and update, at least once a year, non-disclosure or confidentiality requirements regarding suppliers contributing to the delivery of the service','SUBSTANTIAL','ORGANIZATIONAL',90),
-	 (422,'PM-04.7','PM-04.7','The CSP shall supplement procedures for monitoring compliance with automatic monitoring, by leveraging automatic procedures relating to the following aspects:
-- Configuration of system components;
-- Performance and availability of system components;
-- Response time to malfunctions and security incidents; and
-- Recovery time (time until completion of error handling).','HIGH','ORGANIZATIONAL',90),
-	 (423,'PM-04.8','PM-04.8','The CSP shall automatically monitor Identified violations and discrepancies, and these shall be automatically reported to the responsible personnel or system components of the Cloud Service Provider for prompt assessment and action','HIGH','ORGANIZATIONAL',90),
-	 (424,'PM-05.1','PM-05.1','The CSP shall define exit strategies for the purchase of services where the risk assessment of the suppliers identified a very high dependency','BASIC','ORGANIZATIONAL',91),
-	 (425,'PM-05.2','PM-05.2','The exit strategies shall be aligned with operational continuity plans and include the following aspects:
-- Analysis of the potential costs, impacts, resources, and timing of the transition of a purchased service to an alternative service provider or supplier;
-- Definition and allocation of roles, responsibilities, and sufficient resources to perform the activities for a transition;
-- Definition of success criteria for the transition;
-- Definition of indicators for service performance monitoring, which should initiate the withdrawal from the service if the results are unacceptable.','SUBSTANTIAL','ORGANIZATIONAL',91),
-	 (426,'IM-01.1','IM-01.1','The CSP shall document, communicate and implement policies and procedures according to ISP-02 containing technical and organisational safeguards to ensure a fast, effective and proper response to all known security incidents:','BASIC','ORGANIZATIONAL',92),
-	 (427,'IM-01.2','IM-01.2','The policies and procedures shall include guidelines for the classification, prioritization, and escalation of security incidents and creates interfaces for incident management and business continuity management','BASIC','ORGANIZATIONAL',92),
-	 (428,'IM-01.3','IM-01.3','The CSP shall establish a Computer Emergency Response Team (CERT), which contributes to the coordinated resolution of security incidents','BASIC','ORGANIZATIONAL',92),
-	 (429,'IM-01.4','IM-01.4','The CSP shall inform the customers affected by security incidents in a timely and appropriate manner','SUBSTANTIAL','ORGANIZATIONAL',92),
-	 (430,'IM-01.5','IM-01.5','The incident management policy shall include procedures as to how the data of a suspicious system can be collected in a conclusive manner in the event of a security incident','SUBSTANTIAL','ORGANIZATIONAL',92),
-	 (431,'IM-01.6','IM-01.6','The incident management policy shall include analysis plans for typical security incidents','HIGH','ORGANIZATIONAL',92),
-	 (432,'IM-01.7','IM-01.7','The incident management policy shall include an evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment','HIGH','ORGANIZATIONAL',92),
-	 (433,'IM-01.8','IM-01.8','The incident management policy shall include provisions for the regular testing of the incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential deficiencies','HIGH','ORGANIZATIONAL',92),
-	 (434,'IM-02.1','IM-02.1','The CSP shall classify, prioritize, and perform root-cause analyses for events that could constitute a security incident, using their subject matter experts and external security providers where appropriate','BASIC','ORGANIZATIONAL',93),
-	 (435,'IM-02.2','IM-02.2','The CSP shall maintain a catalogue that clearly identifies the security incidents that affect customer data, and use that catalogue to classify incidents','SUBSTANTIAL','ORGANIZATIONAL',93),
-	 (436,'IM-02.3','IM-02.3','The incident classification mechanism shall include provisions to correlate events. In addition, these correlated events shall themselves be assessed and classified according to their criticality','SUBSTANTIAL','ORGANIZATIONAL',93),
-	 (437,'IM-02.4','IM-02.4','The CSP shall simulate the identification, analysis, and defence of security incidents and attacks at least once a year through appropriate tests and exercises','HIGH','ORGANIZATIONAL',93),
-	 (438,'IM-02.5','IM-02.5','The CSP shall monitor the processing of incident to verify the application of incident management policies and procedures','HIGH','ORGANIZATIONAL',93),
-	 (439,'IM-03.1','IM-03.1','The CSP shall document the implemented measures after a security incident has been processed and, following the contractual agreements, the document shall be sent to the affected customers for final acknowledgment or, if applicable, as confirmation.','BASIC','ORGANIZATIONAL',94),
-	 (440,'IM-03.2','IM-03.2','The CSP shall make information on security incidents or confirmed security breaches available to all affected customers','BASIC','ORGANIZATIONAL',94),
-	 (441,'IM-03.3','IM-03.3','The CSP shall continuously report on security incidents to affected customers until the security incident is closed and a solution is applied and documented, in accordance to the defined SLA and contractual agreements','SUBSTANTIAL','ORGANIZATIONAL',94),
-	 (442,'IM-03.4','IM-03.4','The CSP shall allow customers to actively approve the solution before automatically approving it after a certain period','HIGH','ORGANIZATIONAL',94),
-	 (443,'IM-04.1','IM-04.1','The CSP shall inform employees and external business partners of their contractual obligations to report all security events that become known to them and are directly related to the cloud service','BASIC','ORGANIZATIONAL',95),
-	 (444,'IM-04.2','IM-04.2','The CSP shall not take any negative action against those who communicate "false reports" of events that do not subsequently turn out to be incidents, and shall make that policy known as part of its communication to employees and external business partners','BASIC','ORGANIZATIONAL',95),
-	 (445,'IM-04.3','IM-04.3','The CSP shall define, make public and implement a single point of contact to report security events and vulnerabilities','BASIC','ORGANIZATIONAL',95),
-	 (446,'IM-05.1','IM-05.1','The CSP shall periodically inform its customers on the status of the incidents affecting the CSC, or, where appropriate and necessary, involve them in the resolution, according to the contractual agreements','BASIC','ORGANIZATIONAL',96),
-	 (447,'IM-05.2','IM-05.2','As soon as an incident has been closed, The CSP shall inform its customers about the actions taken, according to the contractual agreements','BASIC','ORGANIZATIONAL',96),
-	 (448,'IM-06.1','IM-06.1','The CSP shall perform an analysis of security incidents to identify recurrent or significant incidents and to identify the need for further protection, if needed with the support of external bodies','BASIC','ORGANIZATIONAL',97),
-	 (449,'IM-06.2','IM-06.2','The CSP shall only contract supporting external bodies that are qualified incident response service providers or government agencies','BASIC','ORGANIZATIONAL',97),
-	 (450,'IM-06.3','IM-06.3','The CSP shall define, implement and maintain a knowledge repository of security incidents and the measures taken to solve them, as well as information related to the assets that these incidents affected, and use that information to enrich the classification catalogue','SUBSTANTIAL','ORGANIZATIONAL',97),
-	 (451,'IM-06.4','IM-06.4','The intelligence gained from the incident management and gathered in the knowledge repository shall be used to identify recurring incidents or potential significant incidents and to determine the need for advanced safeguards and implement them','SUBSTANTIAL','ORGANIZATIONAL',97),
-	 (452,'IM-07.1','IM-07.1','The CSP shall document and implement a procedure to archive all documents and evidence that provide details on security incidents','BASIC','ORGANIZATIONAL',98),
-	 (453,'IM-07.2','IM-07.2','The documents and evidence shall be archived in a way that could be used as evidence in court','SUBSTANTIAL','ORGANIZATIONAL',98),
-	 (454,'IM-07.3','IM-07.3','When the CSP requires additional expertise in order to preserve the evidences and secure the chain of custody on a security incident, the CSP shall contract a qualified incident response service provider only','SUBSTANTIAL','ORGANIZATIONAL',98),
-	 (455,'IM-07.4','IM-07.4','The CSP shall implement security mechanisms and processes for protecting all the information related to security incidents in accordance with criticality levels and legal requirements in effect','BASIC','ORGANIZATIONAL',98),
-	 (456,'IM-07.5','IM-07.5','The service provider shall establish an integrated team of forensic/incident responder personnel specifically trained on evidence preservation and chain of custody management','HIGH','ORGANIZATIONAL',98),
-	 (457,'BC-01.1','BC-01.1','The CSP shall document, communicate and make available policies and procedures establishing the strategy and guidelines to ensure business continuity and contingency management','BASIC','ORGANIZATIONAL',99),
-	 (458,'BC-01.2','BC-01.2','The CSP shall name (a member of) top management as the process owner of business continuity and emergency management, and responsible for establishing the process within the company following the strategy as well as ensuring compliance with the guidelines, and for ensuring that sufficient resources are made available for an effective process','SUBSTANTIAL','ORGANIZATIONAL',99),
-	 (459,'BC-01.3','BC-01.3','The business continuity and contingency management process owner shall ensure that sufficient resources are made available for an effective process','SUBSTANTIAL','ORGANIZATIONAL',99),
-	 (460,'BC-02.1','BC-02.1','The policies and procedures for business continuity and contingency management shall include the need to perform a business impact analysis to determine the impact of any malfunction to the cloud service or enterprise.','BASIC','ORGANIZATIONAL',100),
-	 (461,'BC-02.2','BC-02.2','The business impact analysis policies and procedures shall consider at least the following aspects:
-- Possible scenarios based on a risk analysis;
-- Identification of critical products and services;
-- Identification of dependencies, including processes (including resources required), applications, business partners and third parties;
-- Identification of threats to critical products and services;
-- Identification of effects resulting from planned and unplanned malfunctions and changes over time;
-- Determination of the maximum acceptable duration of malfunctions;
-- Identification of restoration priorities;
-- Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO);
-- Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and
-- Estimation of the resources needed for resumption.','SUBSTANTIAL','ORGANIZATIONAL',100),
-	 (462,'BC-02.3','BC-02.3','The business impact analysis resulting from these policies and procedures shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment- related changes.','SUBSTANTIAL','ORGANIZATIONAL',100),
-	 (463,'BC-03.1','BC-03.1','The CSP shall document and implement a business continuity plan and contingency plans to ensure continuity of the services, taking into account information security constraints and the results of the business impact analysis','BASIC','ORGANIZATIONAL',101),
-	 (464,'BC-03.2','BC-03.2','The business continuity plan and contingency plans shall be based on industry-accepted standards and shall document which standards are being used','SUBSTANTIAL','ORGANIZATIONAL',101),
-	 (465,'BC-03.3','BC-03.3','The business continuity plan and contingency plans shall cover at least the following aspects:
-- Defined purpose and scope, including relevant business processes and dependencies;
-- Accessibility and comprehensibility of the plans for persons who are to act accordingly;
-- Ownership by at least one designated person responsible for review, updating and approval;
-- Defined communication channels, roles and responsibilities including notification of the customer;
-- Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers);
-- Methods for putting the plans into effect;
-- Continuous process improvement; and
-- Interfaces to Security Incident Management.','SUBSTANTIAL','ORGANIZATIONAL',101),
-	 (466,'BC-03.4','BC-03.4','The business continuity plan shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.','SUBSTANTIAL','ORGANIZATIONAL',101),
-	 (467,'BC-04.1','BC-04.1','The business impact analysis, business continuity plan and contingency plans shall be tested at regular intervals (at least once a year) or after an update','SUBSTANTIAL','ORGANIZATIONAL',102),
-	 (468,'BC-04.2','BC-04.2','The tests shall be documented and the results considered to update the business continuity plan and to define future operational continuity measures','SUBSTANTIAL','ORGANIZATIONAL',102),
-	 (469,'BC-04.3','BC-04.3','The tests shall involve CSCs and relevant third parties, such as external service providers and suppliers','SUBSTANTIAL','ORGANIZATIONAL',102),
-	 (470,'BC-04.4','BC-04.4','In addition to the tests, exercises shall also be carried out, which are, among other things, based on scenarios resulting from security incidents that have already occurred in the past','HIGH','ORGANIZATIONAL',102),
-	 (471,'CO-01.1','CO-01.1','The CSP shall document the legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service','BASIC','ORGANIZATIONAL',103),
-	 (472,'CO-01.2','CO-01.2','The CSP shall document and implement procedures for complying to these contractual requirements','SUBSTANTIAL','ORGANIZATIONAL',103),
-	 (473,'CO-01.3','CO-01.3','The CSP shall provide these procedures when requested by a CSC','HIGH','ORGANIZATIONAL',103),
-	 (474,'CO-01.4','CO-01.4','The CSP shall document and implement an active monitoring of the legal, regulatory and contractual requirements that affect the service','HIGH','ORGANIZATIONAL',103),
-	 (475,'CO-02.1','CO-02.1','The CSP shall document, communicate, make available and implement policies and procedures for planning and conducting audits, made in accordance with ISP-02 and addressing at least the following aspects:
-- Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities;
-- Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and
-- Logging and monitoring of activities','BASIC','ORGANIZATIONAL',104),
-	 (476,'CO-02.2','CO-02.2','The CSP shall document and implement an audit programme over three years that defines the scope and the frequency of the audits in accordance with the management of change, policies, and the results of the risk assessment','SUBSTANTIAL','ORGANIZATIONAL',104),
-	 (477,'CO-02.3','CO-02.3','The CSP shall grant its CSCs contractually guaranteed information and define their audit rights','HIGH','ORGANIZATIONAL',104),
-	 (478,'CO-03.1','CO-03.1','The CSP shall perform at regular intervals and at least annually internal audits by subject matter experts to check the compliance of their internal security control system to the requirements defined in CO-01.','BASIC','ORGANIZATIONAL',105),
-	 (479,'CO-03.2','CO-03.2','The internal audit shall check the compliance with the requirements of the scheme at the targeted EUCS assurance level.','BASIC','ORGANIZATIONAL',105),
-	 (480,'CO-03.3','CO-03.3','Identified vulnerabilities and deviations shall be subject to risk assessment in accordance with the risk management procedure (cf. RM-01) and follow-up measures are defined and tracked (cf. OPS-17).','SUBSTANTIAL','ORGANIZATIONAL',105),
-	 (481,'CO-03.4','CO-03.4','Internal audits shall be supplemented by procedures to automatically monitor compliance with applicable requirements of policies and instructions','HIGH','ORGANIZATIONAL',105),
-	 (482,'CO-03.5','CO-03.5','The CSP shall implement automated monitoring to identify vulnerabilities and deviations, which shall be automatically reported to the appropriate CSP’s subject matter experts for immediate assessment and action','HIGH','ORGANIZATIONAL',105),
-	 (483,'CO-03.6','CO-03.6','The CSP shall document specifically deviations that are nonconformities from the EUCS requirements, including an assessment of their severity, and keep track of their remediation','BASIC','ORGANIZATIONAL',105),
-	 (484,'CO-03.7','CO-03.7','The CSP shall inform CSCs who operate an EUCS-certified cloud service of nonconformities relatively to EUCS requirements','SUBSTANTIAL','ORGANIZATIONAL',105),
-	 (485,'CO-04.1','CO-04.1','The CSP shall regular inform its top management about the information security performance within the scope of the internal control system.','BASIC','ORGANIZATIONAL',106),
-	 (486,'CO-04.2','CO-04.2','This information shall be included in the management review of the internal control system that is performed at least once a year','SUBSTANTIAL','ORGANIZATIONAL',106),
-	 (487,'DOC-01.1','DOC-01.1','The CSP shall make publicly available guidelines and recommendations to assist CSCs with the secure configuration, installation, deployment, operation and maintenance of the cloud service provided','BASIC','ORGANIZATIONAL',107),
-	 (488,'DOC-01.2','DOC-01.2','The guidelines and recommendations for the secure use of the cloud service shall cover at least the following aspects, where applicable to the cloud service:
-- Instructions for secure configuration;
-- Information sources on known vulnerabilities and update mechanisms;
-- Error handling and logging mechanisms;
-- Authentication mechanisms;
-- Roles and rights concept including combinations that result in an elevated risk;
-- Services and functions for administration of the cloud service by privileged users, and
-- Complementary Customer Controls (CCCs).','SUBSTANTIAL','ORGANIZATIONAL',107),
-	 (489,'DOC-01.3','DOC-01.3','The CSP shall maintain guidelines and recommendations applicable to the cloud service in the version intended for productive use','BASIC','ORGANIZATIONAL',107),
-	 (490,'DOC-01.4','DOC-01.4','The CSP shall describe in the user documentation all risks shared with the customer','SUBSTANTIAL','ORGANIZATIONAL',107),
-	 (491,'DOC-01.5','DOC-01.5','The CSP shall regularly analyse how the CSCs apply the security recommendations and CCCs, and take measure to encourage compliance based on the defined shared responsibility model','HIGH','ORGANIZATIONAL',107),
-	 (492,'DOC-02.1','DOC-02.1','The CSP shall operate or refer to a publicly available and daily updated online register of known vulnerabilities that affect the provided cloud service','BASIC','ORGANIZATIONAL',108),
-	 (493,'DOC-02.2','DOC-02.2','The online register of vulnerabilities shall also include known vulnerabilities that affect assets provided by the CSP that the cloud customers have to install, provide or operate themselves under the customers responsibility','SUBSTANTIAL','ORGANIZATIONAL',108),
-	 (494,'DOC-02.3','DOC-02.3','The presentation of the vulnerabilities shall follow an industry-accepted scoring system for the description of vulnerabilities','SUBSTANTIAL','ORGANIZATIONAL',108),
-	 (495,'DOC-02.4','DOC-02.4','The information contained in the online register shall include sufficient information to form a suitable basis for risk assessment and possible follow-up measures on the part of cloud users','SUBSTANTIAL','ORGANIZATIONAL',108),
-	 (496,'DOC-02.5','DOC-02.5','For each vulnerability, the online register shall indicate whether software updates are available, when they will be rolled out and whether they will be deployed by the CSP, the CSC or both','SUBSTANTIAL','ORGANIZATIONAL',108),
-	 (497,'DOC-03.1','DOC-03.1','The CSP shall provide comprehensible and transparent information on:
-- Its jurisdiction; and
-- System component locations, including its subcontractors, where the cloud customer''s data is processed, stored and backed up.','BASIC','ORGANIZATIONAL',109),
-	 (498,'DOC-03.2','DOC-03.2','The CSP shall provide sufficient information for subject matter experts of the CSC to determine to assess the suitability of the cloud service’s jurisdiction and locations from a legal and regulatory perspective','BASIC','ORGANIZATIONAL',109),
-	 (499,'DOC-03.3','DOC-03.3','The CSP shall provide information about
-- The locations from administration and supervision may be carried out on the cloud service;
-- The locations to which any cloud customer data, meta-data or derived data may be transferred, processed or stored.','SUBSTANTIAL','ORGANIZATIONAL',109),
-	 (500,'DOC-03.4','DOC-03.4','The CSP shall document the locations from which it conducts support operations for clients, and it shall document the list of operations that can be carried by client support in each location','HIGH','ORGANIZATIONAL',109),
-	 (501,'DOC-04.1','DOC-04.1','The CSP shall provide a justification for the assurance level targeted in the certification, based on the risks associated to the cloud service’s targeted users and use cases','BASIC','ORGANIZATIONAL',110),
-	 (502,'DOC-04.2','DOC-04.2','If the CSP claims compliance to security profiles for its cloud service, the justification shall cover the security profiles.','BASIC','ORGANIZATIONAL',110),
-	 (503,'DOC-04.3','DOC-04.3','A summary of the justification shall be made publicly available as part of the certification package, which shall allow CSCs to perform a high-level analysis about their own use cases','BASIC','ORGANIZATIONAL',110),
-	 (504,'DOC-04.4','DOC-04.4','The justification shall be based on a risk analysis according to RM-01','SUBSTANTIAL','ORGANIZATIONAL',110),
-	 (505,'DOC-05.1','DOC-05.1','If the CSP expects CSCs to certify with EUCS their own services based on its cloud service using composition, it shall provide specific documentation for them, based on the Complementary Customer Controls (CCCs) that they have defined','BASIC','ORGANIZATIONAL',111),
-	 (506,'DOC-05.2','DOC-05.2','The CSP shall include in the description provided for each CCC a list of actionable requirements for the CSC, and it shall associate each CCC to an EUCS requirement','BASIC','ORGANIZATIONAL',111),
-	 (507,'DOC-05.3','DOC-05.3','The CSP shall make the documentation defined in DOC-05.1 available to cloud customers upon request','BASIC','ORGANIZATIONAL',111),
-	 (508,'DOC-05.4','DOC-05.4','The CSP shall label each requirement associated to a CCC with the lowest EUCS assurance level for which it is required','SUBSTANTIAL','ORGANIZATIONAL',111),
-	 (509,'DOC-06.1','DOC-06.1','If the CSP expects CSCs to certify with EUCS their own services based on its cloud service using composition, it shall document for each EUCS requirement how its cloud service will contribute (if any) to the fulfilment of the requirement by the cloud service developed by the CSC using the CSP as subservice organization.','BASIC','ORGANIZATIONAL',112),
-	 (510,'DOC-06.2','DOC-06.2','The CSP shall make the documentation defined in DOC-06.1 available to cloud customers upon request','BASIC','ORGANIZATIONAL',112),
-	 (511,'DOC-06.3','DOC-06.3','The CSP shall justify the contributions in a companion document','SUBSTANTIAL','ORGANIZATIONAL',112),
-	 (512,'INQ-01.1','INQ-01.1','The CSP shall subject investigation requests from government agencies to a legal assessment by subject matter experts','BASIC','ORGANIZATIONAL',113),
-	 (513,'INQ-01.2','INQ-01.2','The legal assessment shall determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken','BASIC','ORGANIZATIONAL',113),
-	 (514,'INQ-02.1','INQ-02.1','The CSP shall inform the affected CSC(s) without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the cloud service','BASIC','ORGANIZATIONAL',114),
-	 (515,'INQ-03.1','INQ-03.1','The CSP shall only provide access to or disclose cloud customer data in the context of government investigation requests after the CSP’s legal assessment (cf. INQ-01) has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis.','BASIC','ORGANIZATIONAL',115),
-	 (516,'INQ-03.2','INQ-03.2','The CSP shall document and implement procedures to ensure that government agencies only have access to the data they need to investigate','BASIC','ORGANIZATIONAL',115),
-	 (517,'INQ-03.3','INQ-03.3','When no clear limitation of the data is possible, the CSP shall anonymise or pseudonymise the data so that government agencies can only assign it to those cloud customers who are subject of the investigation request','SUBSTANTIAL','ORGANIZATIONAL',115),
-	 (518,'INQ-03.4','INQ-03.4','The CSP shall automatically monitor the accesses performed by or on behalf of investigators to ensure that they correspond to the determined legal basis','HIGH','ORGANIZATIONAL',115),
-	 (519,'PSS-01.1','PSS-01.1','The CSP shall offer to their CSCs error handling and logging mechanisms that allow them to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides','BASIC','ORGANIZATIONAL',116),
-	 (520,'PSS-01.2','PSS-01.2','The information provided shall be detailed enough to allow cloud users to check the following aspects, insofar as they are applicable to the cloud service:
-- Which data, services or functions available to the cloud user within the cloud service, have been accessed by whom and when (Audit Logs);
-- Malfunctions during processing of automatic or manual actions; and
-- Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security.','SUBSTANTIAL','ORGANIZATIONAL',116),
-	 (521,'PSS-01.3','PSS-01.3','The logged information shall be protected from unauthorised access and modification and can be deleted by the CSC','SUBSTANTIAL','ORGANIZATIONAL',116),
-	 (522,'PSS-01.4','PSS-01.4','When the CSC is responsible for the activation or type and scope of logging, the CSP shall provide appropriate logging capabilities','SUBSTANTIAL','ORGANIZATIONAL',116),
-	 (523,'PSS-01.5','PSS-01.5','The CSP shall make the information available to CSCs via documented interfaces that are suitable for further processing this information as part of their Security Information and Event Management (SIEM).','HIGH','ORGANIZATIONAL',116),
-	 (524,'PSS-02.1','PSS-02.1','A suitable session management system shall be used that at least corresponds to the state- of-the-art and is protected against known attacks','BASIC','ORGANIZATIONAL',117),
-	 (525,'PSS-02.2','PSS-02.2','The session management system shall include mechanisms that invalidate a session after it has been detected as inactive.','SUBSTANTIAL','ORGANIZATIONAL',117),
-	 (526,'PSS-02.3','PSS-02.3','If inactivity is detected by time measurement, the time interval shall be configurable by the CSP or - if technically possible - by the CSC','SUBSTANTIAL','ORGANIZATIONAL',117),
-	 (527,'PSS-03.1','PSS-03.1','The CSP shall ensure the confidentiality of the cloud user data by suitable procedures when offering functions for software-defined networking (SDN)','BASIC','ORGANIZATIONAL',118),
-	 (528,'PSS-03.2','PSS-03.2','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features','BASIC','ORGANIZATIONAL',118),
-	 (529,'PSS-03.3','PSS-03.3','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration','SUBSTANTIAL','ORGANIZATIONAL',118),
-	 (530,'PSS-04.1','PSS-04.1','The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:
-- The CSC can restrict the selection of images of virtual machines or containers according to his specifications, so that users of this CSC can only launch the images or containers released according to these restrictions.
-- In addition, these images provided by the CSP are hardened according to generally accepted industry standards.','BASIC','ORGANIZATIONAL',119),
-	 (531,'PSS-04.2','PSS-04.2','The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:
-- If the CSP provides images of virtual machines or containers to the CSC, the CSP appropriately inform the CSC of the changes made to the previous version','SUBSTANTIAL','ORGANIZATIONAL',119),
-	 (532,'PSS-04.3','PSS-04.3','An integrity check shall be performed and automatically monitored to detect image manipulations and reported to the CSC at start-up and runtime of virtual machine or container images','HIGH','ORGANIZATIONAL',119),
-	 (533,'PSS-05.1','PSS-05.1','The CSP shall allow the CSC to specify the locations (location/country) of the data processing and storage including data backups according to the contractually available options','SUBSTANTIAL','ORGANIZATIONAL',120),
-	 (534,'PSS-05.2','PSS-05.2','All CSP commitments regarding locations of data processing and storage shall be enforced by the cloud service architecture','SUBSTANTIAL','ORGANIZATIONAL',120);	 
-/*!40000 ALTER TABLE `tom` ENABLE KEYS */;
+	
+(1,'OIS-01.1B','OIS-01.1B','The CSP shall have an information security management system (ISMS), covering at least the operational units, locations, people and processes for providing the cloud service.','Basic', 'ORGANIZATIONAL' ,1),
+(2,'OIS-01.2B','OIS-01.2B','The CSP shall provide documented information of the ISMS applied to the cloud service.','Basic', 'ORGANIZATIONAL' ,1),
+(3,'OIS-01.1S','OIS-01.1S','The CSP shall have an information security management system (ISMS), covering at least the operational units, locations, people and processes for providing the cloud service, in accordance with EN ISO/IEC 27001.
+Where the controls referred to in ISO/IEC 27001 6.1.3 shall be the controls in this TS on level Substantial.','Substantial', 'ORGANIZATIONAL' ,1),
+(4,'OIS-01.2S','OIS-01.2S','The CSP shall provide documented information of the ISMS applied to the cloud service, including at least:
+(1) ISO/IEC 27001 requirement 6.1.3 item c) shall be used for the cloud service using the controls in this document for comparison, with the restriction that all controls shall
+apply.
+(2) ISO/IEC 27001 requirement 6.1.3 item d) producing a Statement of Applicability may be used referring to the controls in this document for the cloud service but is not required.','Substantial', 'ORGANIZATIONAL' ,1),
+(5,'OIS-01.1H','OIS-01.1H','The CSP shall have an information security management system (ISMS), covering at least the operational units, locations, people and processes for providing the cloud service, with a valid certification of compliance with the requirements of EN ISO/IEC 27001 or with national schemes based on ISO 27001, issued by an accredited CAB covering the cloud service.','High', 'ORGANIZATIONAL' ,1),
+(6,'OIS-01.2H','OIS-01.2H','The CSP shall provide documented information of the ISMS applied to the cloud service, including at least:
+(1) ISO/IEC 27001 requirement 6.1.3 item c) shall be used for the cloud service using the controls in this document for comparison, with the restriction that all controls shall apply.
+(2) ISO/IEC 27001 requirement 6.1.3 item d) producing a Statement of Applicability referring to the controls in this document for the cloud service','High', 'ORGANIZATIONAL' ,1),
+(7,'OIS-02.1B','OIS-02.1B','The CSP shall perform a risk assessment as defined in RM-01 about the accumulation of responsibilities or tasks on roles or individuals, regarding the provision of the CSC, covering at least the following areas, insofar as these are applicable to the provision of the cloud service and are in the area of responsibility of the CSP:
+(1) Administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01); 
+(2) Development, testing and release of changes (cf. DEV-01, CCM-01); and 
+(3) Operation of the system components.','Basic', 'ORGANIZATIONAL' ,2),
+(8,'OIS-02.2B','OIS-02.2B','The CSP shall implement the mitigating measures defined in the risk treatment plan, privileging separation of duties, unless impossible for organisational or technical reasons, in which case the measures shall include the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions.','Basic', 'ORGANIZATIONAL' ,2),
+(9,'OIS-02.1S','OIS-02.1S','The CSP shall perform a risk assessment as defined in RM-01 about the accumulation of responsibilities or tasks on roles or individuals, regarding the provision of the cloud service, covering at least the following areas, insofar as these are applicable to the provision of the cloud service and are in the area of responsibility of the CSP: 
+(1) Administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01); 
+(2) Development, testing and release of changes (cf. DEV-01, CCM-01); and 
+(3) Operation of the system components.','Substantial', 'ORGANIZATIONAL' ,2),
+(10,'OIS-02.2S','OIS-02.2S','The CSP shall implement the mitigating measures defined in the risk treatment plan, privileging separation of duties, unless impossible for organisational or technical reasons, in which case the measures shall include the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions.','Substantial', 'ORGANIZATIONAL' ,2),
+(11,'OIS-02.3S','OIS-02.3S','The CSP introduces and maintains an inventory of conflicting roles and enforces the segregation of duties during the assignment or modification of roles as part of the role
+management process.','Substantial', 'ORGANIZATIONAL' ,2),
+(12,'OIS-02.1H','OIS-02.1H','The CSP shall perform a risk assessment as defined in RM-01 about the accumulation of responsibilities or tasks on roles or individuals, regarding the provision of the cloud service, covering at least the following areas, insofar as these are applicable to the provision of the cloud service and are in the area of responsibility of the CSP: 
+(1) Administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01); 
+(2) Development, testing and release of changes (cf. DEV-01, CCM-01); and 
+(3) Operation of the system components.','High', 'ORGANIZATIONAL' ,2),
+(13,'OIS-02.2H','OIS-02.2H','The CSP shall implement the mitigating measures defined in the risk treatment plan, privileging separation of duties, unless impossible for organisational or technical reasons, in which case the measures shall include the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions.','High', 'ORGANIZATIONAL' ,2),
+(14,'OIS-02.3H','OIS-02.3H','The CSP introduces and maintains an inventory of conflicting roles and enforces the segregation of duties during the assignment or modification of roles as part of the role management process.','High', 'ORGANIZATIONAL' ,2),
+(15,'OIS-02.4H','OIS-02.4H','The CSP shall automatically monitor the assignment of responsibilities and tasks to ensure that measures related to segregation of duties are enforced.','High', 'ORGANIZATIONAL' ,2),
+(16,'OIS-03.1B','OIS-03.1B','The CSP shall stay informed about current threats and vulnerabilities','Basic', 'ORGANIZATIONAL' ,3),
+(17,'OIS-03.1S','OIS-03.1S','The CSP shall maintain contacts with relevant authorities in terms of information security and relevant technical groups to stay informed about current threats and vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,3),
+(18,'OIS-03.1H','OIS-03.1H','The CSP shall maintain regular contacts with relevant authorities in terms of information security and relevant technical groups to stay informed about current threats and vulnerabilities.','High', 'ORGANIZATIONAL' ,3),
+(19,'OIS-04.1B','OIS-04.1B','The CSP shall include information security in the project management throughout the project lifecycle of all projects that may affect the provision of the cloud service, regardless of the nature of the project.','Basic', 'ORGANIZATIONAL' ,4),
+(20,'OIS-04.1S','OIS-04.1S','The CSP shall perform a risk assessment according to RM-01 to assess and treat the risks on all projects that may affect the provision of the cloud service, regardless of the nature of the project.','Substantial', 'ORGANIZATIONAL' ,4),
+(21,'OIS-04.1H','OIS-04.1H','The CSP shall perform a risk assessment according to RM-01 to assess and treat the risks on all projects that may affect the provision of the cloud service, regardless of the nature of the project.','High', 'ORGANIZATIONAL' ,4),
 
--- ----------------------------------
--- Table: `question_assurance_level`
--- ----------------------------------
-/*!40000 ALTER TABLE `question_assurance_level` DISABLE KEYS */;
-INSERT INTO cocbackend.question_assurance_level (id, assurance_level) VALUES
-	 (1, 'BASIC'),
-	 (2, 'SUBSTANTIAL'),
-	 (3, 'HIGH');
-/*!40000 ALTER TABLE `question_assurance_level` ENABLE KEYS */;
+(22,'ISP-01.1B','ISP-01.1B','The CSP shall document a global information security policy covering at least the following aspects: 
+(1) the importance of information security, based on the requirements of CSCs in relation to information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided
+(2) the security objectives and the desired security level, based on the business goals and tasks of the CSP 
+(3) the commitment of the CSP to implement the security measures required to achieve the established security objectives;
+(4) the most important aspects of the security strategy to achieve the security objectives
+(5) the organisational structure for information security in the ISMS application area. ','Basic', 'ORGANIZATIONAL' ,5),
+(23,'ISP-01.2B','ISP-01.2B','The CSP’s top management shall approve and endorse the global information security policy.','Basic', 'ORGANIZATIONAL' ,5),
+(24,'ISP-01.3B','ISP-01.3B','The CSP shall communicate and make available the global information security policy to employees and to CSCs.','Basic', 'ORGANIZATIONAL' ,5),
+(25,'ISP-01.1S','ISP-01.1S','The CSP shall document a global information security policy covering at least the following aspects: 
+(1) the importance of information security, based on the requirements of CSCs in relation to information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided
+(2) the security objectives and the desired security level, based on the business goals and tasks of the CSP 
+(3) the commitment of the CSP to implement the security measures required to achieve the established security objectives;
+(4) the most important aspects of the security strategy to achieve the security objectives 
+(5) the organisational structure for information security in the ISMS application area. ','Substantial', 'ORGANIZATIONAL' ,5),
+(26,'ISP-01.2S','ISP-01.2S','The CSP’s top management shall approve and endorse the global information security policy.','Substantial', 'ORGANIZATIONAL' ,5),
+(27,'ISP-01.4S','ISP-01.4S','The CSP shall review the global information security policy on a regular basis and at least following any significant organisational change that is likely to affect the principles defined in the policy, including the approval and endorsement by top management.','Substantial', 'ORGANIZATIONAL' ,5),
+(28,'ISP-01.3S','ISP-01.3S','The CSP shall communicate and make available the global information security policy to employees and to CSCs.','Substantial', 'ORGANIZATIONAL' ,5),
+(29,'ISP-01.1H','ISP-01.1H','The CSP shall document a global information security policy covering at least the following aspects: 
+(1) the importance of information security, based on the requirements of CSCs in relation to information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided
+(2) the security objectives and the desired security level, based on the business goals and tasks of the CSP 
+(3) the commitment of the CSP to implement the security measures required to achieve the established security objectives;
+(4) the most important aspects of the security strategy to achieve the security objectives 
+(5) the organisational structure for information security in the ISMS application area. ','High', 'ORGANIZATIONAL' ,5),
+(30,'ISP-01.2H','ISP-01.2H','The CSP’s top management shall approve and endorse the global information security policy.','High', 'ORGANIZATIONAL' ,5),
+(31,'ISP-01.4H','ISP-01.4H','The CSP shall review the global information security policy at least annually and at least following any significant organizational change that is likely to affect the principles defined in the policy, including the approval and endorsement by top management.','High', 'ORGANIZATIONAL' ,5),
+(32,'ISP-01.3H','ISP-01.3H','The CSP shall communicate and make available the global information security policy to employees and to CSCs.','High', 'ORGANIZATIONAL' ,5),
+(33,'ISP-02.1B','ISP-02.1B','The CSP shall derive policies and procedures from the global information security policy for all relevant subject matters, and document them according to a uniform structure, including at least the following aspects: 
+(1) Objectives
+(2) Scope
+(3) Roles and responsibilities within the organization
+(4) Roles and dependencies on other organisations (especially CSCs and subservice providers)
+(5) Steps for the execution of the security strategy
+(6) Applicable legal and regulatory requirements.','Basic', 'ORGANIZATIONAL' ,6),
+(34,'ISP-02.2B','ISP-02.2B','The CSP shall communicate and make available the policies and procedures to all employees.','Basic', 'ORGANIZATIONAL' ,6),
+(35,'ISP-02.3B','ISP-02.3B','The CSP’s top management shall approve the security policies and procedures or delegate this responsibility to authorized bodies.','Basic', 'ORGANIZATIONAL' ,6),
+(36,'ISP-02.4B','ISP-02.4B','The CSP’s subject matter experts shall review the policies and procedures for adequacy at least annually, when the global information security policy is modified, and when major changes may affect the security of the cloud service.','Basic', 'ORGANIZATIONAL' ,6),
+(37,'ISP-02.5B','ISP-02.5B','After a modification of procedures and policies, they shall be approved before they become effective, and then communicated and made available to employees.','Basic', 'ORGANIZATIONAL' ,6),
+(38,'ISP-02.1S','ISP-02.1S','The CSP shall derive policies and procedures from the global information security policy for all relevant subject matters, and document them according to a uniform structure, including at least the following aspects: 
+(1) Objectives
+(2) Scope
+(3) Roles and responsibilities within the organization, including staff competence requirements and the establishment of substitution rules
+(4) Roles and dependencies on other organisations (especially CSCs and subservice providers)
+(5) Steps for the execution of the security strategy
+(6) Applicable legal and regulatory requirements.','Substantial', 'ORGANIZATIONAL' ,6),
+(39,'ISP-02.2S','ISP-02.2S','The CSP shall communicate and make available the policies and procedures to all employees.','Substantial', 'ORGANIZATIONAL' ,6),
+(40,'ISP-02.3S','ISP-02.3S','The CSP’s top management shall approve the security policies and procedures or delegate this responsibility to authorized bodies.','Substantial', 'ORGANIZATIONAL' ,6),
+(41,'ISP-02.6S','ISP-02.6S','In case of a delegation to authorized bodies, the authorized bodies shall report at least annually to the top management on the security policies and their implementation.','Substantial', 'ORGANIZATIONAL' ,6),
+(42,'ISP-02.4S','ISP-02.4S','The CSP’s subject matter experts shall review the policies and procedures for adequacy at least annually, when the global information security policy is modified, and when major changes may affect the security of the cloud service.','Substantial', 'ORGANIZATIONAL' ,6),
+(43,'ISP-02.5S','ISP-02.5S','After a modification of procedures and policies, they shall be approved before they become effective, and then communicated and made available to employees.','Substantial', 'ORGANIZATIONAL' ,6),
+(44,'ISP-02.1H','ISP-02.1H','The CSP shall derive policies and procedures from the global information security policy for all relevant subject matters, and document them according to a uniform structure, including at least the following aspects: 
+(1) Objectives
+(2) Scope
+(3) Roles and responsibilities within the organization, including staff competence requirements and the establishment of substitution rules
+(4) Roles and dependencies on other organisations (especially CSCs and subservice providers)
+(5) Steps for the execution of the security strategy
+(6) Applicable legal and regulatory requirements.','High', 'ORGANIZATIONAL' ,6),
+(45,'ISP-02.2H','ISP-02.2H','The CSP shall communicate and make available the policies and procedures to all employees.','High', 'ORGANIZATIONAL' ,6),
+(46,'ISP-02.3H','ISP-02.3H','The CSP’s top management shall approve the security policies and procedures or delegate this responsibility to authorized bodies.','High', 'ORGANIZATIONAL' ,6),
+(47,'ISP-02.6H','ISP-02.6H','In case of a delegation to authorized bodies, the authorized bodies shall report at least annually to the top management on the security policies and their implementation.','High', 'ORGANIZATIONAL' ,6),
+(48,'ISP-02.4H','ISP-02.4H','The CSP’s subject matter experts shall review the policies and procedures for adequacy at least annually, when the global information security policy is modified, and when major changes may affect the security of the cloud service.','High', 'ORGANIZATIONAL' ,6),
+(49,'ISP-02.5H','ISP-02.5H','After a modification of procedures and policies, they shall be approved before they become effective, and then communicated and made available to employees.','High', 'ORGANIZATIONAL' ,6),
+(50,'ISP-03.1B','ISP-03.1B','The CSP shall maintain a list of exceptions, limited in time, to the security policies and procedures, including associated controls.','Basic', 'ORGANIZATIONAL' ,7),
+(51,'ISP-03.2B','ISP-03.2B','The list of exceptions shall be reviewed at least annually.','Basic', 'ORGANIZATIONAL' ,7),
+(52,'ISP-03.1S','ISP-03.1S','The CSP shall maintain a list of exceptions, limited in time, to the security policies and procedures, including associated controls.','Substantial', 'ORGANIZATIONAL' ,7),
+(53,'ISP-03.3S','ISP-03.3S','The exceptions shall be subjected to the RM-01 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners.','Substantial', 'ORGANIZATIONAL' ,7),
+(54,'ISP-03.2S','ISP-03.2S','The list of exceptions shall be reviewed at least annually, and their approval shall be reiterated at least annually, even if the list has not been modified.','Substantial', 'ORGANIZATIONAL' ,7),
+(55,'ISP-03.1H','ISP-03.1H','The CSP shall maintain a list of exceptions, limited in time, to the security policies and procedures, including associated controls.','High', 'ORGANIZATIONAL' ,7),
+(56,'ISP-03.3H','ISP-03.3H','The exceptions shall be subjected to the RM-01 risk management process, including approval of these exceptions and acceptance of the associated risks by the risk owners.','High', 'ORGANIZATIONAL' ,7),
+(57,'ISP-03.4H','ISP-03.4H','The exceptions to a security policy or procedure shall be approved by the top management or authorized body who approved the security policy or procedure.','High', 'ORGANIZATIONAL' ,7),
+(58,'ISP-03.2H','ISP-03.2H','The list of exceptions shall be reviewed at least annually, and their approval shall be reiterated at least annually, even if the list has not been modified.','High', 'ORGANIZATIONAL' ,7),
+(59,'ISP-03.5H','ISP-03.5H','The list of exceptions shall be automatically monitored to ensure that the validity of approved exceptions has not expired and that all reviews and approvals are up-to-date.','High', 'ORGANIZATIONAL' ,7),
 
--- ----------------------------------
--- Table: `question_answer`
--- ----------------------------------
-/*!40000 ALTER TABLE `question_answer` DISABLE KEYS */;
-INSERT INTO cocbackend.question_answer (id, answer, value, visible) VALUES
-	 (1, 'Fully supported.', 100, true),
-	 (2, 'Partially supported.', 50, true),
-	 (3, 'Not supported at all.', 0, true),
-	 (4, 'Not applicable.', -1, true),
-	 (5, 'Not answered', -1, false);
-/*!40000 ALTER TABLE `question_answer` ENABLE KEYS */;
+(60,'RM-01.1B','RM-01.1B','The CSP shall define policies and procedures for the cloud service in accordance with ISP-02 and OIS-01.1B for the following aspects: 
+(1) Identification of risks associated with the loss of confidentiality, integrity, availability and authenticity of information within the scope of the ISMS and assigning risk owners
+(2) Analysis of the probability and impact of occurrence and determination of the level of (3) Evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling
+(4) Handling of risks through measures, including approval of authorisation and acceptance of residual risks by risk owners
+(5) Retain documented information of the activities to enable consistent, valid and comparable results.','Basic', 'ORGANIZATIONAL' ,8),
+(61,'RM-01.1S','RM-01.1S','The CSP shall define policies and procedures in accordance with ISP-02 for information security risk assessment and treatment for the cloud service according to OIS-01.1S and ISO/IEC 27001:
+(1) 6.1.2 Information security risk assessment
+(2) 6.1.3 Information security risk treatment, except for bullet c) and d)
+(3) 8.2 Information security risk assessment
+(4) 8.3 Information security risk treatment
+(5) 9.3 bullet e)','Substantial', 'ORGANIZATIONAL' ,8),
+(62,'RM-01.1H','RM-01.1H','The CSP shall define policies and procedures in accordance with ISP-02 for information security risk assessment and treatment for the cloud service according to OIS-01.1H and ISO/IEC 27001:
+(1) 6.1.2 Information security risk assessment
+(2) 6.1.3 Information security risk treatment, with adaptation of bullet c) and d) according to OIS-01.1H
+(3) 8.2 Information security risk assessment
+(4) 8.3 Information security risk treatment
+(5) 9.3 bullet e)','High', 'ORGANIZATIONAL' ,8),
+(63,'RM-02.1B','RM-02.1B','The CSP shall implement the policies and procedures covering risk assessment on the entire cloud service.','Basic', 'ORGANIZATIONAL' ,9),
+(64,'RM-02.2B','RM-02.2B','The CSP shall make the results of the risk assessment available to relevant internal parties and relevant information shall be made available to defined external parties.','Basic', 'ORGANIZATIONAL' ,9),
+(65,'RM-02.3B','RM-02.3B','The CSP shall review and revise the risk assessment at least annually, and after each major change that may affect the security of the cloud service.','Basic', 'ORGANIZATIONAL' ,9),
+(66,'RM-02.1S','RM-02.1S','The CSP shall implement the policies and procedures covering risk assessment on the entire cloud service.','Substantial', 'ORGANIZATIONAL' ,9),
+(67,'RM-02.2S','RM-02.2S','The CSP shall make the results of the risk assessment available to relevant internal parties and relevant information shall be made available to defined external parties.','Substantial', 'ORGANIZATIONAL' ,9),
+(68,'RM-02.3S','RM-02.3S','The CSP shall review and revise the risk assessment at least annually, and after each major change that may affect the security of the cloud service.','Substantial', 'ORGANIZATIONAL' ,9),
+(69,'RM-02.1H','RM-02.1H','The CSP shall implement the policies and procedures covering risk assessment on the entire cloud service.','High', 'ORGANIZATIONAL' ,9),
+(70,'RM-02.2H','RM-02.2H','The CSP shall make the results of the risk assessment available to relevant internal parties and relevant information shall be made available to defined external parties.','High', 'ORGANIZATIONAL' ,9),
+(71,'RM-02.3H','RM-02.3H','The CSP shall review and revise the risk assessment at least annually, and after each major change that may affect the security of the cloud service.','High', 'ORGANIZATIONAL' ,9),
+(72,'RM-02.4H','RM-02.4H','The CSP shall monitor the evolution of the risk factors and revise the risk assessment, accordingly.','High', 'ORGANIZATIONAL' ,9),
+(73,'RM-03.1B','RM-03.1B','The CSP shall prioritize risks according to their criticality.','Basic', 'ORGANIZATIONAL' ,10),
+(74,'RM-03.2B','RM-03.2B','The CSP shall document and implement a plan to treat risks according to their priority level by reducing or avoiding them through security controls, by sharing them, or by retaining them.','Basic', 'ORGANIZATIONAL' ,10),
+(75,'RM-03.3B','RM-03.3B','The risk treatment plan shall reduce the risk level to a threshold that the risk owners deem acceptable (Residual Risk). ','Basic', 'ORGANIZATIONAL' ,10),
+(76,'RM-03.4B','RM-03.4B','The CSP shall make the risk treatment plan available to relevant internal parties with appropriately summarised and abstracted versions made available both internally and to
+authorized external parties.','Basic', 'ORGANIZATIONAL' ,10),
+(77,'RM-03.5B','RM-03.5B','If the CSP shares risks with the CSC, the shared risks shall be associated to Complementary User Entity Controls (CUECs) and described in the user documentation.','Basic', 'ORGANIZATIONAL' ,10),
+(78,'RM-03.6B','RM-03.6B','The CSP shall revise the risk treatment plan every time the risk assessment is modified.','Basic', 'ORGANIZATIONAL' ,10),
+(79,'RM-03.1S','RM-03.1S','The CSP shall prioritize risks according to their criticality.','Substantial', 'ORGANIZATIONAL' ,10),
+(80,'RM-03.2S','RM-03.2S','The CSP shall document and implement a plan to treat risks according to their priority level by reducing or avoiding them through security controls, by sharing them, or by retaining them.','Substantial', 'ORGANIZATIONAL' ,10),
+(81,'RM-03.3S','RM-03.3S','The risk owners shall formally accept the risk treatment plan, which shall reduce the risk level to a residual risk acceptable to the risk owners. ','Substantial', 'ORGANIZATIONAL' ,10),
+(82,'RM-03.4S','RM-03.4S','The CSP shall make the risk treatment plan available to relevant internal parties with appropriately summarised and abstracted versions made available both internally and to
+authorized external parties.','Substantial', 'ORGANIZATIONAL' ,10),
+(83,'RM-03.5S','RM-03.5S','If the CSP shares risks with the CSC, the shared risks shall be associated to Complementary User Entity Controls (CUECs) and described in the user documentation.','Substantial', 'ORGANIZATIONAL' ,10),
+(84,'RM-03.6S','RM-03.6S','The CSP shall revise the risk treatment plan every time the risk assessment is modified.','Substantial', 'ORGANIZATIONAL' ,10),
+(85,'RM-03.7S','RM-03.7S','The risk owners shall review for adequacy the analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, after each modification of the risk assessment and treatment plans.','Substantial', 'ORGANIZATIONAL' ,10),
+(86,'RM-03.1H','RM-03.1H','The CSP shall prioritize risks according to their criticality.','High', 'ORGANIZATIONAL' ,10),
+(87,'RM-03.2H','RM-03.2H','The CSP shall document and implement a plan to treat risks according to their priority level by reducing or avoiding them through security controls, by sharing them, or by retaining them.','High', 'ORGANIZATIONAL' ,10),
+(88,'RM-03.3H','RM-03.3H','The risk owners shall formally accept the risk treatment plan, which shall reduce the risk level to a residual risk acceptable to the risk owners. ','High', 'ORGANIZATIONAL' ,10),
+(89,'RM-03.4H','RM-03.4H','The CSP shall make the risk treatment plan available to relevant internal parties with appropriately summarised and abstracted versions made available both internally and to
+authorized external parties.','High', 'ORGANIZATIONAL' ,10),
+(90,'RM-03.5H','RM-03.5H','If the CSP shares risks with the CSC, the shared risks shall be associated to Complementary User Entity Controls (CUECs) and described in the user documentation.','High', 'ORGANIZATIONAL' ,10),
+(91,'RM-03.6H','RM-03.6H','The CSP shall revise the risk treatment plan every time the risk assessment is modified.','High', 'ORGANIZATIONAL' ,10),
+(92,'RM-03.7H','RM-03.7H','The risk owners shall review for adequacy the analysis, evaluation and treatment of risks, including the approval of actions and acceptance of residual risks, after each modification of the risk assessment and treatment plans.','High', 'ORGANIZATIONAL' ,10),
 
--- ----------------------------------
--- Table: `question`
--- ----------------------------------
-/*!40000 ALTER TABLE `question` DISABLE KEYS */;
-INSERT INTO cocbackend.question (id, code, question, evidence, assurance_level_id, control_id, tom_id, framework_id) VALUES
-	 (1, 'Q1-OIS-01.1B', 'Has the CSP an information security management system (ISMS) documented?', '- Documented Information Security Management System (ISMS)', 1, 1, 1, 1),
-	 (2, 'Q2-OIS-01.1B', 'Does the CSP implement an information security management system (ISMS)?', '- Quality records derived from the implementation of the defined ISMS ', 1, 1, 1, 1),
-	 (3, 'Q3-OIS-01.1B', 'Does the CSP maintain an information security management system (ISMS)?', '- Documented updates and changes to the ISMS', 1, 1, 1, 1),
-	 (4, 'Q4-OIS-01.1B', 'Does the CSP continually improve the information security management system (ISMS)?', '- Documented improvement actions to the ISMS&#13;- Documented ISMS improvement plan&#13;- Documented improvemens to the ISMS', 1, 1, 1, 1),
-	 (5, 'Q5-OIS-01.1B', 'Does the information security management system cover  the operational units?', '- ISMS scope (operational units)', 1, 1, 1, 1),
-	 (6, 'Q6-OIS-01.1B', 'Does the information security management system (ISMS), cover locations?', '- ISMS scope (locations)', 1, 1, 1, 1),
-	 (7, 'Q7-OIS-01.1B', 'Does the CSP cover processes for providing the cloud service?', '- ISMS scope (processes for providing the cloud service)', 1, 1, 1, 1),
-	 (8, 'Q1-OIS-01.2B', 'Does the CSP document the measures for documenting the ISMS? These measures shall include at least the scope of measures, the security baseline, objectives of the maintenance of the ISMS (e.g. frequency).', '- ISMS: Documented measures', 1, 1, 2, 1),
-	 (9, 'Q2-OIS-01.2B', 'Does the CSP document the measures for implementing the ISMS? Among other aspects the following aspects shall be included: roles and responsibilities, security objectives, risk register (see next), awareness activities (internal and external), implementation team, monitoring and review process.', '- ISMS: Documented measures', 1, 1, 2, 1),
-	 (10, 'Q3-OIS-01.2B', 'Does the CSP document the measures for continuously improving the ISMS? This shall include the at least the definition, implementation, collection and assessment of metrics to be able to improve the ISMS.', '- ISMS: Documented measures', 1, 1, 2, 1),
-	 (11, 'Q1-OIS-01.1S', 'Does the ISMS cover at least the operational units, locations and processes for providing the cloud service, in accordance to ISO/IEC 27001?', '- ISMS ( operational units, locations and processes)', 2, 1, 2, 1),
-	 (12, 'Q1-OIS-01.1H', 'Does the ISMS, cover at least the operational units, locations and processes for providing the cloud service, with a valid certification according to ISO/IEC 27001 or to national schemes based on ISO 27001, issued by an accredited CAB?', '', 3, 1, 3, 1),
-	 (13, 'Q1-OIS-02.1B', 'Does the CSP perform a risk assessment as defined in RM-01?', '- Documented risk assessment', 1, 2, 4, 1),
-	 (14, 'Q2-OIS-02.1B', 'Does the risk assessment address the accumulation of responsibilities or tasks in roles or individuals, with respect to the provision of the cloud service?', '- Documented risk assessment (information related with the accumulation of responsibilities or tasks in roles or individuals, with respect to the provision of the cloud service)', 1, 2, 4, 1),
-	 (15, 'Q3-OIS-02.1B', 'Does the risk assessment cover administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01)?', '- Documented risk assessment (information related with the administration of rights profiles, approval and assignment of access and access authorisations)&#13;- Documented risk assessment review record', 1, 2, 4, 1);
-/*!40000 ALTER TABLE `question` ENABLE KEYS */;
+(93,'HR-01.1B','HR-01.1B','The CSP shall classify information security-sensitive positions according to their level of risk, including positions related to IT administration and to the provisioning of the cloud service in the production environment, and all positions with access to CSC data or system components. ','Basic', 'ORGANIZATIONAL' ,11),
+(94,'HR-01.2B','HR-01.2B','The CSP shall include in its employment contracts or on a dedicated code of conduct or ethics an overarching agreement by employees to act ethically in their professional duties. ','Basic', 'ORGANIZATIONAL' ,11),
+(95,'HR-01.3B','HR-01.3B','The CSP shall define and implement a policy that describes actions to take in the event of violations of policies and procedures or applicable legal and regulatory requirements, including at least the following aspects: 
+(1) Verifying whether a violation has occurred; and
+(2) Consideration of the nature and severity of the violation and its impact ','Basic', 'ORGANIZATIONAL' ,11),
+(96,'HR-01.4B','HR-01.4B','If disciplinary measures are defined in this policy, then the employees of the CSP shall be informed about possible disciplinary measures and the use of these disciplinary measures shall be appropriately documented.','Basic', 'ORGANIZATIONAL' ,11),
+(97,'HR-01.1S','HR-01.1S','The CSP shall classify information security-sensitive positions according to their level of risk, including positions related to IT administration and to the provisioning of the cloud service in the production environment, and all positions with access to CSC data or system components. ','Substantial', 'ORGANIZATIONAL' ,11),
+(98,'HR-01.2S','HR-01.2S','The CSP shall include in its employment contracts or on a dedicated code of conduct or ethics an overarching agreement by employees to act ethically in their professional duties. ','Substantial', 'ORGANIZATIONAL' ,11),
+(99,'HR-01.3S','HR-01.3S','The CSP shall define and implement a policy that describes actions to take in the event of violations of policies and procedures or applicable legal and regulatory requirements, including at least the following aspects: 
+(1) Verifying whether a violation has occurred; and
+(2) Consideration of the nature and severity of the violation and its impact ','Substantial', 'ORGANIZATIONAL' ,11),
+(100,'HR-01.4S','HR-01.4S','If disciplinary measures are defined in this policy, then the employees of the CSP shall be informed about possible disciplinary measures and the use of these disciplinary measures shall be appropriately documented.','Substantial', 'ORGANIZATIONAL' ,11),
+(101,'HR-01.1H','HR-01.1H','The CSP shall classify information security-sensitive positions according to their level of risk, including positions related to IT administration and to the provisioning of the cloud service in the production environment, and all positions with access to CSC data or system components. ','High', 'ORGANIZATIONAL' ,11),
+(102,'HR-01.2H','HR-01.2H','The CSP shall include in its employment contracts or on a dedicated code of conduct or ethics an overarching agreement by employees to act ethically in their professional duties. ','High', 'ORGANIZATIONAL' ,11),
+(103,'HR-01.3H','HR-01.3H','The CSP shall define and implement a policy that describes actions to take in the event of violations of policies and procedures or applicable legal and regulatory requirements, including at least the following aspects: 
+(1) Verifying whether a violation has occurred; and
+(2) Consideration of the nature and severity of the violation and its impact ','High', 'ORGANIZATIONAL' ,11),
+(104,'HR-01.4H','HR-01.4H','If disciplinary measures are defined in this policy, then the employees of the CSP shall be informed about possible disciplinary measures and the use of these disciplinary measures shall be appropriately documented.','High', 'ORGANIZATIONAL' ,11),
+(105,'HR-02.1B','HR-02.1B','The CSP shall assess the competence and integrity of all its employees with access to CSC data or system components under the CSP’s responsibility, or who are responsible to provide the cloud service in the production environment before commencement of employment in a position classified in objective HR-01.','Basic', 'ORGANIZATIONAL' ,12),
+(106,'HR-02.2B','HR-02.2B','The CSP shall assess the competence and integrity of its employees of the CSP before commencement of employment in a position with a higher risk classification that their previous position within the company.','Basic', 'ORGANIZATIONAL' ,12),
+(107,'HR-02.3B','HR-02.3B','The extent of the assessment shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','Basic', 'ORGANIZATIONAL' ,12),
+(108,'HR-02.1S','HR-02.1S','The CSP shall assess the competence and integrity of all its employees with access to CSC data or system components under the CSP’s responsibility, or who are responsible to provide the cloud service in the production environment before commencement of employment in a position classified in objective HR-01. The extent of the review shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','Substantial', 'ORGANIZATIONAL' ,12),
+(109,'HR-02.2S','HR-02.2S','The CSP shall assess the competence and integrity of its employees of the CSP before commencement of employment in a position with a higher risk classification that their previous position within the company.','Substantial', 'ORGANIZATIONAL' ,12),
+(110,'HR-02.3S','HR-02.3S','The extent of the assessment shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','Substantial', 'ORGANIZATIONAL' ,12),
+(111,'HR-02.1H','HR-02.1H','The CSP shall assess the competence and integrity of all its employees with access to CSC data or system components under the CSP’s responsibility, or who are responsible to provide the cloud service in the production environment before commencement of employment in a position classified in objective HR-01. The extent of the review shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','High', 'ORGANIZATIONAL' ,12),
+(112,'HR-02.2H','HR-02.2H','The CSP shall assess the competence and integrity of its employees of the CSP before commencement of employment in a position with a higher risk classification that their previous position within the company.','High', 'ORGANIZATIONAL' ,12),
+(113,'HR-02.3H','HR-02.3H','The extent of the assessment shall be proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks.','High', 'ORGANIZATIONAL' ,12),
+(114,'HR-02.4H','HR-02.4H','The CSP shall review annually their assessment of the competence and integrity of its employees for the employees in positions with the highest levels of risk classification, starting at a level to be defined in the human resource policy.','High', 'ORGANIZATIONAL' ,12),
+(115,'HR-03.1B','HR-03.1B','The CSP shall ensure that all employees are required by their employment terms and conditions to comply with all applicable information security policies and procedures.','Basic', 'ORGANIZATIONAL' ,13),
+(116,'HR-03.2B','HR-03.2B','The CSP shall ensure that the employment terms for all employees include a non-disclosure provision, which shall cover any information that has been obtained or generated as part of the cloud service, even if anonymised and decontextualized.','Basic', 'ORGANIZATIONAL' ,13),
+(117,'HR-03.3B','HR-03.3B','The CSP shall give a presentation of all applicable information security policies and procedures to employees before granting them any access to CSC data, the production environment, or any functional component thereof.','Basic', 'ORGANIZATIONAL' ,13),
+(118,'HR-03.1S','HR-03.1S','The CSP shall ensure that all employees are required by their employment terms and conditions to comply with all applicable information security policies and procedures.','Substantial', 'ORGANIZATIONAL' ,13),
+(119,'HR-03.2S','HR-03.2S','The CSP shall ensure that the employment terms for all employees include a non-disclosure provision, which shall cover any information that has been obtained or generated as part of the cloud service, even if anonymised and decontextualized.','Substantial', 'ORGANIZATIONAL' ,13),
+(120,'HR-03.3S','HR-03.3S','The CSP shall give a presentation of all applicable information security policies and procedures to employees before granting them any access to CSC data, the production environment, or any functional component thereof.','Substantial', 'ORGANIZATIONAL' ,13),
+(121,'HR-03.4S','HR-03.4S','All employees shall acknowledge in a documented form the information security policies and procedures presented to them before they are granted any access to CSC data, the production environment, or any functional component thereof','Substantial', 'ORGANIZATIONAL' ,13),
+(122,'HR-03.1H','HR-03.1H','The CSP shall ensure that all employees are required by their employment terms and conditions to comply with all applicable information security policies and procedures.','High', 'ORGANIZATIONAL' ,13),
+(123,'HR-03.2H','HR-03.2H','The CSP shall ensure that the employment terms for all employees include a non-disclosure provision, which shall cover any information that has been obtained or generated as part of the cloud service, even if anonymised and decontextualized.','High', 'ORGANIZATIONAL' ,13),
+(124,'HR-03.3H','HR-03.3H','The CSP shall give a presentation of all applicable information security policies and procedures to employees before granting them any access to CSC data, the production environment, or any functional component thereof.','High', 'ORGANIZATIONAL' ,13),
+(125,'HR-03.4H','HR-03.4H','All employees shall acknowledge in a documented form the information security policies and procedures presented to them before they are granted any access to CSC data, the production environment, or any functional component thereof, and the verification of this acknowledgement shall be automatically monitored in the processes and automated systems used to grant access rights to employees.','High', 'ORGANIZATIONAL' ,13),
+(126,'HR-04.1B','HR-04.1B','The CSP shall define a security awareness and training program that covers the following aspects: 
+(1) Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; 
+(2) Handling CSC data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;
+(3) Information about the current threat situation; and
+(4) Correct behaviour in the event of security incidents.','Basic', 'ORGANIZATIONAL' ,14),
+(127,'HR-04.2B','HR-04.2B','The CSP shall review their security awareness and training program based on changes to policies and procedures and the current threat situation.','Basic', 'ORGANIZATIONAL' ,14),
+(128,'HR-04.3B','HR-04.3B','The CSP shall ensure that all employees complete the security awareness and training program defined for them.','Basic', 'ORGANIZATIONAL' ,14),
+(129,'HR-04.1S','HR-04.1S','The CSP shall define a security awareness and training program on a target group oriented manner, taking into consideration at least the position’s risk classification and technical duties, and that covers the following aspects: 
+(1) Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; 
+(2) Handling CSC data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;
+(3) Information about the current threat situation; and
+(4) Correct behaviour in the event of security incidents.','Substantial', 'ORGANIZATIONAL' ,14),
+(130,'HR-04.2S','HR-04.2S','The CSP shall review their security awareness and training program at least annually, and based on changes to policies and instructions and the current threat situation.','Substantial', 'ORGANIZATIONAL' ,14),
+(131,'HR-04.3S','HR-04.3S','The CSP shall ensure that all employees complete the security awareness and training program defined for them on a regular basis, and when changing target group.','Substantial', 'ORGANIZATIONAL' ,14),
+(132,'HR-04.4S','HR-04.4S','The CSP shall measure and evaluate the learning outcomes achieved through the awareness and training programme.','Substantial', 'ORGANIZATIONAL' ,14),
+(133,'HR-04.1H','HR-04.1H','The CSP shall define a security awareness and training program on a target group oriented manner, taking into consideration at least the position’s risk classification and technical duties, and that covers the following aspects: 
+(1) Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures; 
+(2) Handling CSC data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;
+(3) Information about the current threat situation; and
+(4) Correct behaviour in the event of security incidents.','High', 'ORGANIZATIONAL' ,14),
+(134,'HR-04.2H','HR-04.2H','The CSP shall review their security awareness and training program based on changes to policies and procedures and the current threat situation.','High', 'ORGANIZATIONAL' ,14),
+(135,'HR-04.3H','HR-04.3H','The CSP shall ensure that all employees complete the security awareness and training program defined for them on a regular basis, and when changing target group, and shall automatically monitor the completion of the security awareness and training program.','High', 'ORGANIZATIONAL' ,14),
+(136,'HR-04.4H','HR-04.4H','The CSP shall measure and evaluate in a target group-oriented manner the learning outcomes achieved through the awareness and training programme; the measurements shall cover quantitative and qualitative aspects, and the results shall be used to improve the awareness and training programme.','High', 'ORGANIZATIONAL' ,14),
+(137,'HR-05.1B','HR-05.1B','The CSP shall communicate to employees their ongoing responsibilities relating to information security when their employment is terminated or changed. ','Basic', 'ORGANIZATIONAL' ,15),
+(138,'HR-05.2B','HR-05.2B','The CSP shall apply a specific procedure to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed.','Basic', 'ORGANIZATIONAL' ,15),
+(139,'HR-05.1S','HR-05.1S','The CSP shall communicate to employees their ongoing responsibilities relating to information security when their employment is terminated or changed. ','Substantial', 'ORGANIZATIONAL' ,15),
+(140,'HR-05.2S','HR-05.2S','The CSP shall apply a specific procedure to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed, defining specific roles and responsibilities and including a documented checklist of all required steps.','Substantial', 'ORGANIZATIONAL' ,15),
+(141,'HR-05.1H','HR-05.1H','The CSP shall communicate to employees their ongoing responsibilities relating to information security when their employment is terminated or changed. ','High', 'ORGANIZATIONAL' ,15),
+(142,'HR-05.2H','HR-05.2H','The CSP shall apply a specific procedure to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed, defining specific roles and responsibilities and including a documented checklist of all required steps; the CSP shall automatically monitor the application of this procedure.','High', 'ORGANIZATIONAL' ,15),
+(143,'HR-06.1B','HR-06.1B','The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers.','Basic', 'ORGANIZATIONAL' ,16),
+(144,'HR-06.1S','HR-06.1S','The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers, based on the requirements identified by the CSP for the protection of confidential information and operational details.','Substantial', 'ORGANIZATIONAL' ,16),
+(145,'HR-06.2S','HR-06.2S','The agreements shall be accepted by external service providers and suppliers when the contract is agreed.','Substantial', 'ORGANIZATIONAL' ,16),
+(146,'HR-06.3S','HR-06.3S','The agreements shall be accepted by internal employees of the CSP before authorisation to access CSC data is granted.','Substantial', 'ORGANIZATIONAL' ,16),
+(147,'HR-06.4S','HR-06.4S','The requirements on which the agreements are based shall be documented and reviewed at regular intervals, at least annually; if the review shows that the requirements need to be modified, then the non-disclosure or confidentiality agreements shall be modified accordingly.','Substantial', 'ORGANIZATIONAL' ,16),
+(148,'HR-06.5S','HR-06.5S','The CSP shall inform its internal employees, external service providers and suppliers and obtain confirmation of their acceptance of the updated confidentiality or non-disclosure agreement.','Substantial', 'ORGANIZATIONAL' ,16),
+(149,'HR-06.1H','HR-06.1H','The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers, based on the requirements identified by the CSP for the protection of confidential information and operational details.','High', 'ORGANIZATIONAL' ,16),
+(150,'HR-06.2H','HR-06.2H','The agreements shall be accepted by external service providers and suppliers when the contract is agreed, and this acceptation shall be automatically monitored.','High', 'ORGANIZATIONAL' ,16),
+(151,'HR-06.3H','HR-06.3H','The agreements shall be accepted by internal employees of the CSP before authorisation to access CSC data is granted, and this acceptation shall be automatically monitored.','High', 'ORGANIZATIONAL' ,16),
+(152,'HR-06.4H','HR-06.4H','The requirements on which the agreements are based shall be documented and reviewed at regular intervals, at least annually; if the review shows that the requirements need to be modified, then the non-disclosure or confidentiality agreements shall be modified accordingly.','High', 'ORGANIZATIONAL' ,16),
+(153,'HR-06.5H','HR-06.5H','The CSP shall inform its internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement, and this acceptation shall be automatically monitored.','High', 'ORGANIZATIONAL' ,16),
 
--- ----------------------------------
--- Table: `questionnaire_purpose`
--- ----------------------------------
-/*!40000 ALTER TABLE `questionnaire_purpose` DISABLE KEYS */;
-INSERT INTO cocbackend.questionnaire_purpose (id, purpose) VALUES
-	 (1, 'Self evaluation'),
-	 (2, 'External audit');
-/*!40000 ALTER TABLE `questionnaire_purpose` ENABLE KEYS */;
+(154,'AM-01.1B','AM-01.1B','The CSP shall define and implement policies and procedures for maintaining an inventory of assets. ','Basic', 'ORGANIZATIONAL' ,17),
+(155,'AM-01.2B','AM-01.2B','The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01.','Basic', 'ORGANIZATIONAL' ,17),
+(156,'AM-01.1S','AM-01.1S','The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.','Substantial', 'ORGANIZATIONAL' ,17),
+(157,'AM-01.2S','AM-01.2S','The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.','Substantial', 'ORGANIZATIONAL' ,17),
+(158,'AM-01.1H','AM-01.1H','The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.','High', 'ORGANIZATIONAL' ,17),
+(159,'AM-01.2H','AM-01.2H','The CSP shall record for each asset the information needed to apply the risk management procedure defined in RM-01 and the measures taken to manage the risks associated to the asset through its life cycle.','High', 'ORGANIZATIONAL' ,17),
+(160,'AM-01.3H','AM-01.3H','The information about assets shall be considered by monitoring applications to identify the impact on cloud services in case of events that could lead to a breach of information security objectives, and to support information provided to affected cloud customers in accordance with contractual agreements.','High', 'ORGANIZATIONAL' ,17),
+(161,'AM-01.4H','AM-01.4H','The CSP shall automatically monitor the process performing the inventory of assets to guarantee it is up-to-date.','High', 'ORGANIZATIONAL' ,17),
+(162,'AM-02.1B','AM-02.1B','The CSP shall define and implement policies and procedures as defined in ISP-02 for acceptable use and safe handling of assets. When removable media is used in the technical infrastructure or for IT administration tasks, this media shall be dedicated to a single use.','Basic', 'ORGANIZATIONAL' ,18),
+(163,'AM-02.1S','AM-02.1S','The CSP shall define and implement policies and procedures as defined in ISP-02 for acceptable use and safe handling of assets. When removable media is used in the technical infrastructure or for IT administration tasks, this media shall be dedicated to a single use.','Substantial', 'ORGANIZATIONAL' ,18),
+(164,'AM-02.1H','AM-02.1H','The CSP shall define and implement policies and procedures as defined in ISP-02 for acceptable use and safe handling of assets. When removable media is used in the technical infrastructure or for IT administration tasks, this media shall be dedicated to a single use.','High', 'ORGANIZATIONAL' ,18),
+(165,'AM-03.1B','AM-03.1B','The CSP shall define and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures.','Basic', 'ORGANIZATIONAL' ,19),
+(166,'AM-03.2B','AM-03.2B','The CSP shall define and implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, including the complete and permanent deletion of the data or the proper destruction of the media and requiring approval based on applicable policies.','Basic', 'ORGANIZATIONAL' ,19),
+(167,'AM-03.1S','AM-03.1S','The CSP shall define and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures, including those defined in RM-01, to ensure that the risks arising from the commissioning are identified, analysed and mitigated.','Substantial', 'ORGANIZATIONAL' ,19),
+(168,'AM-03.2S','AM-03.2S','The CSP shall define and implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, including the complete and permanent deletion of the data or the proper destruction of the media and requiring approval based on applicable policies.','Substantial', 'ORGANIZATIONAL' ,19),
+(169,'AM-03.3S','AM-03.3S','The commissioning procedure shall include verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies, before authorization to commission the asset can be granted.','Substantial', 'ORGANIZATIONAL' ,19),
+(170,'AM-03.1H','AM-03.1H','The CSP shall define and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures, including those defined in RM-01, to ensure that the risks arising from the commissioning are identified, analysed and mitigated.','High', 'ORGANIZATIONAL' ,19),
+(171,'AM-03.3H','AM-03.3H','The commissioning procedure shall include verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication and authorisation according to the intended use and based on the applicable policies, before authorization to commission the asset can be granted.','High', 'ORGANIZATIONAL' ,19),
+(172,'AM-03.2H','AM-03.2H','The CSP shall define and implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, including the complete and permanent deletion of the data or the proper destruction of the media and requiring approval based on applicable policies.','High', 'ORGANIZATIONAL' ,19),
+(173,'AM-03.4H','AM-03.4H','The approval of the commissioning and decommissioning of hardware shall be digitally documented and automatically monitored.','High', 'ORGANIZATIONAL' ,19),
+(174,'AM-04.1B','AM-04.1B','The CSP shall ensure and document that all employees are committed to the policies and procedures for acceptable use and safe handling of assets in the situations described in AM-02.','Basic', 'ORGANIZATIONAL' ,20),
+(175,'AM-04.2B','AM-04.2B','The procedure mentioned in HR-06.2 shall include steps to ensure that all assets under custody of an employee are returned upon termination of employment.','Basic', 'ORGANIZATIONAL' ,20),
+(176,'AM-04.1S','AM-04.1S','The CSP shall ensure and document that all employees are committed to the policies and procedures for acceptable use and safe handling of assets in the situations described in AM-02.','Substantial', 'ORGANIZATIONAL' ,20),
+(177,'AM-04.2S','AM-04.2S','The procedure mentioned in HR-06.2 shall include steps to ensure that all assets under custody of an employee are returned upon termination of employment.','Substantial', 'ORGANIZATIONAL' ,20),
+(178,'AM-04.1H','AM-04.1H','The CSP shall ensure and document that all employees are committed to the policies and procedures for acceptable use and safe handling of assets in the situations described in AM-02, and this commitment shall be automatically monitored.','High', 'ORGANIZATIONAL' ,20),
+(179,'AM-04.2H','AM-04.2H','The procedure mentioned in HR-06.2 shall include steps to ensure that all assets under custody of an employee are returned upon termination of employment.','High', 'ORGANIZATIONAL' ,20),
+(180,'AM-04.3H','AM-04.3H','The CSP shall centrally manage the assets under the custody of employees, including asset distribution, data and software licences, appropriately using remote deactivation, deletion or locking of related hardware and software.','High', 'ORGANIZATIONAL' ,20),
+(181,'AM-05.1B','AM-05.1B','The CSP shall document an asset classification schema that reflects for each asset the protection needs of the categories of information it may process, store, or transmit.','Basic', 'ORGANIZATIONAL' ,21),
+(182,'AM-05.2B','AM-05.2B','When applicable, the CSP shall label all assets according to their classification in the asset classification schema.','Basic', 'ORGANIZATIONAL' ,21),
+(183,'AM-05.1S','AM-05.1S','The CSP shall document an asset classification schema that reflects for each asset the protection needs of the categories of information it may process, store, or transmit, and provide levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives.','Substantial', 'ORGANIZATIONAL' ,21),
+(184,'AM-05.2S','AM-05.2S','Where applicable, the CSP shall label all assets according to their classification in the asset classification schema.','Substantial', 'ORGANIZATIONAL' ,21),
+(185,'AM-05.3S','AM-05.3S','The need for protection shall be determined by the individuals or groups responsible for the assets.','Substantial', 'ORGANIZATIONAL' ,21),
+(186,'AM-05.1H','AM-05.1H','The CSP shall document an asset classification schema that reflects for each asset the protection needs of the categories of information it may process, store, or transmit, and provide levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives.','High', 'ORGANIZATIONAL' ,21),
+(187,'AM-05.2H','AM-05.2H','When applicable, the CSP shall label all assets according to their classification in the asset classification schema.','High', 'ORGANIZATIONAL' ,21),
+(188,'AM-05.3H','AM-05.3H','The need for protection shall be determined by the individuals or groups responsible for the assets.','High', 'ORGANIZATIONAL' ,21),
+
+(189,'PS-01.1B','PS-01.1B','The CSP shall define security perimeters in the buildings and premises related to the cloud service provided.','Basic', 'ORGANIZATIONAL' ,22),
+(190,'PS-01.2B','PS-01.2B','The CSP shall define at least two security areas, with at least one sensitive area covering sensitive activities such as the buildings and premises hosting the information system for the provision of the cloud service, and at least one public area covering at least all remaining buildings and premises.','Basic', 'ORGANIZATIONAL' ,22),
+(191,'PS-01.3B','PS-01.3B','The CSP shall define and implement a set of security requirements for each security area in a policy and procedures according to ISP-02.','Basic', 'ORGANIZATIONAL' ,22),
+(192,'PS-01.1S','PS-01.1S','The CSP shall define security perimeters in the buildings and premises related to the cloud service provided.','Substantial', 'ORGANIZATIONAL' ,22),
+(193,'PS-01.2S','PS-01.2S','The CSP shall define at least two security areas, with at least one sensitive area covering sensitive activities such as the buildings and premises hosting the information system for the provision of the cloud service, and at least one public area covering at least all remaining buildings and premises.','Substantial', 'ORGANIZATIONAL' ,22),
+(194,'PS-01.3S','PS-01.3S','The CSP shall define and implement a set of security requirements for each security area in a policy and procedures according to ISP-02, based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security.','Substantial', 'ORGANIZATIONAL' ,22),
+(195,'PS-01.1H','PS-01.1H','The CSP shall define security perimeters in the buildings and premises related to the cloud service provided.','High', 'ORGANIZATIONAL' ,22),
+(196,'PS-01.2H','PS-01.2H','The CSP shall define at least three security areas, with at least one sensitive area covering sensitive activities such as the buildings and premises hosting the information system for the provision of the cloud service, one or more additional private area that may host development activities and administration, supervision and operation workstations, and at least one public area covering at least all remaining buildings and premises.','High', 'ORGANIZATIONAL' ,22),
+(197,'PS-01.4H','PS-01.4H','The CSP shall ensure that no direct access exists between a public area and a sensitive area, without going through a private area.','High', 'ORGANIZATIONAL' ,22),
+(198,'PS-01.5H','PS-01.5H','The CSP shall ensure that all delivery, loading areas, and other points through which unauthorised persons can penetrate into the premises without being accompanied are part of the public area.','High', 'ORGANIZATIONAL' ,22),
+(199,'PS-01.3H','PS-01.3H','The CSP shall define and implement a set of security requirements for each security area in a policy and procedures according to ISP-02, based on the security objectives of the information security policy, identified protection requirements for the cloud service and the assessment of risks to physical and environmental security.','High', 'ORGANIZATIONAL' ,22),
+(200,'PS-02.1B','PS-02.1B','The CSP shall define and implement policies and procedures according to ISP-02 related to the physical access control to the security areas matching the requirements defined in PS-01 and based on the principles defined in IAM-01.','Basic', 'ORGANIZATIONAL' ,23),
+(201,'PS-02.2B','PS-02.2B','The access control policy shall require at least one authentication factor for accessing any non-public area.','Basic', 'ORGANIZATIONAL' ,23),
+(202,'PS-02.3B','PS-02.3B','The access control policy shall describe the physical access control derogations in case of emergency.','Basic', 'ORGANIZATIONAL' ,23),
+(203,'PS-02.4B','PS-02.4B','The CSP shall display at the entrance of all non-public perimeters a warning concerning the limits and access conditions to the corresponding areas.','Basic', 'ORGANIZATIONAL' ,23),
+(204,'PS-02.5B','PS-02.5B','The CSP shall protect security perimeters with security measures to detect and prevent unauthorised access in a timely manner so that it does not compromise the information security of the cloud service.','Basic', 'ORGANIZATIONAL' ,23),
+(205,'PS-02.1S','PS-02.1S','The CSP shall define and implement policies and procedures according to ISP-02 related to the physical access control to the security areas matching the requirements defined in PS-01 and based on the principles defined in IAM-01, including requirements on the physical access control measures to be implemented.','Substantial', 'ORGANIZATIONAL' ,23),
+(206,'PS-02.2S','PS-02.2S','The access control policy shall require at least one authentication factor for accessing any non-public area, and at least two distinct kinds of authentication factors for accessing any sensitive area and areas hosting system components that process CSC data.','Substantial', 'ORGANIZATIONAL' ,23),
+(207,'PS-02.3S','PS-02.3S','The access control policy shall describe the physical access control derogations in case of emergency.','Substantial', 'ORGANIZATIONAL' ,23),
+(208,'PS-02.4S','PS-02.4S','The CSP shall display at the entrance of all non-public perimeters a warning concerning the limits and access conditions to the corresponding areas.','Substantial', 'ORGANIZATIONAL' ,23),
+(209,'PS-02.5S','PS-02.5S','The CSP shall protect security perimeters with security measures to detect and prevent unauthorised access in a timely manner so that it does not compromise the information security of the cloud service. ','Substantial', 'ORGANIZATIONAL' ,23),
+(210,'PS-02.6S','PS-02.6S','The access control policy shall include requirements concerning preventive and detective physical access control.','Substantial', 'ORGANIZATIONAL' ,23),
+(211,'PS-02.7S','PS-02.7S','The access control policy shall include measures to identify individual visitors and third-party personnel, incorporating them into the access policy system, thereby monitoring and escorting the building access during their stay.','Substantial', 'ORGANIZATIONAL' ,23),
+(212,'PS-02.8S','PS-02.8S','The access control policy shall include logging of all accesses to non-public areas that enables the CSP to check whether only defined personnel have entered these areas.','Substantial', 'ORGANIZATIONAL' ,23),
+(213,'PS-02.1H','PS-02.1H','The CSP shall define and implement policies and procedures according to ISP-02 related to the physical access control to the security areas matching the requirements defined in PS-01 and based on the principles defined in IAM-01, including requirements on the physical access control measures to be implemented.','High', 'ORGANIZATIONAL' ,23),
+(214,'PS-02.2H','PS-02.2H','The access control policy shall require at least one authentication factor for accessing any non-public area, and at least two distinct kinds of authentication factors for accessing any sensitive area and areas hosting system components that process CSC data.','High', 'ORGANIZATIONAL' ,23),
+(215,'PS-02.9H','PS-02.9H','The access control policy shall describe the time slots and conditions for accessing each security area according to the profiles of the users.','High', 'ORGANIZATIONAL' ,23),
+(216,'PS-02.3H','PS-02.3H','The access control policy shall describe the physical access control derogations in case of emergency.','High', 'ORGANIZATIONAL' ,23),
+(217,'PS-02.4H','PS-02.4H','The CSP shall display at the entrance of all non-public perimeters a warning concerning the limits and access conditions to the corresponding areas.','High', 'ORGANIZATIONAL' ,23),
+(218,'PS-02.5H','PS-02.5H','The CSP shall protect security perimeters with security measures to detect and prevent unauthorised access in a demonstrated timely manner so that it does not compromise the information security of the cloud service. ','High', 'ORGANIZATIONAL' ,23),
+(219,'PS-02.6H','PS-02.6H','The access control policy shall include requirements concerning preventive and detective physical access control.','High', 'ORGANIZATIONAL' ,23),
+(220,'PS-02.7H','PS-02.7H','The access control policy shall include measures to identify individual visitors and third-party personnel, incorporating them into the access policy system, thereby monitoring and escorting the building access during their stay.','High', 'ORGANIZATIONAL' ,23),
+(221,'PS-02.8H','PS-02.8H','The access control policy shall include logging of all accesses to non-public areas that enables the CSP to check whether only defined personnel have entered these areas, and this logging shall be automatically monitored.','High', 'ORGANIZATIONAL' ,23),
+(222,'PS-03.1B','PS-03.1B','The CSP shall define and implement policies and procedures according to ISP-02 concerning work in non-public areas.','Basic', 'ORGANIZATIONAL' ,24),
+(223,'PS-03.1S','PS-03.1S','The CSP shall define and implement policies and procedures according to ISP-02 concerning work in non-public areas, including at least a clear screen policy and a clear desk policy for sensitive information and removable media.','Substantial', 'ORGANIZATIONAL' ,24),
+(224,'PS-03.2S','PS-03.2S','If visitors need to access a non-public area, the CSP shall ensure that they are supervised by an employee who has been authorised (cf. HR-02.1S), who will accompany the visitors, authorise or deny their actions, and question them if needed about their actions.','Substantial', 'ORGANIZATIONAL' ,24),
+(225,'PS-03.1H','PS-03.1H','The CSP shall define and implement policies and procedures according to ISP-02 concerning work in non-public areas, including at least a clear screen policy and a clear desk policy for sensitive information and removable media.','High', 'ORGANIZATIONAL' ,24),
+(226,'PS-03.2H','PS-03.2H','If visitors need to access a non-public area, the CSP shall ensure that they are supervised by an employee who has been authorised (cf. HR-02.1H), who will accompany the visitors, authorise or deny their actions, and question them if needed about their actions.','High', 'ORGANIZATIONAL' ,24),
+(227,'PS-03.3H','PS-03.3H','The CSP shall define a mapping between activities and security areas that indicates which activities are allowed to be performed in every security area.','High', 'ORGANIZATIONAL' ,24),
+(228,'PS-03.4H','PS-03.4H','The CSP shall define a mapping between assets and security areas that indicates which assets are allowed to be used in every security area.','High', 'ORGANIZATIONAL' ,24),
+(229,'PS-04.1B','PS-04.1B','The CSP shall define and implement policies and procedures according to ISP-02 concerning the protection of equipment and including at least the following aspects:
+(1) Protecting power and communications cabling from interception, interference or damage;
+(2) Protecting equipment during maintenance operations;
+(3) Protecting equipment holding CSC data during transport.','Basic', 'ORGANIZATIONAL' ,25),
+(230,'PS-04.2B','PS-04.2B','The CSP shall use encryption on the removable media and the backup media intended to move between security areas according to the sensitivity of the data stored on the media','Basic', 'ORGANIZATIONAL' ,25),
+(231,'PS-04.1S','PS-04.1S','The CSP shall define and implement policies and procedures according to ISP-02 concerning the protection of equipment and including at least the following aspects:
+(1) Protecting power and communications cabling from interception, interference or damage;
+(2) Protecting equipment during maintenance operations;
+(3) Protecting equipment holding CSC data during transport.','Substantial', 'ORGANIZATIONAL' ,25),
+(232,'PS-04.2S','PS-04.2S','The CSP shall use encryption on the removable media and the backup media intended to move between security areas according to the sensitivity of the data stored on the media. ','Substantial', 'ORGANIZATIONAL' ,25),
+(233,'PS-04.3S','PS-04.3S','These procedures shall include at least:
+(1) a procedure to check the protection of power and communications cabling, to be performed regularly by qualified personnel, at least every two years, as well as in case of suspected manipulation;
+(2) a procedure for transferring any equipment containing CSC data off-site for disposal that guarantees that the level of protection in terms of confidentiality and integrity of the assets during their transport is equivalent to that on the site.','Substantial', 'ORGANIZATIONAL' ,25),
+(234,'PS-04.4S','PS-04.4S','The CSP shall ensure that an equipment containing a media with CSC data can be returned to a third party only if the CSC data stored on it is encrypted in accordance with CKM-03 or has been destroyed beforehand using a secure deletion mechanism.','Substantial', 'ORGANIZATIONAL' ,25),
+(235,'PS-04.1H','PS-04.1H','The CSP shall define and implement policies and procedures according to ISP-02 concerning the protection of equipment and including at least the following aspects:
+(1) Protecting power and communications cabling from interception, interference or damage;
+(2) Protecting equipment during maintenance operations;
+(3) Protecting equipment holding CSC data during transport.','High', 'ORGANIZATIONAL' ,25),
+(236,'PS-04.2H','PS-04.2H','The CSP shall use encryption on all removable media intended to move between security areas','High', 'ORGANIZATIONAL' ,25),
+(237,'PS-04.3H','PS-04.3H','These policies and procedures shall include at least:
+(a) a procedure to check the protection of power and communications cabling, to be performed regularly by qualified personnel, at least every two years, as well as in case of suspected manipulation;
+(b) a procedure for transferring any equipment containing CSC data off-site for disposal that guarantees that the level of protection in terms of confidentiality and integrity of the assets during their transport is equivalent to that on the site, including approval by top management of the CSP or by the authorised body that is responsible for this procedure;
+(c) a procedure to maintain and keep up-to-date a wiring scheme;
+(d) measures to ensure that the conditions for installation, maintenance and servicing of the related technical equipment (e.g., electrical power, air conditioning, fire protection) are compatible with the cloud service’s availability and security requirements.','High', 'ORGANIZATIONAL' ,25),
+(238,'PS-04.4H','PS-04.4H','The CSP shall ensure that an equipment containing a media with CSC data can be returned to a third party only if the CSC data stored on it is encrypted in accordance with CKM-03 or has been destroyed beforehand using a secure deletion mechanism.','High', 'ORGANIZATIONAL' ,25),
+(239,'PS-04.5H','PS-04.5H','The CSP shall ensure that the maintenance agreements for equipment used to host the cloud service make it possible to have security updates installed in timely fashion on this equipment.','High', 'ORGANIZATIONAL' ,25),
+(240,'PS-05.1B','PS-05.1B','The CSP shall define and implement a set of requirements related to external and environmental threats in a policy according to ISP-02, addressing the following risks in accordance with the applicable legal and contractual requirements:
+(1) Faults in planning;
+(2) Unauthorised access;
+(3) Force majeure, including epidemiological risks;
+(4) Insufficient surveillance;
+(5) Insufficient air-conditioning;
+(6) Fire and smoke;
+(7) Water;
+(8) Power failure; and
+(9) Air ventilation and filtration.','Basic', 'ORGANIZATIONAL' ,26),
+(241,'PS-05.1S','PS-05.1S','The CSP shall define and implement a set of requirements related to external and environmental threats in a policy according to ISP-02, addressing the following risks in accordance with the applicable legal and contractual requirements:
+(1) Faults in planning;
+(2) Unauthorised access;
+(3) Force majeure, including epidemiological risks;
+(4) Insufficient surveillance;
+(5) Insufficient air-conditioning;
+(6) Fire and smoke;
+(7) Water;
+(8) Power failure; and
+(9) Air ventilation and filtration.','Substantial', 'ORGANIZATIONAL' ,26),
+(242,'PS-05.2S','PS-05.2S','For data centres, these requirements shall be based on criteria which comply with established rules of technology.','Substantial', 'ORGANIZATIONAL' ,26),
+(243,'PS-05.3S','PS-05.3S','The CSP shall provide the cloud service from at least two locations that are separated by an adequate distance and that provide each other with operational redundancy or resilience.','Substantial', 'ORGANIZATIONAL' ,26),
+(244,'PS-05.4S','PS-05.4S','The CSP shall check the effectiveness of the redundancy at least once a year by suitable tests and exercises (cf. BCM-04).','Substantial', 'ORGANIZATIONAL' ,26),
+(245,'PS-05.1H','PS-05.1H','The CSP shall define and implement a set of requirements related to external and environmental threats in a policy according to ISP-02, addressing the following risks in accordance with the applicable legal and contractual requirements:
+(1) Faults in planning;
+(2) Unauthorised access;
+(3) Force majeure, including epidemiological risks;
+(4) Insufficient surveillance;
+(5) Insufficient air-conditioning;
+(6) Fire and smoke;
+(7) Water;
+(8) Power failure; and
+(9) Air ventilation and filtration.','High', 'ORGANIZATIONAL' ,26),
+(246,'PS-05.2H','PS-05.2H','For datacentres, these requirements shall be based on criteria which comply with established rules of technology, and shall at least include:
+(1) time constraints for self-sufficient operation in the event of exceptional events and maximum tolerable utility downtime;
+(2) tests of physical protection and detection equipment, to be performed at least annually.','High', 'ORGANIZATIONAL' ,26),
+(247,'PS-05.3H','PS-05.3H','The CSP shall provide the cloud service from at least two locations that are separated by an adequate distance and that provide each other with operational redundancy or resilience.','High', 'ORGANIZATIONAL' ,26),
+(248,'PS-05.4H','PS-05.4H','The CSP shall check the effectiveness of the redundancy at least once a year by suitable tests and exercises (cf. BCM-04).','High', 'ORGANIZATIONAL' ,26),
+
+(249,'OPS-01.1B','OPS-01.1B','The CSP shall define and implement procedures to plan for capacities and resources (personnel and IT resources), which shall include forecasting future capacity requirements in order to identify usage trends and manage system overload.','Basic', 'ORGANIZATIONAL' ,27),
+(250,'OPS-01.2B','OPS-01.2B','The CSP shall meet the requirements included in contractual agreements with CSCs regarding the provision of the cloud service in case of capacity bottlenecks or personnel and IT resources outages.','Basic', 'ORGANIZATIONAL' ,27),
+(251,'OPS-01.1S','OPS-01.1S','The CSP shall define and implement procedures to plan for capacities and resources (personnel and IT resources), which shall include forecasting future capacity requirements in order to identify usage trends and manage system overload.','Substantial', 'ORGANIZATIONAL' ,27),
+(252,'OPS-01.2S','OPS-01.2S','The CSP shall meet the requirements included in contractual agreements with CSCs regarding the provision of the cloud service in case of capacity bottlenecks or personnel and IT resources outages.','Substantial', 'ORGANIZATIONAL' ,27),
+(253,'OPS-01.1H','OPS-01.1H','The CSP shall define and implement procedures to plan for capacities and resources (personnel and IT resources), which shall include forecasting future capacity requirements in order to identify usage trends and manage system overload.','High', 'ORGANIZATIONAL' ,27),
+(254,'OPS-01.2H','OPS-01.2H','The CSP shall meet the requirements included in contractual agreements with CSCs regarding the provision of the cloud service in case of capacity bottlenecks or personnel and IT resources outages.','High', 'ORGANIZATIONAL' ,27),
+(255,'OPS-01.3H','OPS-01.3H','The capacity projections shall be considered in accordance with the service level agreement for planning and preparing the provisioning.','High', 'ORGANIZATIONAL' ,28),
+(256,'OPS-02.1B','OPS-02.1B','The CSP shall document and implement technical and organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement.','Basic', 'ORGANIZATIONAL' ,28),
+(257,'OPS-02.1S','OPS-02.1S','The CSP shall document and implement technical and organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement.','Substantial', 'ORGANIZATIONAL' ,28),
+(258,'OPS-02.1H','OPS-02.1H','The CSP shall define and implement technical and organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement. ','High', 'ORGANIZATIONAL' ,28),
+(259,'OPS-02.2H','OPS-02.2H','The provisioning and de-provisioning of cloud services shall be automatically monitored to guarantee fulfilment of these safeguards.','High', 'ORGANIZATIONAL' ,28),
+(260,'OPS-02.3H','OPS-02.3H','The CSP shall make available to the CSC the relevant information regarding capacity and availability on a self-service portal.','High', 'ORGANIZATIONAL' ,28),
+(261,'OPS-03.1B','OPS-03.1B','The CSP shall enable CSCs to control and monitor the allocation of the system resources assigned to them, if the corresponding cloud capabilities are exposed to the CSCs.','Basic', 'ORGANIZATIONAL' ,29),
+(262,'OPS-03.1S','OPS-03.1S','The CSP shall enable CSCs to control and monitor the allocation of the system resources assigned to them, if the corresponding cloud capabilities are exposed to the CSCs.','Substantial', 'ORGANIZATIONAL' ,29),
+(263,'OPS-03.1H','OPS-03.1H','The CSP shall enable CSCs to control and monitor the allocation of the system resources assigned to them, if the corresponding cloud capabilities are exposed to the CSCs.','High', 'ORGANIZATIONAL' ,29),
+(264,'OPS-04.1B','OPS-04.1B','The CSP shall define and implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering at least the following aspects:
+(1) Use of system-specific protection mechanisms;
+(2) Operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment; and
+(3) Operation of protection programs for employees’ terminal equipment','Basic', 'ORGANIZATIONAL' ,30),
+(265,'OPS-04.1S','OPS-04.1S','The CSP shall define and implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering at least the following aspects:
+(1) Use of system-specific protection mechanisms;
+(2) Operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment; and
+(3) Operation of protection programs for employees’ terminal equipment','Substantial', 'ORGANIZATIONAL' ,30),
+(266,'OPS-04.2S','OPS-04.2S','The CSP shall create regular reports on the malware checks performed, which shall be assessed and analysed in the reviews of the policies related to malware.','Substantial', 'ORGANIZATIONAL' ,30),
+(267,'OPS-04.3S','OPS-04.3S','The CSP shall update the anti-malware products according to established policies and procedures ensuring a timely update.','Substantial', 'ORGANIZATIONAL' ,30),
+(268,'OPS-04.1H','OPS-04.1H','The CSP shall define and implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering at least the following aspects:
+(1) Use of system-specific protection mechanisms;
+(2) Operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment; and
+(3) Operation of protection programs for employees’ terminal equipment','High', 'ORGANIZATIONAL' ,30),
+(269,'OPS-04.2H','OPS-04.2H','The CSP shall create regular reports on the malware checks performed, which shall be assessed and analysed in the reviews of the policies related to malware.','High', 'ORGANIZATIONAL' ,30),
+(270,'OPS-04.3H','OPS-04.3H','The CSP shall update the anti-malware products according to established policies and procedures ensuring a timely update at the highest appropriate frequency consistent with the risk assessment.','High', 'ORGANIZATIONAL' ,30),
+(271,'OPS-05.1B','OPS-05.1B','The CSP shall deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment, according to policies and procedures.','Basic', 'ORGANIZATIONAL' ,31),
+(272,'OPS-05.1S','OPS-05.1S','The CSP shall deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment, according to policies and procedures.','Substantial', 'ORGANIZATIONAL' ,31),
+(273,'OPS-05.2S','OPS-05.2S','Signature-based and behaviour-based malware protection tools shall be updated at least daily.','Substantial', 'ORGANIZATIONAL' ,31),
+(274,'OPS-05.1H','OPS-05.1H','The CSP shall deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment, according to policies and procedures.','High', 'ORGANIZATIONAL' ,31),
+(275,'OPS-05.2H','OPS-05.2H','Signature-based and behaviour-based malware protection tools shall be updated at least daily.','High', 'ORGANIZATIONAL' ,31),
+(276,'OPS-05.3H','OPS-05.3H','The CSP shall automatically monitor the systems covered by the malware protection and the configuration of the corresponding mechanisms to guarantee fulfilment of above requirements, and the antimalware scans to track detected malware or irregularities.','High', 'ORGANIZATIONAL' ,31),
+(277,'OPS-06.1B','OPS-06.1B','The CSP shall document, communicate and implement policies and procedures according to ISP-02 for data backup and recovery.','Basic', 'ORGANIZATIONAL' ,32),
+(278,'OPS-06.1S','OPS-06.1S','The CSP shall define and implement policies and procedures according to ISP-02 for data backup and recovery, covering at least the following aspects:
+(1)The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the CSCs and the CSP’s operational continuity requirements for recovery time objective (RTO) and recovery point objective (RPO);
+(2) How data is backed up in encrypted, state-of-the-art form;
+(3) How backup data is stored, moved, managed, and disposed of;
+(4) How a CSC-initiated recovery or recovery test is performed;
+(5) Restricted access to the backed-up data and the execution of restores only by authorised persons; and
+(6) Tests of recovery procedures (cf. OPS-08).','Substantial', 'ORGANIZATIONAL' ,32),
+(279,'OPS-06.1H','OPS-06.1H','The CSP shall define and implement policies and procedures according to ISP-02 for data backup and recovery, covering at least the following aspects:
+(1)The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the CSCs and the CSP’s operational continuity requirements for recovery time objective (RTO) and recovery point objective (RPO);
+(2) How data is backed up in encrypted, state-of-the-art form;
+(3) How backup data is stored, moved, managed, and disposed of;
+(4) How a CSC-initiated recovery or recovery test is performed;
+(5) Restricted access to the backed-up data and the execution of restores only by authorised persons; and
+(6) Tests of recovery procedures (cf. OPS-08).','High', 'ORGANIZATIONAL' ,32),
+(280,'OPS-07.1B','OPS-07.1B','The CSP shall document and implement technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS-06.','Basic', 'ORGANIZATIONAL' ,33),
+(281,'OPS-07.1S','OPS-07.1S','The CSP shall document and implement technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS-06.','Substantial', 'ORGANIZATIONAL' ,33),
+(282,'OPS-07.1H','OPS-07.1H','The CSP shall document and implement technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS-06.','High', 'ORGANIZATIONAL' ,33),
+(283,'OPS-07.2H','OPS-07.2H','In order to check the proper application of these measures, the CSP shall automatically monitor the execution of data backups, and make available to the CSCs a service portal for monitoring the execution of backups when the CSC uses backup services with the CSP.','High', 'ORGANIZATIONAL' ,33),
+(284,'OPS-08.1B','OPS-08.1B','The CSP shall test the restore procedures at least annually.','Basic', 'ORGANIZATIONAL' ,34),
+(285,'OPS-08.2B','OPS-08.2B','The CSP shall not use CSC data, but only data in test accounts controlled by CSP staff for testing purposes.','Basic', 'ORGANIZATIONAL' ,34),
+(286,'OPS-08.1S','OPS-08.1S','The CSP shall test the restore procedures at least annually, including tests assessing if the specifications for the RTO and RPO agreed with the CSCs are met ','Substantial', 'ORGANIZATIONAL' ,34),
+(287,'OPS-08.2S','OPS-08.2S','The CSP shall not use CSC data, but only data in test accounts controlled by CSP staff for testing purposes.','Substantial', 'ORGANIZATIONAL' ,34),
+(288,'OPS-08.3S','OPS-08.3S','The CSP shall thoroughly document restore tests, including the safe disposal of restored data.','Substantial', 'ORGANIZATIONAL' ,34),
+(289,'OPS-08.4S','OPS-08.4S','Any deviation from the specification during the restore test shall be reported to the CSP''s responsible person for assessment and remediation.','Substantial', 'ORGANIZATIONAL' ,34),
+(290,'OPS-08.1H','OPS-08.1H','The CSP shall test the restore procedures at least annually, embedded in the CSP''s business continuity management, including tests assessing if the specifications for the RTO and RPO agreed with the customers are met ','High', 'ORGANIZATIONAL' ,34),
+(291,'OPS-08.2H','OPS-08.2H','The CSP shall not use CSC data, but only data in test accounts controlled by CSP staff for testing purposes.','High', 'ORGANIZATIONAL' ,34),
+(292,'OPS-08.3H','OPS-08.3H','The CSP shall thoroughly document restore tests, including the safe disposal of restored data.','High', 'ORGANIZATIONAL' ,34),
+(293,'OPS-08.4H','OPS-08.4H','Any deviation from the specification during the restore test shall be reported to the CSP''s responsible person for assessment and remediation.','High', 'ORGANIZATIONAL' ,34),
+(294,'OPS-08.5H','OPS-08.5H','The CSP shall inform CSCs, at their request, of the results of the recovery tests.','High', 'ORGANIZATIONAL' ,34),
+(295,'OPS-09.1B','OPS-09.1B','The CSP shall transfer backup data to a remote location or transport them on backup media to a remote location.','Basic', 'ORGANIZATIONAL' ,35),
+(296,'OPS-09.2B','OPS-09.2B','When the backup data is transmitted to a remote location via a network, the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art (cf. CKM-02).','Basic', 'ORGANIZATIONAL' ,35),
+(297,'OPS-09.1S','OPS-09.1S','The CSP shall transfer backup data to a remote location or transport them on backup media to a remote location, selected upon criteria of distance, recovery times and impact of disasters on backup and main sites','Substantial', 'ORGANIZATIONAL' ,35),
+(298,'OPS-09.2S','OPS-09.2S','When the backup data is transmitted to a remote location via a network, the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art (cf. CKM-02).','Substantial', 'ORGANIZATIONAL' ,35),
+(299,'OPS-09.3S','OPS-09.3S','The data classification of the original data is applied automatically to backups.','Substantial', 'ORGANIZATIONAL' ,35),
+(300,'OPS-09.4S','OPS-09.4S','The security measures at the remote site shall have at least the same level as at the main site.','Substantial', 'ORGANIZATIONAL' ,35),
+(301,'OPS-09.1H','OPS-09.1H','The CSP shall transfer backup data to a remote location or transport them on backup media to a remote location, selected upon criteria of distance, recovery times and impact of disasters on backup and main sites.','High', 'ORGANIZATIONAL' ,35),
+(302,'OPS-09.2H','OPS-09.2H','When the backup data is transmitted to a remote location via a network, the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art (cf. CKM-02), and shall be automatically monitored by the CSP to verify the execution of the backup.','High', 'ORGANIZATIONAL' ,35),
+(303,'OPS-09.3H','OPS-09.3H','The data classification of the original data is applied automatically to backups.','High', 'ORGANIZATIONAL' ,35),
+(304,'OPS-09.4H','OPS-09.4H','The security measures at the remote site shall have at least the same level as at the main site.','High', 'ORGANIZATIONAL' ,35),
+(305,'OPS-10.1B','OPS-10.1B','The CSP shall define and implement policies and procedures according to ISP-02 that govern the logging and monitoring of events on system components under its responsibility.','Basic', 'ORGANIZATIONAL' ,36),
+(306,'OPS-10.1S','OPS-10.1S','The CSP shall define and implement policies and procedures according to ISP-02 that govern the logging and monitoring of events on system components under its responsibility, covering at least the following aspects:
+(1) Definition of events that could lead to a violation of the protection goals;
+(2) Specifications for activating, stopping and pausing the various logs;
+(3) Information regarding the purpose and retention period of the logs;
+(4) Definition of roles and responsibilities for setting up and monitoring logging;
+(5) Definition of log data that may be transferred to CSCs and technical requirements of such log forwarding;
+(6) Information about timestamps in event creation;
+(7) Time synchronisation of system components; and
+(8) Compliance with legal and regulatory frameworks.','Substantial', 'ORGANIZATIONAL' ,36),
+(307,'OPS-10.1H','OPS-10.1H','The CSP shall define and implement policies and procedures according to ISP-02 that govern the logging and monitoring of events on system components under its responsibility, covering at least the following aspects:
+(1) Definition of events that could lead to a violation of the protection goals;
+(2) Specifications for activating, stopping and pausing the various logs;
+(3) Information regarding the purpose and retention period of the logs;
+(4) Definition of roles and responsibilities for setting up and monitoring logging;
+(5) Definition of log data that may be transferred to CSCs and technical requirements of such log forwarding;
+(6) Information about timestamps in event creation;
+(7) Time synchronisation of system components; and
+(8) Compliance with legal and regulatory frameworks.','High', 'ORGANIZATIONAL' ,36),
+(308,'OPS-11.1B','OPS-11.1B','The CSP shall define and implement policies and procedures according to ISP-02 that govern the secure handling of cloud service derived data.','Basic', 'ORGANIZATIONAL' ,37),
+(309,'OPS-11.1S','OPS-11.1S','The CSP shall define and implement policies and procedures according to ISP-02 that govern the secure handling of cloud service derived data, covering at least the following aspects:
+(1) Purpose for the collection and use of cloud service derived data beyond the operation of the cloud service, including purposes related to the implementation of security controls;
+(2) In the contexts that go beyond a single CSC, anonymisation of the data, or failing that deidentification of the data, should be used wherever feasible;
+(3) Period of storage reasonably related to the purposes of the collection;
+(4) Guarantees of deletion when the purposes of the collection are fulfilled and further storage is no longer necessary; and
+(5) As defined in contractual agreements, the provision of the specified cloud service derived data to CSCs, in accordance with regulatory requirements.','Substantial', 'ORGANIZATIONAL' ,37),
+(310,'OPS-11.2S','OPS-11.2S','The CSP shall list in the contractual agreement with the CSC all purposes for the collection of use of cloud service derived data that are not related to the implementation of security controls or to billing.','Substantial', 'ORGANIZATIONAL' ,37),
+(311,'OPS-11.1H','OPS-11.1H','The CSP shall define and implement policies and procedures according to ISP-02 that govern the secure handling of cloud service derived data, covering at least the following aspects:
+(1) Purpose for the collection and use of cloud service derived data beyond the operation of the cloud service, including purposes related to the implementation of security controls;
+(2) In the contexts that go beyond a single CSC, anonymisation of the data, or failing that deidentification of the data, should be used wherever feasible;
+(3) Period of storage reasonably related to the purposes of the collection;
+(4) Guarantees of deletion when the purposes of the collection are fulfilled and further storage is no longer necessary; and
+(5) As defined in contractual agreements, the provision of the specified cloud service derived data to CSCs, in accordance with regulatory requirements.','High', 'ORGANIZATIONAL' ,37),
+(312,'OPS-11.2H','OPS-11.2H','The CSP shall list in the contractual agreement with the CSC all purposes for the collection of use of cloud service derived data that are not related to the implementation of security controls or to billing.','High', 'ORGANIZATIONAL' ,37),
+(313,'OPS-11.3H','OPS-11.3H','Cloud service derived data, including log data, shall be taken into consideration in regulatory compliance assessments.','High', 'ORGANIZATIONAL' ,37),
+(314,'OPS-12.1B','OPS-12.1B','The CSP shall monitor log data in order to identify security events that might lead to security incidents, in accordance with the logging and monitoring requirements, and the identified events shall be reported to the appropriate departments for timely assessment and remediation.','Basic', 'ORGANIZATIONAL' ,38),
+(315,'OPS-12.1S','OPS-12.1S','The CSP shall automatically monitor log data in order to identify security events that might lead to security incidents, in accordance with the logging and monitoring requirements, and the identified events shall be reported to the appropriate departments for timely assessment and remediation.','Substantial', 'ORGANIZATIONAL' ,38),
+(316,'OPS-12.1H','OPS-12.1H','The CSP shall automatically monitor log data in order to identify security events that might lead to security incidents, in accordance with the logging and monitoring requirements, and the identified events shall be reported to the appropriate departments for timely assessment and remediation.','High', 'ORGANIZATIONAL' ,38),
+(317,'OPS-12.2H','OPS-12.2H','The CSP shall automatically monitor that event detection processes operate as intended on appropriate assets as identified in the asset classification catalogue (cf AM-05-1H).','High', 'ORGANIZATIONAL' ,38),
+(318,'OPS-13.1B','OPS-13.1B','The CSP shall store all log data in an integrity-protected and aggregated form that allow its evaluation.','Basic', 'ORGANIZATIONAL' ,39),
+(319,'OPS-13.2B','OPS-13.2B','The communication between the assets to be logged and the logging servers shall be authenticated and protected in integrity and confidentiality whenever possible.','Basic', 'ORGANIZATIONAL' ,39),
+(320,'OPS-13.3B','OPS-13.3B','Log data shall be deleted when no longer required for the purpose for which it was collected.','Basic', 'ORGANIZATIONAL' ,39),
+(321,'OPS-13.1S','OPS-13.1S','The CSP shall store all log data in an integrity-protected and aggregated form that allow its evaluation.','Substantial', 'ORGANIZATIONAL' ,39),
+(322,'OPS-13.2S','OPS-13.2S','The communication between the assets to be logged and the logging servers shall be authenticated, encrypted using state-of-the-art encryption and, when encryption is not feasible, shall be accessible only by authorised personnel.','Substantial', 'ORGANIZATIONAL' ,39),
+(323,'OPS-13.3S','OPS-13.3S','Log data shall be deleted when no longer required for the purpose for which it was collected.','Substantial', 'ORGANIZATIONAL' ,39),
+(324,'OPS-13.4S','OPS-13.4S','The CSP shall implement technically supported procedures to fulfil requirements for log data access, storage and deletion restrictions, including access only for authorized users and systems and the enforcement of data retention periods.','Substantial', 'ORGANIZATIONAL' ,39),
+(325,'OPS-13.5S','OPS-13.5S','The CSP shall provide CSCs, upon request, access to customer specific logging through an API. The logging shall comply with the CSP’s protection requirements, including logical or physical separation of log and customer data.','Substantial', 'ORGANIZATIONAL' ,39),
+(326,'OPS-13.1H','OPS-13.1H','The CSP shall store all log data in an integrity-protected and aggregated form that allow its centralized evaluation, and shall automatically monitor the aggregation and deletion of logging and monitoring data.','High', 'ORGANIZATIONAL' ,39),
+(327,'OPS-13.2H','OPS-13.2H','The communication between the assets to be logged and the logging servers shall be authenticated, encrypted using state-of-the-art encryption and, when encryption is not feasible, shall be accessible only by authorised personnel.','High', 'ORGANIZATIONAL' ,39),
+(328,'OPS-13.3H','OPS-13.3H','Log data shall be deleted when it is no longer required for the purpose for which they were collected.','High', 'ORGANIZATIONAL' ,39),
+(329,'OPS-13.4H','OPS-13.4H','The CSP shall implement technically supported procedures to fulfil requirements for log data access, storage and deletion restrictions, including access only for authorized users and systems and the enforcement of data retention periods.','High', 'ORGANIZATIONAL' ,39),
+(330,'OPS-13.5H','OPS-13.5H','The CSP shall provide CSCs, upon request, access to customer specific logging through an API. The logging shall comply with the CSP’s protection requirements, including logical or physical separation of log and customer data.','High', 'ORGANIZATIONAL' ,39),
+(331,'OPS-14.1B','OPS-14.1B','The log data generated allows an unambiguous identification of user accesses at the CSC level to support analysis during and following a security incident.','Basic', 'ORGANIZATIONAL' ,40),
+(332,'OPS-14.1S','OPS-14.1S','The log data generated allows an unambiguous identification of user accesses at the CSC level to support analysis during and following a security incident.','Substantial', 'ORGANIZATIONAL' ,40),
+(333,'OPS-14.2S','OPS-14.2S','The CSP shall make available interfaces to enable CSCs to conduct forensic analysis and perform backups related to their usage of the systems.','Substantial', 'ORGANIZATIONAL' ,40),
+(334,'OPS-14.1H','OPS-14.1H','The log data generated allows an unambiguous identification of user accesses at the CSC level to support analysis during and following a security incident.','High', 'ORGANIZATIONAL' ,40),
+(335,'OPS-14.2H','OPS-14.2H','The CSP shall make available interfaces to enable CSCs to conduct forensic analysis and perform backups related to their usage of the system.','High', 'ORGANIZATIONAL' ,40),
+(336,'OPS-14.3H','OPS-14.3H','In the context of an investigation of a security incident concerning a CSC, the CSP shall have the ability to provide to the CSC, log data relevant and limited to the CSCS’s use of the cloud service.','High', 'ORGANIZATIONAL' ,40),
+(337,'OPS-15.1B','OPS-15.1B','The CSP shall restrict access to system components under its responsibility, that are used for logging and monitoring, with strong authentication (for example multi-factor authentication).','Basic', 'ORGANIZATIONAL' ,41),
+(338,'OPS-15.2B','OPS-15.2B','Changes to the logging and monitoring configuration are made in accordance with applicable policies (cf. CCM-01).','Basic', 'ORGANIZATIONAL' ,41),
+(339,'OPS-15.1S','OPS-15.1S','The CSP shall restrict access to system components under its responsibility, that are used for logging and monitoring, with strong authentication (for example multi-factor authentication).','Substantial', 'ORGANIZATIONAL' ,41),
+(340,'OPS-15.2S','OPS-15.2S','Changes to the logging and monitoring configuration are made in accordance with applicable policies (cf. CCM-01).','Substantial', 'ORGANIZATIONAL' ,41),
+(341,'OPS-15.1H','OPS-15.1H','The CSP shall restrict access to system components under its responsibility, that are used for logging and monitoring, with strong authentication (for example multi-factor authentication).','High', 'ORGANIZATIONAL' ,41),
+(342,'OPS-15.2H','OPS-15.2H','Changes to the logging and monitoring configuration are made in accordance with applicable policies (cf. CCM-01).','High', 'ORGANIZATIONAL' ,41),
+(343,'OPS-16.1B','OPS-16.1B','The CSP shall monitor the system components for logging and monitoring under its responsibility, and shall automatically report failures to the responsible departments for assessment and remediation.','Basic', 'ORGANIZATIONAL' ,42),
+(344,'OPS-16.1S','OPS-16.1S','The CSP shall monitor the system components for logging and monitoring under its responsibility, and shall automatically report failures to the responsible departments for assessment and remediation.','Substantial', 'ORGANIZATIONAL' ,42),
+(345,'OPS-16.1H','OPS-16.1H','The CSP shall monitor the system components for logging and monitoring under its responsibility, and shall automatically report failures to the responsible departments for assessment and remediation.','High', 'ORGANIZATIONAL' ,42),
+(346,'OPS-16.2H','OPS-16.2H','The CSP shall design the system components for logging and monitoring in such a way that the overall functionality is not restricted if individual components fail.','High', 'ORGANIZATIONAL' ,42),
+(347,'OPS-17.1B','OPS-17.1B','The CSP shall define and implement, in accordance with ISP-02, policies and procedures, including technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service.','Basic', 'ORGANIZATIONAL' ,43),
+(348,'OPS-17.2B','OPS-17.2B','The CSP shall use a scoring system for the assessment of vulnerabilities that includes at least “critical” and “high” classes of vulnerabilities.','Basic', 'ORGANIZATIONAL' ,43),
+(349,'OPS-17.1S','OPS-17.1S','The CSP shall define and implement, in accordance with ISP-02, policies and procedures, including technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service, covering at least the following aspects:
+(1) Regular identification of vulnerabilities;
+(2) Assessment of the severity of identified vulnerabilities;
+(3) Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined case specific timelines; and
+(4) Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,43),
+(350,'OPS-17.2S','OPS-17.2S','The CSP shall use a scoring system for the assessment of vulnerabilities that includes at least “critical” and “high” classes of vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,43),
+(351,'OPS-17.3S','OPS-17.3S','The CSP shall mandate in its policies and procedures that “critical” vulnerabilities are to be immediately engaged after identification of the critical vulnerability, even outside the working day, and that work on “high” vulnerabilities must begin within one working day, with a regular follow-up of the vulnerability until it has been remediated.','Substantial', 'ORGANIZATIONAL' ,43),
+(352,'OPS-17.1H','OPS-17.1H','The CSP shall define and implement, in accordance with ISP-02, policies and procedures, including technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service, covering at least the following aspects:
+(1) Regular identification of vulnerabilities;
+(2) Assessment of the severity of identified vulnerabilities;
+(3) Prioritisation and implementation of actions to promptly remediate or mitigate identified vulnerabilities based on severity and according to defined case specific timelines; and
+(4) Handling of system components for which no measures are initiated for the timely remediation or mitigation of vulnerabilities.','High', 'ORGANIZATIONAL' ,43),
+(353,'OPS-17.2H','OPS-17.2H','The CSP shall use a scoring system for the assessment of vulnerabilities that includes at least “critical” and “high” classes of vulnerabilities.','High', 'ORGANIZATIONAL' ,43),
+(354,'OPS-17.3H','OPS-17.3H','The CSP shall mandate in its policies and procedures that “critical” vulnerabilities are to be immediately engaged after identification of the critical vulnerability, even outside the working day, and that work on “high” vulnerabilities must begin within one working day, with a regular follow-up of the vulnerability until it has been remediated.','High', 'ORGANIZATIONAL' ,43),
+(355,'OPS-17.4H','OPS-17.4H','The CSP, based on its asset inventory (cf. AM-01), shall identify vulnerabilities of components accessing CSC data or components critical to providing cloud service, and shall remediate as quickly as possible the vulnerabilities affecting these components, including those whose criticality has been assessed lower than “high” by the component vendor.','High', 'ORGANIZATIONAL' ,43),
+(356,'OPS-18.1B','OPS-18.1B','The CSP shall publish and maintain a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility.','Basic', 'ORGANIZATIONAL' ,44),
+(357,'OPS-18.2B','OPS-18.2B','The online register shall indicate at least the following information for every vulnerability:
+(1) A presentation of the vulnerability following an industry-accepted scoring system;
+(2) A description of the remediation options for that vulnerability;
+(3) Information on the availability of updates or patches for that vulnerability;
+(4) Information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC.','Basic', 'ORGANIZATIONAL' ,44),
+(358,'OPS-18.3B','OPS-18.3B','The CSP shall publish and maintain a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install, provide or operate under their own responsibility.','Basic', 'ORGANIZATIONAL' ,44),
+(359,'OPS-18.4B','OPS-18.4B','The CSP shall consult regularly the online registers published by its subservice providers and suppliers, analyse the potential impact of the published vulnerabilities on the cloud service, and handle them according to the vulnerability handling process (cf.OPS-17).','Basic', 'ORGANIZATIONAL' ,44),
+(360,'OPS-18.1S','OPS-18.1S','The CSP shall publish and maintain at least daily a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility.','Substantial', 'ORGANIZATIONAL' ,44),
+(361,'OPS-18.2S','OPS-18.2S','The online register shall indicate at least the following information for every vulnerability:
+(1) A presentation of the vulnerability following an industry-accepted scoring system;
+(2) A description of the remediation options for that vulnerability;
+(3) Information on the availability of updates or patches for that vulnerability;
+(4) Information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC.','Substantial', 'ORGANIZATIONAL' ,44),
+(362,'OPS-18.3S','OPS-18.3S','The CSP shall publish and maintain a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install, provide or operate under their own responsibility.','Substantial', 'ORGANIZATIONAL' ,44),
+(363,'OPS-18.4S','OPS-18.4S','The CSP shall consult at least daily the online registers published by its subservice providers and suppliers, analyse the potential impact of the published vulnerabilities on the cloud service, and handle them according to the vulnerability handling process (cf.OPS-17).','Substantial', 'ORGANIZATIONAL' ,44),
+(364,'OPS-18.5S','OPS-18.5S','The information contained in the online register shall include sufficient information to form a suitable basis for risk assessment and possible follow-up measures on the part of CSCs','Substantial', 'ORGANIZATIONAL' ,44),
+(365,'OPS-18.1H','OPS-18.1H','The CSP shall publish and maintain at least daily a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility.','High', 'ORGANIZATIONAL' ,44),
+(366,'OPS-18.2H','OPS-18.2H','The online register shall indicate at least the following information for every vulnerability:
+(1) A presentation of the vulnerability following an industry-accepted scoring system;
+(2) A description of the remediation options for that vulnerability;
+(3) Information on the availability of updates or patches for that vulnerability;
+(4) Information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC.','High', 'ORGANIZATIONAL' ,44),
+(367,'OPS-18.3H','OPS-18.3H','The CSP shall publish and maintain a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install, provide or operate under their own responsibility.','High', 'ORGANIZATIONAL' ,44),
+(368,'OPS-18.4H','OPS-18.4H','The CSP shall consult at least daily the online registers published by its subservice providers and suppliers, analyse the potential impact of the published vulnerabilities on the cloud service, and handle them according to the vulnerability handling process (cf.OPS-17).','High', 'ORGANIZATIONAL' ,44),
+(369,'OPS-18.5H','OPS-18.5H','The information contained in the online register shall include sufficient information to form a suitable basis for risk assessment and possible follow-up measures on the part of CSCs','High', 'ORGANIZATIONAL' ,44),
+(370,'OPS-18.6H','OPS-18.6H','The CSP shall provide and promote, where appropriate, automatic update mechanisms for the assets provided by the CSP that the CSCs have to install or operate under their own responsibility, to ease the rollout of patches and updates after an initial approval from the CSC.','High', 'ORGANIZATIONAL' ,44),
+(371,'OPS-19.1B','OPS-19.1B','The CSP shall perform on a regular basis tests to detect publicly known vulnerabilities on the system components used to provide the cloud service, in accordance with policies for handling vulnerabilities (cf. OPS-17).','Basic', 'ORGANIZATIONAL' ,45),
+(372,'OPS-19.1S','OPS-19.1S','The CSP shall perform at least monthly  tests to detect publicly known vulnerabilities on the system components used to provide the cloud service, in accordance with policies for handling vulnerabilities (cf. OPS-17).','Substantial', 'ORGANIZATIONAL' ,45),
+(373,'OPS-19.2S','OPS-19.2S','The CSP shall have penetration tests carried out by qualified employees or external service providers, according to a documented test methodology and including in their scope the system components relevant to the provision of the cloud service in the area of responsibility of the CSP, as identified in a risk assessment.','Substantial', 'ORGANIZATIONAL' ,45),
+(374,'OPS-19.3S','OPS-19.3S','The CSP shall perform such penetration tests at least annually, and in case of significant changes to the cloud service.','Substantial', 'ORGANIZATIONAL' ,45),
+(375,'OPS-19.4S','OPS-19.4S','The CSP shall assess the penetration test findings and handle each identified vulnerability according to defined policies and procedures (cf. OPS-18).','Substantial', 'ORGANIZATIONAL' ,45),
+(376,'OPS-19.5S','OPS-19.5S','The CSP shall perform a root cause analysis on the vulnerabilities discovered through penetration testing in order to assess to which extent similar vulnerabilities may be present in the cloud system.','Substantial', 'ORGANIZATIONAL' ,45),
+(377,'OPS-19.6S','OPS-19.6S','The CSP shall correlate the possible exploits of discovered vulnerabilities with previous security incidents to identify if the vulnerability may have been exploited before its discovery.','Substantial', 'ORGANIZATIONAL' ,45),
+(378,'OPS-19.1H','OPS-19.1H','The CSP shall perform at least monthly tests to detect publicly known vulnerabilities on the system components used to provide the cloud service, in accordance with policies for handling vulnerabilities (cf. OPS-17).','High', 'ORGANIZATIONAL' ,45),
+(379,'OPS-19.2H','OPS-19.2H','The CSP shall perform a threat and vulnerability analysis, including in its scope the system components relevant to the provision of the cloud service in the area of responsibility of the CSP, based on reviews of the architecture and configuration of these system components, and of the CSP’s source code, and on the performance of penetration tests by a qualified and independent team, including employees and external service providers, according to a documented test methodology.','High', 'ORGANIZATIONAL' ,45),
+(380,'OPS-19.3H','OPS-19.3H','The CSP shall review this threat and vulnerability analysis at least annually, and in case of significant changes to the cloud service, including the performance of reviews and penetration tests on system components, as deemed necessary.','High', 'ORGANIZATIONAL' ,45),
+(381,'OPS-19.4H','OPS-19.4H','The CSP shall assess the findings from the threat and vulnerability analysis and handle each identified vulnerability according to defined policies and procedures (cf. OPS-18).','High', 'ORGANIZATIONAL' ,45),
+(382,'OPS-19.5H','OPS-19.5H','The CSP shall perform a root cause analysis on the vulnerabilities discovered during the threat and vulnerability analysis in order to assess to which extent similar vulnerabilities may be present in the cloud service.','High', 'ORGANIZATIONAL' ,45),
+(383,'OPS-19.6H','OPS-19.6H','The CSP shall correlate the possible exploits of discovered vulnerabilities with previous security incidents to identify if the vulnerability may have been exploited before its discovery.','High', 'ORGANIZATIONAL' ,45),
+(384,'OPS-19.7H','OPS-19.7H','The CSP shall plan the activities of the threat and vulnerability analysis, including system component reviews and penetration testing, in a multi-annual work programme.','High', 'ORGANIZATIONAL' ,45),
+(385,'OPS-20.1B','OPS-20.1B','The CSP shall regularly measure, analyse and assess the procedures with which vulnerabilities and security incidents are handled to verify their continued suitability, appropriateness and effectiveness.','Basic', 'ORGANIZATIONAL' ,46),
+(386,'OPS-20.1S','OPS-20.1S','The CSP shall regularly measure, analyse and assess the procedures with which vulnerabilities and security incidents are handled to verify their continued suitability, appropriateness and effectiveness.','Substantial', 'ORGANIZATIONAL' ,46),
+(387,'OPS-20.2S','OPS-20.2S','The CSP shall organize a quarterly review of the results of this assessment by accountable departments to initiate continuous improvement actions and verify their effectiveness.','Substantial', 'ORGANIZATIONAL' ,46),
+(388,'OPS-20.1H','OPS-20.1H','The CSP shall regularly measure, analyse and assess the procedures with which vulnerabilities and security incidents are handled to verify their continued suitability, appropriateness and effectiveness.','High', 'ORGANIZATIONAL' ,46),
+(389,'OPS-20.2H','OPS-20.2H','The CSP shall organize a quarterly review of the results of this assessment by accountable departments to initiate continuous improvement actions and verify their effectiveness.','High', 'ORGANIZATIONAL' ,46),
+(390,'OPS-21.1B','OPS-21.1B','The CSP shall harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards.','Basic', 'ORGANIZATIONAL' ,47),
+(391,'OPS-21.2B','OPS-21.2B','The hardening requirements for each system component shall be documented.','Basic', 'ORGANIZATIONAL' ,47),
+(392,'OPS-21.1S','OPS-21.1S','The CSP shall harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards.','Substantial', 'ORGANIZATIONAL' ,47),
+(393,'OPS-21.2S','OPS-21.2S','The hardening requirements for each system component shall be documented.','Substantial', 'ORGANIZATIONAL' ,47),
+(394,'OPS-21.1H','OPS-21.1H','The CSP shall harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards, and automatically monitor these system components for conformity with hardening requirements.','High', 'ORGANIZATIONAL' ,47),
+(395,'OPS-21.2H','OPS-21.2H','The hardening requirements for each system component shall be documented.','High', 'ORGANIZATIONAL' ,47),
+(396,'OPS-22.1B','OPS-22.1B','The CSP shall segregate from other CSCs the data stored and processed on shared virtual and physical resources on behalf of a CSC to ensure the confidentiality and integrity of this data.','Basic', 'ORGANIZATIONAL' ,48),
+(397,'OPS-22.1S','OPS-22.1S','The CSP shall segregate the CSC data stored and processed on shared virtual and physical resources to ensure the confidentiality and integrity of this data, according to the results of a risk assessment (cf. RM-01) and following policies on cryptography (cf. CKM-01) when relevant.','Substantial', 'ORGANIZATIONAL' ,48),
+(398,'OPS-22.1H','OPS-22.1H','The CSP shall segregate the CSC data stored and processed on shared virtual and physical resources to ensure the confidentiality and integrity of this data, according to the results of a risk assessment (cf. RM-01) and following policies on cryptography (cf. CKM-01) when relevant.','High', 'ORGANIZATIONAL' ,48),
+
+(399,'IAM-01.1B','IAM-01.1B','The CSP shall define role and rights policies and procedures for controlling access to information resources, according to ISP-02 and based on the business and security requirements of the CSP, in which at least the following aspects are covered:
+(1) Parameters to be considered for making access control decisions;
+(2) Granting and modifying access rights based on the “least-privilege” principle and on the “need to-know” principle;
+(3) Segregation of duties between managing, approving and assigning access rights;
+(4) Dedicated rules for users with privileged access;
+(5) Requirements for the approval and documentation of the management of access rights.','Basic', 'ORGANIZATIONAL' ,49),
+(400,'IAM-01.2B','IAM-01.2B','The CSP shall link the access control policy defined in IAM-01.1 with the physical access control policy defined in PS-02.1, to guarantee that the access to the premises where information is located is also controlled.','Basic', 'ORGANIZATIONAL' ,49),
+(401,'IAM-01.1S','IAM-01.1S','The CSP shall define role and rights policies and procedures for controlling access to information resources, according to ISP-02 and based on role-based access control and based on the business and security requirements of the CSP, in which at least the following aspects are covered:
+(1) Parameters to be considered for making access control decisions;
+(2) Granting and modifying access rights based on the “least-privilege” principle and on the “need to-know” principle;
+(3) Use of a role-based mechanism for the assignment of access rights;
+(4) Segregation of duties between managing, approving and assigning access rights;
+(5) Dedicated rules for users with privileged access;
+(6) Requirements for the approval and documentation of the management of access rights.','Substantial', 'ORGANIZATIONAL' ,49),
+(402,'IAM-01.2S','IAM-01.2S','The CSP shall link the access control policy defined in IAM-01.1 with the physical access control policy defined in PS-02.1, to guarantee that the access to the premises where information is located is also controlled.','Substantial', 'ORGANIZATIONAL' ,49),
+(403,'IAM-01.1H','IAM-01.1H','The CSP shall define role and rights policies and procedures for controlling access to information resources, according to ISP-02 and based on role-based access control and based on the business and security requirements of the CSP, in which at least the following aspects are covered:
+(1) Parameters to be considered for making access control decisions;
+(2) Granting and modifying access rights based on the “least-privilege” principle and on the “need to-know” principle;
+(3) Use of a role-based mechanism for the assignment of access rights;
+(4) Segregation of duties between managing, approving and assigning access rights;
+(5) Dedicated rules for users with privileged access;
+(6) Requirements for the approval and documentation of the management of access rights.','High', 'ORGANIZATIONAL' ,49),
+(404,'IAM-01.2H','IAM-01.2H','The CSP shall link the access control policy defined in IAM-01.1 with the physical access control policy defined in PS-02.1, to guarantee that the access to the premises where information is located is also controlled.','High', 'ORGANIZATIONAL' ,49),
+(405,'IAM-01.3H','IAM-01.3H','The CSP shall document any potential conflicts between access rights, for segregation of duties or other reasons, and enforce that these conflicts of access rights do not occur.','High', 'ORGANIZATIONAL' ,49),
+(406,'IAM-02.1B','IAM-02.1B','The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:
+(1) Parameters to be considered for making access control decisions;
+(2) Assignment of unique usernames;
+(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;
+(4) Events and periods of inactivity leading to blocking and revoking accounts.','Basic', 'ORGANIZATIONAL' ,50),
+(407,'IAM-02.2B','IAM-02.2B','The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Basic', 'ORGANIZATIONAL' ,50),
+(408,'IAM-02.3B','IAM-02.3B','The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Basic', 'ORGANIZATIONAL' ,50),
+(409,'IAM-02.4B','IAM-02.4B','The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Basic', 'ORGANIZATIONAL' ,50),
+(410,'IAM-02.5B','IAM-02.5B','The CSP shall be able to provide, for a given user account, whether it falls under the responsibility of the CSP or of the CSC, as well as the list of the access rights currently granted to that account','Basic', 'ORGANIZATIONAL' ,50),
+(411,'IAM-02.1S','IAM-02.1S','The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:
+(1) Parameters to be considered for making access control decisions;
+(2) Assignment of unique usernames;
+(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;
+(4) Events and periods of inactivity leading to blocking and revoking accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(412,'IAM-02.2S','IAM-02.2S','The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(413,'IAM-02.3S','IAM-02.3S','The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(414,'IAM-02.4S','IAM-02.4S','The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(415,'IAM-02.5S','IAM-02.5S','The CSP shall be able to provide, for a given user account, whether it falls under the responsibility of the CSP or of the CSC, as well as the list of the access rights currently granted to that account','Substantial', 'ORGANIZATIONAL' ,50),
+(416,'IAM-02.6S','IAM-02.6S','The CSP shall extend these policies for accounts under their responsibility with the following aspects:
+(1) Segregation of duties between managing, approving and assigning access rights to accounts;
+(2) Regular review of assigned accounts and associated access rights;
+(3) Blocking and revoking accounts in the event of inactivity or potential account compromise;
+(4) Requirements for the approval and documentation of the management of accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(417,'IAM-02.7S','IAM-02.7S','The CSP shall extend these policies for accounts under the responsibility of the CSCs with the following aspects:
+(1) Access control mechanisms available to CSCs;
+(2) Access control parameters that the CSC is allowed to configure.','Substantial', 'ORGANIZATIONAL' ,50),
+(418,'IAM-02.8S','IAM-02.8S','The CSP shall offer CSCs a self-service mechanism with which they can independently manage the accounts under their responsibility.','Substantial', 'ORGANIZATIONAL' ,50),
+(419,'IAM-02.1H','IAM-02.1H','The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:
+(1) Parameters to be considered for making access control decisions;
+(2) Assignment of unique usernames;
+(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;
+(4) Events and periods of inactivity leading to blocking and revoking accounts.','High', 'ORGANIZATIONAL' ,50),
+(420,'IAM-02.2H','IAM-02.2H','The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','High', 'ORGANIZATIONAL' ,50),
+(421,'IAM-02.3H','IAM-02.3H','The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','Substantial', 'ORGANIZATIONAL' ,50),
+(422,'IAM-02.4H','IAM-02.4H','The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.','High', 'ORGANIZATIONAL' ,50),
+(423,'IAM-02.5H','IAM-02.5H','The CSP shall be able to provide, for a given user account, whether it falls under the responsibility of the CSP or of the CSC, as well as the list of the access rights currently granted to that account','High', 'ORGANIZATIONAL' ,50),
+(424,'IAM-02.6H','IAM-02.6H','The CSP shall extend these policies for accounts under their responsibility with the following aspects:
+(1) Segregation of duties between managing, approving and assigning access rights to accounts;
+(2) Regular review of assigned accounts and associated access rights;
+(3) Blocking and revoking accounts in the event of inactivity or potential account compromise;
+(4) Requirements for the approval and documentation of the management of accounts.','High', 'ORGANIZATIONAL' ,50),
+(425,'IAM-02.7H','IAM-02.7H','The CSP shall extend these policies for accounts under the responsibility of the CSCs with the following aspects:
+(1) Access control mechanisms available to CSCs;
+(2) Access control parameters that the CSC is allowed to configure.','High', 'ORGANIZATIONAL' ,50),
+(426,'IAM-02.8H','IAM-02.8H','The CSP shall offer CSCs a self-service with which they can independently manage user accounts for all users under their responsibility.','High', 'ORGANIZATIONAL' ,50),
+(427,'IAM-03.1B','IAM-03.1B','The CSP shall document and implement an automated mechanism to block user accounts after a certain period of inactivity.','Basic', 'ORGANIZATIONAL' ,51),
+(428,'IAM-03.2B','IAM-03.2B','The CSP shall document and implement an automated mechanism to block accounts after a certain number of failed authentication attempts.','Basic', 'ORGANIZATIONAL' ,51),
+(429,'IAM-03.1S','IAM-03.1S','The CSP shall document and implement an automated mechanism to block user accounts after a certain period of inactivity, as defined in the policy of AIM-02. Such user accounts are:
+(1) Of employees of the CSP as well as for system components involved in automated authorisation processes; and
+(2) Associated with identities assigned to persons, identities assigned to non-human entities and identities assigned to multiple persons.','Substantial', 'ORGANIZATIONAL' ,51),
+(430,'IAM-03.2S','IAM-03.2S','The CSP shall document and implement an automated mechanism to block accounts after a certain number of failed authentication attempts, as defined in the policy of AIM-02, based on the risks of the accounts, associated access rights and authentication mechanisms.','Substantial', 'ORGANIZATIONAL' ,51),
+(431,'IAM-03.3S','IAM-03.3S','The CSP shall document and implement a process to monitor stolen and compromised credentials and lock any pending account for which an issue is identified, pending a review by an authorized person, and implement it on all user accounts to which privileged access rights are assigned.','Substantial', 'ORGANIZATIONAL' ,51),
+(432,'IAM-03.4S','IAM-03.4S','Approval from authorised personnel or system components is required to unlock accounts locked automatically.','Substantial', 'ORGANIZATIONAL' ,51),
+(433,'IAM-03.5S','IAM-03.5S','The CSP shall document and implement an automated mechanism to revoke accounts that have been blocked by another automatic mechanism after a certain period of inactivity, as defined in the policy of AIM-02 for user accounts.','Substantial', 'ORGANIZATIONAL' ,51),
+(434,'IAM-03.1H','IAM-03.1H','The CSP shall document and implement an automated mechanism to block user accounts after a certain period of inactivity, as defined in the policy of AIM-02, for user accounts, and automatically monitor its application. Such user accounts are:
+(1) Of employees of the CSP as well as for system components involved in automated authorisation processes; and
+(2) Associated with identities assigned to persons, identities assigned to non-human entities and identities assigned to multiple persons.','High', 'ORGANIZATIONAL' ,51),
+(435,'IAM-03.2H','IAM-03.2H','The CSP shall document and implement an automated mechanism to block accounts after a certain number of failed authentication attempts, as defined in the policy of AIM-02, based on the risks of the accounts, associated access rights and authentication mechanisms, and automatically monitor its application','High', 'ORGANIZATIONAL' ,51),
+(436,'IAM-03.3H','IAM-03.3H','The CSP shall document and implement a process to monitor stolen and compromised credentials and lock any pending user account for which an issue is identified, pending a review by an authorized person, and implement it on all user accounts.','High', 'ORGANIZATIONAL' ,51),
+(437,'IAM-03.4H','IAM-03.4H','Approval from authorised personnel or system components is required to unlock accounts locked automatically.','High', 'ORGANIZATIONAL' ,51),
+(438,'IAM-03.5H','IAM-03.5H','The CSP shall document and implement an automated mechanism to revoke accounts that have been blocked by another automatic mechanism after a certain period of inactivity, as defined in the policy of AIM-02 for user accounts, and automatically monitor its application.','High', 'ORGANIZATIONAL' ,51),
+(439,'IAM-03.6H','IAM-03.6H','The CSP shall automatically monitor the context of authentication attempts and flag suspicious events to authorized persons, as relevant.','High', 'ORGANIZATIONAL' ,51),
+(440,'IAM-04.1B','IAM-04.1B','The CSP shall document and implement procedures to grant, update, and revoke to an account under its responsibility access rights to resources of the information system of the cloud service, and these procedures shall be in conformity with the role and rights policies and with the policies for managing access rights.','Basic', 'ORGANIZATIONAL' ,52),
+(441,'IAM-04.2B','IAM-04.2B','The CSP shall document and implement a procedure to timely update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change.','Basic', 'ORGANIZATIONAL' ,52),
+(442,'IAM-04.1S','IAM-04.1S','The CSP shall document and implement procedures to grant, update, and revoke to an account under its responsibility access rights to resources of the information system of the cloud service, and these procedures shall be in conformity with the role and rights policies and with the policies for managing access rights.','Substantial', 'ORGANIZATIONAL' ,52),
+(443,'IAM-04.2S','IAM-04.2S','The CSP shall document and implement a procedure to update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change, within 48 hours of the role change for privileged access rights and within 14 days for other access rights.','Substantial', 'ORGANIZATIONAL' ,52),
+(444,'IAM-04.3S','IAM-04.3S','If the CSP defines emergency accounts to be used when the main authentication technology is not available, then the CSP shall define and enforce specific requirements related to these accounts.','Substantial', 'ORGANIZATIONAL' ,52),
+(445,'IAM-04.4S','IAM-04.4S','The CSP shall offer CSCs a self-service with which they can independently manage access rights for all accounts under their responsibility.','Substantial', 'ORGANIZATIONAL' ,52),
+(446,'IAM-04.1H','IAM-04.1H','The CSP shall document and implement procedures to grant, update, and revoke to an account under its responsibility access rights to resources of the information system of the cloud service, and these procedures shall be in conformity with the role and rights policies and with the policies for managing access rights.','High', 'ORGANIZATIONAL' ,52),
+(447,'IAM-04.2H','IAM-04.2H','The CSP shall document and implement a procedure to update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change, within 48 hours of the role change for privileged access rights and within 14 days for other access rights.','High', 'ORGANIZATIONAL' ,52),
+(448,'IAM-04.3H','IAM-04.3H','If the CSP defines emergency accounts to be used when the main authentication technology is not available, then the CSP shall define and enforce specific requirements related to these accounts.','High', 'ORGANIZATIONAL' ,52),
+(449,'IAM-04.4H','IAM-04.4H','The CSP shall offer CSCs a self-service with which they can independently manage access rights for all accounts under their responsibility.','High', 'ORGANIZATIONAL' ,52),
+(450,'IAM-04.5H','IAM-04.5H','The CSP shall document and implement a procedure to provide, for a given resource subject to access control the list of all the accounts that have access to it, whether they fall under the
+responsibility of the CSP or of a CSC, and for every such account the list of access rights currently granted to it.','High', 'ORGANIZATIONAL' ,52),
+(451,'IAM-04.6H','IAM-04.6H','The access right management procedures shall follow a dynamic approach.','High', 'ORGANIZATIONAL' ,52),
+(452,'IAM-05.1B','IAM-05.1B','The CSP shall review the access rights of all the accounts under its responsibility at least once a year to ensure that they still correspond to the current needs.','Basic', 'ORGANIZATIONAL' ,53),
+(453,'IAM-05.1S','IAM-05.1S','The CSP shall review the access rights of all the accounts under its responsibility at least once a year to ensure that they still correspond to the current needs, which shall be performed by authorised persons under the responsibility of the authorised body that has approved the access rights policies.','Substantial', 'ORGANIZATIONAL' ,53),
+(454,'IAM-05.2S','IAM-05.2S','The CSP handles identified deviations timely, but no later than 7 days after their detection, by appropriately revoking or updating access rights.','Substantial', 'ORGANIZATIONAL' ,53),
+(455,'IAM-05.3S','IAM-05.3S','The CSP shall provide CSCs with a tool that facilitates reviewing of the access rights of accounts under their responsibility.','Substantial', 'ORGANIZATIONAL' ,53),
+(456,'IAM-05.1H','IAM-05.1H','The CSP shall review the access rights of all the accounts under its responsibility at least every six (6) months to ensure that they still correspond to the current needs, which shall be performed by authorised persons under the responsibility of the authorised body that has approved the access rights policies.','High', 'ORGANIZATIONAL' ,53),
+(457,'IAM-05.2H','IAM-05.2H','The CSP handles identified deviations timely, but no later than 7 days after their detection, by appropriately revoking or updating access rights.','High', 'ORGANIZATIONAL' ,53),
+(458,'IAM-05.3H','IAM-05.3H','The CSP shall provide CSCs with a tool that facilitates reviewing of the access rights of accounts under their responsibility.','High', 'ORGANIZATIONAL' ,53),
+(459,'IAM-06.1B','IAM-06.1B','Shared accounts under the responsibility of the CSP shall be assigned only to employees.','Basic', 'ORGANIZATIONAL' ,54),
+(460,'IAM-06.2S','IAM-06.2S','Privileged access rights shall be personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks (need-to-know principle).','Substantial', 'ORGANIZATIONAL' ,54),
+(461,'IAM-06.3S','IAM-06.3S','Activities of accounts with privileged access rights shall be logged in order to detect any misuse of privileged access or function in suspicious cases, and the logged information shall be automatically monitored for defined events that may indicate misuse.','Substantial', 'ORGANIZATIONAL' ,54),
+(462,'IAM-06.4S','IAM-06.4S','The CSP shall document and implement a procedure that, upon detection of potential misuse by this monitoring, informs the responsible personnel so that they can promptly assess whether misuse has occurred and take corresponding action.','Substantial', 'ORGANIZATIONAL' ,54),
+(463,'IAM-06.1S','IAM-06.1S','Shared accounts under the responsibility of the CSP shall be assigned only to employees.','Substantial', 'ORGANIZATIONAL' ,54),
+(464,'IAM-06.5S','IAM-06.5S','The CSP shall require strong authentication (for example: multi-factor authentication) for accessing the administration interfaces used by the CSP.','Substantial', 'ORGANIZATIONAL' ,54),
+(465,'IAM-06.1H','IAM-06.1H','Shared accounts under the responsibility of the CSP shall be assigned only to employees.','High', 'ORGANIZATIONAL' ,54),
+(466,'IAM-06.2H','IAM-06.2H','Privileged access rights shall be personalised, limited in time according to a risk assessment and assigned as necessary for the execution of tasks (need-to-know principle).','High', 'ORGANIZATIONAL' ,54),
+(467,'IAM-06.3H','IAM-06.3H','Activities of accounts with privileged access rights shall be logged in order to detect any misuse of privileged access or function in suspicious cases, and the logged information shall be automatically monitored for defined events that may indicate misuse.','High', 'ORGANIZATIONAL' ,54),
+(468,'IAM-06.4H','IAM-06.4H','The CSP shall document and implement a procedure that, upon detection of potential misuse by this monitoring, informs the responsible personnel so that they can promptly assess whether misuse has occurred and take corresponding action.','High', 'ORGANIZATIONAL' ,54),
+(469,'IAM-06.5H','IAM-06.5H','The CSP shall require strong authentication (for example: multi-factor authentication) for accessing the administration interfaces used by the CSP and those offered to the CSCs.','High', 'ORGANIZATIONAL' ,54),
+(470,'IAM-06.6H','IAM-06.6H','The CSP must review every three (3) months the list of employees who are responsible for a technical account within its scope of responsibility ','High', 'ORGANIZATIONAL' ,54),
+(471,'IAM-06.7H','IAM-06.7H','The CSP shall maintain an up-to-date inventory of the accounts under its responsibility that have privileged access rights ','High', 'ORGANIZATIONAL' ,54),
+(472,'IAM-07.1B','IAM-07.1B','The CSP shall define and implement according to ISP-02 policies and procedures about authentication mechanisms, covering at least the following aspects:
+(1) The selection of mechanisms suitable for every type of account and each level of risk;
+(2)The protection of credentials used by the authentication mechanism;
+(3) The generation and distribution of credentials for new accounts;
+(4) Rules for the renewal of credentials, including periodic renewals, renewals in case of loss or compromise; and
+(5) Rules on the required strength of credentials, together with mechanisms to communicate and enforce the rules.','Basic', 'ORGANIZATIONAL' ,55),
+(473,'IAM-07.2B','IAM-07.2B','The access to all environments of the CSP shall be authenticated, including non-production environments.','Basic', 'ORGANIZATIONAL' ,55),
+(474,'IAM-07.3B','IAM-07.3B','All authentication mechanisms shall include a mechanism to block an account after a predefined number of unsuccessful attempts.','Basic', 'ORGANIZATIONAL' ,55),
+(475,'IAM-07.1S','IAM-07.1S','The CSP shall define and implement according to ISP-02 policies and procedures about authentication mechanisms, covering at least the following aspects:
+(1) The selection of mechanisms suitable for every type of account and each level of risk;
+(2)The protection of credentials used by the authentication mechanism;
+(3) The generation and distribution of credentials for new accounts;
+(4) Rules for the renewal of credentials, including periodic renewals, renewals in case of loss or compromise; and
+(5) Rules on the required strength of credentials, together with mechanisms to communicate and enforce the rules.','Substantial', 'ORGANIZATIONAL' ,55),
+(476,'IAM-07.2S','IAM-07.2S','The access to all environments of the CSP shall be authenticated, including non-production environments.','Substantial', 'ORGANIZATIONAL' ,55),
+(477,'IAM-07.3S','IAM-07.3S','All authentication mechanisms shall include a mechanism to block an account after a predefined number of unsuccessful attempts.','Substantial', 'ORGANIZATIONAL' ,55),
+(478,'IAM-07.4S','IAM-07.4S','The access to all environments containing CSC data, including the production environment of the CSP shall require strong authentication (for example multi-factor authentication).','Substantial', 'ORGANIZATIONAL' ,55),
+(479,'IAM-07.5S','IAM-07.5S','Within an environment, user authentication shall be performed through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security ','Substantial', 'ORGANIZATIONAL' ,55),
+(480,'IAM-07.6S','IAM-07.6S','For access to non-personal shared accounts, the CSP shall implement measures that require the users to be authenticated with their personal account before being able to access these shared accounts ','Substantial', 'ORGANIZATIONAL' ,55),
+(481,'IAM-07.7S','IAM-07.7S','The CSP shall offer strong authentication methods (for example multi-factor authentication) to the CSC for use with the accounts under their responsibility.','Substantial', 'ORGANIZATIONAL' ,55),
+(482,'IAM-07.8S','IAM-07.8S','The CSP shall distribute credentials using out-of-band communication means.','Substantial', 'ORGANIZATIONAL' ,55),
+(483,'IAM-07.1H','IAM-07.1H','The CSP shall define and implement according to ISP-02 policies and procedures about authentication mechanisms, covering at least the following aspects:
+(1) The selection of mechanisms suitable for every type of account and each level of risk;
+(2)The protection of credentials used by the authentication mechanism;
+(3) The generation and distribution of credentials for new accounts;
+(4) Rules for the renewal of credentials, including periodic renewals, renewals in case of loss or compromise; and
+(5) Rules on the required strength of credentials, together with mechanisms to communicate and enforce the rules.','High', 'ORGANIZATIONAL' ,55),
+(484,'IAM-07.2H','IAM-07.2H','The access to all environments of the CSP shall be authenticated, including non-production environments.','High', 'ORGANIZATIONAL' ,55),
+(485,'IAM-07.3H','IAM-07.3H','All authentication mechanisms shall include a mechanism to block an account after a predefined number of unsuccessful attempts.','High', 'ORGANIZATIONAL' ,55),
+(486,'IAM-07.4H','IAM-07.4H','The access to all environments containing CSC data, including the production environment of the CSP shall require strong authentication (for example multi-factor authentication).','High', 'ORGANIZATIONAL' ,55),
+(487,'IAM-07.5H','IAM-07.5H','Within an environment, user authentication shall be performed through passwords, digitally signed certificates or procedures that achieve at least an equivalent level of security ','High', 'ORGANIZATIONAL' ,55),
+(488,'IAM-07.6H','IAM-07.6H','For access to non-personal shared accounts, the CSP shall implement measures that require the users to be authenticated with their personal account before being able to access these shared accounts ','High', 'ORGANIZATIONAL' ,55),
+(489,'IAM-07.7H','IAM-07.7H','The CSP shall offer strong authentication methods (for example multi-factor authentication) to the CSC for use with the accounts under their responsibility.','High', 'ORGANIZATIONAL' ,55),
+(490,'IAM-07.8H','IAM-07.8H','The CSP shall distribute credentials using out-of-band communication means.','High', 'ORGANIZATIONAL' ,55),
+(491,'IAM-08.1B','IAM-08.1B','The CSP shall document, communicate and make available to all users under its responsibility rules and recommendations for the management of credentials, including at least:
+(1) Non-reuse of credentials;
+(2) Trade-offs between entropy and ability to memorize;
+(3) Recommendations for renewal of passwords;
+(4) Rules on storage of passwords.','Basic', 'ORGANIZATIONAL' ,56),
+(492,'IAM-08.2B','IAM-08.2B','Passwords shall be only stored using cryptographically strong hash functions (cf. CKM-01) ','Basic', 'ORGANIZATIONAL' ,56),
+(493,'IAM-08.3B','IAM-08.3B','If cryptographic authentication mechanisms are used, they shall follow the policies and procedures from CKM-01.','Basic', 'ORGANIZATIONAL' ,56),
+(494,'IAM-08.1S','IAM-08.1S','The CSP shall document, communicate and make available to all users under its responsibility rules and recommendations for the management of credentials, including at least:
+(1) Non-reuse of credentials;
+(2) Trade-offs between entropy and ability to memorize;
+(3) Recommendations for renewal of passwords;
+(4) Rules on storage of passwords.
+(5) Recommendations on password managers
+(6) Recommendation to specifically address classical attacks, including phishing, social attacks, and whaling','Substantial', 'ORGANIZATIONAL' ,56),
+(495,'IAM-08.2S','IAM-08.2S','Passwords shall be only stored using cryptographically strong hash functions (cf. CKM-01) ','Substantial', 'ORGANIZATIONAL' ,56),
+(496,'IAM-08.3S','IAM-08.3S','If cryptographic authentication mechanisms are used, they shall follow the policies and procedures from CKM-01.','Substantial', 'ORGANIZATIONAL' ,56),
+(497,'IAM-08.4S','IAM-08.4S','When creating credentials, compliance with policies is enforced automatically as far as technically possible.','Substantial', 'ORGANIZATIONAL' ,56),
+(498,'IAM-08.5S','IAM-08.5S','When a credential associated to a personal account is changed or renewed, the person associated to that account shall be notified.','Substantial', 'ORGANIZATIONAL' ,56),
+(499,'IAM-08.6S','IAM-08.6S','Any password communicated to a user through e-mail, message or similar shall be changed by the user after its first use, and its validity shall not exceed 14 days after communication to the user.','Substantial', 'ORGANIZATIONAL' ,56),
+(500,'IAM-08.7S','IAM-08.7S','The CSP shall make available to the CSC the rules and recommendations that shall or may apply to the users under their responsibility, and provide the CSC with tools to manage and enforce these rules.','Substantial', 'ORGANIZATIONAL' ,56),
+(501,'IAM-08.1H','IAM-08.1H','The CSP shall document, communicate and make available to all users under its responsibility rules and recommendations for the management of credentials, including at least:
+(1) Non-reuse of credentials;
+(2) Trade-offs between entropy and ability to memorize;
+(3) Recommendations for renewal of passwords;
+(4) Rules on storage of passwords.
+(5) Recommendations on password managers
+(6) Recommendation to specifically address classical attacks, including phishing, social attacks, and whaling','High', 'ORGANIZATIONAL' ,56),
+(502,'IAM-08.2H','IAM-08.2H','Passwords shall be only stored using cryptographically strong hash functions (cf. CKM-01) ','High', 'ORGANIZATIONAL' ,56),
+(503,'IAM-08.3H','IAM-08.3H','If cryptographic authentication mechanisms are used, they shall follow the policies and procedures from CKM-01.','High', 'ORGANIZATIONAL' ,56),
+(504,'IAM-08.4H','IAM-08.4H','When creating credentials, compliance with policies is enforced automatically as far as technically possible.','High', 'ORGANIZATIONAL' ,56),
+(505,'IAM-08.5H','IAM-08.5H','When a credential associated to a personal account is changed or renewed, the person associated to that account shall be notified.','High', 'ORGANIZATIONAL' ,56),
+(506,'IAM-08.6H','IAM-08.6H','Any password communicated to a user through e-mail, message or similar shall be changed by the user after its first use, and its validity shall not exceed 14 days after communication to the user.','High', 'ORGANIZATIONAL' ,56),
+(507,'IAM-08.7H','IAM-08.7H','The CSP shall make available to the CSC the rules and recommendations that shall or may apply to the users under their responsibility, and provide the CSC with tools to manage and enforce these rules.','High', 'ORGANIZATIONAL' ,56),
+(508,'IAM-08.8H','IAM-08.8H','The CSP shall require users under its responsibility to whom authentication credentials are provided to acknowledge that they treat personal (or shared) authentication confidentially and will not share the credentials with other persons.','High', 'ORGANIZATIONAL' ,56),
+(509,'IAM-09.1B','IAM-09.1B','The CSP shall implement sufficient partitioning measures between the information system providing the cloud service and its other information systems.','Basic', 'ORGANIZATIONAL' ,57),
+(510,'IAM-09.2B','IAM-09.2B','The CSP shall implement suitable measures for partitioning between the CSCs.','Basic', 'ORGANIZATIONAL' ,57),
+(511,'IAM-09.1S','IAM-09.1S','The CSP shall implement sufficient partitioning measures between the information system providing the cloud service and its other information systems.','Substantial', 'ORGANIZATIONAL' ,57),
+(512,'IAM-09.2S','IAM-09.2S','The CSP shall implement suitable measures for partitioning between the CSCs.','Substantial', 'ORGANIZATIONAL' ,57),
+(513,'IAM-09.3S','IAM-09.3S','The CSP shall design, develop, configure and deploy the information system providing the cloud service to include a partitioning between the technical infrastructure and the equipment required for the administration of the cloud service and the assets it hosts.','Substantial', 'ORGANIZATIONAL' ,57),
+(514,'IAM-09.4S','IAM-09.4S','The CSP shall timely inform a CSC, whenever employees of the CSP access to the CSC''s CSC data processed, stored or transmitted in the cloud service without the prior consent of the CSC, including at least:
+(1) Cause, time, duration, type and scope of the access;
+(2) Enough details to enable subject matters experts of the CSC to assess the risks of the access.','Substantial', 'ORGANIZATIONAL' ,57),
+(515,'IAM-09.5S','IAM-09.5S','The CSP shall inform the CSC, through contractual agreements, prior to offering its services, all instances where CSP access in a non-encrypted form to the CSC''s data processed, stored or transmitted in the cloud service may occur.','Substantial', 'ORGANIZATIONAL' ,57),
+(516,'IAM-09.6S','IAM-09.6S','If the CSP offers to its CSCs interfaces for administrators and for end users, these interfaces shall be separated.','Substantial', 'ORGANIZATIONAL' ,57),
+(517,'IAM-09.1H','IAM-09.1H','The CSP shall implement sufficient partitioning measures between the information system providing the cloud service and its other information systems.','High', 'ORGANIZATIONAL' ,57),
+(518,'IAM-09.2H','IAM-09.2H','The CSP shall implement suitable measures for partitioning between the CSCs.','High', 'ORGANIZATIONAL' ,57),
+(519,'IAM-09.3H','IAM-09.3H','The CSP shall design, develop, configure and deploy the information system providing the cloud service to include a partitioning between the technical infrastructure and the equipment required for the administration of the cloud service and the assets it hosts.','High', 'ORGANIZATIONAL' ,57),
+(520,'IAM-09.4H','IAM-09.4H','The CSP shall require prior consent from a CSC before any access to the CSC''s CSC data processed, stored or transmitted in the cloud service, with enforcement using technical means, and providing meaningful information, including at least:
+(1) Cause, time, duration, type and scope of the access;
+(2) Enough details to enable subject matters experts of the CSC to assess the risks of the access.','High', 'ORGANIZATIONAL' ,57),
+(521,'IAM-09.5H','IAM-09.5H','The CSP may agree with the CSC, through contractual agreements, instances where CSP access in a non-encrypted form to the CSC''s data processed, stored or transmitted in the cloud service may occur where requiring prior consent is not feasible. For example, where troubleshooting the service is necessary to ensure that the CSC’s data remains confidential, available and its integrity preserved.','High', 'ORGANIZATIONAL' ,57),
+(522,'IAM-09.6H','IAM-09.6H','The CSP shall separate the administration interfaces made available to CSCs from those made available to its employees, and in particular:
+(1) The accounts under the responsibility of the CSP shall be managed using instances of tools and directories that are different from those used for the management of accounts under the responsibility of the CSCs;
+(2) The administration interfaces made available to CSCs shall not allow for any connection from accounts under the responsibility of the CSP;
+(3) The administration interfaces used by the CSP shall not be accessible from the public network and as such shall not allow for any connection from accounts under the responsibility of the CSC.','High', 'ORGANIZATIONAL' ,57),
+(523,'IAM-09.7H','IAM-09.7H','Before granting to an employee direct or indirect access to CSC data, including in support operations, the CSP shall verify that the employee performing the action has passed an appropriate assessment or is supervised by an employee who has passed an appropriate assessment (cf. HR-02.1S).','High', 'ORGANIZATIONAL' ,57),
+(524,'IAM-09.8H','IAM-09.8H','In the case of supervised access, the CSP shall ensure that:
+(1) the access is performed using mechanisms that allow the supervising employee to authorize or deny individual actions, ask for explanations, in real time;
+(2) the access rights are revoked at the end of the operation;
+(3) the operations performed are logged as administrative actions.
+(4) In the case of supervised access, the CSP shall ensure that the supervision solution:
+(4a) includes the authentication the supervised employee and the device from which the supervised access is performed;
+(4b) logs the operations proposed by the supervised employee and the actions of the supervisor, including the operations denied by the supervisor;
+(4c) prevents information flows toward the supervised employee’s device.','High', 'ORGANIZATIONAL' ,57),
+
+(525,'CKM-01.1B','CKM-01.1B','The CSP shall define and implement policies with technical and organizational safeguards for cryptography and key management, according to ISP-02, in which at least the following aspects are described:
+(1) Usage of strong cryptographic mechanisms and secure network protocols;
+(2) Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys;
+(3) Consideration of relevant legal and regulatory obligations and requirements.','Basic', 'ORGANIZATIONAL' ,58),
+(526,'CKM-01.1S','CKM-01.1S','The CSP shall define and implement policies with technical and organizational safeguards for cryptography and key management, according to ISP-02, in which at least the following aspects are described:
+(1) Usage of strong cryptographic mechanisms and secure network protocols, corresponding to the state of the art;
+(2) Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys;
+(3) Consideration of relevant legal and regulatory obligations and requirements;
+(4) Risk-based provisions for the use of encryption aligned with the data classification schemes and considering the communication channel, type, strength and quality of the encryption','Substantial', 'ORGANIZATIONAL' ,58),
+(527,'CKM-01.1H','CKM-01.1H','The CSP shall define and implement policies with technical and organizational safeguards for cryptography and key management, according to ISP-02, in which at least the following aspects are described:
+(1) Usage of strong cryptographic mechanisms and secure network protocols, corresponding to the state of the art;
+(2) Requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys;
+(3) Consideration of relevant legal and regulatory obligations and requirements;
+(4) Risk-based provisions for the use of encryption aligned with the data classification schemes and considering the communication channel, type, strength and quality of the encryption','High', 'ORGANIZATIONAL' ,58),
+(528,'CKM-02.1B','CKM-02.1B','The CSP shall define and implement strong cryptographic mechanisms for the transmission of CSC data over public networks, in order to protect the confidentiality, integrity and authenticity of data.','Basic', 'ORGANIZATIONAL' ,59),
+(529,'CKM-02.1S','CKM-02.1S','The CSP shall define and implement strong cryptographic mechanisms for the transmission of CSC data over public networks, in order to protect the confidentiality, integrity and authenticity of data.','Substantial', 'ORGANIZATIONAL' ,59),
+(530,'CKM-02.2S','CKM-02.2S','The CSP shall use strong cryptographic mechanisms to protect the communication during remote access to the production environment, including employee authentication.','Substantial', 'ORGANIZATIONAL' ,59),
+(531,'CKM-02.1H','CKM-02.1H','The CSP shall define and implement strong cryptographic mechanisms for the transmission of all data over public networks, in order to protect the confidentiality, integrity and authenticity of data.','High', 'ORGANIZATIONAL' ,59),
+(532,'CKM-02.2H','CKM-02.2H','The CSP shall use strong cryptographic mechanisms to protect the communication during remote access to the production environment, including employee authentication.','High', 'ORGANIZATIONAL' ,59),
+(533,'CKM-03.1B','CKM-03.1B','The CSP shall define and implement procedures and technical safeguards to protect the confidentiality of CSC data during storage, according to ISP-02.','Basic', 'ORGANIZATIONAL' ,60),
+(534,'CKM-03.2B','CKM-03.2B','The CSP shall notify CSCs of updates of these procedures and technical safeguards and to changes in the storage of CSC data that may affect the confidentiality of the data.','Basic', 'ORGANIZATIONAL' ,60),
+(535,'CKM-03.1S','CKM-03.1S','The CSP shall define and implement procedures and technical safeguards to protect the confidentiality of CSC data during storage, according to ISP-02.','Substantial', 'ORGANIZATIONAL' ,60),
+(536,'CKM-03.2S','CKM-03.2S','The CSP shall notify CSCs of updates of these procedures and technical safeguards and to changes in the storage of CSC data that may affect the confidentiality of the data.','Substantial', 'ORGANIZATIONAL' ,60),
+(537,'CKM-03.3S','CKM-03.3S','The procedures for the use of private and secret keys, including a specific procedure for any exceptions, shall be established in accordance with applicable legal and regulatory obligations and requirements and contractually agreed with the CSC.','Substantial', 'ORGANIZATIONAL' ,60),
+(538,'CKM-03.1H','CKM-03.1H','The CSP shall define and implement procedures and technical safeguards to protect the confidentiality of CSC data during storage, according to ISP-02.','High', 'ORGANIZATIONAL' ,60),
+(539,'CKM-03.2H','CKM-03.2H','The CSP shall notify CSCs of updates of these procedures and technical safeguards and to changes in the storage of CSC data that may affect the confidentiality of the data.','High', 'ORGANIZATIONAL' ,60),
+(540,'CKM-03.3H','CKM-03.3H','The procedures for the use of private and secret keys, including a specific procedure for any exceptions, shall be established in accordance with applicable legal and regulatory obligations and requirements and contractually agreed with the CSC.','High', 'ORGANIZATIONAL' ,60),
+(541,'CKM-04.1B','CKM-04.1B','Procedures and technical safeguards for secure key management in the area of responsibility of the CSP shall include at least the following aspects:
+(1) Generation of keys for different cryptographic systems and applications;
+(2) Issuing and obtaining public-key certificates;
+(3) Provisioning and activation of the keys;
+(4) Secure storage of keys including description of how authorised users get access;
+(5) Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised;
+(6) Handling of compromised keys; and
+(7) Withdrawal and deletion of keys;','Basic', 'ORGANIZATIONAL' ,61),
+(542,'CKM-04.1S','CKM-04.1S','Procedures and technical safeguards for secure key management in the area of responsibility of the CSP shall include at least the following aspects:
+(1) Generation of keys for different cryptographic systems and applications;
+(2) Issuing and obtaining public-key certificates;
+(3) Provisioning and activation of the keys;
+(4) Secure storage of keys including description of how authorised users get access;
+(5) Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised;
+(6) Handling of compromised keys; and
+(7) Withdrawal and deletion of keys;','Substantial', 'ORGANIZATIONAL' ,61),
+(543,'CKM-04.2S','CKM-04.2S','For the secure storage of keys, the key management system shall be separated from the application and middleware levels.','Substantial', 'ORGANIZATIONAL' ,61),
+(544,'CKM-04.3S','CKM-04.3S','If pre-shared keys are used, the specific provisions relating to the secure use of this procedure shall be specified separately.','Substantial', 'ORGANIZATIONAL' ,61),
+(545,'CKM-04.1H','CKM-04.1H','Procedures and technical safeguards for secure key management in the area of responsibility of the CSP shall include at least the following aspects:
+(1) Generation of keys for different cryptographic systems and applications;
+(2) Issuing and obtaining public-key certificates;
+(3) Provisioning and activation of the keys;
+(4) Secure storage of keys including description of how authorised users get access;
+(5) Changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised;
+(6) Handling of compromised keys; and
+(7) Withdrawal and deletion of keys;','High', 'ORGANIZATIONAL' ,61),
+(546,'CKM-04.2H','CKM-04.2H','For the secure storage of keys, the key management system shall be separated from the application and middleware levels.','High', 'ORGANIZATIONAL' ,61),
+(547,'CKM-04.3H','CKM-04.3H','If pre-shared keys are used, the specific provisions relating to the secure use of this procedure shall be specified separately.','High', 'ORGANIZATIONAL' ,61),
+(548,'CKM-04.4H','CKM-04.4H','For the secure storage of keys and other secrets used for the administration tasks, the CSP shall use a suitable security container , software or hardware.','High', 'ORGANIZATIONAL' ,61),
+
+(549,'CS-01.1B','CS-01.1B','The CSP shall define and implement technical safeguards that are suitable to promptly detect and respond to network-based attacks and to ensure the protection of information and information processing systems, in accordance with ISP-02.','Basic', 'ORGANIZATIONAL' ,62),
+(550,'CS-01.1S','CS-01.1S','The CSP shall document, communicate and implement technical safeguards that are suitable to promptly detect and respond to network-based attacks and to ensure the protection of information and information processing systems, in accordance with ISP-02, and based on the results of a risk analysis carried out according to RM-01.','Substantial', 'ORGANIZATIONAL' ,62),
+(551,'CS-01.2S','CS-01.2S','The CSP shall feed into a SIEM (Security Information and Event Management) system, all data from these technical safeguards implemented so that automatic countermeasures regarding correlating security events are initiated.','Substantial', 'ORGANIZATIONAL' ,62),
+(552,'CS-01.1H','CS-01.1H','The CSP shall document, communicate and implement technical safeguards that are suitable to promptly detect and respond to network-based attacks and to ensure the protection of information and information processing systems, in accordance with ISP-02, and based on the results of a risk analysis carried out according to RM-01.','High', 'ORGANIZATIONAL' ,62),
+(553,'CS-01.2H','CS-01.2H','The CSP shall feed into a SIEM (Security Information and Event Management) system, all data from these technical safeguards implemented so that automatic countermeasures regarding correlating security events are initiated.','High', 'ORGANIZATIONAL' ,62),
+(554,'CS-01.3H','CS-01.3H','The CSP shall implement technical safeguards to ensure that only authorized (physical or virtual) devices join its (physical or virtual) network.','High', 'ORGANIZATIONAL' ,62),
+(555,'CS-01.4H','CS-01.4H','The CSP shall use technologies for its technical safeguards that provide automated protection and prevention at multiple tiers within the cloud service(s). Thus, mitigating the risk of a vulnerability or bypass technique being able to effectively breach the deployed defensive line.','High', 'ORGANIZATIONAL' ,62),
+(556,'CS-02.1B','CS-02.1B','The CSP shall define and implement according to ISP-02 specific security requirements to connect within its network, including at least:
+(1) When the security zones are to be separated and when the CSCs are to be logically or physically segregated;
+(2) What communication relationships and what network and application protocols are permitted in each case;
+(3) How the data traffic for administration and monitoring are segregated from each other at the network level;
+(4) What internal, cross-location communication is permitted; and
+(5) what cross-network communication is allowed.','Basic', 'ORGANIZATIONAL' ,63),
+(557,'CS-02.1S','CS-02.1S','The CSP shall define and implement according to ISP-02 specific security requirements to connect within its network, including at least:
+(1) When the security zones are to be separated and when the CSCs are to be logically or physically segregated;
+(2) What communication relationships and what network and application protocols are permitted in each case;
+(3) How the data traffic for administration and monitoring are segregated from each other at the network level;
+(4) What internal, cross-location communication is permitted; and
+(5) what cross-network communication is allowed.','Substantial', 'ORGANIZATIONAL' ,63),
+(558,'CS-02.1H','CS-02.1H','The CSP shall define and implement according to ISP-02 specific security requirements to connect within its network, including at least:
+(1) When the security zones are to be separated and when the CSCs are to be logically or physically segregated;
+(2) What communication relationships and what network and application protocols are permitted in each case;
+(3) How the data traffic for administration and monitoring are segregated from each other at the network level;
+(4) What internal, cross-location communication is permitted; and
+(5) what cross-network communication is allowed.','High', 'ORGANIZATIONAL' ,63),
+(559,'CS-03.1B','CS-03.1B','The CSP shall distinguish between trusted and untrusted networks, based on a risk assessment.','Basic', 'ORGANIZATIONAL' ,64),
+(560,'CS-03.2B','CS-03.2B','The CSP shall separate trusted and untrusted networks into different security zones for internal and external network areas (and DMZ, if applicable).','Basic', 'ORGANIZATIONAL' ,64),
+(561,'CS-03.3B','CS-03.3B','The CSP shall design and configure both physical and virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02).','Basic', 'ORGANIZATIONAL' ,64),
+(562,'CS-03.4B','CS-03.4B','The CSP shall review at specified intervals the business justification for using all services, protocols, and ports. This review shall also include the compensatory measures used for protocols that are considered insecure.','Basic', 'ORGANIZATIONAL' ,64),
+(563,'CS-03.1S','CS-03.1S','The CSP shall distinguish between trusted and untrusted networks, based on a risk assessment according to RM-01.','Substantial', 'ORGANIZATIONAL' ,64),
+(564,'CS-03.2S','CS-03.2S','The CSP shall separate trusted and untrusted networks into different security zones for internal and external network areas (and DMZ, if applicable).','Substantial', 'ORGANIZATIONAL' ,64),
+(565,'CS-03.3S','CS-03.3S','The CSP shall design and configure both physical and virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02).','Substantial', 'ORGANIZATIONAL' ,64),
+(566,'CS-03.4S','CS-03.4S','The CSP shall review at least annually the design and implementation and configuration undertaken to monitor the connections in a risk-oriented manner, with regard to the defined security requirements.','Substantial', 'ORGANIZATIONAL' ,64),
+(567,'CS-03.5S','CS-03.5S','The CSP shall assess the risks of identified vulnerabilities in accordance with the risk management procedure (cf. RM-01) and follow-up measures shall be defined and tracked (cf.OPS-17).','Substantial', 'ORGANIZATIONAL' ,64),
+(568,'CS-03.6S','CS-03.6S','The CSP shall protect all SIEM logs to avoid tampering.','Substantial', 'ORGANIZATIONAL' ,64),
+(569,'CS-03.1H','CS-03.1H','The CSP shall distinguish between trusted and untrusted networks, based on a risk assessment.','High', 'ORGANIZATIONAL' ,64),
+(570,'CS-03.2H','CS-03.2H','The CSP shall separate trusted and untrusted networks into different security zones for internal and external network areas (and DMZ, if applicable).','High', 'ORGANIZATIONAL' ,64),
+(571,'CS-03.3H','CS-03.3H','The CSP shall design and configure both physical and virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02).','High', 'ORGANIZATIONAL' ,64),
+(572,'CS-03.4H','CS-03.4H','The CSP shall review at least annually the design and implementation and configuration undertaken to monitor the connections in a risk-oriented manner, with regard to the defined security requirements.','High', 'ORGANIZATIONAL' ,64),
+(573,'CS-03.5H','CS-03.5H','The CSP shall assess the risks of identified vulnerabilities in accordance with the risk management procedure (cf. RM-01) and follow-up measures shall be defined and tracked (cf.OPS-17).','High', 'ORGANIZATIONAL' ,64),
+(574,'CS-03.6H','CS-03.6H','The CSP shall protect all SIEM logs to avoid tampering.','High', 'ORGANIZATIONAL' ,64),
+(575,'CS-04.1B','CS-04.1B','The CSP shall define and implement separate networks for the administrative management of the infrastructure and the operation of management consoles.','Basic', 'ORGANIZATIONAL' ,65),
+(576,'CS-04.2B','CS-04.2B','The CSP shall logically or physically separate the networks for administration from the CSCs’ networks.','Basic', 'ORGANIZATIONAL' ,65),
+(577,'CS-04.3B','CS-04.3B','The CSP shall segregate physically or logically the networks used to migrate or create virtual machines.','Basic', 'ORGANIZATIONAL' ,65),
+(578,'CS-04.1S','CS-04.1S','The CSP shall define and implement separate networks for the administrative management of the infrastructure and the operation of management consoles.','Substantial', 'ORGANIZATIONAL' ,65),
+(579,'CS-04.2S','CS-04.2S','The CSP shall logically or physically separate the networks for administration from the CSCs’ networks.','Substantial', 'ORGANIZATIONAL' ,65),
+(580,'CS-04.3S','CS-04.3S','The CSP shall segregate physically or logically the networks used to migrate or create virtual machines.','Substantial', 'ORGANIZATIONAL' ,65),
+(581,'CS-04.1H','CS-04.1H','The CSP shall define and implement separate networks for the administrative management of the infrastructure and the operation of management consoles.','High', 'ORGANIZATIONAL' ,65),
+(582,'CS-04.2H','CS-04.2H','The CSP shall logically or physically separate the networks for administration from the CSCs’ networks.','High', 'ORGANIZATIONAL' ,65),
+(583,'CS-04.3H','CS-04.3H','The CSP shall segregate physically or logically the networks used to migrate or create virtual machines.','High', 'ORGANIZATIONAL' ,65),
+(584,'CS-04.4H','CS-04.4H','When the administration networks are not physically segregated from other networks, the administration flows must be conveyed in a strongly encrypted tunnel.','High', 'ORGANIZATIONAL' ,65),
+(585,'CS-04.5H','CS-04.5H','The CSP shall protect against application interference the administration interfaces intended for CSCs and exposed over a public network','High', 'ORGANIZATIONAL' ,65),
+(586,'CS-05.1B','CS-05.1B','The CSP shall document and implement separation mechanisms at network level the data traffic of different CSCs.','Basic', 'ORGANIZATIONAL' ,66),
+(587,'CS-05.1S','CS-05.1S','The CSP shall document and implement separation mechanisms at network level for the data traffic of different CSCs.','Substantial', 'ORGANIZATIONAL' ,66),
+(588,'CS-05.1H','CS-05.1H','The CSP shall document and implement separation mechanisms at network level for the data traffic of different CSCs.','High', 'ORGANIZATIONAL' ,66),
+(589,'CS-05.2H','CS-05.2H','When implementing infrastructure capabilities, the secure separation shall be ensured by physically separated networks or by strongly encrypted VLANs.','High', 'ORGANIZATIONAL' ,66),
+(590,'CS-06.1B','CS-06.1B','The CSP shall maintain up-to-date all documentation of the logical structure of the network used to provision or operate the cloud service.','Basic', 'ORGANIZATIONAL' ,67),
+(591,'CS-06.2B','CS-06.2B','The documentation shall cover, at least, how the subnets are allocated, how the network is zoned and segmented, how it connects with third-party and public networks, and the geographical locations in which the CSC data is stored.','Basic', 'ORGANIZATIONAL' ,67),
+(592,'CS-06.1S','CS-06.1S','The CSP shall maintain up-to-date all documentation of the logical structure of the network used to provision or operate the cloud service.','Substantial', 'ORGANIZATIONAL' ,67),
+(593,'CS-06.2S','CS-06.2S','The documentation shall cover, at least, how the subnets are allocated, how the network is zoned and segmented, how it connects with third-party and public networks, and the geographical locations in which the CSC data is stored.','Substantial', 'ORGANIZATIONAL' ,67),
+(594,'CS-06.3S','CS-06.3S','In liaison with the inventory of assets (cf. AM-01), the documentation shall include the equipment that provides security functions and the servers that host the data or provide sensitive functions.','Substantial', 'ORGANIZATIONAL' ,67),
+(595,'CS-06.4S','CS-06.4S','The CSP shall perform a full review of the network topology documentation at least once a year.','Substantial', 'ORGANIZATIONAL' ,67),
+(596,'CS-06.1H','CS-06.1H','The CSP shall maintain up-to-date all documentation of the logical structure of the network used to provision or operate the cloud service.','High', 'ORGANIZATIONAL' ,67),
+(597,'CS-06.2H','CS-06.2H','The documentation shall cover, at least, how the subnets are allocated, how the network is zoned and segmented, how it connects with third-party and public networks, and the geographical locations in which the CSC data is stored.','High', 'ORGANIZATIONAL' ,67),
+(598,'CS-06.3H','CS-06.3H','In liaison with the inventory of assets (cf. AM-01), the documentation shall include the equipment that provides security functions and the servers that host the data or provide sensitive functions.','High', 'ORGANIZATIONAL' ,67),
+(599,'CS-06.4H','CS-06.4H','The CSP shall perform a full review of the network topology documentation at least once a year.','High', 'ORGANIZATIONAL' ,67),
+(600,'CS-07.1B','CS-07.1B','The CSP shall ensure the confidentiality of CSC data by suitable procedures when offering functions to CSCs for software-defined networking (SDN).','Basic', 'ORGANIZATIONAL' ,68),
+(601,'CS-07.2B','CS-07.2B','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','Basic', 'ORGANIZATIONAL' ,68),
+(602,'CS-07.1S','CS-07.1S','The CSP shall ensure the confidentiality of CSC data by suitable procedures when offering functions to CSCs for software-defined networking (SDN).','Substantial', 'ORGANIZATIONAL' ,68),
+(603,'CS-07.2S','CS-07.2S','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','Substantial', 'ORGANIZATIONAL' ,68),
+(604,'CS-07.3S','CS-07.3S','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration.','Substantial', 'ORGANIZATIONAL' ,68),
+(605,'CS-07.1H','CS-07.1H','The CSP shall ensure the confidentiality of CSC data by suitable procedures when offering functions to CSCs for software-defined networking (SDN).','High', 'ORGANIZATIONAL' ,68),
+(606,'CS-07.2H','CS-07.2H','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','High', 'ORGANIZATIONAL' ,68),
+(607,'CS-07.3H','CS-07.3H','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration.','High', 'ORGANIZATIONAL' ,68),
+(608,'CS-08.1B','CS-08.1B','The CSP shall define and implement policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02.','Basic', 'ORGANIZATIONAL' ,69),
+(609,'CS-08.1S','CS-08.1S','The CSP shall define and implement policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02, and including references to the classification of assets (cf. AM-05).','Substantial', 'ORGANIZATIONAL' ,69),
+(610,'CS-08.1H','CS-08.1H','The CSP shall define and implement policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02, and including references to the classification of assets (cf. AM-05).','High', 'ORGANIZATIONAL' ,69),
+
+(611,'PI-01.1B','PI-01.1B','Inbound and outbound interfaces that are made accessible for use by cloud services from other CSPs or CSCs’ IT systems shall be documented.','Basic', 'ORGANIZATIONAL' ,70),
+(612,'PI-01.2B','PI-01.2B','The interfaces shall be clearly documented for subject matter experts to understand how they can be used to retrieve the data.','Basic', 'ORGANIZATIONAL' ,70),
+(613,'PI-01.3B','PI-01.3B','Communication on these interfaces shall use documented communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements, and the adequate authentication of the user.','Basic', 'ORGANIZATIONAL' ,70),
+(614,'PI-01.4B','PI-01.4B','Communication over untrusted networks shall be protected in confidentiality, integrity and authenticity according to CKM-02.','Basic', 'ORGANIZATIONAL' ,70),
+(615,'PI-01.1S','PI-01.1S','Inbound and outbound interfaces that are made accessible for use by cloud services from other CSPs or CSCs’ IT systems shall be documented.','Substantial', 'ORGANIZATIONAL' ,70),
+(616,'PI-01.2S','PI-01.2S','The interfaces shall be clearly documented for subject matter experts to understand how they can be used to retrieve the data.','Substantial', 'ORGANIZATIONAL' ,70),
+(617,'PI-01.3S','PI-01.3S','Communication on these interfaces shall use documented communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements, and the adequate authentication of the user.','Substantial', 'ORGANIZATIONAL' ,70),
+(618,'PI-01.4S','PI-01.4S','Communication over untrusted networks shall be protected in confidentiality, integrity and authenticity according to CKM-02.','Substantial', 'ORGANIZATIONAL' ,70),
+(619,'PI-01.1H','PI-01.1H','Inbound and outbound interfaces that are made accessible for use by cloud services from other CSPs or CSCs’ IT systems shall be documented.','High', 'ORGANIZATIONAL' ,70),
+(620,'PI-01.2H','PI-01.2H','The interfaces shall be clearly documented for subject matter experts to understand how they can be used to retrieve the data.','High', 'ORGANIZATIONAL' ,70),
+(621,'PI-01.3H','PI-01.3H','Communication on these interfaces shall use documented communication protocols that ensure the confidentiality and integrity of the transmitted information according to its protection requirements, and the adequate authentication of the user.','High', 'ORGANIZATIONAL' ,70),
+(622,'PI-01.4H','PI-01.4H','Communication over untrusted networks shall be protected in confidentiality, integrity and authenticity according to CKM-02.','High', 'ORGANIZATIONAL' ,70),
+(623,'PI-01.5H','PI-01.5H','The CSP shall allow its CSCs to verify the interfaces provided (and their security) are adequate for its protection requirements before the start of the use of the cloud service, and each time the interfaces are changed.','High', 'ORGANIZATIONAL' ,70),
+(624,'PI-02.1B','PI-02.1B','The CSP shall include in cloud service contractual agreements, at least, the following aspects concerning the termination of the contractual relationship:
+(1) Type, scope and format of the data the CSP provides to the CSC;
+(2) Delivery methods of the data to the CSC;
+(3) Definition of the timeframe, within which the CSP makes the data available to the CSC;
+(4) Definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these; and
+(5) The CSC''s responsibilities and obligations to cooperate for the provision of the data.','Basic', 'ORGANIZATIONAL' ,71),
+(625,'PI-02.1S','PI-02.1S','The CSP shall include in cloud service contractual agreements, at least, the following aspects concerning the termination of the contractual relationship:
+(1) Type, scope and format of the data the CSP provides to the CSC;
+(2) Delivery methods of the data to the CSC;
+(3) Definition of the timeframe, within which the CSP makes the data available to the CSC;
+(4) Definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these; and
+(5) The CSC''s responsibilities and obligations to cooperate for the provision of the data.','Substantial', 'ORGANIZATIONAL' ,71),
+(626,'PI-02.2S','PI-02.2S','These definitions shall be based on the needs of subject matter experts of potential customers who assess the suitability of the cloud service with regard to a dependency on the CSP as well as legal and regulatory requirements.','Substantial', 'ORGANIZATIONAL' ,71),
+(627,'PI-02.1H','PI-02.1H','The CSP shall include in cloud service contractual agreements, at least, the following aspects concerning the termination of the contractual relationship:
+(1) Type, scope and format of the data the CSP provides to the CSC;
+(2) Delivery methods of the data to the CSC;
+(3) Definition of the timeframe, within which the CSP makes the data available to the CSC;
+(4) Definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these; and
+(5) The CSC''s responsibilities and obligations to cooperate for the provision of the data.','High', 'ORGANIZATIONAL' ,71),
+(628,'PI-02.2H','PI-02.2H','These definitions shall be based on the needs of subject matter experts of potential customers who assess the suitability of the cloud service with regard to a dependency on the CSP as well as legal and regulatory requirements.','High', 'ORGANIZATIONAL' ,71),
+(629,'PI-02.3H','PI-02.3H','The CSP shall identify, at least once a year, legal and regulatory requirements that may apply to these aspects and review the contractual agreements accordingly.','High', 'ORGANIZATIONAL' ,71),
+(630,'PI-03.1B','PI-03.1B','The CSP shall implement procedures for deleting its customers'' data upon termination of their contract in compliance with the contractual agreements between them.','Basic', 'ORGANIZATIONAL' ,72),
+(631,'PI-03.2B','PI-03.2B','The CSC''s data deletion shall include all CSC data, as well as related metadata and cloud service derived data, such as data stored in data backups.','Basic', 'ORGANIZATIONAL' ,72),
+(632,'PI-03.3B','PI-03.3B','At the end of the contract, the CSP shall delete the technical data concerning the CSC.','Basic', 'ORGANIZATIONAL' ,72),
+(633,'PI-03.1S','PI-03.1S','The CSP shall implement procedures for deleting its customers'' data upon termination of their contract in compliance with the contractual agreements between them.','Substantial', 'ORGANIZATIONAL' ,72),
+(634,'PI-03.2S','PI-03.2S','The CSC''s data deletion shall include all CSC data, as well as related metadata and cloud service derived data, such as data stored in data backups.','Substantial', 'ORGANIZATIONAL' ,72),
+(635,'PI-03.3S','PI-03.3S','At the end of the contract, the CSP shall delete the technical data concerning the client.','Substantial', 'ORGANIZATIONAL' ,72),
+(636,'PI-03.4S','PI-03.4S','The CSC''s data deletion procedures shall prevent recovery by forensic means.','Substantial', 'ORGANIZATIONAL' ,72),
+(637,'PI-03.5S','PI-03.5S','The CSP shall document the deletion of the CSC’s data, including metadata and cloud service derived data, in a way allowing the CSC to track the deletion of its data.','Substantial', 'ORGANIZATIONAL' ,72),
+(638,'PI-03.1H','PI-03.1H','The CSP shall implement procedures for deleting its customers'' data upon termination of their contract in compliance with the contractual agreements between them.','High', 'ORGANIZATIONAL' ,72),
+(639,'PI-03.2H','PI-03.2H','The CSC''s data deletion shall include all CSC data, as well as related metadata and cloud service derived data, such as data stored in data backups.','High', 'ORGANIZATIONAL' ,72),
+(640,'PI-03.3H','PI-03.3H','At the end of the contract, the CSP shall delete the technical data concerning the client.','High', 'ORGANIZATIONAL' ,72),
+(641,'PI-03.4H','PI-03.4H','The cloud customer''s data deletion procedures shall prevent recovery by forensic means.','High', 'ORGANIZATIONAL' ,72),
+(642,'PI-03.5H','PI-03.5H','The CSP shall document the deletion of the CSC’s data, including metadata and cloud service derived data, in a way allowing the CSC to track the deletion of its data.','High', 'ORGANIZATIONAL' ,72),
+
+(643,'CCM-01.1B','CCM-01.1B','The CSP shall define and implement policies and procedures for change management of the IT systems supporting the cloud service according to ISP-02.','Basic', 'ORGANIZATIONAL' ,73),
+(644,'CCM-01.1S','CCM-01.1S','The CSP shall define and implement policies and procedures for change management of the IT systems supporting the cloud service according to ISP-02, covering at least the following aspects:
+(1) Criteria for risk assessment, categorization and prioritization of changes and related requirements for the type and scope of testing to be performed, and necessary approvals;
+(2) Requirements for the performance and documentation of tests;
+(3) Requirements for segregation of duties during planning, testing, and release of changes;
+(4) Requirements for the proper information of CSCs about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements;
+(5) Requirements for the documentation of changes in the system, operational and user documentation; and
+(6) Requirements for the implementation and documentation of emergency changes, which must comply with the same level of security as normal changes.
+(7) Requirements for the handling of a change’s unexpected effects, including corrective actions.','Substantial', 'ORGANIZATIONAL' ,73),
+(645,'CCM-01.1H','CCM-01.1H','The CSP shall define and implement policies and procedures for change management of the IT systems supporting the cloud service according to ISP-02, covering at least the following aspects:
+(1) Criteria for risk assessment, categorization and prioritization of changes and related requirements for the type and scope of testing to be performed, and necessary approvals;
+(2) Requirements for the performance and documentation of tests;
+(3) Requirements for segregation of duties during planning, testing, and release of changes;
+(4) Requirements for the proper information of CSCs about the type and scope of the change as well as the resulting obligations to cooperate in accordance with the contractual agreements;
+(5) Requirements for the documentation of changes in the system, operational and user documentation; and
+(6) Requirements for the implementation and documentation of emergency changes, which must
+comply with the same level of security as normal changes.
+(7) Requirements for the handling of a change’s unexpected effects, including corrective actions.','High', 'ORGANIZATIONAL' ,73),
+(646,'CCM-02.1B','CCM-02.1B','The CS shall categorise and prioritise changes considering the potential security effects on the system components concerned.','Basic', 'ORGANIZATIONAL' ,74),
+(647,'CCM-02.1S','CCM-02.1S','The CSP shall categorize and prioritize changes considering the potential security effects on the system components concerned, based on a risk assessment performed in accordance with RM-01 with regard to potential effects on the system components concerned.','Substantial', 'ORGANIZATIONAL' ,74),
+(648,'CCM-02.2S','CCM-02.2S','If the risk associated to a planned change is high, then appropriate mitigation measures shall be taken before deploying the change in the cloud service’s production environment.','Substantial', 'ORGANIZATIONAL' ,74),
+(649,'CCM-02.1H','CCM-02.1H','The CSP shall categorize and prioritize changes considering the potential security effects on the system components concerned, based on a risk assessment performed in accordance with RM-01 with regard to potential effects on the system components concerned.','High', 'ORGANIZATIONAL' ,74),
+(650,'CCM-02.2H','CCM-02.2H','If the risk associated to a planned change is high, then appropriate mitigation measures shall be taken before deploying the change in the cloud service’s production environment.','High', 'ORGANIZATIONAL' ,74),
+(651,'CCM-02.3H','CCM-02.3H','In accordance with contractual agreements, the CSP shall submit to authorised bodies of the CSC meaningful information about the occasion, time, duration, type and scope of the change so that they can carry out their own risk assessment before the change is made available in the production environment.','High', 'ORGANIZATIONAL' ,74),
+(652,'CCM-02.4H','CCM-02.4H','Regardless of contractual agreements, the CSP shall inform the CSC as mentioned in CCM-02.3 for changes that have the highest risk category based on their risk assessment.','High', 'ORGANIZATIONAL' ,74),
+(653,'CCM-03.1B','CCM-03.1B','The CSP shall test proposed changes before deployment to the production environment.','Basic', 'ORGANIZATIONAL' ,75),
+(654,'CCM-03.2B','CCM-03.2B','Before using CSC data for tests, the CSP shall first obtain approval from CSC and anonymise CSC data, and the CSP shall guarantee the confidentiality of the data during the whole process.','Basic', 'ORGANIZATIONAL' ,75),
+(655,'CCM-03.1S','CCM-03.1S','The CSP shall test proposed changes before deployment to the production environment, with tests whose type and scope shall correspond to the risk assessment (cf. CCM-02), and that shall be carried out by appropriately qualified employees or by automated, state-of-the-art test procedures.','Substantial', 'ORGANIZATIONAL' ,75),
+(656,'CCM-03.3S','CCM-03.3S','In accordance with contractual requirements, the CSP shall involve CSCs into the tests.','Substantial', 'ORGANIZATIONAL' ,75),
+(657,'CCM-03.2S','CCM-03.2S','Before using CSC data for tests, the CSP shall first obtain approval from CSC and anonymise CSC data, and the CSP shall guarantee the confidentiality of the data during the whole process.','Substantial', 'ORGANIZATIONAL' ,75),
+(658,'CCM-03.4S','CCM-03.4S','The CSP shall determine the severity of the errors and vulnerabilities identified in the tests that are relevant for the deployment decision according to defined criteria, and shall initiate actions for timely remediation or mitigation.','Substantial', 'ORGANIZATIONAL' ,75),
+(659,'CCM-03.1H','CCM-03.1H','The CSP shall test proposed changes before deployment to the production environment, with tests whose type and scope shall correspond to the risk assessment (cf. CCM-02), and that shall be carried out by appropriately qualified employees or by automated, state-of-the-art test procedures.','High', 'ORGANIZATIONAL' ,75),
+(660,'CCM-03.2H','CCM-03.2H','Before using CSC data for tests, the CSP shall first obtain approval from CSC and anonymise CSC data, and the CSP shall guarantee the confidentiality of the data during the whole process.','High', 'ORGANIZATIONAL' ,75),
+(661,'CCM-03.3H','CCM-03.3H','In accordance with contractual requirements, the CSP shall involve CSCs into the tests.','High', 'ORGANIZATIONAL' ,75),
+(662,'CCM-03.4H','CCM-03.4H','The CSP shall determine the severity of the errors and vulnerabilities identified in the tests that are relevant for the deployment decision according to defined criteria, and shall initiate actions for timely remediation or mitigation.','High', 'ORGANIZATIONAL' ,75),
+(663,'CCM-03.5H','CCM-03.5H','The tests performed on a change before its deployment to the production environment shall include tests on the service performed on a pre-production environment.','High', 'ORGANIZATIONAL' ,75),
+(664,'CCM-03.6H','CCM-03.6H','Before deploying changes on a system component, the CSP shall perform testing on other components of the cloud service that depend on that system component to verify the absence of undesirable effects.','High', 'ORGANIZATIONAL' ,75),
+(665,'CCM-03.7H','CCM-03.7H','The CSP shall document and implement a procedure that ensures the integrity of the test data used in the pre-production environment.','High', 'ORGANIZATIONAL' ,75),
+(666,'CCM-04.1B','CCM-04.1B','The CSP shall approve any change to the cloud service, based on defined criteria, before they are made available to CSCs in the production environment.','Basic', 'ORGANIZATIONAL' ,76),
+(667,'CCM-04.1S','CCM-04.1S','The CSP shall approve any change to the cloud service, based on defined criteria and involving CSCs in the approval process according to contractual requirements, before they are made available to CSCs in the production environment.','Substantial', 'ORGANIZATIONAL' ,76),
+(668,'CCM-04.1H','CCM-04.1H','The CSP shall approve any change to the cloud service, based on defined criteria and involving CSCs in the approval process according to contractual requirements, before they are made available to CSCs in the production environment, and the approval processes shall be automatically monitored.','High', 'ORGANIZATIONAL_TECHNICAL' ,76),
+(669,'CCM-05.1B','CCM-05.1B','The CSP shall define roles and rights according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment.','Basic', 'ORGANIZATIONAL' ,77),
+(670,'CCM-05.2B','CCM-05.2B','All changes to the cloud service in the production environment shall be logged and shall be traceable back to the individual or system component that initiated the change.','Basic', 'ORGANIZATIONAL' ,77),
+(671,'CCM-05.1S','CCM-05.1S','The CSP shall define roles and rights according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment.','Substantial', 'ORGANIZATIONAL' ,77),
+(672,'CCM-05.2S','CCM-05.2S','All changes to the cloud service in the production environment shall be logged and shall be traceable back to the individual or system component that initiated the change.','Substantial', 'ORGANIZATIONAL' ,77),
+(673,'CCM-05.1H','CCM-05.1H','The CSP shall define roles and rights according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment, and the changes in the production environment shall be automatically monitored to enforce these roles and rights.','High', 'ORGANIZATIONAL' ,77),
+(674,'CCM-05.2H','CCM-05.2H','All changes to the cloud service in the production environment shall be logged and shall be traceable back to the individual or system component that initiated the change.','High', 'ORGANIZATIONAL' ,77),
+(675,'CCM-06.1B','CCM-06.1B','The CSP shall implement version control procedures to track the dependencies of individual changes and to be able to restore affected system components back to their previous state as a result of errors or identified vulnerabilities.','Basic', 'ORGANIZATIONAL' ,78),
+(676,'CCM-06.1S','CCM-06.1S','The CSP shall implement version control procedures to track the dependencies of individual changes and to be able to restore affected system components back to their previous state as a result of errors or identified vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,78),
+(677,'CCM-06.1H','CCM-06.1H','The CSP shall implement version control procedures to track the dependencies of individual changes and to be able to restore affected system components back to their previous state as a result of errors or identified vulnerabilities.','High', 'ORGANIZATIONAL' ,78),
+(678,'CCM-06.2H','CCM-06.2H','The version control procedures shall provide appropriate safeguards to ensure that the confidentiality, integrity and availability of CSC data is not compromised when system components are restored back to their previous state.','High', 'ORGANIZATIONAL' ,78),
+(679,'CCM-06.3H','CCM-06.3H','The CSP shall retain a history of the software versions and of the systems that are implemented in order to be able to reconstitute, where applicable in a test environment, a complete environment such as was implemented on a given date; the retention time for this history shall be at least the same as that for backups (cf. OPS-06).','High', 'ORGANIZATIONAL' ,78),
+
+(680,'DEV-01.1B','DEV-01.1B','The CSP shall define and implement policies and procedures according to ISP-02 with technical and organisational measures for the secure development of the cloud service.','Basic', 'ORGANIZATIONAL' ,79),
+(681,'DEV-01.2B','DEV-01.2B','The policies and procedures for secure development shall consider information security from the earliest phases of design.','Basic', 'ORGANIZATIONAL' ,79),
+(682,'DEV-01.1S','DEV-01.1S','The CSP shall define and implement policies and procedures according to ISP-02 with technical and organisational measures for the secure development of the cloud service.','Substantial', 'ORGANIZATIONAL' ,79),
+(683,'DEV-01.2S','DEV-01.2S','The policies and procedures for secure development shall consider information security from the earliest phases of design and they shall be based on published standards and established methods with regard to the following aspects:
+(1) Security in software development (Requirements, Design, Implementation, Testing and Verification);
+(2) Security in software deployment (including continuous delivery);
+(3) Security in operation (reaction to identified faults and vulnerabilities); and
+(4) Secure coding standards and practices (avoiding the introduction of vulnerabilities in code).','Substantial', 'ORGANIZATIONAL' ,79),
+(684,'DEV-01.3S','DEV-01.3S','The policies and procedures for development shall include measures for the enforcement of specified standards and guidelines, including automated tools.','Substantial', 'ORGANIZATIONAL' ,79),
+(685,'DEV-01.1H','DEV-01.1H','The CSP shall define and implement policies and procedures according to ISP-02 with technical and organisational measures for the secure development of the cloud service.','High', 'ORGANIZATIONAL' ,79),
+(686,'DEV-01.2H','DEV-01.2H','The policies and procedures for secure development shall consider information security from the earliest phases of design and they shall be based on published standards and established methods with regard to the following aspects:
+(1) Security in software development (Requirements, Design, Implementation, Testing and Verification);
+(2) Security in software deployment (including continuous delivery);
+(3) Security in operation (reaction to identified faults and vulnerabilities); and
+(4) Secure coding standards and practices (avoiding the introduction of vulnerabilities in code).','High', 'ORGANIZATIONAL' ,79),
+(687,'DEV-01.3H','DEV-01.3H','The policies and procedures for development shall include measures for the enforcement of specified standards and guidelines, including automated tools.','High', 'ORGANIZATIONAL' ,79),
+(688,'DEV-02.1B','DEV-02.1B','The CSP shall maintain a list of dependencies to hardware and software products used in the development of its cloud service.','Basic', 'ORGANIZATIONAL' ,80),
+(689,'DEV-02.1S','DEV-02.1S','The CSP shall maintain a list of dependencies to hardware and software products used in the development of its cloud service.','Substantial', 'ORGANIZATIONAL' ,80),
+(690,'DEV-02.2S','DEV-02.2S','The CSP shall define and implement policies and procedures according to ISP-02 for the use of third-party and open source software.','Substantial', 'ORGANIZATIONAL' ,80),
+(691,'DEV-02.3S','DEV-02.3S','The CSP shall retrieve third-party software only from trusted sources, and shall verify authenticity when possible.','Substantial', 'ORGANIZATIONAL' ,80),
+(692,'DEV-02.1H','DEV-02.1H','The CSP shall maintain a list of dependencies to hardware and software products used in the development of its cloud service.','High', 'ORGANIZATIONAL' ,80),
+(693,'DEV-02.2H','DEV-02.2H','The CSP shall define and implement policies and procedures according to ISP-02 for the use of third-party and open source software.','High', 'ORGANIZATIONAL' ,80),
+(694,'DEV-02.3H','DEV-02.3H','The CSP shall retrieve third-party software only from trusted sources, and shall verify authenticity when possible.','High', 'ORGANIZATIONAL' ,80),
+(695,'DEV-02.4H','DEV-02.4H','In procurement for the development of the cloud service, the CSP shall perform a risk assessment in accordance to RM-01 for every product.','High', 'ORGANIZATIONAL' ,80),
+(696,'DEV-03.1B','DEV-03.1B','The CSP shall ensure that the confidentiality and integrity of the source code is adequately  protected at all stages of development.','Basic', 'ORGANIZATIONAL' ,81),
+(697,'DEV-03.2B','DEV-03.2B','The CSP shall use version control to keep a history of the changes in source code with an attribution of changes to individual developers.','Basic', 'ORGANIZATIONAL' ,81),
+(698,'DEV-03.1S','DEV-03.1S','The CSP shall ensure that the confidentiality, integrity and authenticity of the source code is adequately protected at all stages of development.','Substantial', 'ORGANIZATIONAL' ,81),
+(699,'DEV-03.2S','DEV-03.2S','The CSP shall use version control to keep a history of the changes in source code with an attribution of changes to individual developers.','Substantial', 'ORGANIZATIONAL' ,81),
+(700,'DEV-03.3S','DEV-03.3S','The CSP shall implement a secure development and test environments that make it possible to manage the entire development cycle of the information system of the cloud service.','Substantial', 'ORGANIZATIONAL' ,81),
+(701,'DEV-03.4S','DEV-03.4S','The CSP shall consider the development and test environments when performing risk assessment.','Substantial', 'ORGANIZATIONAL' ,81),
+(702,'DEV-03.5S','DEV-03.5S','The CSP shall include development resources as part of the backup policy.','Substantial', 'ORGANIZATIONAL' ,81),
+(703,'DEV-03.1H','DEV-03.1H','The CSP shall ensure that the confidentiality, integrity and authenticity of the source code is adequately protected at all stages of development.','High', 'ORGANIZATIONAL' ,81),
+(704,'DEV-03.2H','DEV-03.2H','The CSP shall use version control to keep a history of the changes in source code with an attribution of changes to individual developers.','High', 'ORGANIZATIONAL' ,81),
+(705,'DEV-03.3H','DEV-03.3H','The CSP shall implement a secure development and test environments that makes it possible to manage the entire development cycle of the information system of the cloud service.','High', 'ORGANIZATIONAL' ,81),
+(706,'DEV-03.4H','DEV-03.4H','The CSP shall consider the development and test environments when performing risk assessment.','High', 'ORGANIZATIONAL' ,81),
+(707,'DEV-03.5H','DEV-03.5H','The CSP shall include development resources as part of the backup policy.','High', 'ORGANIZATIONAL' ,81),
+(708,'DEV-04.1B','DEV-04.1B','The CSP shall ensure that production environments are physically or logically separated from development, test or pre-production environments','Basic', 'ORGANIZATIONAL' ,82),
+(709,'DEV-04.2B','DEV-04.2B','CSC data contained in the production environments shall not be used in development, test or pre-production environments in order not to compromise their confidentiality.','Basic', 'ORGANIZATIONAL' ,82),
+(710,'DEV-04.1S','DEV-04.1S','The CSP shall ensure that production environments are physically or logically separated from development, test or pre-production environments','Substantial', 'ORGANIZATIONAL' ,82),
+(711,'DEV-04.2S','DEV-04.2S','CSC data contained in the production environments shall not be used in development, test or pre-production environments in order not to compromise their confidentiality.','Substantial', 'ORGANIZATIONAL' ,82),
+(712,'DEV-04.3S','DEV-04.3S','The CSP shall not reuse the cryptographic secret and private keys and other secrets used in the production environments with other non-production environments. Such reuse of the materials shall be documented.','Substantial', 'ORGANIZATIONAL' ,82),
+(713,'DEV-04.1H','DEV-04.1H','The CSP shall ensure that production environments are physically or logically separated from development, test or pre-production environments','High', 'ORGANIZATIONAL' ,82),
+(714,'DEV-04.2H','DEV-04.2H','CSC data contained in the production environments shall not be used in development, test or pre-production environments in order not to compromise their confidentiality.','High', 'ORGANIZATIONAL' ,82),
+(715,'DEV-04.3H','DEV-04.3H','The CSP shall not reuse the cryptographic secret and private keys and other secrets used in the production environments with other non-production environments. Such reuse of the materials shall be documented.','High', 'ORGANIZATIONAL' ,82),
+(716,'DEV-04.4H','DEV-04.4H','When non-production environments are exposed through public networks, security requirements shall be equivalent to those defined for production environment.','High', 'ORGANIZATIONAL' ,82),
+(717,'DEV-05.1B','DEV-05.1B','The CSP shall define and implement according to ISP-02 specific procedures for the development of security features that implement technical mechanisms or safeguards required by the EUCS, with increased testing requirements.','Basic', 'ORGANIZATIONAL' ,83),
+(718,'DEV-05.1S','DEV-05.1S','The CSP shall define and implement according to ISP-02 specific procedures for the development of security features that implement technical mechanisms or safeguards required by the EUCS, with increased testing requirements.','Substantial', 'ORGANIZATIONAL' ,83),
+(719,'DEV-05.2S','DEV-05.2S','Design documentation for security features shall include a specification of expected inputs, outputs and possible errors, as well as a security analysis of the adequacy and planned effectiveness of the feature','Substantial', 'ORGANIZATIONAL' ,83),
+(720,'DEV-05.3S','DEV-05.3S','The tests of the security features shall provide full coverage of the specification, including all specified error conditions.','Substantial', 'ORGANIZATIONAL' ,83),
+(721,'DEV-05.4S','DEV-05.4S','The documentation of the tests for security features shall include at least a description of the test, the initial conditions, the expected outcome and instructions for running the test.','Substantial', 'ORGANIZATIONAL' ,83),
+(722,'DEV-05.1H','DEV-05.1H','The CSP shall define and implement according to ISP-02 specific procedures for the development of security features that implement technical mechanisms or safeguards required by the EUCS, with increased testing requirements.','High', 'ORGANIZATIONAL' ,83),
+(723,'DEV-05.2H','DEV-05.2H','Design documentation for security features shall include a specification of expected inputs, outputs and possible errors, as well as a security analysis of the adequacy and planned effectiveness of the feature','High', 'ORGANIZATIONAL' ,83),
+(724,'DEV-05.3H','DEV-05.3H','The tests of the security features shall provide full coverage of the specification, including all specified error conditions.','High', 'ORGANIZATIONAL' ,83),
+(725,'DEV-05.4H','DEV-05.4H','The documentation of the tests for security features shall include at least a description of the test, the initial conditions, the expected outcome and instructions for running the test.','High', 'ORGANIZATIONAL' ,83),
+(726,'DEV-05.5H','DEV-05.5H','The documentation of the tests shall include a demonstration of the coverage of the source code, including branch coverage for security-critical code.','High', 'ORGANIZATIONAL' ,83),
+(727,'DEV-06.1B','DEV-06.1B','The CSP shall apply appropriate measures to check the cloud service for vulnerabilities that may have been integrated into the cloud service during the development process.','Basic', 'ORGANIZATIONAL' ,84),
+(728,'DEV-06.2B','DEV-06.2B','The procedures for identifying vulnerabilities shall be integrated in the development process.','Basic', 'ORGANIZATIONAL' ,84),
+(729,'DEV-06.1S','DEV-06.1S','The CSP shall apply appropriate measures to check the cloud service for vulnerabilities that may have been integrated into the cloud service during the development process.','Substantial', 'ORGANIZATIONAL' ,84),
+(730,'DEV-06.2S','DEV-06.2S','The procedures for identifying vulnerabilities shall be integrated in the development process, and they shall include the following activities, depending on the risk assessment:
+(1) Static Application Security Testing;
+(2) Dynamic Application Security Testing;
+(3) Code reviews by subject matter experts; and
+(4) Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service.','Substantial', 'ORGANIZATIONAL' ,84),
+(731,'DEV-06.3S','DEV-06.3S','The CSP shall assess the severity of identified vulnerabilities according to the criteria defined in OPS-17 and measures are taken to immediately eliminate or mitigate them.','Substantial', 'ORGANIZATIONAL' ,84),
+(732,'DEV-06.1H','DEV-06.1H','The CSP shall apply appropriate measures to check the cloud service for vulnerabilities that may have been integrated into the cloud service during the development process.','High', 'ORGANIZATIONAL' ,84),
+(733,'DEV-06.2H','DEV-06.2H','The procedures for identifying vulnerabilities shall be integrated in the development process, and they shall include the following activities, depending on the risk assessment:
+(1) Static Application Security Testing;
+(2) Dynamic Application Security Testing;
+(3) Code reviews and security penetration tests by subject matter experts, as part of the annual programme defined in OPS-19 and prior to making new features available in the production environment; and 
+(4) Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service.','High', 'ORGANIZATIONAL' ,84),
+(734,'DEV-06.3H','DEV-06.3H','The CSP shall assess the severity of identified vulnerabilities according to the criteria defined in OPS-17 and measures are taken to immediately eliminate or mitigate them.','High', 'ORGANIZATIONAL' ,84),
+(735,'DEV-07.1B','DEV-07.1B','When outsourcing development of the cloud service or components thereof to a contractor, the CSP and the contractor shall contractually agree on specifications regarding at least the following aspects:
+(1) Security in software development (requirements, design, implementation, tests and verifications) in accordance with published standards and established methods;
+(2) Acceptance testing of the quality of the services provided in accordance with the agreed functional and nonfunctional requirements; and
+(3) Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities.','Basic', 'ORGANIZATIONAL' ,85),
+(736,'DEV-07.1S','DEV-07.1S','When outsourcing development of the cloud service or components thereof to a contractor, the CSP and the contractor shall contractually agree on specifications regarding at least the following aspects:
+(1) Security in software development (requirements, design, implementation, tests and verifications) in accordance with published standards and established methods;
+(2) Acceptance testing of the quality of the services provided in accordance with the agreed functional and nonfunctional requirements; and
+(3) Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,85),
+(737,'DEV-07.2S','DEV-07.2S','Before subcontracting the development of the cloud service or components thereof, the CSP shall conduct a risk assessment according to RM-01 that considers at least the following aspects:
+(1) Management of source code by the subcontractor;
+(2) Availability of source code to the CSP;
+(3) Human resource procedures implemented by the subcontractor; and
+(4) Required access to the CSP’s development, test and preproduction environments;
+(5) Security procedures related to the management of the subcontractor’s supply chain.','Substantial', 'ORGANIZATIONAL' ,85),
+(738,'DEV-07.1H','DEV-07.1H','When outsourcing development of the cloud service or components thereof to a contractor, the CSP and the contractor shall contractually agree on specifications regarding at least the following aspects:
+(1) Security in software development (requirements, design, implementation, tests and verifications) in accordance with published standards and established methods;
+(2) Acceptance testing of the quality of the services provided in accordance with the agreed functional and nonfunctional requirements; and
+(3) Providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities.','High', 'ORGANIZATIONAL' ,85),
+(739,'DEV-07.2H','DEV-07.2H','Before subcontracting the development of the cloud service or components thereof, the CSP shall conduct a risk assessment according to RM-01 that considers at least the following aspects:
+(1) Management of source code by the subcontractor;
+(2) Availability of source code to the CSP;
+(3) Human resource procedures implemented by the subcontractor; and
+(4) Required access to the CSP’s development, test and preproduction environments;
+(5) Security procedures related to the management of the subcontractor’s supply chain.','High', 'ORGANIZATIONAL' ,85),
+(740,'DEV-07.3H','DEV-07.3H','The CSP shall document and implement a procedure that makes it possible to supervise and control the outsourced development activity, in order to ensure that the outsourced development activity is compliant with the secure development policy of the CSP and makes it possible to achieve a level of security of the external development that matches that of internal development.','High', 'ORGANIZATIONAL' ,85),
+(741,'DEV-07.4H','DEV-07.4H','Employees of the CSP shall run the tests that are relevant for the deployment decision when a change includes the result of outsourced development.','High', 'ORGANIZATIONAL' ,85),
+(742,'DEV-08.1S','DEV-08.1S','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement a policy according to ISP-02 that does not allow such a component to exchange directly with its supplier.','Substantial', 'ORGANIZATIONAL' ,86),
+(743,'DEV-08.2S','DEV-08.2S','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement procedures according to ISP-02 to authorize any content provided by the supplier for its functional components before transferring the content to the functional components.','Substantial', 'ORGANIZATIONAL' ,86),
+(744,'DEV-08.3S','DEV-08.3S','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement procedures according to ISP-02 to authorize any content to be sent from a functional component to its supplier before transferring the content to the supplier.','Substantial', 'ORGANIZATIONAL' ,86),
+(745,'DEV-08.4S','DEV-08.4S','When a procedure to authorize content is automated, then the CSP shall implement this procedure using a solution that keeps traces of the operations proposed by the suppliers, of the verification performed to authorize the content and of the incoming and outgoing transfers effectively performed.','Substantial', 'ORGANIZATIONAL' ,86),
+(746,'DEV-08.1H','DEV-08.1H','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement a policy according to ISP-02 that does not allow such a component to exchange directly with its supplier.','High', 'ORGANIZATIONAL' ,86),
+(747,'DEV-08.2H','DEV-08.2H','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement procedures according to ISP-02 to authorize any content provided by the supplier for its functional components before transferring the content to the functional components.','High', 'ORGANIZATIONAL' ,86),
+(748,'DEV-08.3H','DEV-08.3H','When a functional component is used in the provision of the cloud service, and may have access, directly or indirectly, to CSC data, the CSP shall define and implement procedures according to ISP-02 to authorize any content to be sent from a functional component to its supplier before transferring the content to the supplier.','High', 'ORGANIZATIONAL' ,86),
+(749,'DEV-08.4H','DEV-08.4H','When a procedure to authorize content is automated, then the CSP shall implement this procedure using a solution that keeps traces of the operations proposed by the suppliers, of the verification performed to authorize the content and of the incoming and outgoing transfers effectively performed.','High', 'ORGANIZATIONAL' ,86),
+
+(750,'PM-01.1B','PM-01.1B','The CSP shall define and implement policies and procedures according to ISP-02 for controlling and monitoring third-parties whose products or services contribute to the provision of the cloud service.','Basic', 'ORGANIZATIONAL' ,87),
+(751,'PM-01.1S','PM-01.1S','The CSP shall define and implement policies and procedures according to ISP-02 for controlling and monitoring third-parties whose products or services contribute to the provision of the cloud service, covering at least the following aspects:
+(1) Requirements for the assessment of risks resulting from the procurement of third-party products and services;
+(2) Requirements for the classification of third-parties based on the risk assessment by the CSP;
+(3) Information security requirements for the processing, storage, or transmission of information by third parties based on recognized industry standards;
+(4) Information security awareness and training requirements for third-party staff;
+(5) Applicable legal and regulatory requirements;
+(6) Requirements for dealing with vulnerabilities, security incidents, and malfunctions;
+(7) Specifications for the contractual agreement of these requirements;
+(8) Specifications for the monitoring of these requirements; and
+(9) Specifications for applying these requirements also to service providers used by the third-parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service.','Substantial', 'ORGANIZATIONAL' ,87),
+(752,'PM-01.1H','PM-01.1H','The CSP shall define and implement policies and procedures according to ISP-02 for controlling and monitoring third-parties whose products or services contribute to the provision of the cloud service, covering at least the following aspects:
+(1) Requirements for the assessment of risks resulting from the procurement of third-party products and services;
+(2) Requirements for the classification of third-parties based on the risk assessment by the CSP;
+(3) Information security requirements for the processing, storage, or transmission of information by third parties based on recognized industry standards;
+(4) Information security awareness and training requirements for third-party staff;
+(5) Applicable legal and regulatory requirements;
+(6) Requirements for dealing with vulnerabilities, security incidents, and malfunctions;
+(7) Specifications for the contractual agreement of these requirements;
+(8) Specifications for the monitoring of these requirements; and
+(9) Specifications for applying these requirements also to service providers used by the third-parties, insofar as the services provided by these service providers also contribute to the provision of the cloud service.','High', 'ORGANIZATIONAL' ,87),
+(753,'PM-01.2H','PM-01.2H','The CSP shall contractually require its subservice providers to provide regular assurance information by independent auditors or CABs on the suitability of the design and operating effectiveness of their service-related internal control system with respect to the EUCS requirements.','High', 'ORGANIZATIONAL' ,87),
+(754,'PM-01.3H','PM-01.3H','The assurance information shall include the complementary subservice organisation controls that are required, together with the controls of the CSP, to meet the applicable EUCS requirements with reasonable assurance.','High', 'ORGANIZATIONAL' ,87),
+(755,'PM-01.4H','PM-01.4H','In case the subservice providers are not able to provide an EUCS compliance assurance information, the CSP shall reserve the right to audit them to assess the suitability and effectiveness of the service-related internal and complementary controls by qualified personnel.','High', 'ORGANIZATIONAL' ,87),
+(756,'PM-02.1B','PM-02.1B','The CSP shall perform a risk assessment of its suppliers in accordance with the policies and procedures for the control and monitoring of third parties before they start contributing to the provision of the cloud service.','Basic', 'ORGANIZATIONAL' ,88),
+(757,'PM-02.2B','PM-02.2B','Following the risk assessment of a subservice provider, the CSP shall define for every applicable EUCS requirement a list of Complementary Subservice Organization Controls (CSOC) to be implemented by the subservice provider','Basic', 'ORGANIZATIONAL' ,88),
+(758,'PM-02.3B','PM-02.3B','The CSP shall ensure that the subservice provider has implemented the CSOCs, and that the subservice provider has made available to the CSP assurance information supporting the assessment of their suitability for the targeted evaluation level.','Basic', 'ORGANIZATIONAL' ,88),
+(759,'PM-02.4B','PM-02.4B','The adequacy of the risk assessment and of the definition of CSOCs shall be reviewed regularly, at least annually','Basic', 'ORGANIZATIONAL' ,88),
+(760,'PM-02.1S','PM-02.1S','The CSP shall perform a risk assessment of its suppliers in accordance with the policies and procedures for the control and monitoring of third-parties before they start contributing to the provision of the cloud service, including the identification, analysis, evaluation, handling, and documentation of risks concerning the following aspects:
+(1) Protection needs regarding the confidentiality, integrity, availability, and authenticity of information processed, stored, or transmitted by the third-party;
+(2) Impact of a protection breach on the provision of the cloud service;
+(3) The CSP''s dependence on the supplier or service provider for the scope, complexity, and uniqueness of the purchased product or service, including the consideration of possible alternatives.','Substantial', 'ORGANIZATIONAL' ,88),
+(761,'PM-02.2S','PM-02.2S','Following the risk assessment of a subservice provider, the CSP shall define for every applicable EUCS requirement a list of Complementary Subservice Organization Controls (CSOC) to be implemented by the subservice provider','Substantial', 'ORGANIZATIONAL' ,88),
+(762,'PM-02.3S','PM-02.3S','The CSP shall ensure that the subservice provider has implemented the CSOCs, and that the subservice provider has made available to the CSP assurance information supporting the assessment of their suitability and operating effectiveness for the targeted evaluation level.','Substantial', 'ORGANIZATIONAL' ,88),
+(763,'PM-02.4S','PM-02.4S','The adequacy of the risk assessment and of the definition of CSOCs shall be reviewed regularly, at least annually','Substantial', 'ORGANIZATIONAL' ,88),
+(764,'PM-02.1H','PM-02.1H','The CSP shall perform a risk assessment of its suppliers in accordance with the policies and procedures for the control and monitoring of third-parties before they start contributing to the provision of the cloud service, including the identification, analysis, evaluation, handling, and documentation of risks concerning the following aspects:
+(1) Protection needs regarding the confidentiality, integrity, availability, and authenticity of information processed, stored, or transmitted by the third-party;
+(2) Impact of a protection breach on the provision of the cloud service;
+(3) The CSP''s dependence on the supplier or service provider for the scope, complexity, and uniqueness of the purchased product or service, including the consideration of possible alternatives.','High', 'ORGANIZATIONAL' ,88),
+(765,'PM-02.2H','PM-02.2H','Following the risk assessment of a subservice provider, the CSP shall define for every applicable EUCS requirement a list of Complementary Subservice Organization Controls (CSOC) to be implemented by the subservice provider','High', 'ORGANIZATIONAL' ,88),
+(766,'PM-02.3H','PM-02.3H','The CSP shall ensure that the subservice provider has implemented the CSOCs, and that the subservice provider has made available to the CSP assurance information supporting the assessment of their suitability and operating effectiveness for the targeted evaluation level.','High', 'ORGANIZATIONAL' ,88),
+(767,'PM-02.4H','PM-02.4H','The adequacy of the risk assessment and of the definition of CSOCs shall be reviewed regularly, at least annually','High', 'ORGANIZATIONAL' ,88),
+(768,'PM-02.5H','PM-02.5H','When the CSP relies on products from a supplier to operate the cloud service, the CSP shall not allow this supplier to access any CSC data, cloud service derived data or CSC account data, unless they:
+(1)perform a risk assessment according to RM-01 on the possible exposure of CSC data, cloud service derived data or CSC account data;
+(2) inform their CSCs of these possible accesses in contractual documentation;
+(3) ensure that all operations requiring access to CSC data, cloud service derived data or CSC account data are performed or supervised by an employee who has passed an appropriate assessment (cf. HR-02.1H).','High', 'ORGANIZATIONAL' ,88),
+(769,'PM-03.1B','PM-03.1B','The CSP shall maintain a directory for controlling and monitoring the suppliers who contribute to the delivery of the cloud service.','Basic', 'ORGANIZATIONAL' ,89),
+(770,'PM-03.2B','PM-03.2B','The CSP shall verify the directory for completeness, accuracy and validity at least annually.','Basic', 'ORGANIZATIONAL' ,89),
+(771,'PM-03.1S','PM-03.1S','The CSP shall maintain a directory for controlling and monitoring the suppliers who contribute to the delivery of the cloud service, containing at least the following information:
+(1) Company name;
+(2) Address;
+(3) Locations of data processing and storage;
+(4) Responsible contact person at the supplier;
+(5) Responsible contact person at the CSP;
+(6) Description of the product or service;
+(7) Classification based on the risk assessment;
+(8) Beginning of service usage; and
+(9) Proof of compliance with contractually agreed requirements.','Substantial', 'ORGANIZATIONAL' ,89),
+(772,'PM-03.2S','PM-03.2S','The CSP shall verify the directory for completeness, accuracy and validity at least annually.','Substantial', 'ORGANIZATIONAL' ,89),
+(773,'PM-03.1H','PM-03.1H','The CSP shall maintain a directory for controlling and monitoring the suppliers who contribute to the delivery of the cloud service, containing at least the following information:
+(1) Company name;
+(2) Address;
+(3) Locations of data processing and storage;
+(4) Responsible contact person at the supplier;
+(5) Responsible contact person at the CSP;
+(6) Description of the product or service;
+(7) Classification based on the risk assessment;
+(8) Beginning of service usage; and
+(9) Proof of compliance with contractually agreed requirements.','High', 'ORGANIZATIONAL' ,89),
+(774,'PM-03.2H','PM-03.2H','The CSP shall verify the directory for completeness, accuracy and validity at least annually.','High', 'ORGANIZATIONAL' ,89),
+(775,'PM-04.1B','PM-04.1B','The CSP shall monitor the compliance of its suppliers with information security requirements and applicable legal and regulatory requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties.','Basic', 'ORGANIZATIONAL' ,90),
+(776,'PM-04.2B','PM-04.2B','The CSP shall monitor the compliance of its subservice providers with the CSOCs applicable to them following the risk assessment (cf. PM-02).','Basic', 'ORGANIZATIONAL' ,90),
+(777,'PM-04.3B','PM-04.3B','The frequency of the monitoring shall correspond to the classification of the third party based on the risk assessment conducted by the CSP (cf. PM-02), and the results of the monitoring shall be considered in the review of the third party’s risk assessment.','Basic', 'ORGANIZATIONAL' ,90),
+(778,'PM-04.4B','PM-04.4B','Identified violations and deviations shall be analysed, evaluated and treated in accordance with the risk management procedure (cf. RM-01).','Basic', 'ORGANIZATIONAL' ,90),
+(779,'PM-04.5B','PM-04.5B','When a change in a third-party contributing to the provision of the cloud service affects its level of security, the CSP shall inform all of its CSCs without undue delay.','Basic', 'ORGANIZATIONAL' ,90),
+(780,'PM-04.1S','PM-04.1S','The CSP shall monitor the compliance of its suppliers with information security requirements and applicable legal and regulatory requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties, including at least a regular review of the following assurance information, as provided by suppliers under contractual agreements:
+(1) Reports on the quality of the service provided;
+(2) Certificates of the management systems'' compliance with international standards;
+(3) Independent third-party reports on the suitability and operating effectiveness of their service related internal control systems; and
+(4) Records of the third-parties on the handling of vulnerabilities, security incidents and malfunctions.','Substantial', 'ORGANIZATIONAL' ,90),
+(781,'PM-04.2S','PM-04.2S','The CSP shall monitor the compliance of its subservice providers with the CSOCs applicable to them following the risk assessment (cf. PM-02).','Substantial', 'ORGANIZATIONAL' ,90),
+(782,'PM-04.3S','PM-04.3S','The frequency of the monitoring shall correspond to the classification of the third party based on the risk assessment conducted by the CSP (cf. PM-02), and the results of the monitoring shall be considered in the review of the third party’s risk assessment.','Substantial', 'ORGANIZATIONAL' ,90),
+(783,'PM-04.4S','PM-04.4S','Identified violations and deviations shall be analysed, evaluated and treated in accordance with the risk management procedure (cf. RM-01).','Substantial', 'ORGANIZATIONAL' ,90),
+(784,'PM-04.5S','PM-04.5S','When a change in a third-party contributing to the provision of the cloud service affects its level of security, the CSP shall inform all of its CSCs without undue delay.','Substantial', 'ORGANIZATIONAL' ,90),
+(785,'PM-04.6S','PM-04.6S','The CSP shall document and implement a procedure to review, at least once a year, non disclosure or confidentiality requirements regarding suppliers contributing to the provision of the cloud service.','Substantial', 'ORGANIZATIONAL' ,90),
+(786,'PM-04.1H','PM-04.1H','The CSP shall monitor the compliance of its suppliers with information security requirements and applicable legal and regulatory requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties, including at least a regular review of the following assurance information, as provided by suppliers under contractual agreements:
+(1) Reports on the quality of the service provided;
+(2) Certificates of the management systems'' compliance with international standards;
+(3) Independent third-party reports on the suitability and operating effectiveness of their service related internal control systems; and
+(4) Records of the third-parties on the handling of vulnerabilities, security incidents and malfunctions.','High', 'ORGANIZATIONAL' ,90),
+(787,'PM-04.2H','PM-04.2H','The CSP shall monitor the compliance of its subservice providers with the CSOCs applicable to them following the risk assessment (cf. PM-02).','High', 'ORGANIZATIONAL' ,90),
+(788,'PM-04.3H','PM-04.3H','The frequency of the monitoring shall correspond to the classification of the third party based on the risk assessment conducted by the CSP (cf. PM-02), and the results of the monitoring shall be considered in the review of the third party’s risk assessment.','High', 'ORGANIZATIONAL' ,90),
+(789,'PM-04.4H','PM-04.4H','Identified violations and deviations shall be analysed, evaluated and treated in accordance with the risk management procedure (cf. RM-01).','High', 'ORGANIZATIONAL' ,90),
+(790,'PM-04.5H','PM-04.5H','When a change in a third-party contributing to the provision of the cloud service affects its level of security, the CSP shall inform all of its CSCs without undue delay.','High', 'ORGANIZATIONAL' ,90),
+(791,'PM-04.6H','PM-04.6H','The CSP shall document and implement a procedure to review, at least once a year, non disclosure or confidentiality requirements regarding suppliers contributing to the provision of the cloud service.','High', 'ORGANIZATIONAL' ,90),
+(792,'PM-04.7H','PM-04.7H','The CSP shall supplement procedures for monitoring compliance with automatic monitoring, by leveraging automatic procedures, when possible, relating to the following aspects:
+(1) Configuration of system components;
+(2) Performance and availability of system components;
+(3) Response time to malfunctions and security incidents; and
+(4) Recovery time (time until completion of error handling).','High', 'ORGANIZATIONAL' ,90),
+(793,'PM-04.8H','PM-04.8H','The CSP shall automatically monitor Identified violations and discrepancies, and these shall be automatically reported to the responsible personnel or system components of the CSP for prompt assessment and action.','High', 'ORGANIZATIONAL' ,90),
+(794,'PM-05.1B','PM-05.1B','The CSP shall define exit strategies for the purchase of products or services where the risk assessment of the suppliers identified a very high dependency.','Basic', 'ORGANIZATIONAL' ,91),
+(795,'PM-05.1S','PM-05.1S','The CSP shall define exit strategies for the purchase of products or services where the risk assessment of the suppliers identified a very high dependency, which shall be aligned with operational continuity plans and include the following aspects:
+(1) Analysis of the potential costs, impacts, resources, and timing of the transition of a purchased service to an alternative service provider or supplier;
+(2) Definition and allocation of roles, responsibilities, and sufficient resources to perform the activities for a transition;
+(3) Definition of success criteria for the transition;
+(4) Definition of indicators for product or service performance monitoring, which should trigger the
+withdrawal from the product or service if the results are unacceptable.','Substantial', 'ORGANIZATIONAL' ,91),
+(796,'PM-05.1H','PM-05.1H','The CSP shall define exit strategies for the purchase of products or services where the risk assessment of the suppliers identified a very high dependency, which shall be aligned with operational continuity plans and include the following aspects:
+(1) Analysis of the potential costs, impacts, resources, and timing of the transition of a purchased service to an alternative service provider or supplier;
+(2) Definition and allocation of roles, responsibilities, and sufficient resources to perform the activities for a transition;
+(3) Definition of success criteria for the transition;
+(4) Definition of indicators for product or service performance monitoring, which should trigger the withdrawal from the product or service if the results are unacceptable.','High', 'ORGANIZATIONAL' ,91),
+(797,'PM-05.2H','PM-05.2H','When the CSP relies for the provision of the cloud service on products or services from a supplier for which the CSP has identified a very high dependency (cf. PM-05.1H), then in case of contract termination, the CSP shall be guaranteed contractually by its supplier the ability to maintain the operation of its cloud service under normal conditions for a specified period of time, and the CSP shall indicate this period of time in contractual agreements with CSCs.','High', 'ORGANIZATIONAL' ,91),
+
+(798,'IM-01.1B','IM-01.1B','The CSP shall define and implement policies and procedures according to ISP-02 containing technical and organisational safeguards to ensure a fast, effective and proper response to all known security incidents, including:
+(1) Guidelines for the classification, prioritization, and escalation of security incidents;
+(2) Description of interfaces for incident management and business continuity management.','Basic', 'ORGANIZATIONAL' ,92),
+(799,'IM-01.2B','IM-01.2B','The CSP shall establish a point of contact, which contributes to the coordinated resolution of security incidents.','Basic', 'ORGANIZATIONAL' ,92),
+(800,'IM-01.1S','IM-01.1S','The CSP shall define and implement policies and procedures according to ISP-02 containing technical and organisational safeguards to ensure a fast, effective and proper response to all known security incidents, including:
+(1) Guidelines for the classification, prioritization, and escalation of security incidents;
+(2) Description of interfaces for incident management and business continuity management.
+(3) Procedures as to how the data of a potentially impacted system can be collected in a conclusive manner in the event of a security incident.','Substantial', 'ORGANIZATIONAL' ,92),
+(801,'IM-01.2S','IM-01.2S','The CSP shall establish a Cyber Security Incident Response Team (CSIRT), which contributes to the coordinated resolution of security incidents.','Substantial', 'ORGANIZATIONAL' ,92),
+(802,'IM-01.3S','IM-01.3S','The CSP shall inform the CSCs affected by security incidents in a timely and appropriate manner.','Substantial', 'ORGANIZATIONAL' ,92),
+(803,'IM-01.1H','IM-01.1H','The CSP shall define and implement policies and procedures according to ISP-02 containing technical and organisational safeguards to ensure a fast, effective and proper response to all known security incidents, including:
+(1) Guidelines for the classification, prioritization, and escalation of security incidents;
+(2) Description of interfaces for incident management and business continuity management.
+(3) Procedures as to how the data of a potentially impacted system can be collected in a conclusive manner in the event of a security incident;
+(4) Analysis plans for typical security incidents;
+(5) An evaluation methodology so that the collected information does not lose its evidential value in any subsequent legal assessment;
+(6) Provisions for the regular testing of the incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential deficiencies.','High', 'ORGANIZATIONAL' ,92),
+(804,'IM-01.2H','IM-01.2H','The CSP shall establish a Cyber Security Incident Response Team (CSIRT), which contributes to the coordinated resolution of security incidents.','High', 'ORGANIZATIONAL' ,92),
+(805,'IM-01.3H','IM-01.3H','The CSP shall inform the customers affected by security incidents in a timely and appropriate manner.','High', 'ORGANIZATIONAL' ,92),
+(806,'IM-02.1B','IM-02.1B','The CSP shall classify and prioritize security events that could constitute a security incident, and perform root-cause analyses for these events, using their subject matter experts and external security providers where appropriate.','Basic', 'ORGANIZATIONAL' ,93),
+(807,'IM-02.1S','IM-02.1S','The CSP shall classify and prioritize security events that could constitute a security incident, and perform root-cause analyses for these events, using their subject matter experts and external security providers where appropriate.','Substantial', 'ORGANIZATIONAL' ,93),
+(808,'IM-02.2S','IM-02.2S','The CSP shall maintain a catalogue that clearly identifies the security incidents that affect CSC data, and use that catalogue to classify security incidents.','Substantial', 'ORGANIZATIONAL' ,93),
+(809,'IM-02.3S','IM-02.3S','The incident classification mechanism shall include provisions to correlate events. In addition, these correlated events shall themselves be assessed and classified according to their criticality.','Substantial', 'ORGANIZATIONAL' ,93),
+(810,'IM-02.1H','IM-02.1H','The CSP shall classify and prioritize security events that could constitute a security incident, and perform root-cause analyses for these events, using their subject matter experts and external security providers where appropriate.','High', 'ORGANIZATIONAL' ,93),
+(811,'IM-02.2H','IM-02.2H','The CSP shall maintain a catalogue that clearly identifies the security incidents that affect CSC data, and use that catalogue to classify security incidents.','High', 'ORGANIZATIONAL' ,93),
+(812,'IM-02.3H','IM-02.3H','The incident classification mechanism shall include provisions to correlate events. In addition, these correlated events shall themselves be assessed and classified according to their criticality.','High', 'ORGANIZATIONAL' ,93),
+(813,'IM-02.4H','IM-02.4H','The CSP shall simulate the identification, analysis, and defence of security incidents and attacks at least once a year through appropriate tests and exercises.','High', 'ORGANIZATIONAL' ,93),
+(814,'IM-02.5H','IM-02.5H','The CSP shall automatically monitor the processing of security incidents to verify the application of incident management policies and procedures.','High', 'ORGANIZATIONAL' ,94),
+(815,'IM-03.1B','IM-03.1B','The CSP shall document the implemented measures after a security incident has been processed and, in accordance with contractual agreements between CSC and CSP, information shall be made available to the affected CSCs for final acknowledgment or, if applicable, as confirmation.','Basic', 'ORGANIZATIONAL' ,94),
+(816,'IM-03.2B','IM-03.2B','The CSP shall make information on security incidents or confirmed security breaches available to all affected CSCs.','Basic', 'ORGANIZATIONAL' ,94),
+(817,'IM-03.1S','IM-03.1S','The CSP shall document the implemented measures after a security incident has been processed and, following the contractual agreements, the document shall be sent to the affected customers for final acknowledgment or, if applicable, as confirmation.','Substantial', 'ORGANIZATIONAL' ,94),
+(818,'IM-03.2S','IM-03.2S','The CSP shall make information on security incidents or confirmed security breaches available to all affected customers.','Substantial', 'ORGANIZATIONAL' ,94),
+(819,'IM-03.1H','IM-03.1H','The CSP shall document the implemented measures after a security incident has been processed and, following the contractual agreements, the document shall be sent to the affected customers for final acknowledgment or, if applicable, as confirmation.','High', 'ORGANIZATIONAL' ,94),
+(820,'IM-03.2H','IM-03.2H','The CSP shall make information on security incidents or confirmed security breaches available to all affected customers.','High', 'ORGANIZATIONAL' ,94),
+(821,'IM-04.1B','IM-04.1B','The CSP shall inform employees and external business partners of their contractual obligations to report all security events that become known to them and are directly related to the cloud service','Basic', 'ORGANIZATIONAL' ,95),
+(822,'IM-04.2B','IM-04.2B','The CSP shall not take any negative action against those who report in good faith events that do not subsequently turn out to be incidents, and shall make that policy known as part of its communication to employees and external business partners','Basic', 'ORGANIZATIONAL' ,95),
+(823,'IM-04.3B','IM-04.3B','The CSP shall define, publish and implement a single point of contact to report security events and vulnerabilities.','Basic', 'ORGANIZATIONAL' ,95),
+(824,'IM-04.1S','IM-04.1S','The CSP shall inform employees and external business partners of their contractual obligations to report all security events that become known to them and are directly related to the cloud service','Substantial', 'ORGANIZATIONAL' ,95),
+(825,'IM-04.2S','IM-04.2S','The CSP shall not take any negative action against those who report in good faith events that do not subsequently turn out to be incidents, and shall make that policy known as part of its communication to employees and external business partners','Substantial', 'ORGANIZATIONAL' ,95),
+(826,'IM-04.3S','IM-04.3S','The CSP shall define, publish and implement a single point of contact to report security events and vulnerabilities.','Substantial', 'ORGANIZATIONAL' ,95),
+(827,'IM-04.1H','IM-04.1H','The CSP shall inform employees and external business partners of their contractual obligations to report all security events that become known to them and are directly related to the cloud service','High', 'ORGANIZATIONAL' ,95),
+(828,'IM-04.2H','IM-04.2H','The CSP shall not take any negative action against those who report in good faith events that do not subsequently turn out to be incidents, and shall make that policy known as part of its communication to employees and external business partners','High', 'ORGANIZATIONAL' ,95),
+(829,'IM-04.3H','IM-04.3H','The CSP shall define, publish and implement a single point of contact to report security events and vulnerabilities.','High', 'ORGANIZATIONAL' ,95),
+(830,'IM-05.1B','IM-05.1B','The CSP shall periodically inform its CSCs on the status of the security incidents affecting the CSC, or, where appropriate and necessary, involve them in the resolution, according to the contractual agreements','Basic', 'ORGANIZATIONAL' ,96),
+(831,'IM-05.2B','IM-05.2B','As soon as a security incident has been closed, the CSP shall inform the affected CSCs about the actions taken, according to the contractual agreements.','Basic', 'ORGANIZATIONAL' ,96),
+(832,'IM-05.1S','IM-05.1S','The CSP shall periodically inform its CSCs on the status of the security incidents affecting the CSC, or, where appropriate and necessary, involve them in the resolution, according to the contractual agreements','Substantial', 'ORGANIZATIONAL' ,96),
+(833,'IM-05.2S','IM-05.2S','As soon as a security incident has been closed, the CSP shall inform the affected CSCs about the actions taken, according to the contractual agreements.','Substantial', 'ORGANIZATIONAL' ,96),
+(834,'IM-05.1H','IM-05.1H','The CSP shall periodically inform its CSCs on the status of the security incidents affecting the CSC, or, where appropriate and necessary, involve them in the resolution, according to the contractual agreements','High', 'ORGANIZATIONAL' ,96),
+(835,'IM-05.2H','IM-05.2H','As soon as a security incident has been closed, the CSP shall inform the affected CSCs about the actions taken, according to the contractual agreements.','High', 'ORGANIZATIONAL' ,96),
+(836,'IM-05.3H','IM-05.3H','The CSP shall define procedures, to be described in CSC’s contractual agreements, defining and describing the involvement of the CSC in the approval of a solution to an incident’s root cause over a specified period.','High', 'ORGANIZATIONAL' ,96),
+(837,'IM-06.1B','IM-06.1B','The CSP shall perform an analysis of security incidents to identify recurrent or significant security events or incidents and to identify the need for further protection, if needed with the support of external bodies.','Basic', 'ORGANIZATIONAL' ,97),
+(838,'IM-06.2B','IM-06.2B','If the CSP determines the need for external assistance, it shall select a competent and trustworthy incident response service provider or one that is recommended by its NCCA.','Basic', 'ORGANIZATIONAL' ,97),
+(839,'IM-06.1S','IM-06.1S','The CSP shall perform an analysis of security incidents to identify recurrent or significant security events or incidents and to identify the need for further protection, if needed with the support of external bodies.','Substantial', 'ORGANIZATIONAL' ,97),
+(840,'IM-06.2S','IM-06.2S','If the CSP determines the need for external assistance, it shall select a competent and trustworthy incident response service provider or one that is recommended by its NCCA.','Substantial', 'ORGANIZATIONAL' ,97),
+(841,'IM-06.3S','IM-06.3S','The CSP shall define, implement and maintain a knowledge repository of security incidents and the measures taken to solve them, as well as information related to the assets that these security incidents affected, and the CSP shall use that information to enrich the classification catalogue of incidents (cf. IM-02).','Substantial', 'ORGANIZATIONAL' ,97),
+(842,'IM-06.4S','IM-06.4S','The intelligence gained from the incident management and gathered in the knowledge repository shall be used to identify recurring security events or incidents, or potential significant security incidents, to determine the need for advanced safeguards, and implement them.','Substantial', 'ORGANIZATIONAL' ,97),
+(843,'IM-06.1H','IM-06.1H','The CSP shall perform an analysis of security incidents to identify recurrent or significant security events or incidents and to identify the need for further protection, if needed with the support of external bodies.','High', 'ORGANIZATIONAL' ,97),
+(844,'IM-06.2H','IM-06.2H','If the CSP determines the need for external assistance, it shall select a competent and trustworthy incident response service provider or one that is recommended by its NCCA.','High', 'ORGANIZATIONAL' ,97),
+(845,'IM-06.3H','IM-06.3H','The CSP shall define, implement and maintain a knowledge repository of security incidents and the measures taken to solve them, as well as information related to the assets that these security incidents affected, and the CSP shall use that information to enrich the classification catalogue of incidents (cf. IM-02).','High', 'ORGANIZATIONAL' ,97),
+(846,'IM-06.4H','IM-06.4H','The intelligence gained from the incident management and gathered in the knowledge repository shall be used to identify recurring security events or incidents, or potential significant security incidents, to determine the need for advanced safeguards, and implement them.','High', 'ORGANIZATIONAL' ,97),
+(847,'IM-07.1B','IM-07.1B','The CSP shall document and implement a procedure to archive all documents and evidence that provide details on security incidents.','Basic', 'ORGANIZATIONAL' ,98),
+(848,'IM-07.2B','IM-07.2B','The CSP shall implement security mechanisms and processes for protecting all the information related to security incidents in accordance with criticality levels and legal requirements in effect.','Basic', 'ORGANIZATIONAL' ,98),
+(849,'IM-07.1S','IM-07.1S','The CSP shall document and implement a procedure to archive all documents and evidence that provide details on security incidents, in a way that could be used as evidence in court.','Substantial', 'ORGANIZATIONAL' ,98),
+(850,'IM-07.2S','IM-07.2S','The CSP shall implement security mechanisms and processes for protecting all the information related to security incidents in accordance with criticality levels and legal requirements in effect.','Substantial', 'ORGANIZATIONAL' ,98),
+(851,'IM-07.3S','IM-07.3S','When the CSP requires additional expertise in order to preserve the evidences and secure the chain of custody on a security incident, the CSP shall contract a qualified incident response service provider only','Substantial', 'ORGANIZATIONAL' ,98),
+(852,'IM-07.1H','IM-07.1H','The CSP shall document and implement a procedure to archive all documents and evidence that provide details on security incidents, in a way that could be used as evidence in court.','High', 'ORGANIZATIONAL' ,98),
+(853,'IM-07.2H','IM-07.2H','The CSP shall implement security mechanisms and processes for protecting all the information related to security incidents in accordance with criticality levels and legal requirements in effect.','High', 'ORGANIZATIONAL' ,98),
+(854,'IM-07.3H','IM-07.3H','When the CSP requires additional expertise in order to preserve the evidences and secure the chain of custody on a security incident, the CSP shall contract a qualified incident response service provider only','High', 'ORGANIZATIONAL' ,98),
+(855,'IM-07.4H','IM-07.4H','The CSP shall establish an integrated team of forensic/incident responder employees specifically trained on evidence preservation and chain of custody management.','High', 'ORGANIZATIONAL' ,98),
+
+(856,'BC-01.1B','BC-01.1B','The CSP shall define policies and procedures according to ISP-02 establishing the strategy and guidelines to ensure business continuity and contingency management.','Basic', 'ORGANIZATIONAL' ,99),
+(857,'BC-01.1S','BC-01.1S','The CSP shall define policies and procedures according to ISP-02 establishing the strategy and guidelines to ensure business continuity and contingency management.','Substantial', 'ORGANIZATIONAL' ,99),
+(858,'BC-01.2S','BC-01.2S','The CSP shall name (a member of) top management as the process owner of business continuity and emergency management, and responsible for establishing the process within the company following the strategy as well as ensuring compliance with the guidelines, and for ensuring that sufficient resources are made available for an effective process.','Substantial', 'ORGANIZATIONAL' ,99),
+(859,'BC-01.1H','BC-01.1H','The CSP shall define policies and procedures according to ISP-02 establishing the strategy and guidelines to ensure business continuity and contingency management.','High', 'ORGANIZATIONAL' ,99),
+(860,'BC-01.2H','BC-01.2H','The CSP shall name (a member of) top management as the process owner of business continuity and emergency management, and responsible for establishing the process within the company following the strategy as well as ensuring compliance with the guidelines, and for ensuring that sufficient resources are made available for an effective process.','High', 'ORGANIZATIONAL' ,99),
+(861,'BC-02.1B','BC-02.1B','The policies and procedures for business continuity and contingency management shall include the need to perform a business impact analysis to determine the impact of any malfunction to the cloud service or enterprise.','Basic', 'ORGANIZATIONAL' ,100),
+(862,'BC-02.1S','BC-02.1S','The policies and procedures for business continuity and contingency management shall include the need to perform a business impact analysis to determine the impact of any malfunction to the cloud service or enterprise, considering at least the following aspects:
+(1) Possible scenarios based on a risk assessment;
+(2) Identification of critical products and services;
+(3) Identification of dependencies, including processes (including resources required), applications, business partners and third-parties;
+(4) Identification of threats to critical products and services;
+(5) Identification of effects resulting from planned and unplanned malfunctions and changes over time;
+(6) Determination of the maximum acceptable duration of malfunctions;
+(7) Identification of restoration priorities;
+(8) Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO);
+(9) Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and
+(10) Estimation of the resources needed for resumption.','Substantial', 'ORGANIZATIONAL' ,100),
+(863,'BC-02.2S','BC-02.2S','The business impact analysis resulting from these policies and procedures shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.','Substantial', 'ORGANIZATIONAL' ,100),
+(864,'BC-02.1H','BC-02.1H','The policies and procedures for business continuity and contingency management shall include the need to perform a business impact analysis to determine the impact of any malfunction to the cloud service or enterprise, considering at least the following aspects:
+(1) Possible scenarios based on a risk assessment;
+(2) Identification of critical products and services;
+(3) Identification of dependencies, including processes (including resources required), applications, business partners and third-parties;
+(4) Identification of threats to critical products and services;
+(5) Identification of effects resulting from planned and unplanned malfunctions and changes over time;
+(6) Determination of the maximum acceptable duration of malfunctions;
+(7) Identification of restoration priorities;
+(8) Determination of time targets for the resumption of critical products and services within the maximum acceptable time period (RTO);
+(9) Determination of time targets for the maximum reasonable period during which data can be lost and not recovered (RPO); and
+(10) Estimation of the resources needed for resumption.','High', 'ORGANIZATIONAL' ,100),
+(865,'BC-02.2H','BC-02.2H','The business impact analysis resulting from these policies and procedures shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.','High', 'ORGANIZATIONAL' ,100),
+(866,'BC-03.1B','BC-03.1B','The CSP shall document and implement a business continuity plan and contingency plans to ensure continuity of the services, taking into account information security constraints and the results of the business impact analysis.','Basic', 'ORGANIZATIONAL' ,101),
+(867,'BC-03.1S','BC-03.1S','The CSP shall document and implement a business continuity plan and contingency plans to ensure continuity of the services, taking into account information security constraints and the results of the business impact analysis, based on industry accepted standards, and covering at least the following aspects:
+(1) Defined purpose and scope, including relevant business processes and dependencies;
+(2) Accessibility and comprehensibility of the plans for persons who are to act accordingly;
+(3) Ownership by at least one designated person responsible for review and approval;
+(4) Defined communication channels, roles and responsibilities including notification of the customers;
+(5) Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers);
+(6) List of standards being used;
+(7) Methods for putting the plans into effect;
+(8) Continuous process improvement; and
+(9) Interfaces to Security Incident Management.','Substantial', 'ORGANIZATIONAL' ,101),
+(868,'BC-03.2S','BC-03.2S','The business continuity plan shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.','Substantial', 'ORGANIZATIONAL' ,101),
+(869,'BC-03.1H','BC-03.1H','TThe CSP shall document and implement a business continuity plan and contingency plans to ensure continuity of the services, taking into account information security constraints and the results of the business impact analysis, based on industry accepted standards, and covering at least the following aspects:
+(1) Defined purpose and scope, including relevant business processes and dependencies;
+(2) Accessibility and comprehensibility of the plans for persons who are to act accordingly;
+(3) Ownership by at least one designated person responsible for review and approval;
+(4) Defined communication channels, roles and responsibilities including notification of the customers;
+(5) Recovery procedures, manual interim solutions and reference information (taking into account prioritisation in the recovery of cloud infrastructure components and services and alignment with customers);
+(6) List of standards being used;
+(7) Methods for putting the plans into effect;
+(8) Continuous process improvement; and
+(9) Interfaces to Security Incident Management.','High', 'ORGANIZATIONAL' ,101),
+(870,'BC-03.2H','BC-03.2H','The business continuity plan shall be reviewed at regular intervals, at least once a year, or after significant organisational or environment-related changes.','High', 'ORGANIZATIONAL' ,101),
+(871,'BC-04.1S','BC-04.1S','The business impact analysis, business continuity plan and contingency plans shall be tested at regular intervals (at least once a year) or after an update ','Substantial', 'ORGANIZATIONAL' ,102),
+(872,'BC-04.2S','BC-04.2S','The tests shall be documented, and the results considered to review the business continuity plan and to define future operational continuity measures','Substantial', 'ORGANIZATIONAL' ,102),
+(873,'BC-04.3S','BC-04.3S','The tests shall involve CSCs and relevant third parties, such as subservice providers and suppliers.','Substantial', 'ORGANIZATIONAL' ,102),
+(874,'BC-04.1H','BC-04.1H','The business impact analysis, business continuity plan and contingency plans shall be tested at regular intervals (at least once a year) or after an update ','High', 'ORGANIZATIONAL' ,102),
+(875,'BC-04.2H','BC-04.2H','The tests shall be documented, and the results considered to review the business continuity plan and to define future operational continuity measures','High', 'ORGANIZATIONAL' ,102),
+(876,'BC-04.3H','BC-04.3H','The tests shall involve CSCs and relevant third parties, such as subservice providers and suppliers.','High', 'ORGANIZATIONAL' ,102),
+(877,'BC-04.4H','BC-04.4H','In addition to the tests, exercises shall also be carried out, which are, among other things, based on scenarios resulting from security incidents that have already occurred in the past.','High', 'ORGANIZATIONAL' ,102),
+
+(878,'CO-01.1B','CO-01.1B','The CSP shall document the legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service.','Basic', 'ORGANIZATIONAL' ,103),
+(879,'CO-01.1S','CO-01.1S','The CSP shall document the legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service.','Substantial', 'ORGANIZATIONAL' ,103),
+(880,'CO-01.2S','CO-01.2S','The CSP shall document and implement procedures for complying to these contractual requirements.','Substantial', 'ORGANIZATIONAL' ,103),
+(881,'CO-01.1H','CO-01.1H','The CSP shall document the legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service.','High', 'ORGANIZATIONAL' ,103),
+(882,'CO-01.2H','CO-01.2H','The CSP shall document and implement procedures for complying to these contractual requirements.','High', 'ORGANIZATIONAL' ,103),
+(883,'CO-01.3H','CO-01.3H','The CSP shall provide these procedures when requested by a CSC.','High', 'ORGANIZATIONAL' ,103),
+(884,'CO-01.4H','CO-01.4H','The CSP shall document and implement a proactive approach for receiving up-to-date legal, regulatory and contractual requirements that affect the cloud service.','High', 'ORGANIZATIONAL' ,103),
+(885,'CO-02.1B','CO-02.1B','The CSP shall define and implement policies and procedures for planning and conducting audits, made in accordance with ISP-02 and that would not interfere with the operation of the cloud service.','Basic', 'ORGANIZATIONAL' ,104),
+(886,'CO-02.1S','CO-02.1S','The CSP shall define and implement policies and procedures for planning and conducting audits, made in accordance with ISP-02 and that would not interfere with the operation of the cloud service, addressing at least the following aspects:
+(1) Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the audit activities;
+(2) Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and
+(3) Logging and monitoring of activities.','Substantial', 'ORGANIZATIONAL' ,104),
+(887,'CO-02.2S','CO-02.2S','The CSP shall document and implement an audit programme over three years that defines the scope and the frequency of the audits in accordance with the management of change, policies, and the results of the risk assessment.','Substantial', 'ORGANIZATIONAL' ,104),
+(888,'CO-02.1H','CO-02.1H','The CSP shall define and implement policies and procedures for planning and conducting audits, made in accordance with ISP-02 and that would not interfere with the operation of the cloud service, addressing at least the following aspects:
+(1) Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the audit activities;
+(2) Activities that may result in malfunctions to the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods; and
+(3) Logging and monitoring of activities.','High', 'ORGANIZATIONAL' ,104),
+(889,'CO-02.2H','CO-02.2H','The CSP shall document and implement an audit programme over three years that defines the scope and the frequency of the audits in accordance with the management of change, policies, and the results of the risk assessment.','High', 'ORGANIZATIONAL' ,104),
+(890,'CO-02.3H','CO-02.3H','The CSP shall grant its CSCs contractually guaranteed information and define their audit rights.','High', 'ORGANIZATIONAL' ,104),
+(891,'CO-03.1B','CO-03.1B','The CSP shall perform at regular intervals and at least annually internal audits by subject matter experts to check the compliance of their internal security control system to the requirements defined in CO-01, and to the requirements of the EUCS scheme at the targeted evaluation level.','Basic', 'ORGANIZATIONAL' ,105),
+(892,'CO-03.2B','CO-03.2B','The CSP shall document specifically deviations that are nonconformities from the EUCS requirements, including an assessment of their severity, and keep track of their remediation.','Basic', 'ORGANIZATIONAL' ,105),
+(893,'CO-03.1S','CO-03.1S','The CSP shall perform at regular intervals and at least annually internal audits by subject matter experts to check the compliance of their internal security control system to the requirements defined in CO-01, and to the requirements of the EUCS scheme at the targeted evaluation level.','Substantial', 'ORGANIZATIONAL' ,105),
+(894,'CO-03.2S','CO-03.2S','The CSP shall document specifically deviations that are nonconformities from the EUCS requirements, including an assessment of their severity, and keep track of their remediation.','Substantial', 'ORGANIZATIONAL' ,105),
+(895,'CO-03.3S','CO-03.3S','Identified vulnerabilities and deviations shall be subject to risk assessment in accordance with the risk management procedure (cf. RM-01) and follow-up measures are defined and tracked (cf. OPS-17).','Substantial', 'ORGANIZATIONAL' ,105),
+(896,'CO-03.4S','CO-03.4S','The CSP shall inform CSCs who operate an certified cloud service of nonconformities relatively to EUCS requirements.','Substantial', 'ORGANIZATIONAL' ,105),
+(897,'CO-03.1H','CO-03.1H','The CSP shall perform at regular intervals and at least annually internal audits by subject matter experts to check the compliance of their internal security control system to the requirements defined in CO-01, and to the requirements of the EUCS scheme at the targeted evaluation level.','High', 'ORGANIZATIONAL' ,105),
+(898,'CO-03.2H','CO-03.2H','The CSP shall document specifically deviations that are nonconformities from the EUCS requirements, including an assessment of their severity, and keep track of their remediation.','High', 'ORGANIZATIONAL' ,105),
+(899,'CO-03.3H','CO-03.3H','Identified vulnerabilities and deviations shall be subject to risk assessment in accordance with the risk management procedure (cf. RM-01) and follow-up measures are defined and tracked (cf. OPS-17).','High', 'ORGANIZATIONAL' ,105),
+(900,'CO-03.4H','CO-03.4H','The CSP shall inform CSCs who operate an certified cloud service of nonconformities relatively to EUCS requirements.','High', 'ORGANIZATIONAL' ,105),
+(901,'CO-03.5H','CO-03.5H','Internal audits shall be supplemented by procedures to automatically monitor compliance with applicable requirements of policies and instructions.','High', 'ORGANIZATIONAL' ,105),
+(902,'CO-03.6H','CO-03.6H','The CSP shall implement automated monitoring to identify vulnerabilities and deviations, which shall be automatically reported to the appropriate CSP’s subject matter experts for immediate assessment and action.','High', 'ORGANIZATIONAL' ,105),
+(903,'CO-04.1B','CO-04.1B','The CSP shall regular inform its top management about the information security performance within the scope of the internal control system.','Basic', 'ORGANIZATIONAL' ,106),
+(904,'CO-04.1S','CO-04.1S','The CSP shall regular inform its top management about the information security performance within the scope of the internal control system.','Substantial', 'ORGANIZATIONAL' ,106),
+(905,'CO-04.2S','CO-04.2S','This information shall be included in the management review of the internal control system that is performed at least once a year.','Substantial', 'ORGANIZATIONAL' ,106),
+(906,'CO-04.1H','CO-04.1H','The CSP shall regular inform its top management about the information security performance within the scope of the internal control system.','High', 'ORGANIZATIONAL' ,106),
+(907,'CO-04.2H','CO-04.2H','This information shall be included in the management review of the internal control system that is performed at least once a year.+H2:H31','High', 'ORGANIZATIONAL' ,106),
+
+(908,'DOC-01.1B','DOC-01.1B','The CSP shall make publicly available guidelines and recommendations to assist the cloud service users with the secure configuration, installation, deployment, operation and maintenance of the cloud service provided.','Basic', 'ORGANIZATIONAL' ,107),
+(909,'DOC-01.2B','DOC-01.2B','The CSP shall maintain guidelines and recommendations applicable to the cloud service in the version intended for productive use.','Basic', 'ORGANIZATIONAL' ,107),
+(910,'DOC-01.1S','DOC-01.1S','The CSP shall make publicly available guidelines and recommendations to assist the cloud service users with the secure configuration, installation, deployment, operation and maintenance of the cloud service provided, covering at least the following aspects, where applicable to the cloud service:
+(1) Instructions for secure configuration;
+(2) Information sources on known vulnerabilities and update mechanisms;
+(3) Error handling and logging mechanisms;
+(4) Authentication mechanisms;
+(5) Roles and rights policies including combinations that result in an elevated risk;
+(6) Services and functions for administration of the cloud service by privileged users, and
+(7) Complementary User Entity Controls (CUECs).','Substantial', 'ORGANIZATIONAL' ,107),
+(911,'DOC-01.2S','DOC-01.2S','The CSP shall maintain guidelines and recommendations applicable to the cloud service in the version intended for productive use.','Substantial', 'ORGANIZATIONAL' ,107),
+(912,'DOC-01.3S','DOC-01.3S','The CSP shall describe in the user documentation all risks shared with the customer.','Substantial', 'ORGANIZATIONAL' ,107),
+(913,'DOC-01.1H','DOC-01.1H','The CSP shall make publicly available guidelines and recommendations to assist the cloud service users with the secure configuration, installation, deployment, operation and maintenance of the cloud service provided, covering at least the following aspects, where applicable to the cloud service:
+(1) Instructions for secure configuration;
+(2) Information sources on known vulnerabilities and update mechanisms;
+(3) Error handling and logging mechanisms;
+(4) Authentication mechanisms;
+(5) Roles and rights policies including combinations that result in an elevated risk;
+(6) Services and functions for administration of the cloud service by privileged users, and
+(7) Complementary User Entity Controls (CUECs).','High', 'ORGANIZATIONAL' ,107),
+(914,'DOC-01.2H','DOC-01.2H','The CSP shall maintain guidelines and recommendations applicable to the cloud service in the version intended for productive use.','High', 'ORGANIZATIONAL' ,107),
+(915,'DOC-01.3H','DOC-01.3H','The CSP shall describe in the user documentation all risks shared with the customer.','High', 'ORGANIZATIONAL' ,107),
+(916,'DOC-01.4H','DOC-01.4H','The CSP shall regularly analyse how the CSCs apply the security recommendations and CUECs, and take measure to encourage compliance based on the defined shared responsibility model.','High', 'ORGANIZATIONAL' ,107),
+(917,'DOC-02.1B','DOC-02.1B','The CSP shall provide comprehensible and transparent information on:
+(1) Its jurisdiction; and
+(2) System component locations, including its subservice providers, where CSC data is processed, stored and backed up.','Basic', 'ORGANIZATIONAL' ,108),
+(918,'DOC-02.2B','DOC-02.2B','The CSP shall provide sufficient information for subject matter experts of the CSC to determine and to assess the suitability of the cloud service’s jurisdiction and locations from a legal and regulatory perspective.','Basic', 'ORGANIZATIONAL' ,108),
+(919,'DOC-02.1S','DOC-02.1S','The CSP shall provide comprehensible and transparent information on:
+(1) Its jurisdiction; and
+(2) System component locations, including its subservice providers, where CSC data , meta-data, cloud service derived data and CSC account data is processed, stored and backed up;
+(3) The locations from which administration and supervision may be carried out on the cloud service.','Substantial', 'ORGANIZATIONAL' ,108),
+(920,'DOC-02.2S','DOC-02.2S','The CSP shall provide sufficient information for subject matter experts of the CSC to determine and to assess the suitability of the cloud service’s jurisdiction and locations from a legal and regulatory perspective.','Substantial', 'ORGANIZATIONAL' ,108),
+(921,'DOC-02.1H','DOC-02.1H','The CSP shall provide comprehensible and transparent information on:
+(1) Its jurisdiction; and
+(2) System component locations, including its subservice providers, where CSC data , meta-data, cloud service derived data and CSC account data is processed, stored and backed up;
+(3) System component locations, including for its subservice providers, where any CSP data is processed, stored, and backed up;
+(4) The locations from which administration and supervision may be carried out on the cloud service.
+(5) The locations from which the CSP conducts support operations for CSCs, including the list of operations that can be carried by support teams in each location.','High', 'ORGANIZATIONAL' ,108),
+(922,'DOC-02.2H','DOC-02.2H','The CSP shall provide sufficient information for subject matter experts of the CSC to determine and to assess the suitability of the cloud service’s jurisdiction and locations from a legal and regulatory perspective.','High', 'ORGANIZATIONAL' ,108),
+(923,'DOC-03.1B','DOC-03.1B','The CSP shall provide a justification for the evaluation level targeted for certification, based on the risks associated to the cloud service’s targeted customers and use cases.','Basic', 'ORGANIZATIONAL' ,109),
+(924,'DOC-03.2B','DOC-03.2B','If the CSP claims compliance to extension profiles for its cloud service, the justification shall cover these extension profiles.','Basic', 'ORGANIZATIONAL' ,109),
+(925,'DOC-03.3B','DOC-03.3B','A summary of the justification shall be made publicly available as part of the certification package, which shall allow CSCs to perform a high-level analysis about their own use cases.','Basic', 'ORGANIZATIONAL' ,109),
+(926,'DOC-03.1S','DOC-03.1S','The CSP shall provide a justification, based on a risk assessment according to RM-01, for the evaluation level targeted for certification, based on the risks associated to the cloud service’s targeted customers and use cases.','Substantial', 'ORGANIZATIONAL' ,109),
+(927,'DOC-03.2S','DOC-03.2S','If the CSP claims compliance to extension profiles for its cloud service, the justification shall cover these extension profiles.','Substantial', 'ORGANIZATIONAL' ,109),
+(928,'DOC-03.3S','DOC-03.3S','A summary of the justification shall be made publicly available as part of the certification package, which shall allow CSCs to perform a high-level analysis about their own use cases.','Substantial', 'ORGANIZATIONAL' ,109),
+(929,'DOC-03.1H','DOC-03.1H','The CSP shall provide a justification, based on a risk assessment according to RM-01, for the evaluation level targeted for certification, based on the risks associated to the cloud service’s targeted customers and use cases.','High', 'ORGANIZATIONAL' ,109),
+(930,'DOC-03.2H','DOC-03.2H','If the CSP claims compliance to extension profiles for its cloud service, the justification shall cover these extension profiles.','High', 'ORGANIZATIONAL' ,109),
+(931,'DOC-03.3H','DOC-03.3H','A summary of the justification shall be made publicly available as part of the certification package, which shall allow CSCs to perform a high-level analysis about their own use cases.','High', 'ORGANIZATIONAL' ,109),
+(932,'DOC-04.1B','DOC-04.1B','If a CSP wants to allow CSCs to certify with EUCS their own cloud services based on the CSP’s cloud service using composition, the CSP shall develop specific documentation and make it available to CSCs upon request, based on the complementary user entity controls (CUECs) that they have defined.','Basic', 'ORGANIZATIONAL' ,110),
+(933,'DOC-04.2B','DOC-04.2B','The CSP shall include in the description provided for each CUEC a list of actionable requirements for the CSC, and it shall associate each CUEC to an EUCS requirement.','Basic', 'ORGANIZATIONAL' ,110),
+(934,'DOC-04.1S','DOC-04.1S','If a CSP wants to allow CSCs to certify with EUCS their own cloud services based on the CSP’s cloud service using composition, the CSP shall develop specific documentation and make it available to CSCs upon request, based on the complementary user entity controls (CUECs) that they have defined.','Substantial', 'ORGANIZATIONAL' ,110),
+(935,'DOC-04.2S','DOC-04.2S','The CSP shall include in the description provided for each CUEC a list of actionable requirements for the CSC, and it shall associate each CUEC to an EUCS requirement.','Substantial', 'ORGANIZATIONAL' ,110),
+(936,'DOC-04.3S','DOC-04.3S','The CSP shall label each requirement associated to a CUEC with the lowest EUCS evaluation level for which the CUEC is required.','Substantial', 'ORGANIZATIONAL' ,110),
+(937,'DOC-04.1H','DOC-04.1H','If a CSP wants to allow CSCs to certify with EUCS their own cloud services based on the CSP’s cloud service using composition, the CSP shall develop specific documentation and make it available to CSCs upon request, based on the complementary user entity controls (CUECs) that they have defined.','High', 'ORGANIZATIONAL' ,110),
+(938,'DOC-04.2H','DOC-04.2H','The CSP shall include in the description provided for each CUEC a list of actionable requirements for the CSC, and it shall associate each CUEC to an EUCS requirement.','High', 'ORGANIZATIONAL' ,110),
+(939,'DOC-04.3H','DOC-04.3H','The CSP shall label each requirement associated to a CUEC with the lowest EUCS evaluation level for which the CUEC is required.','High', 'ORGANIZATIONAL' ,110),
+(940,'DOC-05.1B','DOC-05.1B','If a CSP wants to allow CSCs to certify with EUCS their own services based on the CSP’s cloud service using composition, it shall document for each EUCS requirement how its cloud service will contribute (if any) to the fulfilment of this requirement by the cloud service developed by the CSC using the CSP as subservice provider.','Basic', 'ORGANIZATIONAL' ,111),
+(941,'DOC-05.2B','DOC-05.2B','The CSP shall make this documentation available to CSCs upon request.','Basic', 'ORGANIZATIONAL' ,111),
+(942,'DOC-05.1S','DOC-05.1S','If a CSP wants to allow CSCs to certify with EUCS their own services based on the CSP’s cloud service using composition, it shall document for each EUCS requirement how its cloud service will contribute (if any) to the fulfilment of this requirement by the cloud service developed by the CSC using the CSP as subservice provider.','Substantial', 'ORGANIZATIONAL' ,111),
+(943,'DOC-05.2S','DOC-05.2S','The CSP shall make this documentation available to CSCs upon request.','Substantial', 'ORGANIZATIONAL' ,111),
+(944,'DOC-05.3S','DOC-05.3S','The CSP shall justify the contributions in an accompanying document.','Substantial', 'ORGANIZATIONAL' ,111),
+(945,'DOC-05.1H','DOC-05.1H','If a CSP wants to allow CSCs to certify with EUCS their own services based on the CSP’s cloud service using composition, it shall document for each EUCS requirement how its cloud service will contribute (if any) to the fulfilment of this requirement by the cloud service developed by the CSC using the CSP as subservice provider.','High', 'ORGANIZATIONAL' ,111),
+(946,'DOC-05.2H','DOC-05.2H','The CSP shall make this documentation available to CSCs upon request.','High', 'ORGANIZATIONAL' ,111),
+(947,'DOC-05.3H','DOC-05.3H','The CSP shall justify the contributions in an accompanying document.','High', 'ORGANIZATIONAL' ,111),
+
+(948,'INQ-01.1B','INQ-01.1B','The CSP shall subject investigation requests from government agencies to a legal assessment by subject matter experts.','Basic', 'ORGANIZATIONAL' ,112),
+(949,'INQ-01.2B','INQ-01.2B','The legal assessment shall determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken.','Basic', 'ORGANIZATIONAL' ,112),
+(950,'INQ-01.1S','INQ-01.1S','The CSP shall subject investigation requests from government agencies to a legal assessment by subject matter experts.','Substantial', 'ORGANIZATIONAL' ,112),
+(951,'INQ-01.2S','INQ-01.2S','The legal assessment shall determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken.','Substantial', 'ORGANIZATIONAL' ,112),
+(952,'INQ-01.1H','INQ-01.1H','The CSP shall subject investigation requests from government agencies to a legal assessment by subject matter experts.','High', 'ORGANIZATIONAL' ,112),
+(953,'INQ-01.2H','INQ-01.2H','The legal assessment shall determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken.','High', 'ORGANIZATIONAL' ,112),
+(954,'INQ-02.1B','INQ-02.1B','The CSP shall inform the affected CSC(s) about investigation requests without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the cloud service.','Basic', 'ORGANIZATIONAL' ,113),
+(955,'INQ-02.1S','INQ-02.1S','The CSP shall inform the affected CSC(s) about investigation requests without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the cloud service.','Substantial', 'ORGANIZATIONAL' ,113),
+(956,'INQ-02.1H','INQ-02.1H','The CSP shall inform the affected CSC(s) about investigation requests without undue delay, unless the applicable legal basis on which the government agency is based prohibits this or there are clear indications of illegal actions in connection with the use of the cloud service.','High', 'ORGANIZATIONAL' ,113),
+(957,'INQ-03.1B','INQ-03.1B','The CSP shall only provide access to or disclose CSC data in the context of government investigation requests after the CSP’s legal assessment (cf. INQ-01) has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis.','Basic', 'ORGANIZATIONAL' ,114),
+(958,'INQ-03.2B','INQ-03.2B','The CSP shall document and implement procedures to ensure that government agencies only have access to the data they need to investigate.','Basic', 'ORGANIZATIONAL' ,114),
+(959,'INQ-03.1S','INQ-03.1S','The CSP shall only provide access to or disclose CSC data in the context of government investigation requests after the CSP’s legal assessment (cf. INQ-01) has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis.','Substantial', 'ORGANIZATIONAL' ,114),
+(960,'INQ-03.2S','INQ-03.2S','The CSP shall document and implement procedures to ensure that government agencies only have access to the data they need to investigate.','Substantial', 'ORGANIZATIONAL' ,114),
+(961,'INQ-03.3S','INQ-03.3S','When no clear limitation of the data is possible, the CSP shall anonymise or pseudonymise the data so that government agencies can only assign it to those CSCs who are subject of the investigation request.','Substantial', 'ORGANIZATIONAL' ,114),
+(962,'INQ-03.1H','INQ-03.1H','The CSP shall only provide access to or disclose CSC data in the context of government investigation requests after the CSP’s legal assessment (cf. INQ-01) has shown that an applicable and valid legal basis exists and that the investigation request must be granted on that basis.','High', 'ORGANIZATIONAL' ,114),
+(963,'INQ-03.2H','INQ-03.2H','The CSP shall document and implement procedures to ensure that government agencies only have access to the data they need to investigate.','High', 'ORGANIZATIONAL' ,114),
+(964,'INQ-03.3H','INQ-03.3H','When no clear limitation of the data is possible, the CSP shall anonymise or pseudonymise the data so that government agencies can only assign it to those CSCs who are subject of the investigation request.','High', 'ORGANIZATIONAL' ,114),
+(965,'INQ-03.4H','INQ-03.4H','The CSP shall automatically monitor the accesses performed by or on behalf of investigators as determined by the process described in INQ-01.','High', 'ORGANIZATIONAL' ,114),
+
+(966,'PSS-01.1B','PSS-01.1B','The CSP shall offer to their CSCs error handling and logging mechanisms that allow them to obtain security-related information about the status of the cloud service as well as the data, services or functions it provides.','Basic', 'ORGANIZATIONAL' ,115),
+(967,'PSS-01.1S','PSS-01.1S','The CSP shall offer to their CSCs error handling and logging mechanisms that allow them to obtain security-related information about the status of the cloud service as well as the data, services or functions it provides.','Substantial', 'ORGANIZATIONAL' ,115),
+(968,'PSS-01.2S','PSS-01.2S','The information provided shall be detailed enough to allow CSCs to check the following aspects, insofar as they are applicable to the cloud service:
+(1) Which data, services or functions available to the CSCs within the cloud service, have been accessed by whom and when (Audit Logs);
+(2) Malfunctions during processing of automatic or manual actions; and
+(3) Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security.','Substantial', 'ORGANIZATIONAL' ,115),
+(969,'PSS-01.3S','PSS-01.3S','The logged information shall be protected from unauthorised access and modification and can be deleted by the CSC.','Substantial', 'ORGANIZATIONAL' ,115),
+(970,'PSS-01.4S','PSS-01.4S','When the CSC is responsible for the activation or type and scope of logging, the CSP shall provide appropriate logging capabilities.','Substantial', 'ORGANIZATIONAL' ,115),
+(971,'PSS-01.1H','PSS-01.1H','The CSP shall offer to their CSCs error handling and logging mechanisms that allow them to obtain security-related information about the status of the cloud service as well as the data, services or functions it provides.','High', 'ORGANIZATIONAL' ,115),
+(972,'PSS-01.2H','PSS-01.2H','The information provided shall be detailed enough to allow CSCs to check the following aspects, insofar as they are applicable to the cloud service:
+(1) Which data, services or functions available to the CSCs within the cloud service, have been accessed by whom and when (Audit Logs);
+(2) Malfunctions during processing of automatic or manual actions; and
+(3) Changes to security-relevant configuration parameters, error handling and logging mechanisms, user authentication, action authorisation, cryptography, and communication security.','High', 'ORGANIZATIONAL' ,115),
+(973,'PSS-01.3H','PSS-01.3H','The logged information shall be protected from unauthorised access and modification and can be deleted by the CSC.','High', 'ORGANIZATIONAL' ,115),
+(974,'PSS-01.4H','PSS-01.4H','When the CSC is responsible for the activation or type and scope of logging, the CSP shall provide appropriate logging capabilities.','High', 'ORGANIZATIONAL' ,115),
+(975,'PSS-01.5H','PSS-01.5H','The CSP shall make the information available to CSCs via documented interfaces that are suitable for further processing this information as part of the CSC’s Security Information and Event Management (SIEM).','High', 'ORGANIZATIONAL' ,115),
+(976,'PSS-02.1B','PSS-02.1B','A state-of-the-art session management system shall be used that is suitably protected against known attacks.','Basic', 'ORGANIZATIONAL' ,116),
+(977,'PSS-02.1S','PSS-02.1S','A state-of-the-art session management system shall be used that is suitably protected against known attacks.','Substantial', 'ORGANIZATIONAL' ,116),
+(978,'PSS-02.2S','PSS-02.2S','The session management system shall include mechanisms that invalidate a session after it has been detected as inactive.','Substantial', 'ORGANIZATIONAL' ,116),
+(979,'PSS-02.3S','PSS-02.3S','If inactivity is detected by time measurement, the time interval shall be configurable by the CSP or – if technically possible – by the CSC','Substantial', 'ORGANIZATIONAL' ,116),
+(980,'PSS-02.1H','PSS-02.1H','A state-of-the-art session management system shall be used that is suitably protected against known attacks.','High', 'ORGANIZATIONAL' ,116),
+(981,'PSS-02.2H','PSS-02.2H','The session management system shall include mechanisms that invalidate a session after it has been detected as inactive.','High', 'ORGANIZATIONAL' ,116),
+(982,'PSS-02.3H','PSS-02.3H','If inactivity is detected by time measurement, the time interval shall be configurable by the CSP or – if technically possible – by the CSC','High', 'ORGANIZATIONAL' ,116),
+(983,'PSS-03.1B','PSS-03.1B','The CSP shall document and implement procedures to ensure the confidentiality of CSC data when offering functions for software-defined networking (SDN).','Basic', 'ORGANIZATIONAL' ,117),
+(984,'PSS-03.2B','PSS-03.2B','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','Basic', 'ORGANIZATIONAL' ,117),
+(985,'PSS-03.1S','PSS-03.1S','The CSP shall document and implement procedures to ensure the confidentiality of CSC data when offering functions for software-defined networking (SDN).','Substantial', 'ORGANIZATIONAL' ,117),
+(986,'PSS-03.2S','PSS-03.2S','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','Substantial', 'ORGANIZATIONAL' ,117),
+(987,'PSS-03.3S','PSS-03.3S','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration.','Substantial', 'ORGANIZATIONAL' ,117),
+(988,'PSS-03.1H','PSS-03.1H','The CSP shall document and implement procedures to ensure the confidentiality of CSC data when offering functions for software-defined networking (SDN).','High', 'ORGANIZATIONAL' ,117),
+(989,'PSS-03.2H','PSS-03.2H','The CSP shall validate the functionality of the SDN functions before providing new SDN features to CSCs or modifying existing SDN features.','High', 'ORGANIZATIONAL' ,117),
+(990,'PSS-03.3H','PSS-03.3H','The CSP shall ensure that the configuration of networks matches network security policies regardless of the means used to create the configuration.','High', 'ORGANIZATIONAL' ,117),
+(991,'PSS-04.1B','PSS-04.1B','The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:
+The CSC can restrict the selection of images of virtual machines or containers, so that users of this CSC can only launch the images or containers released according to these restrictions.
+Images made available by the CSP to the CSC are labelled with information about their origin (CSP or third-party) and about their security, and those provided by the CSP are hardened according to generally accepted industry standards.','Basic', 'ORGANIZATIONAL' ,118),
+(992,'PSS-04.1S','PSS-04.1S','The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:
+The CSC can restrict the selection of images of virtual machines or containers, so that users of this CSC can only launch the images or containers released according to these restrictions.
+Images made available by the CSP to the CSC are labelled with information about their origin (CSP or third-party) and about their security, and those provided by the CSP are hardened according to generally accepted industry standards.','Substantial', 'ORGANIZATIONAL' ,118),
+(993,'PSS-04.1H','PSS-04.1H','The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:
+- The CSC can restrict the selection of images of virtual machines or containers, so that users of this CSC can only launch the images or containers released according to these restrictions.
+- Images made available by the CSP to the CSC are labelled with information about their origin (CSP or third-party) and about their security, and those provided by the CSP are hardened according to generally accepted industry standards.','High', 'ORGANIZATIONAL' ,118),
+(994,'PSS-04.2H','PSS-04.2H','An integrity check shall be performed, automatically monitored and reported to the CSC if the integrity check fails.','High', 'ORGANIZATIONAL' ,118),
+(995,'PSS-05.1S','PSS-05.1S','The CSP shall allow the CSC to specify the locations (location/country) of the CSC data processing and storage including data backups according to the contractually available options','Substantial', 'ORGANIZATIONAL' ,119),
+(996,'PSS-05.2S','PSS-05.2S','All CSP commitments regarding locations of CSC data processing and storage shall be supported by technical measures in the cloud service architecture.','Substantial', 'ORGANIZATIONAL' ,119),
+(997,'PSS-05.1H','PSS-05.1H','The CSP shall allow the CSC to specify the locations (location/country) of the CSC data processing and storage including data backups according to the contractually available options','High', 'ORGANIZATIONAL' ,119),
+(998,'PSS-05.2H','PSS-05.2H','All CSP commitments regarding locations of CSC data processing and storage shall be supported by technical measures in the cloud service architecture.','High', 'ORGANIZATIONAL' ,119);
+/*!40000 ALTER TABLE `tom` ENABLE KEYS */;
 
--- ----------------------------------
--- Table: `questionnaire`
--- ----------------------------------
-/*!40000 ALTER TABLE `questionnaire` DISABLE KEYS */;
-INSERT INTO cocbackend.questionnaire (id, framework_id, purpose_id, question_id, answer_id, user_id) VALUES
-	 (1, 1, 1, 1, 1, 'admin'),
-	 (2, 1, 1, 2, 2, 'admin'),
-	 (3, 1, 1, 3, 1, 'admin');
-/*!40000 ALTER TABLE `questionnaire` ENABLE KEYS */;
 
 /*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */;
 /*!40014 SET FOREIGN_KEY_CHECKS=IF(@OLD_FOREIGN_KEY_CHECKS IS NULL, 1, @OLD_FOREIGN_KEY_CHECKS) */;
diff --git a/git/cocMysql/startupscripts/04_initialDataMetrics.sql b/git/cocMysql/startupscripts/04_initialDataMetrics.sql
index 9c73010216c54e8af5ca2e40ffdf4ca1de62ef43..71458317061951959098b2266ae36974353b36d3 100755
--- a/git/cocMysql/startupscripts/04_initialDataMetrics.sql
+++ b/git/cocMysql/startupscripts/04_initialDataMetrics.sql
@@ -15,148 +15,178 @@ SET FOREIGN_KEY_CHECKS=0;
 -- -----------------------------------
 /*!40000 ALTER TABLE `security_metric` DISABLE KEYS */;
 INSERT INTO cocbackend.security_metric (id, metric_id, category, name, source, description, scale, operator, target_value, target_value_datatype, jhi_interval, target_resource_type, security_feature, keywords, reference_tom_id) VALUES
-(1,'1','Operational Security','MalwareProtectionEnabled','EUCS','This metric is used to assess if the antimalware solution is enabled on the respective resource.','[true, false]','==','true','Boolean','1','VirtualMachine','malwareProtection.enabled',NULL,NULL),
-(2,'2','Operational Security','NumberOfThreatsFound','EUCS','This metric is used to assess if the antimalware solution reports no irregularities.','[0, …]','==','0','Integer','1','VirtualMachine','malwareProtection.numberOfThreatsFound',NULL,NULL),
-(3,'3','Operational Security','BackupEnabled','EUCS','This metric is used to assess if backups are enabled for a cloud service/asset','[true, false]','==','true','Boolean','1','Storage','backup.enabled',NULL,NULL),
-(4,'4','Operational Security','BackupRetentionSet','EUCS','This metric is used to assess the configured backup retention (days) on a cloud service/asset','[0, …]','>','35','Integer','24','Storage','backup.retentionPeriod',NULL,NULL),
-(5,'5','Operational Security','AnomalyDetectionEnabled','EUCS','This metric is used to assess if Anomaly Detection is enabled for the cloud service/asset','[true, false]','==','true','Boolean','1','NetworkService','anomalyDetection.enabled',NULL,NULL),
-(6,'6','Operational Security','ActivityLoggingEnabled','EUCS','This metric is used to assess if activity logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','activityLogging.enabled',NULL,NULL),
-(7,'7','Operational Security','ApplicationLoggingEnabled','EUCS','This metric is used to assess if Application logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','applicationLogging.enabled',NULL,NULL),
-(8,'8','Operational Security','BootLoggingEnabled','EUCS','This metric is used to assess if Boot logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','bootLogging.enabled',NULL,NULL),
-(9,'9','Operational Security','OSLoggingEnabled','EUCS','This metric is used to assess if OS logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','oSLogging.enabled',NULL,NULL),
-(10,'10','Operational Security','BootLoggingRetention','EUCS','This metric is used to assess the configured log retention (days) on a cloud service/asset','[0, …, 99]','>','7','Integer','1','VirtualMachine','bootLogging.retentionPeriod',NULL,NULL),
-(11,'11','Operational Security','OSLoggingRetention','EUCS','This metric is used to assess the configured log retention (days) on a cloud service/asset','[0, …, 99]','>','7','Integer','1','VirtualMachine','oSLogging.retentionPeriod',NULL,NULL),
-(12,'12','Operational Security','AutomaticUpdatesEnabled','EUCS','This metric is used to assess if automatic updates are enabled for the cloud service/asset','[true, false]','==','true','Boolean','24','VirtualMachine','automaticUpdates.enabled',NULL,NULL),
-(13,'13','Operational Security','AutomaticUpdatesInterval','EUCS','This metric is used to assess the update interval of automatic updates for the cloud service/asset','[1, …, 365]','<=','7','Integer','24','VirtualMachine','automaticUpdates.interval',NULL,NULL),
-(14,'14','Operational Security','TLSVersion','EUCS','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[1.0, 1.1, 1.2, 1.3]','>','1.2','String','1','NetworkService','transportEncryption.tlsVersion',NULL,NULL),
-(15,'15','Operational Security','WebApplicationFirewallEnabled','EUCS','This metric is used to assess if a cloud service/asset has enabled WAF functionalities','[true, false]','==','true','Boolean','1','LoadBalancer','accessRestrictions.webApplicationFirewall.enabled',NULL,NULL),
-(16,'16','Cryptography and key management','TransportEncryptionEnabled','EUCS','This metric is used to assess if the cloud service/asset accepts encrypted connections','[true, false]','==','true','Boolean','1','StorageService','httpEndpoint.transportEncryption.enabled',NULL,NULL),
-(17,'17','Cryptography and key management','TransportEncryptionEnforced','EUCS','This metric is used to assess if the cloud service/asset enforces encrypted connections ','[true, false]','==','true','Boolean','1','StorageService','httpEndpoint.transportEncryption.enforced',NULL,NULL),
-(18,'18','Operational Security','L3FirewallEnabled','EUCS','This metric is used to assess if a service-level ACL has been enabled on a cloud service/asset','[true, false]','==','true','Boolean','1','StorageService','l3Firewall.enabled',NULL,NULL),
-(19,'19','Operational Security','JavaVersion','EUCS','This metric is used to assess the Java Runtime version used by the cloud service/asset','[< 11, 11]','==','11','String','24','Function','',NULL,NULL),
-(20,'20','Operational Security','PHPVersion','EUCS','This metric is used to assess the PHP version used by the cloud service/asset','[< 7.4, 7.4]','==','7.4','String','24','Function','',NULL,NULL),
-(21,'21','Operational Security','PythonVersion','EUCS','This metric is used to assess the Python version used by the cloud service/asset','[< 3.8, 3.8]','==','3.8','String','24','Function','',NULL,NULL),
-(22,'22','Operational Security','MalwareProtectionOutput','EUCS','This metric states whether automatic notifications are enabled (e.g. e-mail) about malware threats. This relates to EUCS’ definition of “continuous monitoring”.','[true, false]','==','true','Boolean','1','VirtualMachine','malwareProtection.applicationLogging.loggingService',NULL,NULL),
-(23,'23','Operational Security','AtRestEncryptionEnabled','EUCS','This metric is used to assess if encryption at rest has been enabled on a cloud service / asset','[true, false]','==','true','Boolean','1','Storage','atRestEncryption.enabled',NULL,NULL),
-(24,'24','Operational Security','BackupEncryptionEnabled','EUCS','Check if data is backed up in encrypted, state-of-the-art form.','[true, false]','==','true','Boolean','1','Storage','atRestEncryption.enabled',NULL,NULL),
-(25,'25','Operational Security','TlsCipherSuites','EUCS','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CCM, TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_128_CCM, TLS_DHE_PSK_WITH_AES_256_CCM, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384]','<=','[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CCM, TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_128_CCM, TLS_DHE_PSK_WITH_AES_256_CCM, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256]','ArrayOfString','','Application','',NULL,NULL),
-(26,'26','Operational Security','TlsDHGroups','EUCS','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, ffdhe2048, ffdhe3072, ffdhe4096, brainpoolP256r1tls13, brainpoolP384r1tls13, brainpoolP512r1tls13]','<=','[secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, ffdhe2048, ffdhe3072, ffdhe4096, brainpoolP256r1tls13, brainpoolP384r1tls13, brainpoolP512r1tls13]','ArrayOfString','','Application','',NULL,NULL),
-(27,'27','Operational Security','TlsSignatureAlgorithms','EUCS','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[RSA+SHA256, RSA+SHA384, RSA+SHA512, DSA+SHA256, DSA+SHA384, DSA+SHA512, ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_brainpoolP256r1tls13_sha256, ecdsa_brainpoolP384r1tls13_sha384, ecdsa_brainpoolP512r1tls13_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512]','<=','[RSA+SHA256, RSA+SHA384, RSA+SHA512, DSA+SHA256, DSA+SHA384, DSA+SHA512, ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_brainpoolP256r1tls13_sha256, ecdsa_brainpoolP384r1tls13_sha384, ecdsa_brainpoolP512r1tls13_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512]','ArrayOfString','','Application','',NULL,NULL);
+(1,'1','Operational security','MalwareProtectionEnabled','Technical','This metric is used to assess if the antimalware solution is enabled on the respective resource.','[true, false]','==','true','Boolean','1','VirtualMachine','malwareProtection.enabled',NULL,NULL),
+(2,'2','Operational security','NumberOfThreatsFound','Technical','This metric is used to assess if the antimalware solution reports no irregularities.','[0, …]','==','0','Integer','1','VirtualMachine','malwareProtection.numberOfThreatsFound',NULL,NULL),
+(3,'3','Operational security','BackupEnabled','Technical','This metric is used to assess if backups are enabled for a cloud service/asset','[true, false]','==','true','Boolean','1','Storage','backup.enabled',NULL,NULL),
+(4,'4','Operational security','BackupRetentionSet','Technical','This metric is used to assess the configured backup retention (days) on a cloud service/asset','[0, …]','>','35','Integer','24','Storage','backup.retentionPeriod',NULL,NULL),
+(5,'5','Operational security','AnomalyDetectionEnabled','Technical','This metric is used to assess if Anomaly Detection is enabled for the cloud service/asset','[true, false]','==','true','Boolean','1','NetworkService','anomalyDetection.enabled',NULL,NULL),
+(6,'6','Operational security','ActivityLoggingEnabled','Technical','This metric is used to assess if activity logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','activityLogging.enabled',NULL,NULL),
+(7,'7','Operational security','ApplicationLoggingEnabled','Technical','This metric is used to assess if Application logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','applicationLogging.enabled',NULL,NULL),
+(8,'8','Operational security','BootLoggingEnabled','Technical','This metric is used to assess if Boot logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','bootLogging.enabled',NULL,NULL),
+(9,'9','Operational security','OSLoggingEnabled','Technical','This metric is used to assess if OS logs are enabled for the cloud service/asset.','[true, false]','==','true','Boolean','1','VirtualMachine','oSLogging.enabled',NULL,NULL),
+(10,'10','Operational security','BootLoggingRetention','Technical','This metric is used to assess the configured log retention (days) on a cloud service/asset','[0, …, 99]','>','7','Integer','1','VirtualMachine','bootLogging.retentionPeriod',NULL,NULL),
+(11,'11','Operational security','OSLoggingRetention','Technical','This metric is used to assess the configured log retention (days) on a cloud service/asset','[0, …, 99]','>','7','Integer','1','VirtualMachine','oSLogging.retentionPeriod',NULL,NULL),
+(12,'12','Operational security','AutomaticUpdatesEnabled','Technical','This metric is used to assess if automatic updates are enabled for the cloud service/asset','[true, false]','==','true','Boolean','24','VirtualMachine','automaticUpdates.enabled',NULL,NULL),
+(13,'13','Operational security','AutomaticUpdatesInterval','Technical','This metric is used to assess the update interval of automatic updates for the cloud service/asset','[1, …, 365]','<=','7','Integer','24','VirtualMachine','automaticUpdates.interval',NULL,NULL),
+(14,'14','Operational security','TLSVersion','Technical','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[1.0, 1.1, 1.2, 1.3]','>','1.2','String','1','NetworkService','transportEncryption.tlsVersion',NULL,NULL),
+(15,'15','Operational security','WebApplicationFirewallEnabled','Technical','This metric is used to assess if a cloud service/asset has enabled WAF functionalities','[true, false]','==','true','Boolean','1','LoadBalancer','accessRestrictions.enabled',NULL,NULL),
+(16,'16','Cryptography and key management','TransportEncryptionEnabled','Technical','This metric is used to assess if the cloud service/asset accepts encrypted connections','[true, false]','==','true','Boolean','1','StorageService','httpEndpoint.transportEncryption.enabled',NULL,NULL),
+(17,'17','Cryptography and key management','TransportEncryptionEnforced','Technical','This metric is used to assess if the cloud service/asset enforces encrypted connections ','[true, false]','==','true','Boolean','1','StorageService','httpEndpoint.transportEncryption.enforced',NULL,NULL),
+(18,'18','Operational security','L3FirewallEnabled','Technical','This metric is used to assess if a service-level ACL has been enabled on a cloud service/asset','[true, false]','==','true','Boolean','1','NetworkInterface','accessRestrictions.enabled',NULL,NULL),
+(19,'19','Operational security','JavaVersion','Technical','This metric is used to assess the Java Runtime version used by the cloud service/asset','[< 11, 11]','==','11','String','24','Function','runtimeLanguage runtimeVersion',NULL,NULL),
+(20,'20','Operational security','PHPVersion','Technical','This metric is used to assess the PHP version used by the cloud service/asset','[< 7.4, 7.4]','==','7.4','String','24','Function','runtimeLanguage runtimeVersion',NULL,NULL),
+(21,'21','Operational security','PythonVersion','Technical','This metric is used to assess the Python version used by the cloud service/asset','[< 3.8, 3.8]','==','3.8','String','24','Function','runtimeLanguage runtimeVersion',NULL,NULL),
+(22,'22','Operational security','MalwareProtectionOutput','Technical','This metric states whether automatic notifications are enabled (e.g. e-mail) about malware threats. This relates to EUCS’ definition of “continuous monitoring”.','[true, false]','==','true','Boolean','1','VirtualMachine','malwareProtection.applicationLogging.loggingService',NULL,NULL),
+(23,'23','Operational security','AtRestEncryptionEnabled','Technical','This metric is used to assess if encryption at rest has been enabled on a cloud service / asset','[true, false]','==','true','Boolean','1','Storage','transportEncryption.enabled',NULL,NULL),
+(24,'24','Operational security','BackupEncryptionEnabled','Technical','Check if data is backed up in encrypted, state-of-the-art form.','[true, false]','==','true','Boolean','1','Storage','atRestEncryption.enabled',NULL,NULL),
+(25,'25','Operational security','TlsCipherSuites','Technical','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CCM, TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_128_CCM, TLS_DHE_PSK_WITH_AES_256_CCM, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, 
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, TLS_RSA_PSK_WITH_AES_256_GCM_SHA384]','<=','[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLS_ECDHE_ECDSA_WITH_AES_256_CCM, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CCM, TLS_DHE_RSA_WITH_AES_256_CCM, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DH_DSS_WITH_AES_128_CBC_SHA256, TLS_DH_DSS_WITH_AES_256_CBC_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_128_CBC_SHA256, TLS_DH_RSA_WITH_AES_256_CBC_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256, TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384, TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, TLS_DHE_PSK_WITH_AES_128_CCM, TLS_DHE_PSK_WITH_AES_256_CCM, TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, 
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256]','ArrayOfString','','Application','',NULL,NULL),
+(26,'26','Operational security','TlsDHGroups','Technical','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, ffdhe2048, ffdhe3072, ffdhe4096, brainpoolP256r1tls13, brainpoolP384r1tls13, brainpoolP512r1tls13]','<=','[secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, ffdhe2048, ffdhe3072, ffdhe4096, brainpoolP256r1tls13, brainpoolP384r1tls13, brainpoolP512r1tls13]','ArrayOfString','','Application','',NULL,NULL),
+(27,'27','Operational security','TlsSignatureAlgorithms','Technical','This metric is used to assess if state-of-the-art encryption protocols are used for traffic served from public networks.','[RSA+SHA256, RSA+SHA384, RSA+SHA512, DSA+SHA256, DSA+SHA384, DSA+SHA512, ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_brainpoolP256r1tls13_sha256, ecdsa_brainpoolP384r1tls13_sha384, ecdsa_brainpoolP512r1tls13_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512]','<=','[RSA+SHA256, RSA+SHA384, RSA+SHA512, DSA+SHA256, DSA+SHA384, DSA+SHA512, ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_brainpoolP256r1tls13_sha256, ecdsa_brainpoolP384r1tls13_sha384, ecdsa_brainpoolP512r1tls13_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512]','ArrayOfString','','Application','',NULL,NULL),
+(28,'28','Identity, authentication, and access control management','DeactivateInactiveUsers','Technical','This metric is used to assess if inactive user accounts are deactivated within a reasonable time frame.','[0, …]','<=','90','Integer','24','Identity','',NULL,NULL),
+(29,'29','Operational security','BootLoggingImmutability','Technical','','[true, false]','==','true','Boolean','1','ObjectStorage','immutability.enabled',NULL,NULL),
+(30,'30','Organisation of information security','MixedDuties','Technical','This metric is used to assess if permissions are sufficiently separated between users','[0, …, 1]','<=','0.1','Float','24','Identity','',NULL,NULL),
+(31,'31','Compliance','SecureCryptographicPrimitives','Technical','This metric is used to assess whether an application uses state-of-the-art cryptographic primitives when performing cryptographic operations.','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(32,'32','Compliance','NumberOfVulnerabilitiesFound','Technical','This metric is used to assess if there are vulnerabilities above a certain severity treshold','[0, …]','==','0','Integer','1','VirtualMachine','',NULL,NULL),
+(33,'33','Change and configuration management','CodeSignoff','Technical & Organizational','This metric is used to assess whether additions to  the source code of a cloud service contains a signoff in the Git commit message.','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(34,'34','Change and configuration management','SignedCommits','Technical & Organizational','This metric is used to assess whether additions to  the source code of a cloud service contains a valid signature.','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(35,'35','Identity, authentication, and access control management','UnsuccessfulLoginAttemptLogged','Technical','This metrix is used to assess whether an application reports unsuccessful logging attempts','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(36,'36','Human resources','TaggedWithOwner','Technical','This metric is used to assess if the resource is labeled with an owner tag.','[Owner, owner, environment, operated by, ...]','isIn','[Owner, owner]','String','1','Resource','labels',NULL,NULL),
+(37,'37','Human resources','IdentityRecentActivity','Technical','This metric used to assess when an identity last accessed the resources. ','[0, …]','<=','90','Integer','24','Identity','lastActivity',NULL,NULL),
+(38,'38','Operational security','CustomerKeyEncryption','Technical','This metric is used to assess if a customer key is used for encrypted data in rest. ','[true, false]','==','true','Boolean','1','Storage','atRestEncryption.keyUrl',NULL,NULL),
+(39,'39','Operational security','ObjectStoragePublicAccess','Technical','This metric is used to assess if object storages are publicl accessible. ','[true, false]','==','false','Boolean','1','ObjectStorage','publicAccess',NULL,NULL),
+(40,'40','Operational security','MonitoringLogDataEnabled','Technical','This metric is used to assess if log data is automatically monitored.','[true, false]','==','true','Boolean','1','Storage','resourceLogging.monitoringLogDataEnabled',NULL,NULL),
+(41,'41','Operational security','SecurityAlertsEnabled','Technical','This metric is used to assess if security alerts are enabled.','[true, false]','==','true','Boolean','1','Storage','resourceLogging.securityAlertsEnabled',NULL,NULL),
+(42,'42','Change and configuration management','SignedSignoff','Technical & Organizational','This metric is used to assess whether commits are signed and contain a signoff.','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(43,'43','Change and configuration management','ApprovedCommitAuthor','Technical & Organizational','This metric is used to assess whether only approved authors have committed new code to the project''s repository.','[true, false]','==','true','Boolean','1','Application','',NULL,NULL),
+(44,'44','Cryptography and key management','CertificateValidUntil01','Technical','This metric assesses whether the certificates ares still valid for a certain period','[0, …, 9999]','>=','30','Integer','1','VirtualMachine','',NULL,NULL),
+(45,'45','Cryptography and key management','SSLEnabled','Technical','This metric assesses whether SSL is enabled on the target service.','[true, false]','==','true','Boolean','1','VirtualMachine','',NULL,NULL);
 /*!40000 ALTER TABLE `security_metric` ENABLE KEYS */;
 
 -- Organizational Metrics
 /*!40000 ALTER TABLE `security_metric` DISABLE KEYS */;
 INSERT INTO cocbackend.security_metric (id, metric_id, category, name, source, description, scale, operator, target_value, target_value_datatype, jhi_interval, target_resource_type, security_feature, keywords, reference_tom_id) VALUES
-(28,'28','Operational security','DataRestoreTestFrequencyQ1','Medina Organizational Metrics','How frequently is the data restore process tested?','[0, …, 99]','<=','100','Float','','PolicyDocument','','data, restore',NULL),
-(29,'29','Operational security','LoggingMonitoringPolicyQ1','Medina Organizational Metrics','Which security monitoring data is continuously assessed?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','logging, monitoring, policy',NULL),
-(30,'30','Operational security','LoggingMonitoringPolicyQ2','Medina Organizational Metrics','How are security events stored?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','logging, monitoring, policy',NULL),
-(31,'31','Operational security','LoggingMonitoringDerivedPolicyQ1','Medina Organizational Metrics','Which security events of derived data are stored?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','logging, monitoring, policy, derived data, customer data, PII',NULL),
-(32,'32','Operational security','LogDataRetentionTimeQ1','Medina Organizational Metrics','How long is log data stored?','[0, …, 99]','<=','100','Float','','PolicyDocument','','logging, retention',NULL),
-(33,'33','Operational security','LogDataRetentionTimeQ2','Medina Organizational Metrics','When is log data deleted?','[0, …, 99]','<=','100','Float','','PolicyDocument','','logging, deletion',NULL),
-(34,'34','Operational security','PatchManagementPolicyCheckQ1','Medina Organizational Metrics','What is the coverage of the patch management process?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','partial, full, every, none',NULL),
-(35,'35','Operational security','PatchManagementPolicyCheckQ2','Medina Organizational Metrics','Which vulnerabilities are prioritized for systems that cannot be patched?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','none, critical, all',NULL),
-(36,'36','Operational security','EventMonitoringPolicyCheckQ1','Medina Organizational Metrics','Which functional events are monitored by the SIEM?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','logging, monitoring, metrics, events, availability, performance',NULL),
-(37,'37','Operational security','EventMonitoringPolicyCheckQ2','Medina Organizational Metrics','How does the SIEM stores security events?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','logging, monitoring, SIEM, central',NULL),
-(38,'38','Operational security','EventMonitoringPolicyCheckQ3','Medina Organizational Metrics','Which actions are taken with detected security events?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','logging, monitoring, SIEM, CERT, incident, forensic',NULL),
-(39,'39','Operational security','BackupMonitoringPolicyCheckQ1','Medina Organizational Metrics','What measures are used to monitor the execution of data backups?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup',NULL),
-(40,'40','Operational security','IncidentPolicyCheckQ1','Medina Organizational Metrics','How are vulnerabilities managed by the corresponding team?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','incident, vulnerability management, central',NULL),
-(41,'41','Operational security','IncidentAnalysisFrequencyQ1','Medina Organizational Metrics','How often are procedures for vulnerabilities and incidents analyzed?','[0, …, 99]','<=','30','Float','','PolicyDocument','','incident, vulnerability, frequency',NULL),
-(42,'42','Operational security','VulnerabilityScanQ1','Medina Organizational Metrics','Which is the coverage of defined web vulnerability scans?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','whitelisted, all, URLs, none',NULL),
-(43,'43','Operational security','VulnerabilityManagementPolicyQ1','Medina Organizational Metrics','How does the vulnerability management process takes place?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','vulnerability management, manual, automated, semi-automated',NULL),
-(44,'44','Operational security','VulnerabilityManagementPolicyQ2','Medina Organizational Metrics','Which sources of infomration apply to vulnerability management?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','','vulnerability management, policy, CERT, PSIRT, security advisories, third party, OWASP',NULL),
-(45,'45','Operational security','SystemHardeningPolicyQ1','Medina Organizational Metrics','Which sources shall we used to guarantee the hardening of software?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','hardening, operating system, server, component, trusted sources',NULL),
-(46,'46','Operational security','SystemHardeningPolicyQ2','Medina Organizational Metrics','Which systems are covered by the system hardening?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','hardening, scan, coverage, full, partial',NULL),
-(47,'47','Operational security','SystemHardeningPolicyQ3','Medina Organizational Metrics','What is the penetration test frequency?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','Annual, monthly, quarterly',NULL),
-(48,'48','Cryptography and key management','EncryptionPolicyCheckQ1','Medina Organizational Metrics','How are passwords or keys encrypted?','[0, …, 99]','in','[MD5, SHA256]','String','','PolicyDocument','','password',NULL),
-(49,'49','Cryptography and key management','EncryptionPolicyCheckQ2','Medina Organizational Metrics','How are APIs encrypted?','[0, …, 99]','in','[TSL/SSL]','String','','PolicyDocument','','encryption',NULL),
-(50,'50','Cryptography and key management','EncryptionPolicyCheckQ3','Medina Organizational Metrics','What encryption type is used?','[0, …, 99]','in','[TSL/SSL]','String','','PolicyDocument','','encryption',NULL),
-(51,'51','Operational security','ProvisioningPolicyCheckQ1','Medina Organizational Metrics','How is the provisioning of cloud services handled?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','cloud service documentation',NULL),
-(52,'52','Operational security','ProvisioningPolicyCheckQ2','Medina Organizational Metrics','How is the provisioning documented?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','cloud service documentation',NULL),
-(53,'53','Operational security','MalwareProtectionCheckQ1','Medina Organizational Metrics','Which core CSP services are covered by malware protection?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','malware, protection, antivirus, documentation',NULL),
-(54,'54','Operational security','MalwareProtectionCheckQ2','Medina Organizational Metrics','How are malware-related events managed?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','malware, protection, antivirus, logs, management, central',NULL),
-(55,'55','Operational security','MalwareProtectionCheckQ3','Medina Organizational Metrics','What antivirus system is used?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','malware, protection, antivirus, documentation',NULL),
-(56,'56','Operational security','AntimalwareScanFrequencyQ1','Medina Organizational Metrics','How frequent are antimalware scans done?','[0, …, 99]','<=','10','Float','','PolicyDocument','','antimalware, scans, irregularities',NULL),
-(57,'57','Operational security','MalwareProtectionCheckQ4','Medina Organizational Metrics','Which malware-related events are communicated to the customer?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','malware, protection, antivirus, logs, management, malware events, customer, consumer',NULL),
-(58,'58','Operational security','BackupPolicyQ1','Medina Organizational Metrics','Which backup procedures apply to CSP systems','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','backup, restore, automation, periodical',NULL),
-(59,'59','Operational security','BackupPolicyQ2','Medina Organizational Metrics','How is managed the backup service?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','backup, centralized',NULL),
-(60,'60','Operational security','BackupPolicyQ3','Medina Organizational Metrics','Which backup services exist for cloud customers?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','backup, customer, consumer',NULL),
-(61,'61','Operational security','BackupMonitoringPolicyCheckQ2','Medina Organizational Metrics','How is backup data transmitted?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, data, transmission',NULL),
-(62,'62','Operational security','BackupMonitoringPolicyCheckQ3','Medina Organizational Metrics','How is the transmission of backup data verified?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, data, transmission',NULL),
-(63,'63','Operational security','BackupMonitoringPolicyCheckQ4','Medina Organizational Metrics','How often is the transmission of backups done?','[0, …, 99]','<=','1','Float','','PolicyDocument','','backup, data, transmission',NULL),
-(64,'64','Operational security','BackupMonitoringPolicyCheckQ5','Medina Organizational Metrics','How are backup transmissions documented?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, data, transmission',NULL),
-(65,'65','Operational security','UpdatePolicyCheckQ1','Medina Organizational Metrics','Which update mechanisms are there?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','update, patch',NULL),
-(66,'66','Operational security','UpdatePolicyCheckQ2','Medina Organizational Metrics','How are systems and patches updated?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','update, patch',NULL),
-(67,'67','Security policies and procedures','RoleDefinitionQ1','Medina Organizational Metrics','Which roles and responsibilities are defined by the security policy?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','roles, stakeholders, provider, consumer, costumer',NULL),
-(68,'68','Security policies and procedures','RoleDefinitionQ2','Medina Organizational Metrics','Which responsibilities are defined for the Cloud Platform Provider?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','roles, platform, hyperscaler',NULL),
-(69,'69','Security policies and procedures','RoleDefinitionQ3','Medina Organizational Metrics','Which responsibilities are defined for the Cloud Service Provider?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','roles, provider, CSP',NULL),
-(70,'70','Security policies and procedures','RoleDefinitionQ4','Medina Organizational Metrics','Which responsibilities are defined for the Cloud Service Consumer?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','roles, consumer, customer, CSC',NULL),
-(71,'71','Identity, authentication, and access control management','PoliciesForAccessControlQ1','Medina Organizational Metrics','Which processes are documented for users with privileged access?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','authorization, access, privilege, PAM, AIM, IdM, management',NULL),
-(72,'72','Identity, authentication, and access control management','PoliciesForAccessControlQ2','Medina Organizational Metrics','Which documentation is defined for the management of access rights?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','authorization, access, directive, regulation, AIM, IdM',NULL),
-(73,'73','Identity, authentication, and access control management','PasswordPolicyQ1','Medina Organizational Metrics','Which parameters define the password policy?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','password, complexity,rotation, entropy, renewak, credentials ',NULL),
-(74,'74','Identity, authentication, and access control management','PasswordPolicyQ2','Medina Organizational Metrics','What is the passwords maximum age according to the password policy?','[0, …, 99]','<=','90','Integer','720','PolicyDocument','?','password, age, maximum',NULL),
-(75,'75','Identity, authentication, and access control management','PasswordPolicyQ3','Medina Organizational Metrics','What is the passwords rotation frequency?','[0, …, 99]','<=','4','Integer','720','PolicyDocument','?','password, rotation, renewal',NULL),
-(76,'76','Identity, authentication, and access control management','PasswordPolicyQ4','Medina Organizational Metrics','Which defined recommendations exist for password managers?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','password, storage, manager, cryptographic',NULL),
-(77,'77','User documentation','GuidelinesCloudCustomersQ1','Medina Organizational Metrics','Which customer guidelines are defined for password management?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','password, storage, manager, cryptographic, customer, consumer, responsibility, complexity',NULL),
-(78,'78','User documentation','GuidelinesCloudCustomersQ2','Medina Organizational Metrics','Which customer guidelines are defined for identity management?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','identity management, customer, consumer, responsibility, authentication',NULL),
-(79,'79','User documentation','GuidelinesCloudCustomersQ3','Medina Organizational Metrics','Which customer guidelines are defined for asset management?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','asset management, customer, consumer, responsibility, inventory, software license',NULL),
-(80,'80','Asset management','AssetManagementPolicy01','Medina Organizational Metrics','Which asset management policy is defined?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','asset management, inventory management, asset, ',NULL),
-(81,'81','Asset management','AssetManagementPolicy02','Medina Organizational Metrics','Which physical asset inventory policy is defined?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','asset management, inventory management, asset, physical assets, disk, server, components',NULL),
-(82,'82','Asset management','AssetManagementPolicy03','Medina Organizational Metrics','Which asset information is kept in the inventory?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','services, IP address, databases, inventory, assets, VM, application',NULL),
-(83,'83','Cryptography and key management','EncryptionDataRestPolicyQ1','Medina Organizational Metrics','Which encryption policy is defined for data at rest?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','encryption, cryptography, data at rest, protection, PKI',NULL),
-(84,'84','Cryptography and key management','EncryptionDataTransitPolicyQ1','Medina Organizational Metrics','Which endpoint protection mechanism is defined for data in transit?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','encryption, cryptography, data in transit, protection, PKI, payload, SSL, TLS',NULL),
-(85,'85','Cryptography and key management','EncryptionPolicyCheckQ4','Medina Organizational Metrics','Which TLS features are defined in the policy?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','encryption, best practice, TLS, secure configuration',NULL),
-(86,'86','Cryptography and key management','EncryptionKeyPolicy01','Medina Organizational Metrics','Which standards apply for the management of encryption keys?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','encryption, key management, key lenght, standards',NULL),
-(87,'87','Cryptography and key management','EncryptionDataTransitPolicyQ2','Medina Organizational Metrics','Which encryption mechanisms are not explicitly supported for data in transit?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','encryption, cryptography, data in transit,not supported',NULL),
-(88,'88','Cryptography and key management','DigitalCertPolicy01','Medina Organizational Metrics','Which policies apply for the management of digital certificates?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','digital certificates, PKI, CA, x509',NULL),
-(89,'89','Cryptography and key management','DigitalCertPolicy02','Medina Organizational Metrics','Which digital certificates are allowed for user facing services?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','digital certificates, PKI, CA, x509, wildcard, user facing certificates',NULL),
-(90,'90','Cryptography and key management','DigitalCertPolicy03','Medina Organizational Metrics','What is the validity period of wildcard digital certificates?','[0, …, 99]','<=','3','Integer','720','PolicyDocument','?','digital certificates, validity period, duration, wildcard, user facing certificates',NULL),
-(91,'91','Communication security','NetworkAccessPolicy01','Medina Organizational Metrics','Which security mechanism protecs access to administrative networks?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','VPN, network access, virtual private network, RAS, segmentation',NULL),
-(92,'92','Communication security','NetworkSecurityPolicy01','Medina Organizational Metrics','Which network-level attacks are mitigated by the implemented mechanisms?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','network security, DoS, DDoS, proxy, IDS',NULL),
-(93,'93','Change and configuration management','ChangeManagementPolicy01','Medina Organizational Metrics','Which change management policies need to be reviewed by cloud customers?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','change management, SLA',NULL),
-(94,'94','Communication security','TrafficSegregationPolicy01','Medina Organizational Metrics','Which traffic segreation policy is defined?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','network, security layer, micro segmentation',NULL),
-(95,'95','Identity, authentication, and access control management','PasswordLengthQ1','Medina Organizational Metrics','How long should passwords be?','[0, …, 99]','>=','5','Integer','','PolicyDocument','','password',NULL),
-(96,'96','Identity, authentication, and access control management','PasswordPolicyQ5','Medina Organizational Metrics','What measures are to be taken if a password is leaked?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','password',NULL),
-(97,'97','Identity, authentication, and access control management','PasswordLoginAttemptsQ1','Medina Organizational Metrics','How many consecutive login attempts are allowed?','[0, …, 99]','<=','50','Integer','','PolicyDocument','','password',NULL),
-(98,'98','Identity, authentication, and access control management','PasswordReuseQ1','Medina Organizational Metrics','What measures are taken to prohibit password reuse?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','password',NULL),
-(99,'99','Operational security','SystemBackUpPolicyQ01','Medina Organizational Metrics','Which algorithm is used to encrypt the backup data?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, encryption',NULL),
-(100,'100','Operational security','SystemBackUpPolicyQ02','Medina Organizational Metrics','Who is allowed to access the backed up data?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, access',NULL),
-(101,'101','Operational security','SystemBackUpPolicyQ03','Medina Organizational Metrics','Who is allowed to restore backups?','[0, …, 99]','=','administrative users','String','','PolicyDocument','','backup, access, restore',NULL),
-(102,'102','Operational security','SystemBackUpPolicyQ05','Medina Organizational Metrics','How often are backups made?','[0, …, 99]','=','1','Integer','','PolicyDocument','','backup, schedule',NULL),
-(103,'103','Operational security','SystemBackUpMonitoringQ01','Medina Organizational Metrics','What is the automatic backup procedure?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','','backup, procedure',NULL),
-(104,'104','Operational security','SystemBackUpTesting01','Medina Organizational Metrics','How often is the procedure checked?','[0, …, 99]','=','annually','String','','PolicyDocument','','backup, restore procedure',NULL),
-(105,'105','Operational security','SystemBackUpTesting02','Medina Organizational Metrics','How are restore mistakes dealt with?','[0, …, 99]','=','by the administrator','String','','PolicyDocument','','backup, monitoring',NULL),
-(106,'106','Operational security','SystemBackUpStorage01','Medina Organizational Metrics','Where are backups stored?','[0, …, 99]','=','second SSD disk','String','','PolicyDocument','','backup, storage',NULL),
-(107,'107','Operational security','SystemBackUpStorage03','Medina Organizational Metrics','How is the storage process monitored?','[0, …, 99]','=','manually by the admin','String','','PolicyDocument','','backup, storage',NULL),
-(108,'108','Cryptography and key management','EncryptionPolicyQ4','Medina Organizational Metrics','What minimum key length must the Advanced Encryption Algorithm (AES) standard have? ','[0, …, 99]','=','256-bit','String','','PolicyDocument','','AES, encryption mechanisms,mobile devices, portable devices',NULL),
-(109,'109','Cryptography and key management','EncryptionPolicyQ5','Medina Organizational Metrics','What Advanced Encryption Algorithm (AES)  standard should be used? ','[0, …, 99]','=','AES256','String','','PolicyDocument','','AES, encryption mechanisms,mobile devices, portable devices',NULL),
-(110,'110','Cryptography and key management','EncryptionPolicyQ6','Medina Organizational Metrics','How must mobile and portable devices be encrypted? ','[0, …, 99]','in','[password, passcode, Touch-ID, Face-ID]','n/a','','PolicyDocument','','encryption mechanisms, mobile devices, portable devices',NULL),
-(111,'111','Cryptography and key management','EncryptionPolicyQ7','Medina Organizational Metrics','What TSL version is accepted?','[0, …, 99]','in','[TLS 1.1,TLS 1.2,TLS 1.3]','','','PolicyDocument','','encryption mechanisms, protocols ',NULL),
-(112,'112','Cryptography and key management','EncryptionPolicyQ8','Medina Organizational Metrics','What minimum certificate key length is required?','[0, …, 99]','>=','2048','Integer','','PolicyDocument','','encryption mechanisms , certificate',NULL),
-(113,'113','Cryptography and key management','EncryptionPolicyQ9','Medina Organizational Metrics','What hash type is required?','[0, …, 99]','in','[SHA256,SHA-384, SHA-512,SHA-512/256]','n/a','','PolicyDocument','','encryption mechanisms, hash',NULL),
-(114,'114','Cryptography and key management','EncryptionPolicyQ11','Medina Organizational Metrics','What type of web services must encrypt data in transit? ','[0, …, 99]','in ','[storage of sensitive or confidential information,transaction of sensitive or confidential information,user logons]','n/a','','PolicyDocument','','encryption mechanisms, web services , data in transit',NULL),
-(115,'115','Cryptography and key management','EncryptionPolicyQ12','Medina Organizational Metrics','Which policy is to be used for browsers?','[0, …, 99]','=','HSTS','String','','PolicyDocument','','encryption mechanisms, security policy, browser, data in transit',NULL),
-(116,'116','Incident management','IncidentManagementPolicy8','Medina Organizational Metrics','How often must the Incident Management plan be tested?','[0, …, 99]','<=','1','Integer','','PolicyDocument','','Incident Management, CERT',NULL),
-(117,'117','Incident management','IncidentManagementPolicy5','Medina Organizational Metrics','To whom must staff report potential security and privacy issues?','[0, …, 99]','in','[CERT,single point of contact]','n/a','','PolicyDocument','','Incident Management, Incident Management general information',NULL),
-(118,'118','Incident management','IncidentManagementPolicy6','Medina Organizational Metrics','When must staff report potential security and privacy issues?','[0, …, 99]','=','immediatly','String','','PolicyDocument','','Incident Management, Incident Management general information',NULL),
-(119,'119','Communication security','TrustedNetworkPolicy01','Medina Organizational Metrics','Which process exists for determining the trustworthiness of network connections?','[0, …, 99]','n/a','n/a','n/a','720','PolicyDocument','?','whitelisting, trusted networks, filtering',NULL),
-(120,'120','Incident management','IncidentManagementPolicy01','Medina Organizational Metrics','Which team is in charge of handling security incidents?','[0, …, 99]','in','[CERT]','String','','PolicyDocument','?','Incident Management, CERT',NULL),
-(121,'121','Incident management','IncidentManagementPolicy02','Medina Organizational Metrics','Which approach is used for reporting incidents to the CSP?','[0, …, 99]','in','[Single Point of Contact, Single Point of Information]','String','','PolicyDocument','?','Single Point of Contact, Single Point of Information',NULL),
-(122,'122','Incident management','IncidentManagementPolicy03','Medina Organizational Metrics','Which entity maintains the evidence related to cyberincidents?','[0, …, 99]','in','[CSP, customer, shared responsibility]','String','','PolicyDocument','?','CSP, customer, shared, evidence collection',NULL),
-(123,'123','Incident management','IncidentManagementPolicy09','Medina Organizational Metrics','How are sources of information considered for identifying incidents?','[0, …, 99]','in','[multi-phase, internal, external]','String','','PolicyDocument','?','incident identification, sources, security-relevant',NULL),
-(124,'124','Incident management','IncidentManagementPolicy10','Medina Organizational Metrics','Which process is in place to analyze a potential incident?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','incident management, triage, analysis',NULL),
-(125,'125','Incident management','IncidentManagementPolicy11','Medina Organizational Metrics','Which policy is defined to guarantee user involvement for incident management?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','customer involvement, incident management, customer cooperation',NULL),
-(126,'126','Incident management','IncidentManagementPolicy12','Medina Organizational Metrics','When are users notified of relevant incidents?','[0, …, 99]','=','timely','String','','PolicyDocument','?','customer, notifications, incident',NULL),
-(127,'127','Incident management','IncidentManagementPolicy13','Medina Organizational Metrics','Which entity coordinates the forensic investigation?','[0, …, 99]','in','[CERT]','String','','PolicyDocument','?','forensic, incident management',NULL),
-(128,'128','Business continuity','BusinessContinuityPolicy01','Medina Organizational Metrics','Which policies are defined for business continuity?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','bcm, business continuity, recovery',NULL),
-(129,'129','Business continuity','BusinessContinuityPolicy02','Medina Organizational Metrics','For which risks are defined business continuity plans?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','bcm, business continuity, risks, plans',NULL),
-(130,'130','Business continuity','BusinessContinuityPolicy03','Medina Organizational Metrics','Which aspects and measures are covered by the business continuity plan?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','bcm, business continuity, redundancy, availability',NULL),
-(131,'131','Compliance','CompliancePolicy01','Medina Organizational Metrics','How are compliance requirements elicited?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','compliance, planning, requirements',NULL),
-(132,'132','User documentation','DataLocationPolicy01','Medina Organizational Metrics','Which data location regions are defined for compliance?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','data location, compliance, geographical',NULL),
-(133,'133','Portability and interoperability','IOInterfacesPolicy01','Medina Organizational Metrics','Which functionalities are defined for output interfaces?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','customer data, capabilities',NULL),
-(134,'134','Compliance','CompliancePolicy02','Medina Organizational Metrics','Which mechanisms are implemented to periodically monitor compliance requirements?','[0, …, 99]','in','[audits]','String','','PolicyDocument','?','audits, reviews, compliance',NULL),
-(135,'135','Compliance','CompliancePolicy03','Medina Organizational Metrics','Which additional certifications are in scope of the compliance requirements?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','certification, compliance',NULL),
-(136,'136','Compliance','CompliancePolicy04','Medina Organizational Metrics','Which audit rights are defined for customers?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','audit right, customer',NULL),
-(137,'137','User documentation','RecommendationCustomer01','Medina Organizational Metrics','Which aspects are covered in the security recommendations for customers?','[0, …, 99]','n/a','n/a','n/a','','PolicyDocument','?','guidelines, best practices, cloud customer',NULL);
+(46,'46','Asset management','AssetManagementPolicy01','Technical & Organizational','Which topics are comprised by the defined asset management policy?','n/a','isIn','[inventory, ownership, decommissioning, none]','String','720','PolicyDocument','','asset management, inventory management, asset, inventory, ownership, decomissioning',NULL),
+(47,'47','Asset management','AssetManagementPolicy02','Technical & Organizational','Which topics are defined for the secure management of physical assets?','n/a','isIn','[procurement, destruction, none]','String','720','PolicyDocument','','asset management, inventory management, asset, physical assets, disk, server, components, destruction',NULL),
+(48,'48','Asset management','AssetManagementPolicy03','Technical & Organizational','Which asset information is kept in the inventory?','n/a','isIn','[services, IP addresses, databases, VM, application, service plan instances, database instances]','String','720','PolicyDocument','','services, IP address, databases, inventory, assets, VM, application, asset management',NULL),
+(49,'49','Asset management','AssetMonitoringQ1','Technical & Organizational','Where are the assets registered and managed?','n/a','n/a','n/a','n/a','720','PolicyDocument','','inventory, assets, management',NULL),
+(50,'50','Business continuity','BusinessContinuityPolicy01','Technical & Organizational','Which external policies are referrenced for business continuity?','n/a','n/a','n/a','n/a','720','PolicyDocument','','bcm, business continuity, recovery',NULL),
+(51,'51','Business continuity','BusinessContinuityPolicy02','Technical & Organizational','For which risks are defined business continuity plans?','n/a','n/a','n/a','n/a','720','PolicyDocument','','bcm, business continuity, risks, plans',NULL),
+(52,'52','Business continuity','BusinessContinuityPolicy03','Technical & Organizational','Which architectural aspects are defined in the business continuity plan?','n/a','isIn','[multi-datacenter architecture, other, none]','String','720','PolicyDocument','','bcm, business continuity, redundancy, availability, multi-datacenter architecture',NULL),
+(53,'53','Change and configuration management','ChangeManagementPolicy01','Technical & Organizational','Which change management policies need to be reviewed by cloud customers?','n/a','n/a','n/a','n/a','720','PolicyDocument','','change management, SLA',NULL),
+(54,'54','Cryptography and key management','EncryptionPolicyQ7','Technical & Organizational','What TSL version is accepted?','n/a','isIn','[TLS 1.1,TLS 1.2,TLS 1.3, tls v1.1 and v1.2, tls version 1.2e]','String','720','PolicyDocument','','encryption mechanisms, protocols, default domains and their TLS-profiles',NULL),
+(55,'55','Cryptography and key management','EncryptionPolicyQ8','Technical & Organizational','What minimum certificate key length is required?','n/a','>=','2048','Integer','720','PolicyDocument','','encryption mechanisms , certificate',NULL),
+(56,'56','Cryptography and key management','EncryptionPolicyQ4','Technical & Organizational','What minimum key length must the Advanced Encryption Algorithm (AES) standard have? ','n/a','==','256-bit','String','720','PolicyDocument','','AES, encryption mechanisms,mobile devices, portable devices',NULL),
+(57,'57','Cryptography and key management','EncryptionPolicyQ5','Technical & Organizational','What Advanced Encryption Algorithm (AES)  standard should be used? ','n/a','==','AES256','String','720','PolicyDocument','','AES, encryption mechanisms,mobile devices, portable devices',NULL),
+(58,'58','Cryptography and key management','EncryptionPolicyQ9','Technical & Organizational','What hash type is required?','n/a','isIn','[SHA256,SHA-384, SHA-512,SHA-512/256]','String','720','PolicyDocument','','encryption mechanisms, hash',NULL),
+(59,'59','Cryptography and key management','EncryptionPolicyQ12','Technical & Organizational','Which policy is to be used for browsers?','n/a','==','HSTS','String','720','PolicyDocument','','encryption mechanisms, security policy, browser, data in transit',NULL),
+(60,'60','Cryptography and key management','EncryptionPolicyCheckQ1','Technical & Organizational','How are passwords or keys encrypted?','','isIn','[MD5, SHA256]','String','720','PolicyDocument','','password, cryptography, data at rest protection',NULL),
+(61,'61','Cryptography and key management','EncryptionPolicyCheckQ2','Technical & Organizational','How are APIs encrypted?','','isIn','[TSL, SSL]','String','720','PolicyDocument','','encryption, cryptography, data at rest protection',NULL),
+(62,'62','Cryptography and key management','EncryptionPolicyCheckQ3','Technical & Organizational','What encryption type is used?','','isIn','[TSL, SSL]','String','720','PolicyDocument','','encryptioncryptography, data at rest protection',NULL),
+(63,'63','Cryptography and key management','EncryptionPolicyCheckQ4','Technical & Organizational','Which TLS features are defined in the policy?','n/a','isIn','[TLS profiles]','String','720','PolicyDocument','','encryption, best practice, TLS, secure configuration.transport layer encryption',NULL),
+(64,'64','Cryptography and key management','EncryptionPolicyQ6','Technical & Organizational','How must mobile and portable devices be encrypted? ','n/a','isIn','[password, passcode, Touch-ID, Face-ID]','String','720','PolicyDocument','','encryption mechanisms, mobile devices, portable devices',NULL),
+(65,'65','Cryptography and key management','EncryptionPolicyQ11','Technical & Organizational','What type of web services must encrypt data in transit? ','n/a','isIn','[storage of sensitive or confidential information,transaction of sensitive or confidential information,user logons]','String','720','PolicyDocument','','encryption mechanisms, web services , data in transit',NULL),
+(66,'66','Cryptography and key management','EncryptionDataTransitPolicyQ1','Technical & Organizational','Which endpoint protection mechanism is defined for data in transit?','n/a','isIn','[encrypted endpoints, none]','String','720','PolicyDocument','','encryption, cryptography, data in transit, protection, PKI, payload, SSL, TLS, transport layer encryption, encrypted endpoints',NULL),
+(67,'67','Cryptography and key management','EncryptionDataTransitPolicyQ2','Technical & Organizational','Which encryption mechanisms are not explicitly supported for data in transit?','n/a','isIn','[TLS - HPKP, HPKP, HTTP Public Key Pinning]','String','720','PolicyDocument','','encryption, cryptography, data in transit,not supported, TLS - HPKP - HTTP Public Key Pinning',NULL),
+(68,'68','Cryptography and key management','EncryptionDataRestPolicyQ1','Technical & Organizational','Which up-front data encryption mechamism is defined?','n/a','isIn','[PKI, public key infrastructure, none]','String','720','PolicyDocument','','encryption, cryptography, data at rest, protection, PKI, data at rest protection',NULL),
+(69,'69','Cryptography and key management','EncryptionKeyPolicy01','Technical & Organizational','Which encryption key parameters are in the scope of the management policy?','n/a','isIn','[key lengths, cipher suites, CRL checks, none]','String','720','PolicyDocument','','encryption, key management, key lenght, standards',NULL),
+(70,'70','Cryptography and key management','DigitalCertPolicy01','Technical & Organizational','Which verifiable certificated are supported for Certificaiton Authorities?','n/a','isIn','[publicly verifiable certificates]','String','720','PolicyDocument','','digital certificates, PKI, CA, x509, certificate authorities, publicly verifiable',NULL),
+(71,'71','Cryptography and key management','DigitalCertPolicy02','Technical & Organizational','Which digital certificates are allowed for user facing services?','n/a','n/a','n/a','n/a','720','PolicyDocument','','digital certificates, PKI, CA, x509, wildcard, user facing certificates',NULL),
+(72,'72','Cryptography and key management','DigitalCertPolicy03','Technical & Organizational','What is the validity period of wildcard digital certificates?','years','<=','3','Integer','720','PolicyDocument','','digital certificates, validity period, duration, wildcard, user facing certificates',NULL),
+(73,'73','Compliance','CompliancePolicy01','Technical & Organizational','How are compliance policies revised for updates?','n/a','n/a','n/a','n/a','720','PolicyDocument','','compliance, planning, requirements',NULL),
+(74,'74','Compliance','CompliancePolicy02','Technical & Organizational','Which mechanisms are implemented to periodically monitor compliance requirements?','n/a','isIn','[audits]','String','720','PolicyDocument','','audits, reviews, compliance',NULL),
+(75,'75','Compliance','CompliancePolicy03','Technical & Organizational','Which additional certifications are in scope of the compliance requirements?','n/a','isIn','[iso 27001, bsi c5, secnumcloud, fedramp, pci, hippa]','String','720','PolicyDocument','','certification, compliance, security review and audit, iso 27001',NULL),
+(76,'76','Compliance','CompliancePolicy04','Technical & Organizational','Which customer-side security checks are defined?','n/a','isIn','[penetration tests, audits, none]','String','720','PolicyDocument','','audit right, customer, penetration testing by customers',NULL),
+(77,'77','Compliance','ComplianceQ2','Technical & Organizational','How is the internal compliance procedure defined?','n/a','n/a','n/a','n/a','720','PolicyDocument','','compliance, monitoring, vulnerabilities, report, expert, assessment',NULL),
+(78,'78','Compliance','ComplianceQ1','Technical','How are vulnerabilities monitored and reported?','n/a','n/a','n/a','n/a','720','PolicyDocument','','compliance, monitoring, vulnerabilities, report, expert, assessment',NULL),
+(79,'79','Communication security','NetworkSecurityPolicy01','Technical & Organizational','Which network-level attacks are mitigated by the implemented mechanisms?','n/a','isIn','[dos, denial of service]','String','720','PolicyDocument','','network security, DoS, DDoS, proxy, IDS, Denial of service protection',NULL),
+(80,'80','Communication security','NetworkAccessPolicy01','Technical & Organizational','Which security mechanism protecs access to administrative networks?','n/a','n/a','n/a','n/a','720','PolicyDocument','','VPN, network access, virtual private network, RAS, segmentation',NULL),
+(81,'81','Communication security','TrustedNetworkPolicy01','Technical & Organizational','Which process exists for determining the trustworthiness of network connections?','n/a','n/a','n/a','n/a','720','PolicyDocument','','whitelisting, trusted networks, filtering',NULL),
+(82,'82','Communication security','TrafficSegregationPolicy01','Technical & Organizational','Which traffic segreation policy is defined?','n/a','n/a','n/a','n/a','720','PolicyDocument','','network, security layer, micro segmentation',NULL),
+(83,'83','User documentation','RecommendationCustomer01','Technical & Organizational','Which aspects are covered in the security recommendations for customers?','n/a','isIn','[secure devops, secdevops, devopssec, security controls in the development life-cycle]','String','720','PolicyDocument','','guidelines, best practices, cloud customer, references to secure coding guidelines',NULL),
+(84,'84','User documentation','GuidelinesCloudCustomersQ1','Technical & Organizational','Which customer guidelines are defined for password management?','n/a','n/a','n/a','n/a','720','PolicyDocument','','password, storage, manager, cryptographic, customer, consumer, responsibility, complexity',NULL),
+(85,'85','User documentation','GuidelinesCloudCustomersQ2','Technical & Organizational','Which customer guidelines are defined for identity management?','n/a','n/a','n/a','n/a','720','PolicyDocument','','identity management, customer, consumer, responsibility, authentication, identity management services',NULL),
+(86,'86','User documentation','GuidelinesCloudCustomersQ3','Technical & Organizational','Which customer guidelines are defined for asset management?','n/a','n/a','n/a','n/a','720','PolicyDocument','','asset management, customer, consumer, responsibility, inventory, software license, asset management',NULL),
+(87,'87','User documentation','DataLocationPolicy01','Technical & Organizational','Which data location regions are defined for compliance?','n/a','n/a','n/a','n/a','720','PolicyDocument','','data location, compliance, geographical',NULL),
+(88,'88','Human resources','InformationSecurityPolicyAcknowledgementQ1','Technical & Organizational','Which system monitors the acknowledgement of the information security policy?','n/a','n/a','n/a','n/a','720','PolicyDocument','','information security policy, acknowledge, employee',NULL),
+(89,'89','Human resources','AccessRightManagementQ1','Technical','Which system monitors the access rights?','n/a','n/a','n/a','n/a','720','PolicyDocument','','access rights, account management',NULL),
+(90,'90','Human resources','NDAQ1','Technical & Organizational','How are non-disclosure agreements monitored?','n/a','n/a','n/a','n/a','720','PolicyDocument','','nda, non-disclosure, agreeent,',NULL),
+(91,'91','Identity, authentication, and access control management','PoliciesForAccessControlQ1','Technical & Organizational','Which processes are documented for users with privileged access?','n/a','n/a','n/a','n/a','720','PolicyDocument','','authorization, access, privilege, PAM, AIM, IdM, management',NULL),
+(92,'92','Identity, authentication, and access control management','PoliciesForAccessControlQ2','Technical & Organizational','Which regulation mandates the management of access rights?','n/a','n/a','n/a','n/a','720','PolicyDocument','','authorization, access, directive, regulation, AIM, IdM, access control, secure credentials management',NULL),
+(93,'93','Identity, authentication, and access control management','PasswordLoginAttemptsQ1','Technical & Organizational','How many consecutive login attempts are allowed?','n/a','<=','50','Integer','720','PolicyDocument','','password',NULL),
+(94,'94','Identity, authentication, and access control management','PasswordLoginBlockDurationQ1','Technical & Organizational','How long is an account blocked after failed logins?','n/a','>=','1','Integer','720','PolicyDocument','','login, block, lock, management, password, authenfication, access',NULL),
+(95,'95','Identity, authentication, and access control management','PasswordPolicyQ1','Technical & Organizational','Which parameters define the password policy?','n/a','n/a','n/a','n/a','720','PolicyDocument','','password, complexity,rotation, entropy, renewak, credentials ',NULL),
+(96,'96','Identity, authentication, and access control management','PasswordPolicyQ2','Technical & Organizational','What is the passwords maximum age according to the password policy?','days','<=','90','Integer','720','PolicyDocument','','password, age, maximum',NULL),
+(97,'97','Identity, authentication, and access control management','PasswordPolicyQ3','Technical & Organizational','What is the passwords rotation frequency?','n/a','<=','4','Integer','720','PolicyDocument','','password, rotation, renewal',NULL),
+(98,'98','Identity, authentication, and access control management','PasswordPolicyQ4','Technical & Organizational','Which requirements exist for password managers?','n/a','n/a','n/a','n/a','720','PolicyDocument','','password, storage, manager, cryptographic, password policy',NULL),
+(99,'99','Identity, authentication, and access control management','PasswordLengthQ1','Technical & Organizational','How long should passwords be?','characters','>=','5','Integer','720','PolicyDocument','','password',NULL),
+(100,'100','Identity, authentication, and access control management','PasswordReuseQ1','Technical & Organizational','What measures are taken to prohibit password reuse?','n/a','n/a','n/a','n/a','720','PolicyDocument','','password',NULL),
+(101,'101','Incident management','IncidentManagementPolicy01','Technical & Organizational','Which team is in charge of handling security incidents?','n/a','isIn','[CERT]','String','720','PolicyDocument','','Incident Management, CERT',NULL),
+(102,'102','Incident management','IncidentManagementPolicy09','Technical & Organizational','How are sources of information considered for identifying incidents?','n/a','isIn','[multi-phase, internal, external]','String','720','PolicyDocument','','incident identification, sources, security-relevant',NULL),
+(103,'103','Incident management','IncidentManagementPolicy10','Technical & Organizational','Which process is in place to analyze a potential incident?','n/a','isIn','[triage, other, none]','String','720','PolicyDocument','','incident management, triage, analysis',NULL),
+(104,'104','Incident management','IncidentManagementPolicy8','Technical & Organizational','How often must the Incident Management plan be tested?','year','<=','1','Integer','720','PolicyDocument','','Incident Management, CERT',NULL),
+(105,'105','Incident management','IncidentManagementPolicy6','Technical & Organizational','When must staff report potential security and privacy issues?','n/a','==','immediatly','String','720','PolicyDocument','','Incident Management, Incident Management general information',NULL),
+(106,'106','Incident management','IncidentManagementPolicy5','Technical & Organizational','To whom must staff report potential security and privacy issues?','n/a','isIn','[CERT, single point of contact]','String','720','PolicyDocument','','Incident Management, Incident Management general information',NULL),
+(107,'107','Incident management','IncidentManagementPolicy02','Technical & Organizational','Which approach is used for reporting incidents to the CSP?','n/a','isIn','[Single Point of Contact, Single Point of Information]','String','720','PolicyDocument','','Single Point of Contact, Single Point of Information (SPoI)',NULL),
+(108,'108','Incident management','IncidentManagementPolicy11','Technical & Organizational','How is guaranteed the user involvement for incident management?','n/a','n/a','n/a','n/a','720','PolicyDocument','','customer involvement, incident management, customer cooperation',NULL),
+(109,'109','Incident management','IncidentManagementPolicy12','Technical & Organizational','When are users notified of relevant incidents?','n/a','==','timely','String','720','PolicyDocument','','customer, notifications, incident',NULL),
+(110,'110','Incident management','IncidentManagementPolicy03','Technical & Organizational','Which entity maintains the evidence related to cyberincidents?','n/a','isIn','[CSP, customer, shared responsibility]','String','720','PolicyDocument','','CSP, customer, shared, evidence collection',NULL),
+(111,'111','Incident management','IncidentManagementPolicy13','Technical & Organizational','Which entity coordinates the forensic investigation?','n/a','isIn','[CERT]','String','720','PolicyDocument','','forensic, incident management',NULL),
+(112,'112',' Information Security Policies','RoleDefinitionQ1','Technical & Organizational','Which roles and responsibilities are defined by the security policy?','n/a','n/a','n/a','n/a','720','PolicyDocument','','roles, stakeholders, provider, consumer, costumer, shared responsibility model, stakeholders and roles',NULL),
+(113,'113',' Information Security Policies','RoleDefinitionQ2','Technical & Organizational','Which responsibilities are defined for the Cloud Platform Provider?','n/a','n/a','n/a','n/a','720','PolicyDocument','','roles, platform, hyperscaler, stakeholders and roles, cloud platform provider',NULL),
+(114,'114',' Information Security Policies','RoleDefinitionQ3','Technical & Organizational','Which responsibilities are defined for the Cloud Service Provider?','n/a','n/a','n/a','n/a','720','PolicyDocument','','roles, provider, CSP, stakeholders and roles, cloud service provider',NULL),
+(115,'115',' Information Security Policies','RoleDefinitionQ4','Technical & Organizational','Which responsibilities are defined for the Cloud Service Consumer?','n/a','n/a','n/a','n/a','720','PolicyDocument','','roles, consumer, customer, CSC, stakeholders and roles, cloud (service) consumer / customer',NULL),
+(116,'116','Operational security','ProvisioningPolicyCheckQ1','Technical & Organizational','How is the provisioning of cloud services handled?','n/a','n/a','n/a','n/a','720','PolicyDocument','','cloud service documentation',NULL),
+(117,'117','Operational security','ProvisioningPolicyCheckQ2','Technical & Organizational','How is the provisioning documented?','n/a','n/a','n/a','n/a','720','PolicyDocument','','cloud service documentation',NULL),
+(118,'118','Operational security','MalwareProtectionCheckQ1','Technical & Organizational','Which core CSP services are covered by malware protection?','n/a','n/a','n/a','n/a','720','PolicyDocument','','malware, protection, antivirus, documentation',NULL),
+(119,'119','Operational security','MalwareProtectionCheckQ2','Technical & Organizational','How are malware-related events stored?','n/a','isIn','[centrally, descentral, distributed, central]','String','720','PolicyDocument','','malware, protection, antivirus, logs, management, central, malware protection',NULL),
+(120,'120','Operational security','MalwareProtectionCheckQ4','Technical & Organizational','Which malware-related events are communicated to the customer?','n/a','n/a','n/a','n/a','720','PolicyDocument','','malware, protection, antivirus, logs, management, malware events, customer, consumer',NULL),
+(121,'121','Operational security','MalwareProtectionCheckQ3','Technical','What antivirus system is used?','n/a','n/a','n/a','n/a','720','PolicyDocument','','malware, protection, antivirus, documentation, malware protection',NULL),
+(122,'122','Operational security','AntimalwareScanFrequencyQ1','Technical','How frequent are antimalware scans done?','days','<=','10','Float','720','PolicyDocument','','antimalware, scans, irregularities',NULL),
+(123,'123','Operational security','SystemBackUpPolicyQ01','Technical & Organizational','Which algorithm is used to encrypt the backup data?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, encryption',NULL),
+(124,'124','Operational security','SystemBackUpPolicyQ02','Technical & Organizational','Who is allowed to access the backed up data?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, access',NULL),
+(125,'125','Operational security','SystemBackUpPolicyQ03','Technical & Organizational','Who is allowed to restore backups?','n/a','==','administrative users','String','720','PolicyDocument','','backup, access, restore',NULL),
+(126,'126','Operational security','SystemBackUpPolicyQ05','Technical & Organizational','How often are backups made?','days','==','1','Integer','720','PolicyDocument','','backup, schedule',NULL),
+(127,'127','Operational security','BackupPolicyQ1','Technical & Organizational','Which backup procedures apply to CSP systems','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, restore, automation, periodical',NULL),
+(128,'128','Operational security','BackupPolicyQ2','Technical & Organizational','How is managed the backup service?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, centralized',NULL),
+(129,'129','Operational security','BackupPolicyQ3','Technical & Organizational','Are there backup services for cloud customers?','n/a','isIn','[no, yes]','String','720','PolicyDocument','','backup, customer, consumer, backup and restore process',NULL),
+(130,'130','Operational security','SystemBackUpMonitoringQ01','Technical & Organizational','What is the automatic backup procedure?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, procedure',NULL),
+(131,'131','Operational security','BackupMonitoringPolicyCheckQ1','Technical','What measures are used to monitor the execution of data backups?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup',NULL),
+(132,'132','Operational security','DataRestoreTestFrequencyQ1','Technical & Organizational','How frequently is the data restore process tested?','days','<=','100','Float','720','PolicyDocument','','data, restore',NULL),
+(133,'133','Operational security','SystemBackUpTesting01','Technical & Organizational','How often is the procedure checked?','n/a','==','annually','String','720','PolicyDocument','','backup, restore procedure',NULL),
+(134,'134','Operational security','SystemBackUpTesting02','Technical & Organizational','How are restore mistakes dealt with?','n/a','==','by the administrator','String','720','PolicyDocument','','backup, monitoring',NULL),
+(135,'135','Operational security','SystemBackUpStorage01','Technical & Organizational','Where are backups stored?','n/a','==','second SSD disk','String','720','PolicyDocument','','backup, storage',NULL),
+(136,'136','Operational security','BackupMonitoringPolicyCheckQ2','Technical','How is backup data transmitted?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, data, transmission',NULL),
+(137,'137','Operational security','BackupMonitoringPolicyCheckQ3','Technical','How is the transmission of backup data verified?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, data, transmission',NULL),
+(138,'138','Operational security','BackupMonitoringPolicyCheckQ4','Technical','How often is the transmission of backups done?','days','<=','1','Float','720','PolicyDocument','','backup, data, transmission',NULL),
+(139,'139','Operational security','BackupMonitoringPolicyCheckQ5','Technical','How are backup transmissions documented?','n/a','n/a','n/a','n/a','720','PolicyDocument','','backup, data, transmission, backup and restore process',NULL),
+(140,'140','Operational security','SystemBackUpStorage03','Technical','How is the storage process monitored?','n/a','==','manually by the admin','String','720','PolicyDocument','','backup, storage',NULL),
+(141,'141','Operational security','LoggingMonitoringPolicyQ1','Technical & Organizational','Which security monitoring data is continuously assessed?','n/a','n/a','n/a','n/a','720','PolicyDocument','','logging, monitoring, policy',NULL),
+(142,'142','Operational security','LoggingMonitoringPolicyQ2','Technical & Organizational','In which type of facility are security event logged?','n/a','isIn','[central logging facility, descentralized logging facility]','String','720','PolicyDocument','','logging, monitoring, policy, monitoring and logging',NULL),
+(143,'143','Operational security','LoggingMonitoringDerivedPolicyQ1','Technical & Organizational','Are security events stored for derived data?','n/a','isIn','[yes, no, does not]','String','720','PolicyDocument','','logging, monitoring, policy, derived data, customer data, PII, monitoring and logging',NULL),
+(144,'144','Operational security','EventMonitoringPolicyCheckQ1','Technical','Which functional events are monitored by the SIEM?','n/a','isIn','[availability, performance, all, none]','String','720','PolicyDocument','','logging, monitoring, metrics, events, availability, performance',NULL),
+(145,'145','Operational security','EventMonitoringPolicyCheckQ2','Technical','In which type of facility are SIEM events stored?','n/a','isIn','[centrally, descentral, distributed, central]','String','720','PolicyDocument','','logging, monitoring, SIEM, central, Security Information and Event Management',NULL),
+(146,'146','Operational security','EventMonitoringPolicyCheckQ3','Technical','Which actions are taken with detected security events?','n/a','n/a','n/a','n/a','720','PolicyDocument','','logging, monitoring, SIEM, CERT, incident, forensic',NULL),
+(147,'147','Operational security','LogDataRetentionTimeQ1','Technical & Organizational','How long is log data stored?','days','<=','100','Float','720','PolicyDocument','','logging, retention',NULL),
+(148,'148','Operational security','LogDataRetentionTimeQ2','Technical & Organizational','When is log data deleted?','days','<=','100','Float','720','PolicyDocument','','logging, deletion',NULL),
+(149,'149','Operational security','IncidentPolicyCheckQ1','Technical & Organizational','How are vulnerabilities managed by the corresponding team?','n/a','isIn','[centrally, descentral, distributed, central]','String','720','PolicyDocument','','incident, vulnerability management, central, technical vulnerability management',NULL),
+(150,'150','Operational security','IncidentAnalysisFrequencyQ1','Technical & Organizational','How often are procedures for vulnerabilities and incidents analyzed?','months','<=','30','Float','720','PolicyDocument','','incident, vulnerability, frequency',NULL),
+(151,'151','Operational security','VulnerabilityScanQ1','Technical & Organizational','Which is the coverage of defined web vulnerability scans?','n/a','n/a','n/a','n/a','720','PolicyDocument','','whitelisted, all, URLs, none',NULL),
+(152,'152','Operational security','PatchManagementPolicyCheckQ1','Technical','Which subsystems are covered by the patch management process?','n/a','isIn','[every, none, partial]','String','720','PolicyDocument','','partial, full, every, none, patch management',NULL),
+(153,'153','Operational security','PatchManagementPolicyCheckQ2','Technical','Which vulnerabilities are prioritized for systems that cannot be patched?','n/a','isIn','[critical, none, all, medium, severe]','String','720','PolicyDocument','','none, critical, all, "no-patch"-approach',NULL),
+(154,'154','Operational security','UpdatePolicyCheckQ1','Technical','Which update mechanisms are there?','n/a','n/a','n/a','n/a','720','PolicyDocument','','update, patch',NULL),
+(155,'155','Operational security','UpdatePolicyCheckQ2','Technical','How are systems and patches updated?','n/a','n/a','n/a','n/a','720','PolicyDocument','','update, patch, patch management',NULL),
+(156,'156','Operational security','VulnerabilityManagementPolicyQ1','Technical & Organizational','How does vulnerability information is gathered and forwarded?','n/a','isIn','[automated, manual, semi-automated]','String','720','PolicyDocument','','vulnerability management, manual, automated, semi-automated, technical vulnerability management',NULL),
+(157,'157','Operational security','VulnerabilityManagementPolicyQ2','Technical & Organizational','Which sources of information are used for web vulnerability scans?','n/a','isIn','[OWASP-Top-Ten, OWASP-Top10, other, none]','String','720','PolicyDocument','','vulnerability management, policy, CERT, PSIRT, security advisories, third party, OWASP, web vulnerability scanning, vulnerability scans',NULL),
+(158,'158','Operational security','SystemHardeningPolicyQ1','Technical','Which sources shall we used to guarantee the hardening of software?','n/a','n/a','n/a','n/a','720','PolicyDocument','','hardening, operating system, server, component, trusted sources',NULL),
+(159,'159','Operational security','SystemHardeningPolicyQ2','Technical','Which systems are covered by the system hardening?','n/a','n/a','n/a','n/a','720','PolicyDocument','','hardening, scan, coverage, full, partial',NULL),
+(160,'160','Operational security','SystemHardeningPolicyQ3','Technical','What is the penetration test frequency?','n/a','isIn','[yearly, annual, periodic, monthly, quarterly]','String','720','PolicyDocument','','Annual, monthly, quarterly, hardening verification, server hardening, server and component hardening',NULL),
+(161,'161','Portability and interoperability','IOInterfacesPolicy01','Technical & Organizational','Which functionalities are defined for output interfaces?','n/a','isIn','[secure data export, none]','String','720','PolicyDocument','','customer data, capabilities, base services',NULL),
+(162,'162','Procurement management','ProcurementManagementQ1','Technical','How is the availability of system components documented?','n/a','n/a','n/a','n/a','720','PolicyDocument','','monitoring, configuration, availability, component',NULL),
+(163,'163','Physical security','AccessControlQ1','Technical & Organizational','Where is access control monitored and regulated?','n/a','n/a','n/a','n/a','720','PolicyDocument','','access control',NULL),
+(164,'164',' Information Security Policies','ApprovedExeptionMonitoringQ1','Technical','Which tool is used for monitoring the list of approved exceptions?','n/a','n/a','n/a','n/a','720','PolicyDocument','','approved exceptions, policies, ',NULL),
+(165,'165','Operational security','EventLogMonitoringQ1','Technical','Which processes are in place for event detection on assets?','n/a','n/a','n/a','n/a','720','PolicyDocument','','event detection, processes, asset classification catalogue',NULL),
+(166,'166','Change and configuration management','LogChangesQ1','Technical & Organizational','How are changes in role and right management for logging handled?','n/a','n/a','n/a','n/a','720','PolicyDocument','','roles and rights, authorized personnel, system configuration, production environment, logging changes',NULL),
+(167,'167',' Information Security Policies','PolicyUpToDateCheck','Technical & Organizational','This metric checks whether the policy document is up-to-date. It measures the time since creation/last modification up to the point of time during assessment. This time shall be smaller then a given threshold.','days','<=','365','Integer','720','PolicyDocument','','',NULL);
 /*!40000 ALTER TABLE `security_metric` ENABLE KEYS */;
 
 -- -----------------------------------
@@ -164,153 +194,175 @@ INSERT INTO cocbackend.security_metric (id, metric_id, category, name, source, d
 -- -----------------------------------
 /*!40000 ALTER TABLE `rel_tom__security_metric` DISABLE KEYS */;
 INSERT INTO cocbackend.rel_tom__security_metric (tom_id, security_metric_id) VALUES
-(153, 1),
-(154, 1),
-(154, 2),
-(159, 3),
-(159, 4),
-(179, 5),
-(179, 6),
-(186, 6),
-(179, 7),
-(186, 7),
-(179, 8),
-(186, 8),
-(179, 9),
-(186, 9),
-(179, 10),
-(179, 11),
-(204, 12),
-(204, 13),
-(217, 14),
-(217, 15),
-(59, 16),
-(59, 17),
-(182, 17),
-(217, 18),
-(217, 19),
-(217, 20),
-(217, 21),
-(153, 22),
-(154, 22),
-(217, 23),
-(156, 24),
-(217, 24),
-(217, 25),
-(217, 26),
-(217, 27),
+(276,1),				
+(276,2),				
+(283,3),	(302,3),			
+(283,4),				
+(326,5),				
+(326,6),				
+(326,7),				
+(326,8),				
+(326,9),				
+(326,10),				
+(326,11),				
+(370,12),				
+(370,13),				
+(394,14),	(302,14),			
+(394,15),				
+(528,16),	(529,16),	(531,16),	(302,16),	(394,16),
+(528,17),	(529,17),	(531,17),	(302,17),	(394,17),
+(394,18),				
+(394,19),				
+(394,20),				
+(394,21),				
+(276,22),				
+(394,23),	(302,23),			
+(394,24),	(278,24),	(302,24),		
+(394,25),				
+(394,26),				
+(394,27),				
+(434,28),				
+(326,29),				
+(15,30),				
+(902,31),				
+(902,32),				
+(668,33),				
+(668,34),				
+(439,35),				
+(142,36),				
+(142,37),				
+(302,38),				
+(302,39),				
+(316,40),				
+(316,41),				
+(668,42),				
+(668,43),				
+(531,44),	(529,44),	(528,44),		
+(531,45),	(529,45),	(528,45),		
 
-(160, 28),
-(170, 29),
-(170, 30),
-(170, 31),
-(181, 32),
-(181, 33),
-(204, 34),
-(204, 35),
-(176, 36),
-(176, 37),
-(176, 38),
-(157, 39),
-(213, 40),
-(213, 41),
-(213, 42),
-(205, 43),
-(205, 44),
-(215, 45),
-(215, 46),
-(215, 47),
-(286, 48),
-(286, 49),
-(286, 50),
-(145, 51),
-(145, 52),
-(147, 53),
-(147, 54),
-(151, 55),
-(151, 56),
-(147, 57),
-(155, 58),
-(155, 59),
-(155, 60),
-(169, 61),
-(169, 62),
-(169, 63),
-(169, 64),
-(204, 65),
-(204, 66),
-(20, 67),
-(20, 68),
-(20, 69),
-(20, 70),
-(219, 71),
-(219, 72),
-(270, 73),
-(270, 74),
-(270, 75),
-(270, 76),
-(487, 77),
-(487, 78),
-(487, 79),
-(81, 80),
-(81, 81),
-(81, 82),
-(291, 83),
-(290, 84),
-(286, 85),
-(295, 86),
-(291, 87),
-(295, 88),
-(295, 89),
-(295, 90),
-(304, 91),
-(299, 92),
-(346, 93),
-(317, 94),
 
-(270,95),
-(270,96),
-(270,97),
-(270,98),
-(156,99),
-(156,100),
-(156,101),
-(156,102),
-(157,103),
-(160,104),
-(162,105),
-(165,106),
-(169,107),
-(288,108),
-(288,109),
-(286,110),
-(290,111),
-(290,112),
-(288,113),
-(290,114),
-(288,115),
-(433,116),
-(445,117),
-(443,118),
-(305,119),
-(428,120),
-(445,121),
-(452,122),
-(434,123),
-(434,124),
-(446,125),
-(447,126),
-(456,127),
-(457,128),
-(461,129),
-(465,130),
-(471,131),
-(497,132),
-(333,133),
-(474,134),
-(474,135),
-(477,136),
-(488,137);
+(158,46),
+(158,47),
+(158,48),
+(161,49),
+(856,50),
+(864,51),
+(869,52),
+(645,53),
+(527,54),
+(527,55),
+(527,56),
+(527,57),
+(527,58),
+(527,59),
+(527,60),
+(527,61),
+(527,62),
+(527,63),
+(527,64),
+(531,65),
+(532,66),
+(532,67),
+(538,68),
+(545,69),
+(545,70),
+(545,71),
+(545,72),
+(881,73),
+(884,74),
+(884,75),
+(888,76),
+(901,77),
+(902,78),
+(552,79),
+(558,80),
+(569,81),
+(588,82),
+(913,83),
+(913,84),
+(913,85),
+(913,86),
+(921,87),
+(125,88),
+(142,89),
+(153,90),
+(403,91),
+(403,92),
+(435,93),
+(438,94),
+(501,95),
+(501,96),
+(501,97),
+(501,98),
+(501,99),
+(501,100),
+(804,101),
+(810,102),
+(810,103),
+(813,104),
+(827,105),
+(829,106),
+(829,107),
+(834,108),
+(835,109),
+(852,110),
+(855,111),
+(44,112),
+(44,113),
+(44,114),
+(44,115),
+(259,116),
+(259,117),
+(268,118),
+(268,119),
+(268,120),
+(276,121),
+(276,122),
+(279,123),
+(279,124),
+(279,125),
+(279,126),
+(279,127),
+(279,128),
+(279,129),
+(282,130),
+(283,131),
+(290,132),
+(290,133),
+(292,134),
+(301,135),
+(302,136),
+(302,137),
+(302,138),
+(302,139),
+(302,140),
+(307,141),
+(307,142),
+(307,143),
+(316,144),
+(316,145),
+(316,146),
+(328,147),
+(328,148),
+(347,149),
+(347,150),
+(347,151),
+(370,152),
+(370,153),
+(370,154),
+(370,155),
+(378,156),
+(378,157),
+(394,158),
+(394,159),
+(394,160),
+(612,161),
+(792,162),
+(221,163),
+(59,164),
+(317,165),
+(673,166),
+(48,167);
 /*!40000 ALTER TABLE `rel_tom__security_metric` ENABLE KEYS */;
 
 
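Review bot: Several added rows in the first part of this list, for example `(283,3),	(302,3),` and the `(528,16), …` lines, pack multiple tuples onto one line with trailing tabs, while rows 46 to 167 use one tuple per line. The layout looks like a spreadsheet export and makes it hard to review which TOM each metric is linked to. Every tom_id literal was renumbered in this change, and these links presumably decide which measure a policy-document metric is evaluated against, so a wrong literal would misattribute assessment results without any error. I would put one tuple per line and add a post-load check such as `SELECT r.* FROM cocbackend.rel_tom__security_metric r LEFT JOIN cocbackend.security_metric m ON m.id = r.security_metric_id WHERE m.id IS NULL;`, plus the equivalent join against the TOM table, which is not visible in this hunk.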
@@ -319,16 +371,17 @@ INSERT INTO cocbackend.rel_tom__security_metric (tom_id, security_metric_id) VAL
 -- -----------------------------------
 /*!40000 ALTER TABLE `similar_control` DISABLE KEYS */;
 INSERT INTO cocbackend.similar_control (code,name,security_control_framework_name,security_control_id) VALUES
+	-- C5.2020 GERMANY --
 	 ('OIS-01','Information Security Management System (ISMS)','C5.2020 GERMANY',1),
 	 ('OIS-04','Segregation of Duties','C5.2020 GERMANY',2),
 	 ('OIS-05','Contact with Relevant Government Agencies and Interest Groups','C5.2020 GERMANY',3),
 	 ('OIS-05','Contact with Relevant Government Agencies and Interest Groups','C5.2020 GERMANY',4),
 	 ('OIS-02','Information Security Policy','C5.2020 GERMANY',5),
 	 ('SP-01','Documentation, communication and provision of policies and instructions','C5.2020 GERMANY',6),
-	 ('SP-02','Review and Approval of Policies and Instructions','C5.2020 GERMANY',7),
-	 ('SP-03','Exceptions from Existing Policies and Instructions','C5.2020 GERMANY',8),
-	 ('OIS-06','Risk Management Policy','C5.2020 GERMANY',9),
-	 ('OIS-07','Application of the Risk Management Policy','C5.2020 GERMANY',10),
+	 ('SP-02','Review and Approval of Policies and Instructions','C5.2020 GERMANY',6),
+	 ('SP-03','Exceptions from Existing Policies and Instructions','C5.2020 GERMANY',7),
+	 ('OIS-06','Risk Management Policy','C5.2020 GERMANY',8),
+	 ('OIS-07','Application of the Risk Management Policy','C5.2020 GERMANY',9),
 	 ('HR-01','Verification of qualification and trustworthiness','C5.2020 GERMANY',11),
 	 ('HR-01','Verification of qualification and trustworthiness','C5.2020 GERMANY',12),
 	 ('HR-02','Employment terms and conditions','C5.2020 GERMANY',13),
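Review bot: After this renumbering `SP-01` and `SP-02` both reference security_control_id 6, and no C5.2020 row visible in the hunk references id 10 any more, while `HR-01` still starts at 11. If the intent was to shift SP-02 through OIS-07 down by one, control 10 is left without a C5 equivalent. If two codes are meant to share control 6, a comment such as `-- SP-01 and SP-02 both map to control 6` would make that explicit. The VALUES list continues outside the hunk, so please confirm the mapping against the security_control seed data before merging.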
@@ -438,8 +491,11 @@ INSERT INTO cocbackend.similar_control (code,name,security_control_framework_nam
 	 ('INQ-03','Conditions for Access to or Disclosure of Data in Investigation Requests','C5.2020 GERMANY',116),
 	 ('PSS-04','Error handling and Logging Mechanisms','C5.2020 GERMANY',117),
 	 ('PSS-06','Session Management','C5.2020 GERMANY',118),
-	 ('PSS-10','Software Defined Networking','C5.2020 GERMANY',119),
-	 ('PSS-11','Images for Virtual Machines and Containers','C5.2020 GERMANY',120),
+	 ('PSS-10','Software Defined Networking','C5.2020 GERMANY',119);
+	 /*('PSS-11','Images for Virtual Machines and Containers','C5.2020 GERMANY',120),*/
+	
+INSERT INTO cocbackend.similar_control (code,name,security_control_framework_name,security_control_id) VALUES
+	-- SecNumCloud FRANCE --
 	 ('6.1','Functions and responsibilities linked to information security','SecNumCloud FRANCE',2),
 	 ('6.2','Segregation of tasks','SecNumCloud FRANCE',2),
 	 ('6.3','Relations with the authorities','SecNumCloud FRANCE',3),
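Review bot: The PSS-11 row is kept in the seed as a block comment, `/*('PSS-11',...,120),*/`, placed after the statement terminator, and nothing explains why control 120 no longer has a C5 mapping. Commented-out data in a seed script is easily re-enabled by mistake or left to drift from the live rows. I would delete the line, or replace it with a one-line `-- PSS-11 intentionally unmapped: <reason>` comment giving the actual reason. The SecNumCloud INSERT that begins in this hunk continues outside it.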
@@ -540,207 +596,205 @@ INSERT INTO cocbackend.similar_control (code,name,security_control_framework_nam
 	 ('17.3','Check, review and evaluate the continuity of activity','SecNumCloud FRANCE',103),
 	 ('18.1','Identification of the legislation and of the contractual requirements that apply','SecNumCloud FRANCE',104),
 	 ('18.2','Independent review of information security','SecNumCloud FRANCE',105),
-	 ('19.2','Location of data','SecNumCloud FRANCE',109),
-	 ('5.1','Management direction for information security','ISO 27002',1),
-	 ('6.1.2','Segregation of duties','ISO 27002',2),
-	 ('6.1.3','Contact with authorities','ISO 27002',3),
-	 ('6.1.4','Contact with special interest groups','ISO 27002',3),
-	 ('6.1.5','Information security in project management','ISO 27002',4),
-	 ('6.2','Mobile devices and teleworking','ISO 27002',5),
-	 ('5.1.1','Policies for information security','ISO 27002',5),
-	 ('6.1.1','Information security roles and responsibilities','ISO 27002',5),
-	 ('5.1.1','Policies for information security','ISO 27002',6),
-	 ('5.1.2','Review of the policies for information security','ISO 27002',6),
-	 ('6.1.1','Information security roles and responsibilities','ISO 27002',8),
-	 ('6.1.1','Information security roles and responsibilities','ISO 27002',9),
-	 ('6.1.1','Information security roles and responsibilities','ISO 27002',10),
-	 ('7.1.1','Screening','ISO 27002',11),
-	 ('7.2.1','Management responsibilities','ISO 27002',11),
-	 ('7.1.1','Screening','ISO 27002',12),
-	 ('7.1.2','Terms and conditions of employment','ISO 27002',13),
-	 ('7.2.2','Information security awareness, education and training','ISO 27002',14),
-	 ('7.3.1','Termination or change of employment responsibilities','ISO 27002',15),
-	 ('7.1.2','Terms and conditions of employment','ISO 27002',16),
-	 ('13.2.4','Confidentiality or non-disclosure agreements','ISO 27002',16),
-	 ('8.1.1','Inventory of assets','ISO 27002',17),
-	 ('8.1.3','Acceptable use of assets','ISO 27002',18),
-	 ('8.3.1','Management of removable media','ISO 27002',19),
-	 ('8.3.2','Disposal of media','ISO 27002',19),
-	 ('8.1.4','Return of assets','ISO 27002',20),
-	 ('8.2.1','Classification of information','ISO 27002',20),
-	 ('8.2.2','Labelling of information','ISO 27002',21),
-	 ('8.2.3','Handling of assets','ISO 27002',21),
-	 ('9.2.1','User registration and de-registration','ISO 27002',23),
-	 ('9.2.2','User access provisioning','ISO 27002',23),
-	 ('9.2.3','Management of privileged access rights','ISO 27002',23),
-	 ('11.1.1','Physical security perimeter','ISO 27002',23),
-	 ('11.1.2','Physical entry controls','ISO 27002',23),
-	 ('11.1.3','Securing offices, rooms and facilities','ISO 27002',23),
-	 ('11.1.6','Delivery and loading areas','ISO 27002',23),
-	 ('17.2.1','Availability of information processing facilities','ISO 27002',26),
-	 ('12.1.3','Capacity management','ISO 27002',27),
-	 ('12.1.3','Capacity management','ISO 27002',27),
-	 ('12.2.1','Controls against malware','ISO 27002',31),
-	 ('12.3.1','Information backup','ISO 27002',32),
-	 ('12.3.1','Information backup','ISO 27002',34),
-	 ('12.4.1','Event logging','ISO 27002',36),
-	 ('12.4.2','Protection of log information','ISO 27002',36),
-	 ('12.4.3','Administrator and operator logs','ISO 27002',36),
-	 ('12.4.1','Event logging','ISO 27002',37),
-	 ('12.4.2','Protection of log information','ISO 27002',37),
-	 ('12.4.3','Administrator and operator logs','ISO 27002',37),
-	 ('12.4.1','Event logging','ISO 27002',39),
-	 ('12.4.2','Protection of log information','ISO 27002',39),
-	 ('12.4.3','Administrator and operator logs','ISO 27002',39),
-	 ('9.4.4','Use of privileged utility programs','ISO 27002',41),
-	 ('12.4.2','Protection of log information','ISO 27002',41),
-	 ('17.2.1','Availability of information processing facilities','ISO 27002',42),
-	 ('12.1.2','Change management','ISO 27002',43),
-	 ('12.6.1','Management of technical vulnerabilities','ISO 27002',43),
-	 ('14.2.2','System change control procedures','ISO 27002',43),
-	 ('12.1.2','Change management','ISO 27002',45),
-	 ('12.6.1','Management of technical vulnerabilities','ISO 27002',45),
-	 ('13.1.1','Network controls','ISO 27002',45),
-	 ('14.2.2','System change control procedures','ISO 27002',45),
-	 ('18.2.3','Technical compliance review','ISO 27002',45),
-	 ('12.6.1','Management of technical vulnerabilities','ISO 27002',46),
-	 ('13.1.3','Segregation in networks','ISO 27002',48),
-	 ('9.1.1','Access control policy','ISO 27002',49),
-	 ('9.1.1','Access control policy','ISO 27002',50),
-	 ('9.4.1','Information access restriction','ISO 27002',50),
-	 ('9.4.2','Secure log-on procedures','ISO 27002',50),
-	 ('9.2.2','User access provisioning','ISO 27002',51),
-	 ('9.2.6','Removal or adjustment of access rights','ISO 27002',51),
-	 ('9.2.2','User access provisioning','ISO 27002',52),
-	 ('9.2.3','Management of privileged access rights','ISO 27002',52),
-	 ('9.2.6','Removal or adjustment of access rights','ISO 27002',52),
-	 ('9.2.5','Review of user access rights','ISO 27002',53),
-	 ('6.1.2','Segregation of duties','ISO 27002',54),
-	 ('9.2.3','Management of privileged access rights','ISO 27002',54),
-	 ('12.4.3','Administrator and operator logs','ISO 27002',54),
-	 ('9.4.3','Password management system','ISO 27002',55),
-	 ('9.2.4','Management of secret authentication information of users','ISO 27002',56),
-	 ('9.3.1','Use of secret authentication information','ISO 27002',56),
-	 ('10.1.1','Policy on the use of cryptographic controls','ISO 27002',58),
-	 ('10.1.2','Key management','ISO 27002',58),
-	 ('13.2.1','Information transfer policies and procedures','ISO 27002',58),
-	 ('13.2.2','Agreements on information transfer','ISO 27002',58),
-	 ('18.1.5','Regulation of cryptographic controls','ISO 27002',58),
-	 ('10.1.1','Policy on the use of cryptographic controls','ISO 27002',59),
-	 ('13.1.1','Network controls','ISO 27002',59),
-	 ('13.2.3','Electronic messaging','ISO 27002',59),
-	 ('14.1.2','Securing application services on public networks','ISO 27002',59),
-	 ('14.1.3','Protecting application services transactions','ISO 27002',59),
-	 ('18.1.5','Regulation of cryptographic controls','ISO 27002',59),
-	 ('10.1.1','Policy on the use of cryptographic controls','ISO 27002',60),
-	 ('10.1.2','Key management','ISO 27002',60),
-	 ('18.1.4','Privacy and protection of personally identifiable information','ISO 27002',60),
-	 ('10.1.2','Key management','ISO 27002',61),
-	 ('13.1.1','Network controls','ISO 27002',62),
-	 ('13.1.2','Security of network services','ISO 27002',62),
-	 ('13.1.1','Network controls','ISO 27002',63),
-	 ('13.1.2','Security of network services','ISO 27002',63),
-	 ('13.1.3','Segregation in networks','ISO 27002',63),
-	 ('13.2.1','Information transfer policies and procedures','ISO 27002',63),
-	 ('13.1.1','Network controls','ISO 27002',64),
-	 ('13.1.2','Security of network services','ISO 27002',64),
-	 ('13.2.1','Information transfer policies and procedures','ISO 27002',64),
-	 ('13.1.3','Segregation in networks','ISO 27002',65),
-	 ('13.1.3','Segregation in networks','ISO 27002',66),
-	 ('13.2.2','Agreements on information transfer','ISO 27002',68),
-	 ('12.5.1','Installation of software on operational systems','ISO 27002',68),
-	 ('14.1.3','Protecting application services transactions','ISO 27002',68),
-	 ('13.2.1','Information transfer policies and procedures','ISO 27002',69),
-	 ('13.2.2','Agreements on information transfer','ISO 27002',69),
-	 ('13.2.3','Electronic messaging','ISO 27002',69),
-	 ('14.1.1','Information security requirements analysis and specification','ISO 27002',69),
-	 ('11.2.5','Removal of assets','ISO 27002',72),
-	 ('11.2.7','Secure disposal or re-use of equipment','ISO 27002',73),
-	 ('8.1','Responsibility for assets','ISO 27002',74),
-	 ('14.2.2','System change control procedures','ISO 27002',74),
-	 ('14.2.3','Technical review of applications after operating platform changes','ISO 27002',74),
-	 ('14.2.4','Restrictions on changes to software packages','ISO 27002',74),
-	 ('8.1','Responsibility for assets','ISO 27002',75),
-	 ('14.2.2','System change control procedures','ISO 27002',75),
-	 ('12.1.2','Change management','ISO 27002',76),
-	 ('14.2.2','System change control procedures','ISO 27002',76),
-	 ('14.2.8','System security testing','ISO 27002',76),
-	 ('14.2.9','System acceptance testing','ISO 27002',76),
-	 ('9.4.5','Access control to program source code','ISO 27002',78),
-	 ('12.1.2','Change management','ISO 27002',78),
-	 ('14.2.2','System change control procedures','ISO 27002',78),
-	 ('14.2.8','System security testing','ISO 27002',78),
-	 ('14.2.9','System acceptance testing','ISO 27002',78),
-	 ('9.4.5','Access control to program source code','ISO 27002',79),
-	 ('12.1.2','Change management','ISO 27002',79),
-	 ('14.2.2','System change control procedures','ISO 27002',79),
-	 ('14.2.8','System security testing','ISO 27002',79),
-	 ('14.2.9','System acceptance testing','ISO 27002',79),
-	 ('14.1.1','Information security requirements analysis and specification','ISO 27002',80),
-	 ('14.1.2','Securing application services on public networks','ISO 27002',80),
-	 ('14.2.1','Secure development policy','ISO 27002',80),
-	 ('14.2.5','Secure system engineering principles','ISO 27002',80),
-	 ('12.1.4','Separation of development, testing and operational environments','ISO 27002',80),
-	 ('14.2.1 ','Secure development policy','ISO 27002',82),
-	 ('12.1.4','Separation of development, testing and operational environments','ISO 27002',83),
-	 ('12.6.1','Management of technical vulnerabilities','ISO 27002',85),
-	 ('14.2.7','Outsourced development','ISO 27002',86),
-	 ('14.2.8','System security testing','ISO 27002',86),
-	 ('14.2.9','System acceptance testing','ISO 27002',86),
-	 ('15.1.1','Information security policy for supplier relationships','ISO 27002',87),
-	 ('15.1.2','Addressing security within supplier agreements','ISO 27002',87),
-	 ('15.1.3','Information and communication technology supply chain','ISO 27002',87),
-	 ('7.2.2','Information security awareness, education and training','ISO 27002',87),
-	 ('15.1.1','Information security policy for supplier relationships','ISO 27002',88),
-	 ('15.1.2','Addressing security within supplier agreements','ISO 27002',88),
-	 ('15.1.3','Information and communication technology supply chain','ISO 27002',88),
-	 ('15.2.2','Managing changes to supplier services','ISO 27002',88),
-	 ('15.2.1','Monitoring and review of supplier services','ISO 27002',90),
-	 ('15.1.1','Information security policy for supplier relationships','ISO 27002',93),
-	 ('15.1.2','Addressing security within supplier agreements','ISO 27002',93),
-	 ('15.1.3','Information and communication technology supply chain','ISO 27002',93),
-	 ('16.1.1','Responsibilities and procedures','ISO 27002',93),
-	 ('16.1.2','Reporting information security events','ISO 27002',93),
-	 ('16.1.4','Assessment of and decision on information security events','ISO 27002',93),
-	 ('16.1.5','Response to information security incidents','ISO 27002',93),
-	 ('16.1.6','Learning from information security incidents','ISO 27002',93),
-	 ('16.1.1','Responsibilities and procedures','ISO 27002',95),
-	 ('16.1.2','Reporting information security events','ISO 27002',95),
-	 ('16.1.7','Collection of evidence','ISO 27002',95),
-	 ('16.1.2','Reporting information security events','ISO 27002',96),
-	 ('16.1.3','Reporting information security weaknesses','ISO 27002',96),
-	 ('12.6.1','Management of technical vulnerabilities','ISO 27002',97),
-	 ('16.1.3','Reporting information security weaknesses','ISO 27002',98),
-	 ('16.1.4','Assessment of and decision on information security events','ISO 27002',98),
-	 ('16.1.5','Response to information security incidents','ISO 27002',98),
-	 ('16.1.6','Learning from information security incidents','ISO 27002',98),
-	 ('16.1.3','Reporting information security weaknesses','ISO 27002',99),
-	 ('16.1.4','Assessment of and decision on information security events','ISO 27002',99),
-	 ('16.1.5','Response to information security incidents','ISO 27002',99),
-	 ('16.1.6','Learning from information security incidents','ISO 27002',99),
-	 ('17.1.1','Planning information security continuity','ISO 27002',100),
-	 ('17.1.1','Planning information security continuity','ISO 27002',101),
-	 ('17.1.3','Verify, review and evaluate information security continuity','ISO 27002',101),
-	 ('17.1.1','Planning information security continuity','ISO 27002',102),
-	 ('17.1.3','Verify, review and evaluate information security continuity','ISO 27002',102),
-	 ('17.1.1','Planning information security continuity','ISO 27002',103),
-	 ('17.1.3','Verify, review and evaluate information security continuity','ISO 27002',103),
-	 ('18.1.1','Identification of applicable legislation and contractual requirements','ISO 27002',104),
-	 ('9.2','User access management','ISO 27002',105),
-	 ('12.7.1','Information systems audit controls','ISO 27002',105),
-	 ('9.2','User access management','ISO 27002',106),
-	 ('9.3','User responsibilities','ISO 27002',106),
-	 ('12.7.1','Information systems audit controls','ISO 27002',106),
-	 ('18.2.2','Compliance with security policies and standards','ISO 27002',106),
-	 ('9.3','User responsibilities','ISO 27002',107),
-	 ('10.1.1','Policy on the use of cryptographic controls','ISO 27002',118),
-	 ('18.1.5','Regulation of cryptographic controls','ISO 27002',118),
+	 ('19.2','Location of data','SecNumCloud FRANCE',109);
+
+INSERT INTO cocbackend.similar_control (code,name,security_control_framework_name,security_control_id) VALUES
+	-- ISO 27002 --
+	('5.4','Management responsibilities','ISO 27002 '1,),
+	('5.21','Managing information security in the ICT supply chain','ISO 27002 ',1),
+	('5.3','Segregation of duties','ISO 27002 ',2),
+	('5.5','Contact with authorities','ISO 27002 ',3),
+	('5.6','Contact with special interest groups','ISO 27002 ',3),
+	('5.8','Information security in project management','ISO 27002 ',4),
+	('5.1','Policies for information security','ISO 27002 ',5),
+	('5.2','Information security roles and responsibilities','ISO 27002 ',6),
+	('5.2','Information security roles and responsibilities','ISO 27002 ',8),
+	('5.2','Information security roles and responsibilities','ISO 27002 ',9),
+	('5.2','Information security roles and responsibilities','ISO 27002 ',10),
+	('6.1','Screening','ISO 27002 ',11),
+	('6.1','Screening','ISO 27002 ',12),
+	('6.2','Terms and conditions of employment','ISO 27002 ',13),
+	('6.3','Information security awareness, education and training','ISO 27002 ',14),
+	('6.5','Responsibilities after termination or change of employment','ISO 27002 ',15),
+	('6.2','Terms and conditions of employment','ISO 27002 ',16),
+	('6.6','Confidentiality or non-disclosure agreements','ISO 27002 ',16),
+	('5.9','Inventory of information and other associated assets','ISO 27002 ',17),
+	('5.1','Policies for information security','ISO 27002 ',18),
+	('7.10','Storage media','ISO 27002 ',19),
+	('5.12','Classification of information','ISO 27002 ',20),
+	('5.12','Classification of information','ISO 27002 ',21),
+	('5.13','Labelling of information','ISO 27002 ',21),
+	('5.1','Policies for information security','ISO 27002 ',23),
+	('5.15','Access control','ISO 27002 ',23),
+	('7.2','Physical entry','ISO 27002 ',23),
+	('7.8','Equipment siting and protection','ISO 27002 ',25),
+	('7.12','Cabling security','ISO 27002 ',25),
+	('7.5','Protecting against physical and environmental threats','ISO 27002 ',26),
+	('8.6','Capacity management','ISO 27002 ',27),
+	('8.6','Capacity management','ISO 27002 ',28),
+	('8.6','Capacity management','ISO 27002 ',29),
+	('5.1','Policies for information security','ISO 27002 ',30),
+	('5.37','Documented operating procedures','ISO 27002 ',30),
+	('8.7','Protection against malware','ISO 27002 ',31),
+	('5.1','Policies for information security','ISO 27002 ',32),
+	('5.37','Documented operating procedures','ISO 27002 ',32),
+	('8.13','Information backup','ISO 27002 ',33),
+	('8.13','Information backup','ISO 27002 ',34),
+	('8.13','Information backup','ISO 27002 ',35),
+	('5.1','Policies for information security','ISO 27002 ',36),
+	('5.37','Documented operating procedures','ISO 27002 ',36),
+	('8.15','Logging','ISO 27002 ',37),
+	('8.16','Monitoring activities','ISO 27002 ',37),
+	('8.16','Monitoring activities','ISO 27002 ',38),
+	('8.15','Logging','ISO 27002 ',39),
+	('8.15','Logging','ISO 27002 ',41),
+	('8.18','Use of privileged utility programs','ISO 27002 ',41),
+	('5.7','Threat intelligence','ISO 27002 ',42),
+	('8.14','Redundancy of information processing facilities','ISO 27002 ',42),
+	('5.22','Monitoring, review and change management of supplier services','ISO 27002 ',43),
+	('5.24','Information security incident management planning and preparation','ISO 27002 ',43),
+	('8.32','Change management','ISO 27002 ',43),
+	('8.32','Change management','ISO 27002 ',45),
+	('8.25','Secure development life cycle','ISO 27002 ',45),
+	('8.28','Secure coding','ISO 27002 ',45),
+	('5.24','Information security incident management planning and preparation','ISO 27002 ',46),
+	('5.25','Assessment and decision on information security events','ISO 27002 ',46),
+	('8.22','Segregation of networks','ISO 27002 ',48),
+	('5.1','Policies for information security','ISO 27002 ',49),
+	('5.15','Access control','ISO 27002 ',49),
+	('5.15','Access control','ISO 27002 ',50),
+	('5.16','Identity management','ISO 27002 ',50),
+	('5.17','Authentication information','ISO 27002 ',50),
+	('5.18','Access rights','ISO 27002 ',50),
+	('5.18','Access rights','ISO 27002 ',51),
+	('5.18','Access rights','ISO 27002 ',52),
+	('8.3','Information access restriction','ISO 27002 ',52),
+	('5.18','Access rights','ISO 27002 ',53),
+	('5.18','Access rights','ISO 27002 ',54),
+	('8.2','Privileged access rights','ISO 27002 ',54),
+	('8.5','Secure authentication','ISO 27002 ',55),
+	('5.17','Authentication information','ISO 27002 ',56),
+	('8.5','Secure authentication','ISO 27002 ',56),
+	('8.24','Use of cryptography','ISO 27002 ',56),
+	('5.23','Information security for use of cloud services','ISO 27002 ',57),
+	('8.24','Use of cryptography','ISO 27002 ',58),
+	('5.14','Information transfer','ISO 27002 ',59),
+	('6.7','Remote working','ISO 27002 ',59),
+	('7.10','Storage media','ISO 27002 ',60),
+	('8.24','Use of cryptography','ISO 27002 ',60),
+	('8.24','Use of cryptography','ISO 27002 ',61),
+	('8.7','Protection against malware','ISO 27002 ',1),
+	('8.20','Networks security','ISO 27002 ',62),
+	('8.20','Networks security','ISO 27002 ',63),
+	('8.22','Segregation of networks','ISO 27002 ',63),
+	('8.20','Networks security','ISO 27002 ',64),
+	('8.21','Security of network services','ISO 27002 ',64),
+	('8.22','Segregation of networks','ISO 27002 ',64),
+	('8.20','Networks security','ISO 27002 ',65),
+	('8.22','Segregation of networks','ISO 27002 ',65),
+	('8.22','Segregation of networks','ISO 27002 ',66),
+	('5.23','Information security for use of cloud services','ISO 27002 ',68),
+	('8.19','Installation of software on operational systems','ISO 27002 ',68),
+	('5.14','Information transfer','ISO 27002 ',69),
+	('5.34','Privacy and protection of PII','ISO 27002 ',69),
+	('5.14','Information transfer','ISO 27002 ',70),
+	('5.14','Information transfer','ISO 27002 ',71),
+	('5.15','Access control','ISO 27002 ',71),
+	('5.19','Information security in supplier relationships','ISO 27002 ',71),
+	('5.20','Addressing information security within supplier agreements','ISO 27002 ',71),
+	('5.31','Legal, statutory, regulatory and contractual requirements','ISO 27002 ',71),
+	('8.10','Information deletion','ISO 27002 ',72),
+	('8.32','Change management','ISO 27002 ',73),
+	('5.1','Policies for information security','ISO 27002 ',73),
+	('5.37','Documented operating procedures','ISO 27002 ',73),
+	('8.32','Change management','ISO 27002 ',74),
+	('8.29','Security testing in development and acceptance','ISO 27002 ',75),
+	('8.32','Change management','ISO 27002 ',75),
+	('8.31','Separation of development, test and production environments','ISO 27002 ',76),
+	('8.32','Change management','ISO 27002 ',76),
+	('8.33','Test information','ISO 27002 ',77),
+	('8.32','Change management','ISO 27002 ',78),
+	('5.30','ICT readiness for business continuity','ISO 27002 ',78),
+	('5.1','Policies for information security','ISO 27002 ',79),
+	('5.37','Documented operating procedures','ISO 27002 ',79),
+	('8.25','Secure development life cycle','ISO 27002 ',79),
+	('5.19','Information security in supplier relationships','ISO 27002 ',80),
+	('5.20','Addressing information security within supplier agreements','ISO 27002 ',80),
+	('5.21','Managing information security in the ICT supply chain','ISO 27002 ',80),
+	('8.25','Secure development life cycle','ISO 27002 ',81),
+	('8.28','Secure coding','ISO 27002 ',81),
+	('8.31','Separation of development, test and production environments','ISO 27002 ',82),
+	('8.8','Management of technical vulnerabilities','ISO 27002 ',84),
+	('8.3','Information access restriction','ISO 27002 ',85),
+	('5.8','Information security in project management','ISO 27002 ',87),
+	('5.19','Information security in supplier relationships','ISO 27002 ',87),
+	('5.19','Information security in supplier relationships','ISO 27002 ',88),
+	('5.21','Managing information security in the ICT supply chain','ISO 27002 ',88),
+	('5.22','Monitoring, review and change management of supplier services','ISO 27002 ',90),
+	('5.24','Information security incident management planning and preparation','ISO 27002 ',92),
+	('5.25','Assessment and decision on information security events','ISO 27002 ',92),
+	('5.25','Assessment and decision on information security events','ISO 27002 ',93),
+	('8.8','Management of technical vulnerabilities','ISO 27002 ',93),
+	('5.26','Response to information security incidents','ISO 27002 ',94),
+	('5.24','Information security incident management planning and preparation','ISO 27002 ',95),
+	('5.27','Learning from information security incidents','ISO 27002 ',96),
+	('8.8','Management of technical vulnerabilities','ISO 27002 ',96),
+	('5.27','Learning from information security incidents','ISO 27002 ',97),
+	('5.28','Collection of evidence','ISO 27002 ',98),
+	('5.1','Policies for information security','ISO 27002 ',99),
+	('5.29','Information security during disruption','ISO 27002 ',99),
+	('5.30','ICT readiness for business continuity','ISO 27002 ',100),
+	('5.30','ICT readiness for business continuity','ISO 27002 ',101),
+	('5.30','ICT readiness for business continuity','ISO 27002 ',102),
+	('5.31','Legal, statutory, regulatory and contractual requirements','ISO 27002 ',103),
+	('8.34','Protection of information systems during audit testing','ISO 27002 ',104),
+	('5.35','Independent review of information security','ISO 27002 ',105),
+	('8.34','Protection of information systems during audit testing','ISO 27002 ',106),
+	('8.15','Logging','ISO 27002 ',115),
+	('8.16','Monitoring activities','ISO 27002 ',116),
+	('8.20','Networks security','ISO 27002 ',117),
+	('8.21','Security of network services','ISO 27002 ',117),
+	('5.23','Information security for use of cloud services','ISO 27002 ',119);
+
+INSERT INTO cocbackend.similar_control (code,name,security_control_framework_name,security_control_id) VALUES
+	-- ISO 27017 --
 	 ('CLD.6.3.1','Shared roles and responsibilities within a cloud computing environment','ISO 27017',2),
 	 ('CLD.6.3.1','Shared roles and responsibilities within a cloud computing environment','ISO 27017',3),
 	 ('CLD.6.3.1','Shared roles and responsibilities within a cloud computing environment','ISO 27017',4),
 	 ('CLD 8.1.5','Removal of cloud service customer assets','ISO 27017',20),
 	 ('CLD.12.4.5','Monitoring of Cloud Services','ISO 27017',29),
 	 ('CLD.13.1.4','Alignment of security management for virtual and physical networks','ISO 27017',67);
+	 
+INSERT INTO cocbackend.similar_control (code,name,security_control_framework_name,security_control_id) VALUES
+	 -- CCF Mapping
+	 ('CCF 91','Roles and Responsibilities over Security and Control Environment','Cisco CCF',2),
+	 ('CCF 108','Policy and Standard Exceptions','Cisco CCF',7),
+	 ('CCF 120','Code of Conduct','Cisco CCF',13),
+	 ('CCF 123','Mobile Device Management','Cisco CCF',14),
+	 ('CCF 120','Code of Conduct','Cisco CCF',15),
+	 ('CCF 165','Full Time Worker Termination','Cisco CCF',15),
+	 ('CCF 118','Confidential Information Agreement','Cisco CCF',16),
+	 ('CCF 119','Non-Disclosure Agreement','Cisco CCF',16),
+	 ('CCF 52','Production Asset Inventory','Cisco CCF',17),
+	 ('CCF 48','Asset Maintenance','Cisco CCF',19),
+	 ('CCF 48','Asset Maintenance','Cisco CCF',20),
+	 ('CCF 35','Building Perimeter Physical Access','Cisco CCF',23),
+	 ('CCF 254','Availability Monitoring','Cisco CCF',28),
+	 ('CCF 262','BU Anti-Malware Technology','Cisco CCF',31),
+	 ('CCF 18','Customer Data Backup','Cisco CCF',33),
+	 ('CCF 19','Customer Data Replication','Cisco CCF',35),
+	 ('CCF 109','Policies and Standards over Metadata','Cisco CCF',38),
+	 ('CCF 239','Security Incident & Event Logging','Cisco CCF',39),
+	 ('CCF 87','Security Management System Risk Assessment Methodology','Cisco CCF',44),
+	 ('CCF 272','Security Management System Risk Assessment Methodology','Cisco CCF',47),
+	 ('CCF 148','User account disablement','Cisco CCF',51),
+	 ('CCF 30','Change Migrations','Cisco CCF',76),
+	 ('CCF 25','Change Approval and Testing Documentation','Cisco CCF',77),
+	 ('CCF 247','Supplier Management Program','Cisco CCF',90),
+	 ('CCF 236','Security & Privacy Incident Response','Cisco CCF',93),
+	 ('CCF 1','Control Self-Assessments','Cisco CCF',105),
+	 ('CCF 279','Legal Assessments','Cisco CCF',114),
+	 ('CCF 173','Virtual Machine Integrity Check','Cisco CCF',118);
 /*!40000 ALTER TABLE `similar_control` ENABLE KEYS */;
 
 SET FOREIGN_KEY_CHECKS=1;
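Review bot: The first row of the new ISO 27002 INSERT does not parse, because `'ISO 27002 '1,)` has the comma on the wrong side of the id, so the statement is rejected and none of the ISO 27002 rows load. The row should read `('5.4','Management responsibilities','ISO 27002',1),`. Every new row also writes the framework name as `'ISO 27002 '` with a trailing space, where the removed rows used `'ISO 27002'`. Any exact string comparison outside the database would probably treat that as a different framework, so the space should be dropped throughout. The row `('8.7','Protection against malware','ISO 27002 ',1)` sits between ids 61 and 62 and looks like a truncated id, which is worth confirming against the source mapping.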
diff --git a/git/cocMysql/startupscripts/05_initialDataCocGateway.sql b/git/cocMysql/startupscripts/05_initialDataCocGateway.sql
deleted file mode 100755
index 1aec2774e9e1376fa82aa788f26598a67d649e10..0000000000000000000000000000000000000000
--- a/git/cocMysql/startupscripts/05_initialDataCocGateway.sql
+++ /dev/null
@@ -1,32 +0,0 @@
---
--- Database: `cocgateway`
---
-USE `cocgateway`;
-SET FOREIGN_KEY_CHECKS=0;
-
--- -----------------------------------
--- Table: `jhi_authority`
--- -----------------------------------
-/*!40000 ALTER TABLE `jhi_authority` DISABLE KEYS */;
-INSERT INTO cocgateway.jhi_authority (name) VALUES ('ROLE_ADMIN'), ('ROLE_USER');
-/*!40000 ALTER TABLE `jhi_authority` ENABLE KEYS */;
-
--- -----------------------------------
--- Table: `jhi_user`
--- -----------------------------------
-/*!40000 ALTER TABLE `jhi_user` DISABLE KEYS */;
-INSERT INTO cocgateway.jhi_user (id,login,first_name,last_name,email,image_url,activated,lang_key,created_by,created_date,last_modified_by,last_modified_date) VALUES
-	 ('4c973896-5761-41fc-8217-07c5d13a004b','admin','Admin','Administrator','admin@localhost',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37');
-/*!40000 ALTER TABLE `jhi_user` ENABLE KEYS */;
-
--- -----------------------------------
--- Table: `jhi_user_authority`
--- -----------------------------------
-/*!40000 ALTER TABLE `jhi_user_authority` DISABLE KEYS */;
-INSERT INTO cocgateway.jhi_user_authority (user_id,authority_name) VALUES
-	 ('4c973896-5761-41fc-8217-07c5d13a004b','ROLE_ADMIN'),
-	 ('4c973896-5761-41fc-8217-07c5d13a004b','ROLE_USER');	 
-/*!40000 ALTER TABLE `jhi_user_authority` ENABLE KEYS */;
-	 
-SET FOREIGN_KEY_CHECKS=1;
-COMMIT;
diff --git a/git/cocMysql/startupscripts/05_initialDataRefToms.sql b/git/cocMysql/startupscripts/05_initialDataRefToms.sql
new file mode 100644
index 0000000000000000000000000000000000000000..4309ccee8ece80e1b0c0c44ebcbfb65421e0dbab
--- /dev/null
+++ b/git/cocMysql/startupscripts/05_initialDataRefToms.sql
@@ -0,0 +1,56 @@
+--
+-- Database: `cocbackend`
+--
+USE `cocbackend`;
+SET FOREIGN_KEY_CHECKS=0;
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET NAMES utf8 */;
+/*!50503 SET NAMES utf8mb4 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+
+-- -----------------------------------
+-- Table: `reference_tom`
+-- -----------------------------------
+/*!40000 ALTER TABLE `reference_tom` DISABLE KEYS */;
+INSERT INTO cocbackend.reference_tom (id,reference_tom_impl,tom_id) VALUES
+	(1,'<p>The EUCS requirement OIS-02.4H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor the assignment of responsibilities and tasks to ensure that measures related to segregation of duties are enforced</strong>&rdquo;.</p><p>and references as &ldquo;measures&rdquo; the following requirement also from OIS-02 Segregation of Duties:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>OIS-02.1H</p></td><td width="491"><p>"The CSP shall perform a risk assessment as defined in RM-01 about the accumulation of responsibilities or tasks on roles or individuals, regarding the provision of the cloud service, covering at least the following areas, insofar as these are applicable to the provision of the cloud service and are in the area of responsibility of the CSP:</p><p>(1) Administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01);</p><p>(2) Development, testing and release of changes (cf. DEV-01, CCM-01); and</p><p>(3) Operation of the system components."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><thead><tr><th width="56" style="background: rgb(0, 153, 160)"><p><span style="color:white;">Code</span></p></th><th width="143" style="background: rgb(0, 153, 160)"><p><span style="color:white;">Name</span></p></th><th width="367" style="background: rgb(0, 153, 160)"><p><span style="color:white;">Objective</span></p></th></tr></thead><tbody><tr><td width="56"><p>OIS-02</p></td><td width="143"><p>Segregation of Duties</p></td><td width="367"><p>&ldquo;Conflicting tasks and responsibilities are separated based on an RM-01 risk assessment to reduce the risk of unauthorised or unintended changes or misuse of CSC data processed, stored or transmitted in the cloud service.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - RM-01: Risk Management Policy</li><li>EUCS - IAM-01: Policies for 
Access Control to Information</li><li>EUCS - DEV-01: Policies for the Development and Procurement of Information Systems</li><li>EUCS - CCM-01: Policies for Changes to Information Systems</li></ul><p>External references:</p><ul><li>2020 GERMANY - OIS-04: Segregation of Duties</li><li>SecNumCloud FRANCE - 6.1: Functions and responsibilities linked to information security</li><li>SecNumCloud FRANCE - 6.2: Segregation of tasks</li><li>ISO 27002 &ndash; 5.3: Segregation of duties</li><li>ISO 27017 - CLD.6.3.1: Shared roles and responsibilities within a cloud computing environment</li><li>Cisco CCF - CCF 91: Roles and Responsibilities over Security and Control Environment</li></ul><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Management System</p></td><td width="464"><p>Framework of policies, procedures, and processes used to ensure that an organization is operating effectively and efficiently. Management systems are used to guide the activities of an organization and to help achieve its goals and objectives.</p></td></tr><tr><td width="102"><p>Information Security Management system (ISMS)</p></td><td width="464"><p>An information security management system (ISMS) is a framework of policies, processes, and controls that organizations use to manage and reduce their information security risks. Generally, an ISMS is designed to protect the confidentiality, integrity, and availability of the organization''s information assets, and can include both technical and non-technical measures</p></td></tr><tr><td width="102"><p>Risk Management</p></td><td width="464"><p>Overall process of risk identification, risk analysis and risk evaluation. 
An ISMS includes a process for identifying and assessing the organization''s information security risks, and for developing plans to mitigate those risks.</p></td></tr><tr><td width="102"><p>Segregation/ Separation of Duties</p></td><td width="464"><p>The goal of segregation of duties is to ensure that no single individual has complete control over a process or activity, which can help to prevent unauthorized actions and mistakes. Also, it allows to separate conflicting duties between different individuals. So, it is a principle that is used in ISMS to reduce among others the risk of fraud and errors.</p></td></tr><tr><td width="102"><p>Cloud RBAC</p></td><td width="464"><p>Cloud role-based access control is an authorization system provided by the CSP that provides fine-grained access management of Cloud resources to ensure that measures related to segregation of duties are enforced.</p></td></tr><tr><td width="102"><p>Role assignment</p></td><td width="464"><p>It is the process (grant, change, revoke) of attaching a role definition to a security principal at a particular scope.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Typically, managing access to cloud resources is a critical function and is performed by the CSP by implementing a cloud RBAC (e.g., Azure RBAC, AWS RBAC) to manage who has access to specific cloud resources, what they can do with those resources, and what areas they have access to. The assignment of tasks to roles will allow a separation of duties as part of the role management process. The role assignment is monitored by the CSP.</p><p>A defined team shall be defined that is responsible for overseeing the security and control environments at the organization. It will verify the roles of each member and validate that security and control environments are being reviewed and followed up upon. 
Managers will check with each member to review responsibilities and roles at least annually.</p><p>Roles and responsibilities of the users are defined and agreed on in a risk assessment performed by the CSP. The risk assessment should cover administrative and user rights, and should include definitions related to data ownership, information security accountability, access provisioning and approval responsibilities, development, testing and release of changes, data backup and recovery responsibilities, and operation of the system components. Some mitigation measures should be introduced to monitor the activities in order to detect unauthorised or unintended changes as well as misuse.</p><p>A risk assessment for administrative user rights should consider the potential risks associated with granting certain users the ability to modify or delete logs or log analysis of their actions. This could include risks such as:</p><ul><li>Tampering with logs to cover up malicious or inappropriate activity.</li><li>Accidentally or intentionally deleting important logs that may be needed for later analysis or investigation.</li><li>Disrupting the integrity and reliability of log data, which could hinder incident response and forensics efforts.</li></ul><p>To mitigate these risks, it is important to carefully consider which users should be granted administrative rights and to establish strict policies and procedures for the use of these rights. This might include requiring users to provide a justification for modifying or deleting logs, requiring multiple approvals before such actions can be taken, and implementing strict auditing and monitoring to detect any inappropriate use of these rights.</p><p>This risk assessment should also consider that a same user could have several roles which gives him different right and duties.</p>',15),
+	(2,'<p>The EUCS requirement ISP-03.5H states:</p><p>&ldquo;<strong><em>The list of exceptions shall be automatically monitored to ensure that the validity of approved exceptions has not expired and that all reviews and approvals are up-to-date</em></strong>&rdquo;.</p><p>and references the following requirement also from ISP-03 Exceptions:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>ISP-03.1H</p></td><td width="491"><p>"The CSP shall maintain a list of exceptions, limited in time, to the security policies and procedures, including associated controls."</p></td></tr></tbody></table><p>&nbsp;</p><h5 style="color:#0099A8">EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><th width="56"><p>Code</p></th><th width="94"><p>Name</p></th><th width="416"><p>Objective</p></th></tr><tr><td width="56"><p>ISP-03</p></td><td width="94"><p>Exceptions</p></td><td width="416"><p>&ldquo;Exceptions to the policies and procedures for information security as well as respective controls are explicitly listed&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - RM-01: Risk Management Policy</li></ul><p>External references:</p><ul><li>2020 GERMANY - SP-03: Exceptions from Existing Policies and Instructions</li><li>Cisco CCF - CCF 108: Policy and Standard Exceptions</li></ul><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="113"><p>Term</p></td><td colspan="2" width="454"><p>Definition</p></td></tr><tr><td width="113"><p>Information security</p></td><td colspan="2" width="454"><p>Preservation of confidentiality, integrity and availability of information</p></td></tr><tr><td width="113"><p>Information Security Management system (ISMS)</p></td><td width="453"><p>An information security management system (ISMS) is a framework of policies, processes, and controls that organizations use to manage and reduce their information security risks. 
Generally, an ISMS is designed to protect the confidentiality, integrity, and availability of the organization''s information assets, and can include both technical and non-technical measures</p></td></tr><tr><td><p>Exception</p></td><td colspan="2" width="454"><p>Exceptions to information security policies, standards, guidelines, and procedures</p></td></tr><tr><td width="113"><p>Risk Management</p></td><td colspan="2" width="454"><p>Risk management is the identification, evaluation, and prioritization of risks. An ISMS includes a process for identifying and assessing the organization''s information security risks, and for developing plans to mitigate those risks.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>This security control ensures that exceptions to the policies and procedures for information security as well as respective controls are explicitly listed. Deviation from the Information Security policy implemented by the CSP is discouraged. However, exception may be considered if a presentation of a reasonable and justifiable reason is provided. The expression, &ldquo;there is an exception to every rule&rdquo; is also true in information security policies context. There are often legitimate reasons why an exception to a policy is needed. 
In these cases, the policy should define how approval for the exception to the policy is obtained, and management should be aware of exceptions to security policies as the exception to the policy could introduce risks that need to be mitigated in another way.</p><p>In the context of EUCS requirements exceptions can have organizational or technical causes, such as:</p><ul><li>An organizational unit deviating from the intended processes and procedures in order to meet the requirements of a cloud customer.</li><li>A system component lacking technical properties to be configured according to the applicable requirements.</li></ul><p>Cloud customers can use appropriate controls to ensure that they obtain information from the Cloud Service Provider about deviations from information security policies and instructions in order to assess and appropriately manage the associated risks to their own information security.</p><p>While at basic assurance level, maintaining a list of exceptions is sufficient, at substantial level, those exceptions are required to be approved and taken into account by the risk management. Therefore, the exceptions need to be collected and approved, as part of the risk management process. A complete description of the exception shall be maintained including relevant information such as exception description, exception duration, compensating controls for managing the risk associated with the exception, proposed review date, or others. The approvals of exceptions may be documented, limited in time and reviewed for appropriateness at least annually by the risk owners.</p><p>At the high assurance level, the list of the exception must also be automatically monitored. The continuous monitoring of the exceptions list should be automated to ensure that they do not exceed their &ldquo;lifespan&rdquo; in the system and that exceptions do not remain active after approval has been revoked. 
Such a monitoring tool should be capable of issuing notifications and regular status updates when an exception expires, has been approved or has been revoked by the risk owner. This could be achieved through languages similar to the one defined in the OSCAL (Open Security Controls Assessment Language).</p>',59),
+	(3,'<p>The EUCS requirement HR-03.4H states :</p><p>&ldquo;All employees shall acknowledge in a documented form the information security policies and procedures presented to them before they are granted any access to CSC data, the production environment, or any functional component thereof, <strong>and the verification of this acknowledgement shall be automatically monitored in the processes and automated systems used to grant access rights to employees</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="113"><p>Name</p></td><td width="397"><p>Objective</p></td></tr><tr><td width="56"><p>HR-03</p></td><td width="113"><p>Employee terms and conditions</p></td><td width="397"><p>&ldquo;The CSP''s internal and external employees are required by the employment terms and conditions to comply with applicable policies and procedures relating to information security, and to the CSP&rsquo;s code of ethics, before being granted access to any CSC data or system components under the responsibility of the CSP used to provide the cloud service in the production environment&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-02: Employment terms and conditions</li><li>SecNumCloud FRANCE - 7.2: Conditions for hire</li><li>ISO 27002 &ndash; 6.2: Terms and conditions of employment</li><li>Cisco CCF - CCF 120: Code of Conduct</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="113"><p>Term</p></td><td width="454"><p>Definition</p></td></tr><tr><td width="113"><p>Information security policies</p></td><td width="454"><p>Information security policies refer to policies, processes, and tools designed and deployed to protect sensitive business information and data assets from unauthorised access.</p></td></tr><tr><td width="113"><p>Code of Ethics</p></td><td width="454"><p>A code of ethics sets 
out an organization''s ethical guidelines and best practices to follow for honesty, integrity, and professionalism.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Typically, a CSP defines information security policies and procedures to determine the organisation&rsquo;s approach to manage its security objectives. These policies should be communicated to the internal and external employees in a relevant and understandable form.</p><p>In order to track who has been informed of these policies and procedures, the CSP should prepare a simple acknowledgement form for employees to sign, preferably digitally so it can be automatically monitored and tracked. Every time a change is introduced in the information security policies, procedures and practices, the same form should be digitally signed again to make sure that all employees are aware of the changes. The signed form serves as evidence that the employees who signed it have been informed about the recent approach of the organisation to manage cyber security.</p><p>A typical acknowledgement form includes the name of the party which should read the policy and procedure, states which document is to be acknowledged, describes what is expected from the party regarding the implementation of the policy, the date when the form is signed and the signature.</p><p>In addition to the digital signature, the process of collecting and accounting of acknowledgement forms must be automated to ensure a quick update and report of the status of informed employees about the information security policies, identification of those who have not yet signed it, and defining further steps for ensuring that all employees get up-to-date information about the policies.</p>',125),
+ 	(4,'<p>The EUCS requirement HR-04.3H states:</p><p>&ldquo;The CSP shall ensure that all employees complete the security awareness and training program defined for them on a regular basis, and when changing target group, <strong>and shall automatically monitor the completion of the security awareness and training program</strong>&rdquo;.</p><p>and references the following requirement also from HR-04 Security awareness and training:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>HR-04.1H</p></td><td width="491"><p>"The CSP shall define a security awareness and training program on a target group oriented manner, taking into consideration at least the position&rsquo;s risk classification and technical duties, and that covers the following aspects:</p><p>(1) Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures;</p><p>(2) Handling CSC data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;</p><p>(3) Information about the current threat situation; and</p><p>(4) Correct behaviour in the event of security incidents."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>HR-04</p></td><td width="143"><p>Security awareness and training</p></td><td width="367"><p>&ldquo;The CSP operates a target group-oriented security awareness and training program, which is completed by all internal and external employees of the CSP on a regular basis&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-03: Security training and awareness programme</li><li>ISO 27002 &ndash; 6.3: Information security awareness, education and training</li><li>Cisco CCF - CCF 123: Mobile Device 
Management</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="132"><p>Term</p></td><td width="435"><p>Definition</p></td></tr><tr><td width="132"><p>Security awareness</p></td><td width="435"><p>The capacity to be conscious and alert of the possible security threats.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Upstream of this requirement is the fact that the CSP employees must participate in training and refresher courses related to the functions to be performed in their employment. The CSP is required to ensure that the employees have taken these courses.</p><p>Thus, a possible way to implement this requirement could be as follows:</p><ul><li>the employee can attend a refresher course organized by the CSP online, and</li><li>the employee can digitally sign an exam taken after the course.</li></ul><p>The CSP training program shall include a security awareness sub-program and content specifications according to the different positions.</p>',135),
+	(5,'<p>The EUCS requirement HR-05.2H states:</p><p>&ldquo;The CSP shall apply a specific procedure to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed, defining specific roles and responsibilities and including a documented checklist of all required steps; <strong>the CSP shall automatically monitor the application of this procedure</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr style="height: 35.4688px;"><td style="height: 35.4688px;" width="56"><p>Code</p></td><td style="height: 35.4688px;" width="104"><p>Name</p></td><td style="height: 35.4688px;" width="406"><p>Objective</p></td></tr><tr style="height: 124px;"><td style="height: 124px;" width="56"><p>HR-04</p></td><td style="height: 124px;" width="104"><p>Termination or change in employment</p></td><td style="height: 124px;" width="406"><p>&ldquo;Internal and external employees have been informed about which responsibilities, arising from the policies and procedures relating to information security, will remain in place when their employment is terminated or changed and for how long.</p><p>Upon termination or change in employment, all the access rights of the employee are revoked or appropriately modified, and all accounts and assets are processed appropriately&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-05: Responsibilities in the event of termination or change of employment</li><li>SecNumCloud FRANCE - 7.5: Rupture, term or modification in the labour contract</li><li>ISO 27002 &ndash; 6.5: Responsibilities after termination or change of employment</li><li>Cisco CCF - CCF 120: Code of Conduct</li><li>Cisco CCF- CCF 165: Full Time Worker Termination</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="132"><p>Term</p></td><td 
width="435"><p>Definition</p></td></tr><tr><td width="132"><p>Access rights</p></td><td width="435"><p>The permissions that are granted to a user in this case to an employee to read, write, access or modify certain resources.</p></td></tr><tr><td width="132"><p>Account revocation</p></td><td width="435"><p>Account deletion.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The CSP should specify in advance a procedure for defining which access rights should remain and which should be revoked immediately once a contract of an internal or external employee is terminated. This procedure should define specific roles and responsibilities and will include a documented checklist of the steps to be performed.</p><p>The defined procedures should be based on information security requirements, legal responsibilities, responsibilities with respect to relevant confidential agreements, and the terms and conditions of employment. In all cases, the employees should be communicated about the termination of their responsibilities. The accounts to be revoked shall be disabled in order to keep required audit trails.</p><p>For internal employees, the human resources department is typically responsible for the termination process together with the superior of the leaving employee. For external employees, the termination process is undertaken by the external party and should be executed in accordance with the contract between this party and the organisation.</p><p>This requirement could be implemented if the internal employee receives digital confirmation that s/he has been informed about the required topics, and this is requested again digitally at the termination process. By doing so, the auditor would be able to check each termination and identify any deviations.</p>',142),
+	(6,'<p>The EUCS requirement HR-06.2H states:</p><p>&ldquo;The agreements shall be accepted by external service providers and suppliers when the contract is agreed, <strong>and this acceptation shall be automatically monitored</strong>&rdquo;.</p><p>and references the following requirement also from HR-06 Confidentiality agreements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>HR-06.1H</p></td><td width="491"><p>"The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers, based on the requirements identified by the CSP for the protection of confidential information and operational details."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr style="height: 35.4688px;"><td style="height: 35.4688px;" width="56"><p>Code</p></td><td style="height: 35.4688px;" width="104"><p>Name</p></td><td style="height: 35.4688px;" width="406"><p>Objective</p></td></tr><tr style="height: 74px;"><td style="height: 74px;" width="56"><p>HR-06</p></td><td style="height: 74px;" width="104"><p>Confidentiality agreements</p></td><td style="height: 74px;" width="406"><p>&ldquo;Non-disclosure or confidentiality agreements are in place with internal employees, external service providers and suppliers of the CSP to protect the confidentiality of the information exchanged between them&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-06: Confidentiality agreements</li><li>ISO 27002 - 6.2: Terms and conditions of employment</li><li>ISO 27002 &ndash; 6.6: Confidentiality or non-disclosure agreements</li><li>Cisco CCF - CCF 118: Confidential Information Agreement</li><li>Cisco CCF - CCF 119: Non-Disclosure Agreement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Term</p></td><td 
width="501"><p>Definition</p></td></tr><tr><td width="66"><p>NDA</p></td><td width="501"><p>A non-disclosure agreement (NDA), also called a confidentiality agreement, is a legally binding contract which obliges one party to not disclose secret information without permission from another party.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>An NDA is required to ensure that external service providers and suppliers will not reveal CSP&rsquo;s secrets or any confidential information they are working with. An NDA must be signed before the relationship with the external service providers or suppliers starts.</p><p>An NDA can be digitally signed, so that the signing of NDA can be easily monitored in an automatic way by the CSP. The digital signature process also allows the CSP to easily obtain up-to-date status of how many NDAs have been signed, identify those external service providers or suppliers who have not yet signed the document, and to ensure that those who did not sign have no access to secrete or confidential information. Such automatization requires tool support for the monitoring, e.g., Adaptive Non-Disclosure Agreement (NDA) Manager.</p>',150),
+	(7,'<p>The EUCS requirement HR-06.3H states:</p><p>&ldquo;The agreements shall be accepted by internal employees of the CSP before authorisation to access CSC data is granted, <strong>and this acceptation shall be automatically monitored</strong>&rdquo;.</p><p>and references the following requirement also from HR-06 Confidentiality agreements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>HR-06.1H</p></td><td width="491"><p>"The CSP shall ensure that non-disclosure or confidentiality agreements are agreed with internal employees, external service providers and suppliers, based on the requirements identified by the CSP for the protection of confidential information and operational details."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="113"><p>Name</p></td><td width="397"><p>Objective</p></td></tr><tr><td width="56"><p>HR-06</p></td><td width="113"><p>Confidentiality agreements</p></td><td width="397"><p>&ldquo;Non-disclosure or confidentiality agreements are in place with internal employees, external service providers and suppliers of the CSP to protect the confidentiality of the information exchanged between them&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-06: Confidentiality agreements</li><li>ISO 27002 - 6.2: Terms and conditions of employment</li><li>ISO 27002 - 6.6: Confidentiality or non-disclosure agreements</li><li>Cisco CCF - CCF 118: Confidential Information Agreement</li><li>Cisco CCF - CCF 119: Non-Disclosure Agreement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Term</p></td><td width="501"><p>Definition</p></td></tr><tr><td width="66"><p>NDA</p></td><td width="501"><p>A non-disclosure agreement (NDA), also called a confidentiality agreement, is a legally binding contract which obliges one 
party to not disclose secret information without permission from another party.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>An NDA is required to ensure that internal employees will not reveal CSP&rsquo;s secretes or any confidential information they are working with. An NDA must be signed before an employee is granted access to any confidential information. This is typically done before employment.</p><p>An NDA can be digitally signed, so that the signing of NDA can be easily monitored in an automatic way by the CSP. The digital signature process also allows the CSP to easily obtain up-to-date status of how many NDAs have been signed, identify those internal employees who have not yet signed the document, and to ensure that those who did not sign have no access to secrete or confidential information. Such automatization requires tool support for the monitoring, e.g., Adaptive Non-Disclosure Agreement (NDA) Manager.</p>',151),
+	(8,'<p>The EUCS requirement HR-06.5H states:</p><p>&ldquo;The CSP shall inform its internal employees, external service providers and suppliers and obtain confirmation of the updated confidentiality or non-disclosure agreement, <strong>and this acceptation shall be automatically monitored</strong>&rdquo;.</p><p>and references the following requirement also from HR-06 Confidentiality Agreements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>HR-06.4H</p></td><td width="491"><p>"The requirements on which the agreements are based shall be documented and reviewed at regular intervals, at least annually; if the review shows that the requirements need to be modified, then the non-disclosure or confidentiality agreements shall be modified accordingly."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="104"><p>Name</p></td><td width="406"><p>Objective</p></td></tr><tr><td width="56"><p>HR-06</p></td><td width="104"><p>Confidentiality agreements</p></td><td width="406"><p>&ldquo;Non-disclosure or confidentiality agreements are in place with internal employees, external service providers and suppliers of the CSP to protect the confidentiality of the information exchanged between them&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Term</p></td><td width="501"><p>Definition</p></td></tr><tr><td width="66"><p>NDA</p></td><td width="501"><p>A non-disclosure agreement (NDA), also called a confidentiality agreement, is a legally binding contract which obliges one party to not disclose secret information without permission from another party.</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - HR-06: Confidentiality agreements</li><li>ISO 27002 &ndash; 6.2: Terms and conditions of employment</li><li>ISO 27002 &ndash; 
6.6: Confidentiality or non-disclosure agreements</li><li>Cisco CCF - CCF 118: Confidential Information Agreement</li><li>Cisco CCF - CCF 119: Non-Disclosure Agreement</li></ul><p>&nbsp;</p><h5>Guidelines</h5><p>An NDA is required to ensure that internal employees, external service providers and suppliers will not reveal CSP&rsquo;s secrets or any confidential information they are working with. An NDA must be signed before an internal employee, external service provider or supplier is granted access to any confidential information.</p><p>The NDAs should be reviewed at regular intervals, at least annually. If the review shows that the requirements need to be modified, then the NDA shall be modified accordingly, and the internal employees, external service providers and suppliers must accept it, i.e., the updated NDA must be signed.</p><p>An NDA can be digitally signed, so that the signing of NDA can be easily monitored in an automatic way by the CSP. The digital signature process also allows the CSP to easily obtain up-to-date status of how many NDAs have been signed and whether the NDAs are up-to-date; identify those internal employees, external service providers and suppliers who have not yet signed the document; and to ensure that those who did not sign have no access to secret or confidential information. Such automatization requires tool support for the monitoring, e.g., Adaptive Non-Disclosure Agreement (NDA) Manager.</p>',153),
+	(9,'<p>The EUCS requirement OPS-02.2H states:</p><p>&ldquo;<strong>The provisioning and de-provisioning of cloud services shall be automatically monitored to guarantee fulfilment of these safeguards</strong>&rdquo;.</p><p>and references the following requirement also from OPS-02 Capacity Management &ndash; Monitoring:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>OPS-02.1H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement technical and organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="151"><p>Name</p></td><td width="350"><p>Objective</p></td></tr><tr><td width="66"><p>&shy;OPS-02</p></td><td width="151"><p>Capacity management &ndash; monitoring</p></td><td width="350"><p>&ldquo;The capacities of critical resources such as personnel and IT resources are monitored&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - OPS-02: Capacity Management &ndash; Monitoring</li><li>ISO 27002 &ndash; 8.6: Capacity Management</li><li>Cisco CCF - CCF 254: Availability Monitoring</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Capacity management</p></td><td width="464"><p>Process for monitoring, analysis, reporting and improvement of capacity</p></td></tr><tr><td width="102"><p>SLA</p></td><td width="464"><p>Service Level Agreement</p></td></tr><tr><td width="102"><p>Provisioning</p></td><td width="464"><p>Cloud Services provisioning is the allocation of CSP&rsquo;s resources to a CSC.</p></td></tr><tr><td width="102"><p>De-provisioning</p></td><td width="464"><p>Cloud Services 
de-provisioning is the process of removing CSC&rsquo;s access to the CSP&rsquo;s resources.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Technical and organizational safeguards related to monitoring the provisioning and de-provisioning of cloud services may cover topics such as the:</p><ul><li>definition and implementation of detective controls (mechanisms used to detect problems in due time)</li><li>system monitoring and tuning: number of transactions, number of users, number of new customers, availability of RAM (Random Access Memory) and disk in peak times, response times for some big queries, etc.)</li><li>identification and analysis of trends of usage.</li></ul><p>The CSP may use tools such as load balancers in order to automatically handle the provisioning and de-provisioning of cloud services. These tools may be provided to CSCs to receive relevant information related to capacity and availability that will allow them handling themselves the resources. Usually, the CSP provides a Cloud Resource Manager which enables the Cloud Service Customer to view the deployment history of all cloud services for which the CSP is responsible. The Cloud Service Customer can examine specific operations in past deployments and see which resources were provisioned and un-provisioned.</p><p>This information will be useful to react to unexpected events such as unprecedented traffic or to detect any unused resources that may sometimes be redirected or be ridden of, conducting to the provisioning or de-provisioning of cloud services when necessary, in order to maintain good resources levels without major losses of services&rsquo; quality.</p>',259),
+	(10,'<p>The EUCS requirement OPS-05.3H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor the systems covered by the malware protection and the configuration of the corresponding mechanisms to guarantee fulfilment of above requirements, and the antimalware scans to track detected malware or irregularities</strong>&rdquo;.</p><p>and references the following requirements also from OPS-05 Protection Against Malware &ndash; Implementation:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>OPS-05.1H</p></td><td width="482"><p>&ldquo;The CSP shall deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment, according to policies and procedures&rdquo;</p></td></tr><tr><td width="85"><p>OPS-05.2H</p></td><td width="482"><p>&ldquo;Signature-based and behaviour-based malware protection tools shall be updated at least daily.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="180"><p>Name</p></td><td width="321"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-05</p></td><td width="180"><p>Protection against malware &ndash; implementation</p></td><td width="321"><p>&ldquo;Malware protection is deployed and maintained on systems that provide the cloud service&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - OPS-05: Protection Against Malware &ndash; Implementation</li><li>SecNumCloud FRANCE - 12.4: Measures against malicious code</li><li>ISO 27002 &ndash; 8.7: Protection against malware</li><li>Cisco CCF - CCF 262: Anti-Malware Technology</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Malware</p></td><td width="464"><p>Malicious software designed specifically to damage 
or disrupt a system, attacking confidentiality, integrity and/or availability. Viruses, spyware and Trojan horses are examples of malware.</p></td></tr><tr><td width="102"><p>Antimalware</p></td><td width="464"><p>Solutions, typically in the form of software, to identify and remove malicious software.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Typically, the CSP shall provide an antimalware solution to identify and remove viruses, spyware, and other malicious software. It shall periodically scan and monitor the activity in Cloud Services such as Virtual Machines to detect and block any malware execution. It shall automatically act on detected malware, such as deleting or quarantining malicious files and generating alerts. This enables the Cloud Service Customer to refine the service and enable troubleshooting.</p><p>Core features of the provided antimalware solution shall be, but are not limited to:</p><ul><li>Real-time protection</li><li>Scheduled scanning</li><li>Malware remediation</li><li>Signature updates</li><li>Active protection</li><li>Antimalware event collection</li></ul><p>According to ISO/IEC 27002, protection against malware should be based on malware detection and repair software, information security awareness and appropriate system access and change management controls. The following guidance should be considered to ensure a better security:</p><ul><li>Implementing controls that prevent or detect the use of unauthorized software.</li><li>Implementing controls that prevent or detect the use of known or suspected malicious websites.</li><li>Conducting regular reviews of the software and data content of systems supporting critical business processes. 
The presence of any unapproved files or unauthorized amendments should be formally investigated.</li><li>Installation and regular update of malware detection and repair software to scan computers and media as a precautionary control, or on a routine basis the scan carried should include: any files received over networks or via any form of storage medium, electronic mail attachments and downloads, and web pages.</li><li>Isolating environments where catastrophic impacts may result.</li></ul>',276),
+	(11,'<p>The EUCS requirement OPS-7.2H states:</p><p>&ldquo;<strong>In order to check the proper application of these measures, the CSP shall automatically monitor the execution of data backups, and make available to the CSCs a service portal for monitoring the execution of backups when the CSC uses backup services with the CSP</strong>&rdquo;.</p><p>and references as &ldquo;measures&rdquo; the following requirements also from OPS-Operational Security:&nbsp;</p><table border="1" width="100%"><tbody><tr><td width="85"><p>OPS-07.1H</p></td><td width="482"><p>&ldquo;The CSP shall document and implement technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS-06&rdquo;</p></td></tr><tr><td width="85"><p>OPS-06.1H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement policies and procedures according to ISP-02 for data backup and recovery, covering at least the following aspects:</p><p>(1) The extent and frequency of data backups and the duration of data retention are consistent with the contractual agreements with the CSCs and the CSP&rsquo;s operational continuity requirements for recovery time objective (RTO) and recovery point objective (RPO);<br /> (2) How data is backed up in encrypted, state-of-the-art form;</p><p>(3) How backup data is stored, moved, managed, and disposed of;</p><p>(4) How a CSC-initiated recovery or recovery test is performed;</p><p>(5) Restricted access to the backed-up data and the execution of restores only by authorised persons; and</p><p>(6) Tests of recovery procedures (cf. 
OPS-08).&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.1H</p></td><td width="482"><p>&ldquo;The CSP shall test the restore procedures at least annually, embedded in the CSP&rsquo;s business continuity management, including tests assessing if the specifications for the RTO and RPO agreed with the customers are met.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.2H</p></td><td width="482"><p>&ldquo;The CSP shall not use CSC data, but only data in test accounts controlled by CSP staff for testing purposes.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.3H</p></td><td width="482"><p>&ldquo;The CSP shall thoroughly document restore tests, including the safe disposal of restored data.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.4H</p></td><td width="482"><p>&ldquo;Any deviation from the specification during the restore test shall be reported to the CSP''s responsible person for assessment and remediation.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.5H</p></td><td width="482"><p>&ldquo;The CSP shall inform CSCs, at their request, of the results of the recovery tests.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="161"><p>Name</p></td><td width="340"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-07</p></td><td width="161"><p>Data backup and recovery &ndash; monitoring</p></td><td width="340"><p>&ldquo;The proper execution of data backups is monitored&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - OPS-06: Data Backup and Recovery &ndash; Policies</li><li>EUCS - OPS-08: Data Backup and Recovery &ndash; Regular Testing</li></ul><p>&nbsp;</p><p>External references:</p><ul><li>2020 GERMANY - OPS-07: Data Backup and Recovery &ndash; Monitoring</li><li>SecNumCloud FRANCE - 12.4: Measures against malicious code</li><li>ISO 27002 &ndash; 8.13: Information backup</li><li>Cisco CCF - 
CCF 18: Customer Data Backup</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Term</p></td><td width="510"><p>Definition</p></td></tr><tr><td width="56"><p>RTO</p></td><td width="510"><p>Recovery Time Objective, the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place.</p></td></tr><tr><td width="56"><p>RPO</p></td><td width="510"><p>Recovery Point Objective, the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>CSPs should be capable of providing accesses for their CSCs to allow them to monitor their own backed-up data automatically. This could be done through usual interfaces used internally for monitoring or specific interfaces put in place specifically for customers. These provided accesses should be implemented in compliance with the IAM-09 requirements.</p><p>Native cloud backup services offered by most CSPs (e.g., Azure backup<a href="#_ftn1" name="_ftnref1">[1]</a> or AWS backup<a href="#_ftn2" name="_ftnref2">[2]</a> will offer out of the box the &ldquo;portal&rdquo; or API functionalities which implement data backup and recovery services (with exception of the organizational parts from these requirements). Continuous monitoring in this case implies assessing if those services are being deployed by the cloud customer, although the obvious limitation of this approach is that it does not guarantee that the actual configuration has been performed (e.g., data retention times).</p><p>Continuous monitoring of the data backup service offered by the CSP will assess the existence of technical configuration properties like those mentioned on OPS-06.1H, which have to do with retention time, backup frequency, RTO/RPO, encryption, and role management. 
It can be expected that these technical configuration properties can be assessed directly from the data backup service&rsquo;s configuration offered by the CSP<a href="#_ftn3" name="_ftnref3">[3]</a>. However, it must be noticed that automated assessment can be limited (out of the box) to the data backup services native to the CSP, but not to 3<sup>rd</sup> party services which are deployed by the cloud customer.</p><p>Also, to be noticed is the referenced OPS-08 (recovery procedures), which mostly consists in organizational requirements (e.g., OPS-08.3H), which cannot be expected to be automatically monitored at the state of practice.</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://docs.microsoft.com/en-us/azure/backup/backup-center-overview">https://docs.microsoft.com/en-us/azure/backup/backup-center-overview</a></p><p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="https://docs.aws.amazon.com/aws-backup/?id=docs_gateway">https://docs.aws.amazon.com/aws-backup/?id=docs_gateway</a></p><p><a href="#_ftnref3" name="_ftn3">[3]</a> As an example, Azure Policies in the case of Azure backup (<a href="https://docs.microsoft.com/en-us/azure/backup/backup-center-overview">https://docs.microsoft.com/en-us/azure/backup/backup-center-overview</a>), or ConfigRules for AWS backup (<a href="https://docs.aws.amazon.com/aws-backup/?id=docs_gateway">https://docs.aws.amazon.com/aws-backup/?id=docs_gateway</a>)</p>',283),
+	(12,'<p>The EUCS requirement OPS-09.2H states:</p><p>&ldquo;When the backup data is transmitted to a remote location via a network, the transmission of the data takes place in an encrypted form that corresponds to the state-of-the-art (cf. CKM-02), <strong>and shall be automatically monitored by the CSP to verify the execution of the backup</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>OPS-09.1H</p></td><td width="482"><p>&ldquo;The CSP shall transfer backup data to a remote location or transport them on backup media to a remote location, selected upon criteria of distance, recovery times and impact of disasters on backup and main sites.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-09.3H</p></td><td width="482"><p>&ldquo;The data classification of the original data is applied automatically to backups.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-09.4H</p></td><td width="482"><p>&ldquo;The security measures at the remote site shall have the same level as at the main site&rdquo;</p></td></tr><tr><td width="85"><p>CKM-02.1H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement strong cryptographic mechanisms for the transmission of CSC data over public networks, in order to protect the confidentiality, integrity and authenticity of data.&rdquo;</p></td></tr><tr><td width="85"><p>CKM-02.2H</p></td><td width="482"><p>&ldquo;The CSP shall use strong cryptographic mechanisms to protect the communication during remote access to the production environment, including employee authentication.&rdquo;</p></td></tr><tr><td width="85"><p>OPS-08.1H</p></td><td width="482"><p>&ldquo;The CSP shall test the restore procedures at least annually, embedded in the CSP&rsquo;s business continuity management, including tests assessing if the specifications for the RTO and RPO agreed with the customers are met.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security 
Control</h5><table border="1" width="576"><tbody><tr><td width="66"><p>Code</p></td><td width="170"><p>Name</p></td><td width="340"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-09</p></td><td width="170"><p>Data backup and recovery &ndash; storage</p></td><td width="340"><p>Backup data is stored at an appropriate remote location</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>CKM-02: Encryption of Data in Transit</li><li>OPS-08: Data Backup and Recovery &ndash; Regular Testing</li></ul><p>External references:</p><ul><li>2020 GERMANY - OPS-03: Capacity Management - Controlling of Resources</li><li>SecNumCloud FRANCE - 12.4: Measures against malicious code</li><li>ISO 27002 &ndash; 8.13: Information backup</li><li>ISO 27002 &ndash; 8.14: Redundancy of information processing facilities</li><li>Cisco CCF - CCF 19: Customer Data Replication</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="576"><tbody><tr><td width="66"><p>Term</p></td><td width="510"><p>Definition</p></td></tr><tr><td width="66"><p>RTO</p></td><td width="510"><p>Recovery Time Objective, the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place.</p></td></tr><tr><td width="66"><p>RPO</p></td><td width="510"><p>Recovery Point Objective, the maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Requirement OPS-09.2H targets the automatic monitoring of the backup transmission to remote locations. While the automatic monitoring of transporting backups via backup media, like physical disks, is usually not possible, backups transmitted to remote locations can be monitored automatically. 
Moreover, since this media could be subject to theft for example, the backup data may be stored in a encrypted form in compliance with the state-of-the-art of CKM-02.</p><p>For example, cloud providers like Azure and AWS provide redundancy options which also include automatic backups to remote locations, e.g., different regions for Azure Storage Accounts. Depending on the cloud provider and the chosen tier, options include automatic redundancy within a certain region or zone, or replication across zones.</p><p>The monitoring of this requirement therefore may be conducted by checking if the configuration of geo-redundant backups in the respective storage services is active. If no such managed backup option is available, the monitoring may be performed by verifying the existence of the respective backup at the remote location.</p>',302),
+	(13,'<p>The EUCS requirement OPS-12.1H states:</p><p>&ldquo;The CSP shall <strong>automatically</strong> monitor log data in order to identify security events that might lead to security incidents, in accordance with the logging and monitoring requirements, and the identified events shall be reported to the appropriate departments for timely assessment and remediation&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="170"><p>Name</p></td><td width="331"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-12</p></td><td width="170"><p>Logging and monitoring &ndash; identification of events</p></td><td width="331"><p>&ldquo;Logs are monitored to identify security events that may lead to security incidents&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - OPS-13: Logging and Monitoring - Identification of Events</li><li>SecNumCloud FRANCE -12.1: Documented operating procedures</li><li>SecNumCloud FRANCE - 12.6: Logging of events</li><li>ISO 27002 &ndash; 8.16: Monitoring activities</li><li>Cisco CCF - CCF 109: Policies and Standards over Metadata</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Security Incident</p></td><td width="464"><p>A security event that requires action on the part of an entity to protect information assets and resources.&nbsp;</p></td></tr><tr><td width="102"><p>Security event</p></td><td width="464"><p>An occurrence, arising from actual or attempted unauthorized access or use of the cloud service, that impairs or could impair the availability, integrity, or confidentiality of information or systems</p></td></tr><tr><td width="102"><p>Events log</p></td><td width="464"><p>Log which records audit trail data related to the system operations.</p></td></tr><tr><td width="102"><p>Logging 
data</p></td><td width="464"><p>The process of collecting and storing data over a period of time specific to the events that occur in a controlling application (or program) in different systems or environments.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The CSP may produce a list of potential security incidents and identify the events that trigger those incidents. A risk analysis helps in the identification of critical assets and the results may be used as input for the monitoring of event detection. These events (or combination of events) should then be supervised in higher priority during monitoring of log data. The CSP should use tools that automate log monitoring and are able to trigger alerts to the persons responsible to take appropriate actions. These tools should help the CSP to track the effectiveness of event detection by recording the number of false positives and false negatives, thus improving the calibration of what constitutes suspicious events.</p>',316),
+	(14,'<p>The EUCS requirement OPS-12.2H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor that event detection processes operate as intended on appropriate assets as identified in the asset classification catalogue (cf. AM-05.1H)</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>OPS-12.1H</p></td><td width="491"><p>&ldquo;The CSP shall automatically monitor log data in order to identify security events that might lead to security incidents, in accordance with the logging and monitoring requirements, and the identified events shall be reported to the appropriate departments for timely assessment and remediation.&rdquo;</p></td></tr><tr><td width="75"><p>AM-05.1H</p></td><td width="491"><p>&ldquo;The CSP shall document an asset classification schema that reflects for each asset the protection needs of the categories of information it may process, store, or transmit, and provide levels of protection for the confidentiality, integrity, availability, and authenticity protection objectives.&rdquo;</p></td></tr><tr><td width="75"><p>AM-05.2H</p></td><td width="491"><p>&ldquo;When applicable, the CSP shall label all assets according to their classification in the asset classification schema.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="180"><p>Name</p></td><td width="321"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-12</p></td><td width="180"><p>Logging and monitoring &ndash; identification of events</p></td><td width="321"><p>&ldquo;Logs are monitored to identify security events that may lead to security incidents&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - AM-05: Asset Classification and Labelling</li></ul><p>&nbsp;</p><p>External references:</p><ul><li>2020 GERMANY - OPS-13: Logging and 
Monitoring - Identification of Events</li><li>SecNumCloud FRANCE -12.1: Documented operating procedures</li><li>SecNumCloud FRANCE - 12.6: Logging of events</li><li>ISO 27002 &ndash; 8.16: Monitoring activities</li><li>Cisco CCF - CCF 109: Policies and Standards over Metadata</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Security Incident</p></td><td width="464"><p>A security event that requires action on the part of an entity to protect information assets and resources.&nbsp;</p></td></tr><tr><td width="102"><p>Security event</p></td><td width="464"><p>An occurrence, arising from actual or attempted unauthorized access or use of the cloud service, that impairs or could impair the availability, integrity, or confidentiality of information or systems</p></td></tr><tr><td width="102"><p>Events log</p></td><td width="464"><p>Log which records audit trail data related to the system operations</p></td></tr><tr><td width="102"><p>Logging data</p></td><td width="464"><p>It is the process of collecting and storing data over a period of time specific to the events that occur in a controlling application (or program) in different systems or environments.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>To identify events that can lead to security incidents, the CSP may use different means: one possibility is to install agents on computing resources, which can analyse log data on the resource, for instance on a virtual machine. The logs can then be centrally collected and analysed.</p><p>Also, the log data created by the cloud system on the management plane of a cloud system may be used to identify security-relevant events, like the creation or modification of certain resources. 
This is possible to enable in cloud systems, like Azure and AWS, where such events can be stored and analysed in dedicated analytics services.</p><p>To automatically ensure that this monitoring is effective, the CSP therefore needs to ensure that the resource-level monitoring is enabled (e.g., installed agents), and/or that management-level monitoring is enabled (e.g., Azure activity logs).</p><p>Note also that the retention time for such logs needs to be configured appropriately.</p>',317),
+	(15,'<p>The EUCS requirement OPS-13.1H states:</p><p>&ldquo;The CSP shall store all log data in an integrity-protected and aggregated form that allow its centralized evaluation, <strong>and shall automatically monitor the aggregation and deletion of logging and monitoring data</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>OPS-13.3H</p></td><td width="491"><p>&ldquo;Log data shall be deleted when it is no longer required for the purpose for which they were collected.&rdquo;</p></td></tr><tr><td width="75"><p>OPS-13.4H</p></td><td width="491"><p>&ldquo;The CSP shall implement technically supported procedures to fulfil requirements for log data access, storage and deletion restrictions, including access only for authorized users and systems and the enforcement of data retention periods.&rdquo;</p></td></tr><tr><td width="75"><p>OPS-10.1H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement policies and procedures according to ISP-02 that govern the logging and monitoring of events on system components under its responsibility, covering at least the following aspects:</p><p>(1) Definition of events that could lead to a violation of the protection goals;</p><p>(2) Specifications for activating, stopping and pausing the various logs;</p><p>(3) Information regarding the purpose and retention period of the logs;</p><p>(4) Definition of roles and responsibilities for setting up and monitoring logging;</p><p>(5) Definition of log data that may be transferred to CSCs and technical requirements of such log forwarding;</p><p>(6) Information about timestamps in event creation;</p><p>(7) Time synchronisation of system components; and</p><p>(8) Compliance with legal and regulatory frameworks.&rdquo;</p></td></tr><tr><td width="75"><p>OPS-15.2H</p></td><td width="491"><p>&ldquo;Changes to the logging and monitoring configuration are made in accordance with applicable policies (cf. 
CCM-01)&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="161"><p>Name</p></td><td width="340"><p>Objective</p></td></tr><tr><td width="66"><p>OPS-13</p></td><td width="161"><p>Logging and Monitoring &ndash; Access, Storage and Deletion</p></td><td width="340"><p>&ldquo;The confidentiality, integrity and availability of logging and monitoring data are protected with measures adapted to their specific use&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - OPS-10: Logging and Monitoring &ndash; Policies</li><li>EUCS - OPS-15: Logging and Monitoring &ndash; Configuration</li></ul><p>External references:</p><ul><li>2020 GERMANY - OPS-12: Logging and Monitoring - Access, Storage and Deletion</li><li>2020 GERMANY - OPS-14: Logging and Monitoring &ndash; Storage of the Logging Data</li><li>SecNumCloud FRANCE - 12.1: Documented operating procedures</li><li>SecNumCloud FRANCE - 12.6: Logging of events</li><li>ISO 27002 &ndash; 8.15: Logging</li><li>Cisco CCF - CCF 239: Security Incident &amp; Event Logging</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="94"><p>Term</p></td><td width="472"><p>Definition</p></td></tr><tr><td width="94"><p>Events log</p></td><td width="472"><p>Log which records audit trail data related to the system operations</p></td></tr><tr><td width="94"><p>Logging data</p></td><td width="472"><p>It is the process of collecting and storing data over a period of time specific to the events that occur in a controlling application (or program) in different systems or environments.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The data produced by the logging and monitoring processes must be stored in order to facilitate access and analysis for monitoring or other purposes. 
The data is usually stored in a way that allows centralized evaluation, and can contain sensitive private information or information about the system and cloud service functioning such that a breach or unauthorized access is highly undesirable. In addition, storage space is finite, and the longer logs are stored, the greater the security risk to the environment. Thus, once logs have been used for their intended purpose or their legally required storage duration is passed, they should be immediately and safely deleted from the system.</p><p>Cloud providers like Azure offer managed logging services. In such services, e.g., Azure activity logs, a CSP can simply configure the retention time and monitor its correct settings to fulfil the requirement. For self-created logs, the agents or framework need to provide a way of checking the retention time. Alternatively, the storage that holds the logs needs to be monitored regarding its retention time / deletion mechanisms.</p><p>To fulfil this requirement, the CSP should automatically monitor the effectiveness of the respective logging and monitoring mechanisms as well as incorporate changes in the monitoring configuration based on applicable policies. The CSP should put in place mechanisms to monitor the consolidation process resulting from the aggregation of logging data from various origins, and to keep track of deletion of the logs.</p>',326),
+	(16,'<p>The EUCS requirement OPS-18.6H states:</p><p>&ldquo;<strong>The CSP shall provide and promote, where appropriate, automatic update mechanisms for the assets provided by the CSP that the CSCs have to install or operate under their own responsibility, to ease the rollout of patches and updates after an initial approval from the CSC</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>&nbsp;OPS-18.2H&nbsp;</p></td><td width="491"><p>&ldquo;The online register shall indicate at least the following information for every vulnerability:</p><p>(1) A presentation of the vulnerability following an industry-accepted scoring system;</p><p>(2) A description of the remediation options for that vulnerability;</p><p>(3) Information on the availability of updates or patches for that vulnerability;</p><p>(4) Information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC&rdquo;.</p></td></tr><tr><td width="75"><p>&nbsp;OPS-18.3H</p><p>&nbsp;</p></td><td width="491"><p>&ldquo;The CSP shall publish and&nbsp;maintain&nbsp;a publicly and easily accessible online register of known vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs&nbsp;have to&nbsp;install or&nbsp;operate&nbsp;under their own&nbsp;responsibility.&rdquo;</p></td></tr><tr><td width="75"><p>&nbsp;OPS-18.4H</p><p>&nbsp;</p></td><td width="491"><p>&ldquo;The information contained in the online register shall include sufficient information to form a suitable basis for risk assessment and possible follow-up measures on the part of CSCs.&rdquo;&nbsp;</p></td></tr><tr><td width="75"><p>&nbsp;OPS-18.5H&nbsp;</p><p>&nbsp;</p></td><td width="491"><p>&ldquo;The CSP shall consult at least daily the online registers published by its subservice providers and suppliers, analyse the potential impact of the published 
vulnerabilities on the cloud service, and handle them according to the vulnerability handling process (cf. OPS-17).&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr style="height: 34.4688px;"><td style="height: 34.4688px;" width="66"><p>Code</p></td><td style="height: 34.4688px;" width="227"><p>Name</p></td><td style="height: 34.4688px;" width="274"><p>Objective</p></td></tr><tr style="height: 48px;"><td style="height: 48px;" width="66"><p>OPS-18</p></td><td style="height: 48px;" width="227"><p>Managing Vulnerabilities, Malfunctions and Errors &ndash; Online Registers</p></td><td style="height: 48px;" width="274"><p>&ldquo;Online registers are used to identify and publish known vulnerabilities&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - OPS-17: Managing Vulnerabilities, Malfunctions and Errors &ndash; Policies</li></ul><p>External references:</p><ul><li>2020 GERMANY - PSS-03: Online Register of Known Vulnerabilities</li><li>Cisco CCF - CCF 87: Security Management System Risk Assessment Methodology</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Vulnerability</p></td><td width="464"><p>Weakness of an asset or control that can be exploited by one or more threats.</p></td></tr><tr><td width="102"><p>Rollout</p></td><td width="464"><p>Launch of new patches or updates when necessary.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The CSP shall maintain an up-to-date online register of vulnerabilities that affect services and assets under its responsibility and also under CSCs&rsquo; responsibility. 
Whenever a vulnerability is identified, the CSP should address the vulnerability in parallel, retrieving related information and publishing it on its own online register in order to allow its CSCs understanding the vulnerability and its criticality and acknowledging the way how to handle it.</p><p>Unpatched assets are a major security issue in many cloud systems. OPS-18.6H moves the responsibility of providing a mechanism to automate patching by the CSP. It should be possible to distribute software updates to the affected users automatically (without human interaction) and to perform the updates only after explicit approval from the user, the approval should be recorded.</p><p>Cloud providers usually offer the possibility of enabling automatic patching for managed resources, like virtual machines. For example,&nbsp;Azure VMs can&nbsp;be patched automatically&nbsp;(or on&nbsp;demand)<a href="#_ftn1" name="_ftnref1">[1]</a>. In this case, a monitoring can simply check whether the respective configuration is enabled.&nbsp;</p><p>It depends, however, on the resource type if such a mechanism is available, or if more effort by the CSP is&nbsp;needed.&nbsp;For&nbsp;example, language runtimes in Azure Web Apps may be updated automatically or&nbsp;have to&nbsp;be switched by the user<a href="#_ftn2" name="_ftnref2">[2]</a>.</p><p>Note that this requirement concerns assets provided&nbsp;to the&nbsp;CSCs and the approval from the CSC should be recorded.</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://docs.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching">https://docs.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching</a></p><p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="https://docs.microsoft.com/en-us/azure/app-service/overview-patch-os-runtime">https://docs.microsoft.com/en-us/azure/app-service/overview-patch-os-runtime</a></p><p>&nbsp;</p><div id="gtx-anchor" style="position: absolute; visibility: 
hidden; left: 543.828px; top: 1088.88px; width: 6.73438px; height: 13px;">&nbsp;</div><div class="jfk-bubble gtx-bubble" style="visibility: visible; left: 125px; top: 1112px; opacity: 1;">&nbsp;</div>',370),
+	(17,'<p>The EUCS requirement OPS-21.1H states:</p><p>&ldquo;The CSP shall harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards, <strong>and automatically monitor these system components for conformity with hardening requirements</strong>&rdquo;.</p><p>and references the following requirement also from OPS-21:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>OPS-21.2H</p></td><td width="482"><p>&ldquo;The hardening requirements for each system component shall be documented.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="227"><p>Name</p></td><td width="283"><p>Objective</p></td></tr><tr><td width="56"><p>OPS-21</p></td><td width="227"><p>Managing Vulnerabilities, Malfunctions and Errors &ndash; System Hardening</p></td><td width="283"><p>&ldquo;System components are hardened to reduce their attack surface and eliminate potential attack vectors&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - OPS-23: Managing Vulnerabilities, Malfunctions and Errors &ndash; System Hardening</li><li>SecNumCloud FRANCE - 12.9: Analysis and correlation of events</li><li>Cisco CCF - CCF 272: Threat and Vulnerability Management</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="557"><tbody><tr><td width="85"><p>Term</p></td><td width="473"><p>Definition</p></td></tr><tr><td width="85"><p>Vulnerability</p></td><td width="473"><p>Weakness of an asset or control that can be exploited by one or more threats.</p></td></tr><tr><td width="85"><p>Hardening</p></td><td width="473"><p>The capacity to reinforce or strengthen a system by deleting or disabling needless system applications, permissions, ports, user accounts, and other 
features.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The goal of hardening a system is to remove any unnecessary functionality to reduce their attack surfaces and to eliminate potential attack vectors. Part of the system hardening elimination process involves deleting or disabling needless system applications, permissions, ports, user accounts, and other features. This will allow to reduce attackers&rsquo; opportunities to gain access to a mission-critical or critical-infrastructure system&rsquo;s sensitive information. The hardening process should then be updated to include new patches or software versions in the baseline configuration, so that the next time similar systems are deployed, old vulnerabilities are not re-introduced into environments.</p><p>To fulfil OPS-21.1H, first, a set of hardening specifications (and assets that should be hardened) needs to be defined and documented. The CSP then needs to monitor the fulfilment according to these specifications. The verification of compliance with the specifications for the hardening of system components can be automatically tested and subsequently documented (logs). For instance, a set of hardened virtual machine images may be defined, and then it can be monitored if the deployed images comply with this set. Further hardening specifications may target the existence of components with known Common Vulnerabilities and Exposures (CVEs) and open ports. If the CSP is using non-modifiable images, the hardening process should be done during the creation of those images. Configuration and log files regarding the continuous availability of the images should be retained.</p><p>Service components can be monitored as part of their secure development lifecycle. Regular checks should run on source repositories of service components. Scans should check for old and vulnerable software dependencies. 
In addition, regularly executed validation can ensure that newly identified vulnerabilities are discovered quickly.</p><p>Compliance with hardening specifications can be monitored with e.g., file integrity monitoring. The verification of compliance with the specifications for the hardening of system components can be automatically tested and subsequently documented (logs). The auditor can evaluate these logs automatically and continuously and thus carry out a continuous audit.</p>',394),
+	(18,'<p>The EUCS requirement AM-01.4H states:</p><p>&ldquo;<strong><em>The CSP shall automatically monitor the process performing the inventory of assets to guarantee it is up-to-date</em></strong>&rdquo;.</p><p>and references the following requirement also from AM-01 Asset Inventory:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>AM-01.1H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement policies and procedures for maintaining an inventory of assets, which shall be performed automatically and/or by the people or teams responsible for the assets to ensure complete, accurate, valid and consistent inventory throughout the asset life cycle.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="123"><p>Name</p></td><td width="387"><p>Objective</p></td></tr><tr><td width="56"><p>AM-01</p></td><td width="123"><p>Asset Inventory</p></td><td width="387"><p>&ldquo;The CSP has established procedures for inventorying assets, including all IT to ensure complete, accurate, valid and consistent inventory throughout the asset lifecycle&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS &ndash; RM-01: Risk Management Policy</li></ul><p>External references:</p><ul><li>2020 GERMANY - AM-01: Asset Inventory</li><li>SecNumCloud FRANCE &ndash; 8.1.1: Inventory and property of assets</li><li>SecNumCloud FRANCE &ndash; 8.1.2: Inventory and property of assets</li><li>ISO 27002 &ndash; 5.9: Inventory of information and other associated assets</li><li>Cisco CCF - CCF 52: Production Asset Inventory</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="87"><p>Term</p></td><td width="479"><p>Definition</p></td></tr><tr><td width="87"><p>Asset</p></td><td width="479"><p>Item, thing or entity that has potential or actual value to an organization. 
The value can be tangible or intangible, financial or non-financial, and include consideration of risks and liabilities.</p></td></tr><tr><td width="87"><p>Asset Management</p></td><td width="479"><p>Process of identifying, classifying, and managing the assets of an organisation in order to ensure an appropriate level of protection throughout their life cycle.</p></td></tr><tr><td width="87"><p>Asset Lifecycle</p></td><td width="479"><p>Full range of activities that an asset goes through from its acquisition or creation to its disposal or decommissioning.</p></td></tr><tr><td width="87"><p>Asset Inventory</p></td><td width="479"><p>Process of identifying and tracking the various assets that make up an organization''s cloud environment.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Typically, the CSP sets a suitable framework for identifying, classifying and implementing an inventory of IT-processes, systems and components (assets). These assets include the physical and virtual objects required for the information security of the cloud service during the creation, processing, storage, transmission, deletion or destruction of the information in the CSP&rsquo;s area of responsibility, e.g., firewalls, load balancers, web servers, application servers and database servers.</p><p>Asset management shall support the rollout of updates and patches. It also shall monitor that only authorized resources are provided access, and that unauthorized and unmanaged resources are identified and removed and where appropriate, determining which components are affected by new security issues.</p><p>An inventory of these Software and Hardware assets shall be maintained through automatic means to guarantee that all are up to date. 
Automation is preferable over a manual process due to efficiency and cost reasons.</p><p>Monitoring the process performing the inventory of Software assets means that:</p><ul><li>Assets are tagged.</li><li>All software on the network is actively managed, which means, all software is inventoried, tracked, and corrected, so that only authorized software is installed and executed. Unauthorized and unmanaged software shall be therefore &lsquo;found&rsquo; and prevented from being installed or executed.</li><li>Software inventory tools are used throughout the whole organization and more specifically for the service under certification. These tools allow to keep a catalogue of all software, applications, patches, and versions functioning in the service or resource, as well as to keep track of the changes in the software, resource, or the network. It also allows to manage the licenses of the software assets installed on the service. Furthermore, they also aid in the documentation management.</li><li>Application whitelisting technology is used to ensure that only authorized software is executed, and that all unauthorized software is blocked from being executed on the service&rsquo;s assets.</li></ul><p>Monitoring the process performing the inventory of Hardware assets means:</p><ul><li>To manage actively all hardware devices. 
This means to inventory, track and correct them so that only authorized devices are provided access, while unauthorized and unmanaged devices are found and prevented from gaining access.</li><li>To use an active discovery tool in order to identify devices that are connected and update the hardware asset inventory accordingly.</li><li>To maintain an up-to-date and accurate inventory of assets that have the potential to store or process information.</li></ul><p>In order to perform automated monitoring of the process performing the inventory of assets the following practices are often considered:</p><ul><li>Make an inventory of all the assets within the cloud service, such as the software, the network interfaces, etc. Large CSPs allow the retrieval of the Cloud inventory with services such as the Azure Resource Graph<a href="#_ftn1" name="_ftnref1">[1]</a> or AWS Config.</li><li>Ensure that all the appropriate permissions in the tenant are granted. Role-based Access control is an appropriate method for this as it allows segregation of duties.</li><li>Tag the assets and organize them so they can be accessible by different groups of users, also, if applicable, with different policies. For each asset, record its identification data, function, model and version and location.</li><li>Review the inventory on a regular basis to ensure that unauthorized resources are deleted.</li><li>Log at least all changes to the information related to risk management</li><li>Also, query regularly the assets and resources to make sure that they are present in the approved service.</li><li>Ensure appropriate (read) permissions in the tenant.</li><li>Automate the collection of information about all software on resources. 
Examples: software name, version, publisher, refresh time, install date and other information.</li></ul><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://docs.microsoft.com/en-us/azure/governance/resource-graph/first-query-portal">https://docs.microsoft.com/en-us/azure/governance/resource-graph/first-query-portal</a></p>',161),
+	(19,'<p>The EUCS requirement AM-03.4H states:</p><p>&ldquo;<strong>The approval of the commissioning and decommissioning of hardware shall be digitally documented and automatically monitored</strong>&rdquo;.</p><p>and references the following requirements also from AM-03 Commissioning and Decommissioning:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>AM-03.1H</p></td><td width="491"><p>"The CSP shall define and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures, including those defined in RM-01, to ensure that the risks arising from the commissioning are identified, analysed and mitigated."</p></td></tr><tr><td width="75"><p>AM-03.2H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, including the complete and permanent deletion of the data or the proper destruction of the media and requiring approval based on applicable policies.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>AM-03</p></td><td width="143"><p>Commissioning and decommissioning</p></td><td width="367"><p>&ldquo;Procedures for the commissioning and decommissioning of hardware assets used in the provision of the cloud service are documented, communicated and implemented, ensuring the proper configuration before commissioning and the proper deletion of data during decommissioning&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - RM-01: Risk Management Policy</li></ul><p>External references:</p><ul><li>2020 GERMANY - AM-03: Commissioning of Hardware</li><li>2020 GERMANY - 
AM-04: Decommissioning of Hardware</li><li>SecNumCloud FRANCE &ndash; 8.1.4: Inventory and property of assets</li><li>ISO 27002 &ndash; 7.10: Storage media</li><li>Cisco CCF - CCF 48: Asset Maintenance</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="110"><p>Term</p></td><td width="456"><p>Definition</p></td></tr><tr><td width="110"><p>Asset</p></td><td width="456"><p>Item, thing or entity that has potential or actual value to an organization. The value can be tangible or intangible, financial or non-financial, and include consideration of risks and liabilities.</p></td></tr><tr><td width="110"><p>Commissioning</p></td><td width="456"><p>The process of ensuring that all the hardware components are designed, installed, tested, operated, and maintained according to the operational requirements of the owner and tenants.</p></td></tr><tr><td width="110"><p>Decommissioning</p></td><td width="456"><p>The process of removing hardware components from the active status ensuring that appropriate security measures are taken prior to reuse/disposal, including hard drive reformatting.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>A commissioning and decommissioning process shall be documented so that it can be properly apply and monitored. Whenever a server is removed from service or placed into service, the process shall be documented with decommissioning and commissioning documents. There shall also exist a digital log of the commissioning and decommissioning requests.</p><p>The commissioning hardware process should include the automatic monitoring and verification of the existence of a documented procedure accessible to all internal and external employees for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures. The identification and management of the risks arising from the commissioning are included in that process. 
The commissioning procedure shall include verification of the secure configuration of the mechanisms for error handling, logging, encryption, authentication, and authorisation according to the intended use and based on the applicable policies before authorization to commission the asset can be granted.</p><p>The decommission of hardware process should include the automatic monitoring and verification of the existence of a documented procedure accessible to all internal and external employees for the decommissioning of hardware that is used to provide the cloud service in the production environment, requiring approval based on applicable policies. The decommissioning procedure shall include the complete and permanent deletion of the data or the proper destruction of the media, The process may differ from every hardware type or technology, but some basics steps include: identify and record the hardware assets that need to be decommissioned, create a log of all actions performed during the server decommissioning including the certificate of erasure/destruction, terminate the contracts, create backups,&nbsp; wipe data, unplug, cut power and remove, and destroy server.</p>',173),
+	(20,'<p>The EUCS requirement AM-04.1H states:</p><p>&ldquo;The CSP shall ensure and document that all employees are committed to the policies and procedures for acceptable use and safe handling of assets in the situations described in AM-02, <strong>and this commitment shall be automatically monitored</strong>&rdquo;.</p><p>and references the following requirement from AM-02 Acceptable Use and Safe Handling of Assets Policy:</p><table width="576"><tbody><tr><td width="75"><p>AM-02.1H</p></td><td width="501"><p>&ldquo;The CSP shall define and implement policies and procedures as defined in ISP-02 for acceptable use and safe handling of assets. When removable media is used in the technical infrastructure or for IT administration tasks, this media shall be dedicated to a single use."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>AM-04</p></td><td width="143"><p>Acceptable use, safe handling and return of assets</p></td><td width="367"><p>&ldquo;The CSP''s internal and external employees are probably committed to the policies and procedures for acceptable use and safe handling of assets before they can be used if the CSP has determined in a risk assessment that loss or unauthorised access could compromise the information security of the cloud service&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - AM-02: Acceptable Use and Safe Handling of Assets Policy</li></ul><p>External references:</p><ul><li>2020 GERMANY - AM-05: Commitment to Permissible Use, Safe Handling and Return of Assets</li><li>ISO 27002 &ndash; 5.11: Return of assets</li><li>ISO 27002 &ndash; 5.12: Classification of information</li><li>ISO 27017 - CLD 8.1.5: Removal of cloud service customer assets</li><li>Cisco CCF - CCF 48: Asset 
Maintenance</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table width="100%"><tbody><tr><td width="113"><p>Term</p></td><td width="454"><p>Definition</p></td></tr><tr><td width="113"><p>Asset</p></td><td width="454"><p>Item, thing or entity that has potential or actual value to an organization. The value can be tangible or intangible, financial or non-financial, and include consideration of risks and liabilities.</p></td></tr><tr><td width="113"><p>Removable media</p></td><td width="454"><p>Any type of data storage device that can be removed from a computer while the system is running. They are usually portable devices.</p></td></tr><tr><td width="113"><p>Acceptable use</p></td><td width="454"><p>Guidelines or rules that an organization establishes for the appropriate use of its assets. Acceptable use policies typically outline the permitted and prohibited activities that users are allowed to engage in when using the organization&rsquo;s assets.</p></td></tr><tr><td width="113"><p>Safe handling</p></td><td width="454"><p>Practices and procedures that an organization establishes for the secure handling and management of its assets. This can include guidelines for the handling of sensitive or confidential information, as well as the use of security controls to prevent against specific threats.</p></td></tr><tr><td width="113"><p>Return of assets</p></td><td width="454"><p>Process of returning an asset to an organization when it is no longer needed or when it has reached the end of its useful life. 
This can include returning hardware assets such as computers and servers, as well as software assets such as licenses or subscriptions.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The CSP needs to monitor the assurance that internal and external employees are committed to the policies and procedures for acceptable use and safe handling of assets, by automatically monitoring and verifying the following policies and procedures related to the asset lifecycle:</p><ul><li>Approval procedures for acquisition, commissioning, maintenance, decommissioning, and disposal by authorised personnel or system components</li><li>Inventory</li><li>Classification and labelling based on the need for protection of the information and measures for the level of protection identified</li><li>Secure configuration of mechanisms for error handling, logging, encryption, authentication and authorisation</li><li>Requirements for versions of software and images as well as application of patches</li><li>Handling software that is no longer supported and no longer has security patches</li><li>Restriction of software installations or use of services</li><li>Protection against malware</li><li>Remote deactivation, deletion or blocking</li><li>Physical delivery and transport</li><li>Dealing with incidents and vulnerabilities</li><li>Complete and irrevocable deletion of the data upon decommissioning.</li></ul><p>&nbsp;</p>',178),
+	(21,'<p>The EUCS requirement PS-02.8H states:</p><p>&ldquo;The access control policy shall include logging of all accesses to non-public areas that enables the CSP to check whether only defined personnel have entered these areas<strong>, and this logging shall be automatically monitored</strong>&rdquo;.</p><p>and references the following requirements also from PS-02 Physical Site Access Control:</p><table border="1" width="100%"><tbody><tr><td width="66"><p>PS-02.1H</p></td><td width="501"><p>&ldquo;The CSP shall define and implement policies and procedures according to ISP-02 related to the physical access control to the security areas matching the requirements defined in PS-01 and based on the principles defined in IAM-01, including requirements on the physical access control measures to be implemented."</p></td></tr><tr><td width="66"><p>PS-02.7H</p></td><td width="501"><p>&ldquo;The access control policy shall include measures to identify individual visitors and third-party personnel, incorporating them into the access policy system, thereby monitoring and escorting the building access during their stay.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="123"><p>Name</p></td><td width="387"><p>Objective</p></td></tr><tr><td width="56"><p>PS-02</p></td><td width="123"><p>Physical site access control</p></td><td width="387"><p>&ldquo;Physical access through the security perimeters are subject to access control measures that match each security area&rsquo;s requirements and that are supported by an access control system&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - PS-03: Perimeter Protection</li><li>2020 GERMANY - PS-04: Physical site access control</li><li>SecNumCloud FRANCE - 11.2: Physical access control</li><li>ISO 27002 - 5.1: Policies for information security</li><li>ISO 
27002 &ndash; 5.15: Access control</li><li>ISO 27002 &ndash; 7.2: Physical entry</li><li>Cisco CCF - CCF 35: Building Perimeter Physical Access</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Access control</p></td><td width="464"><p>Means to ensure that physical and logical access to assets is authorised and restricted based on business and information security requirements</p></td></tr><tr><td width="102"><p>Asset</p></td><td width="464"><p>Anything that has value to the organization</p></td></tr><tr><td width="102"><p>Physical access control</p></td><td width="464"><p>Types of physical security measures designed to restrict or allow access to a certain area or building.</p></td></tr><tr><td width="102"><p>Physical perimeter</p></td><td width="464"><p>Physical border surrounding locations hosting CSP&rsquo;s equipment and personnel, for which access is controlled.</p></td></tr><tr><td width="102"><p>Security perimeter</p></td><td width="464"><p>Perimeter defined and used to protect areas that contain information and other associated assets.</p></td></tr><tr><td width="102"><p>Security area</p></td><td width="464"><p>Area delimited by security perimeters, within which access is not controlled.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Physical security measures should be in place to restrict and monitor for unauthorized access to the buildings which contain sensitive or critical information, information systems, or other network infrastructure. A mix of prevention and detection measures must be defined for each level and confirmed incidents must be documented and tracked to resolution.</p><p>The maintenance of data centres must be performed by authorized personnel at designated intervals and targets recommended by the suppliers. 
Maintenance records are stored for the agreed upon time intervals and then properly and permanently destroyed thereafter. Physical access to data centres requires management approval and documented specification of but not limited to:</p><ul><li>account type (e.g., standard, visitor, or supplier)</li><li>access privileges granted</li><li>intended business purpose</li><li>visitor identification method, if applicable</li><li>temporary badge issued, if applicable</li><li>access start date</li><li>access duration (with end date)</li></ul><p>In order to perform the automated monitoring of access to non-public areas by unauthorized personnel a &ldquo;loggable&rdquo; access control must be implemented that allows to consider the following practices:</p><ul><li>Detect unauthorized access attempts by monitoring the use of deactivated entitlements (e.g., expired/revoked badges or permits, etc.) to access restricted non-public areas.</li><li>Detect suspicious accesses by inspecting any irregular/anomalous behaviours, such as a guard in day shifts that accesses at night-time, for instance.</li></ul><p>A nominative RFID card or a biometric access control could easily allow the automatic log of accesses.</p>',221),
+	(22,'<p>The EUCS requirement IAM-03.1H states:</p><p>&ldquo;The CSP shall document and implement an automated mechanism to block user accounts after a certain period of inactivity, as defined in the policy of IAM-02, for user accounts, <strong>and automatically monitor </strong>its application. Such user accounts are:</p><p>(1) Of employees of the CSP as well as for system components involved in automated authorisation processes; and</p><p>(2) Associated with identities assigned to persons, identities assigned to non-human entities and identities assigned to multiple persons&rdquo;.</p><p>And references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>IAM-02.1H</p></td><td width="491"><p>&ldquo;The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:</p><p>(1) Parameters to be considered for making access control decisions;</p><p>(2) Assignment of unique usernames;</p><p>(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;</p><p>(4) Events and periods of inactivity leading to blocking and revoking accounts.&rdquo;</p></td></tr><tr><td width="75"><p>IAM-02.2H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="75"><p>IAM-02.3H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. 
IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="75"><p>IAM-02.4H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="143"><p>Name</p></td><td width="357"><p>Objective</p></td></tr><tr><td width="66"><p>IAM-03</p></td><td width="143"><p>Locking, Unlocking and revocation of User Accounts</p></td><td width="357"><p>&ldquo;Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - IAM-02: Management of User Accounts</li></ul><p>External references:</p><ul><li>2020 GERMANY - IDM-03: Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins</li><li>SecNumCloud FRANCE - 9.3: Management of access rights</li><li>ISO 27002 &ndash; 5.18: Access rights</li><li>Cisco CCF - CCF 148: User account disablement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Personal account</p></td><td width="464"><p>A personal account associated to a single human user</p></td></tr><tr><td width="102"><p>Shared account</p></td><td width="464"><p>A generic account, typically shared between several human users</p></td></tr><tr><td width="102"><p>Revocation of user accounts</p></td><td width="464"><p>This action implies the permanent disablement of the user account 
and prevents any user with the same name from being create.</p></td></tr><tr><td width="102"><p>Locking user accounts</p></td><td width="464"><p>The user account cannot be used during a specific period of time.</p></td></tr><tr><td width="102"><p>Unlocking user accounts</p></td><td width="464"><p>The user account can be used again after a period of inactivity.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>To ensure the security of the cloud service, identity, authentication, and access control management is needed. Specifically, accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse<a href="#_ftn1" name="_ftnref1">[1]</a>.</p><p>Locking an account implies that the user is denied access temporarily from the account, the privileges and access rights associated to the account are not modified, the user needs to follow a procedure involving an administrator or system component in order to get the account unlocked. Revoking an account is a stronger measure, which implies that the user is denied access from the account, the privileges and access rights associated to the account are revoked, and it may be possible to re-create an account with the same identifier, but the access rights then must be provisioned again to the account, following the normal procedure.</p><p>Hence, to be compliant with IAM-03 first it is important to set up a period of time in which it is allowed for an account to be inactive. Passed that time, the account shall be disabled, or an alert shall be sent to the user for an action to be taken in compliance with the policy and procedures defined under the ISP category. Secondly, the automated monitoring tool to be set up must verify that this alert was sent or that the disabling occurred on the interval of time specified. 
For this, the logs of the events produced by the automated mechanisms could be monitored.</p><p>All accounts should be automatically monitored to ensure that any account that has been inactive for more than the maximum period of inactivity associated to that account is indeed locked, and that the maximum period of inactivity associated to the account does not exceed two months. After this maximum period of inactivity is reached, the user account should be locked, so the user should be denied any attempt to authenticate. Typically, if a user attempts to connect to a locked account, they should be warned of the status of the account. Deviations should be detected and signalled to authorized personnel (e.g., administrator).</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically"><sup>https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v2-identity-management#im-2-manage-application-identities-securely-and-automatically</sup></a></p>',434),
+	(23,'<p>The EUCS requirement IAM-03.2H states:</p><p>&ldquo;The CSP shall document and implement an automated mechanism to block accounts after a certain number of failed authentication attempts, as defined in the policy of IAM-02, based on the risks of the accounts, associated access rights and authentication mechanisms, <strong>and automatically monitor its application</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>IAM-02.1H</p></td><td width="491"><p>&ldquo;The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:</p><p>(1) Parameters to be considered for making access control decisions;</p><p>(2) Assignment of unique usernames;</p><p>(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;</p><p>(4) Events and periods of inactivity leading to blocking and revoking accounts."</p></td></tr><tr><td width="75"><p>IAM-02.2H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="75"><p>IAM-02.3H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="75"><p>IAM-02.4H</p></td><td width="491"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. 
IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr style="height: 35.4688px;"><td style="height: 35.4688px;" width="66"><p>Code</p></td><td style="height: 35.4688px;" width="143"><p>Name</p></td><td style="height: 35.4688px;" width="357"><p>Objective</p></td></tr><tr style="height: 61px;"><td style="height: 61px;" width="66"><p>IAM-03</p></td><td style="height: 61px;" width="143"><p>Locking, Unlocking and revocation of User Accounts</p></td><td style="height: 61px;" width="357"><p>&ldquo;Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - IAM-02: Management of User Accounts</li></ul><p>External references:</p><ul><li>2020 GERMANY - IDM-03: Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins</li><li>SecNumCloud FRANCE - 9.3: Management of access rights</li><li>ISO 27002 &ndash; 5.18: Access rights</li><li>Cisco CCF - CCF 148: User account disablement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Personal account</p></td><td width="464"><p>A personal account associated to a single human user</p></td></tr><tr><td width="102"><p>Shared account</p></td><td width="464"><p>A generic account, typically shared between several human users</p></td></tr><tr><td width="102"><p>Revocation of user accounts</p></td><td width="464"><p>This action implies the permanent disablement of the user account and prevents any user with the same name from being create.</p></td></tr><tr><td width="102"><p>Locking user accounts</p></td><td width="464"><p>The user account cannot be used during a 
specific period of time.</p></td></tr><tr><td width="102"><p>Unlocking user accounts</p></td><td width="464"><p>The user account can be used again after a period of inactivity.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>When a user fails to login after a specified number of tries, the user account should be &ldquo;blocked&rdquo;. The maximum number of tries should be defined and built into the service by default. To provide flexibility, configuration options should also include the possibility to further reduce this number of authentication attempts according to the threat environment, type of user&rsquo;s account privilege and authentication type used. For example, an account with 2FA or a hardware MFA token may be allowed to attempt authentication a few more times than an account that authenticates using only a password.</p><p>All accounts should be automatically monitored to ensure that the number of failed authentication attempts has not been exceeded without incurring the blocking of an account. Deviations should be detected and signalled to authorized personnel (e.g., administrator).</p>',435),
+	(24,'<p>The EUCS requirement IAM-03.5H states:</p><p>&ldquo;The CSP shall document and implement an automated mechanism to revoke accounts that have been blocked by another automatic mechanism after a certain period of inactivity, as defined in the policy of IAM-02 for user accounts, <strong>and automatically monitor its application&rdquo;.</strong></p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>IAM-02.1H</p></td><td width="482"><p>&ldquo;The CSP shall define policies for managing accounts, according to ISP-02, in which at least the following aspects are described:</p><p>(1) Parameters to be considered for making access control decisions;</p><p>(2) Assignment of unique usernames;</p><p>(3) Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type;</p><p>(4) Events and periods of inactivity leading to blocking and revoking accounts."</p></td></tr><tr><td width="85"><p>IAM-02.2H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing user accounts and access rights to employees that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="85"><p>IAM-02.3H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing shared accounts and associated access rights that comply with the role and rights policies (cf. IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr><tr><td width="85"><p>IAM-02.4H</p></td><td width="482"><p>&ldquo;The CSP shall define and implement according to ISP-02 procedures for managing non-human accounts and associated access rights to system components involved in the operation of the cloud service that comply with the role and rights policies (cf. 
IAM-01) and with the policies for managing accounts.&rdquo;</p></td></tr></tbody></table><p><strong>&nbsp;</strong></p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="143"><p>Name</p></td><td width="357"><p>Objective</p></td></tr><tr><td width="66"><p>IAM-03</p></td><td width="143"><p>Locking, Unlocking and revocation of User Accounts</p></td><td width="357"><p>&ldquo;Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - IAM-02: Management of User Accounts</li></ul><p>External references:</p><ul><li>2020 GERMANY - IDM-03: Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins</li><li>SecNumCloud FRANCE - 9.3: Management of access rights</li><li>ISO 27002 &ndash; 5.18: Access rights</li><li>Cisco CCF - CCF 148: User account disablement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Personal account</p></td><td width="464"><p>A personal account associated to a single human user</p></td></tr><tr><td width="102"><p>Shared account</p></td><td width="464"><p>A generic account, typically shared between several human users</p></td></tr><tr><td width="102"><p>Revocation of user accounts</p></td><td width="464"><p>This action implies the permanent disablement of the user account and prevents any user with the same name from being create.</p></td></tr><tr><td width="102"><p>Locking user accounts</p></td><td width="464"><p>The user account cannot be used during a specific period of time.</p></td></tr><tr><td width="102"><p>Unlocking user accounts</p></td><td width="464"><p>The user account can be used again after a period of 
inactivity.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>If an account remains continuously blocked for a period of time, then the account should be automatically revoked. A revoked account is for all intents and purposes, the same as a &ldquo;deleted&rdquo; account. Its information should only serve as record for historical purposes.</p><p>A default duration should be defined by the CSP. For the accounts associated to users under the responsibility of the CSP (e.g., employees, contractors), this duration should not be set to more than 6 months. To provide flexibility, clients&rsquo; configuration may also include the option to modify this duration of maximum blocked status according to their threat environment.</p><p>All accounts should be automatically monitored to ensure that any account that has been blocked for more than the maximum period of continuously blocked state associated to that account is indeed revoked. Deviations should be detected and signalled to authorized personnel (e.g., administrator). The CSP should use applications that automate detection of deviations to the defined user account revocation<em>.</em></p>',438),
+	(25,'<p>The EUCS requirement IAM-03.6H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor the context of authentication attempts and flag suspicious events to authorized persons, as relevant</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="143"><p>Name</p></td><td width="357"><p>Objective</p></td></tr><tr><td width="66"><p>IAM-03</p></td><td width="143"><p>Locking, Unlocking and revocation of User Accounts</p></td><td width="357"><p>&ldquo;Accounts that are inactive for a long period of time or that are subject to suspicious activity are appropriately protected to reduce opportunities for abuse&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - IDM-03: Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins</li><li>SecNumCloud FRANCE - 9.3: Management of access rights</li><li>ISO 27002 &ndash; 5.18: Access rights</li><li>Cisco CCF - CCF 148: User account disablement</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Personal account</p></td><td width="464"><p>A personal account associated to a single human user</p></td></tr><tr><td width="102"><p>Shared account</p></td><td width="464"><p>A generic account, typically shared between several human users</p></td></tr><tr><td width="102"><p>Revocation of user accounts</p></td><td width="464"><p>This action implies the permanent disablement of the user account and prevents any user with the same name from being create.</p></td></tr><tr><td width="102"><p>Locking user accounts</p></td><td width="464"><p>The user account cannot be used during a specific period of time.</p></td></tr><tr><td width="102"><p>Unlocking user accounts</p></td><td width="464"><p>The user account can be used again after a period 
of inactivity.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The CSP should use automated context-based security techniques during user authentication to flag events that are suspicious and notify the user or administrators. An example of such is &ldquo;geolocation&rdquo; where a user whose IP at last login shows s/he is logging in from Europe should not have an IP from East Asia when s/he attempts to login again two hours later.</p><p>In this requirement, the strength of the authentication mechanisms is very important as it builds on top of the authentication mechanisms strength of the previous IAM-03 control requirements. This includes among other aspects the protection level of the passwords, the use of a centrally managed authentication method, and so on.</p><p>Having strong authentication methods can reduce significantly suspicious events. However, other practices should be put in practice such as single sign on, multi-factor authentication, multi-factor authentication with conditional access policy, role-based access control (RBAC), to name a few.</p><p>The automated monitoring of authentication attempts should consider at least the following aspects:</p><ul><li>Number of authentication attempts, which can be seen in the logs.</li><li>Sign-ins of users, that is, who has logged in into the service and how the service and resources have been used. This can be seen by monitoring the logs.</li><li>Suspicious sign-in such as brute-force attacks, leaked credentials, unfamiliar locations, time schedule or devices. This can be seen by analysing the logs.</li><li>Enable alerts for these suspicious activities so that the customer is informed.</li></ul><p>&nbsp;</p><h5>&nbsp;</h5>',439),
+	(26,'<p>The EUCS requirement CCM-04.1H states:</p><p>&ldquo;The CSP shall approve any change to the cloud service, based on defined criteria and involving CSCs in the approval process according to contractual requirements, <strong>before they are made available to CSCs in the production environment, and the approval processes shall be automatically monitored</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="189"><p>Name</p></td><td width="312"><p>Objective</p></td></tr><tr><td width="66"><p>CCM-04</p></td><td width="189"><p>Approvals for Provision in the Production Environment</p></td><td width="312"><p>&ldquo;Changes to the cloud services are approved before being deployed in the production environment&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - DEV-09: Approvals for provision in the production environment</li><li>ISO 27002 &ndash; 8.31: Separation of development, test and production environments</li><li>ISO 27002 &ndash; 8.32: Change management</li><li>Cisco CCF &ndash; 30: Change Control &amp; Configuration Management</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Change management</p></td><td width="464"><p>Process for recording, coordination, approval and monitoring of all changes.</p></td></tr><tr><td width="102"><p>Configuration management</p></td><td width="464"><p>Process for logging and monitoring of configuration items.</p></td></tr><tr><td width="102"><p>Version control</p></td><td width="464"><p>Establishment and maintenance of baselines and the identification and control of changes to baselines that make it possible to return to the previous baseline.</p></td></tr><tr><td width="102"><p>Production environment<a href="#_ftn1" name="_ftnref1">[1]</a></p></td><td 
width="464"><p>Set of computing resources where finished, user-ready software is deployed and executed.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Typically, the CSP sets a secure baseline configuration to ensure the security of the delivered cloud service, described in the CSP&rsquo;s Configuration Management Plan. Although the configuration of the service is in constant change, it cannot be deployed without being approved in order the minimize the risks of failure upon implementation. These modifications to the architecture configuration are often very frequent, so it is advisable to automatically monitor the approvals of these changes deployed in the production environment to ensure they are done before they are made available to CSCs in the production environment. The CSP&rsquo;s approval may be provided by authorized personnel of the CSP or by an automated procedure enforcing defined criteria.</p><p>When changes impact CSC&rsquo;s services, the CSP should make sure to involve the CSCs in the approval processes in accordance with the contractual agreements and before changes are made available in the production environment. In these situations, the cloud customers can ensure through suitable controls that authorized and qualified personnel receive the information made available, assesses the impact on the ISMS framework and decides on the approval in accordance with the conditions specified by the Cloud Service Provider. The CSCs involvement in approval process should be made available in the cloud customers guidance.</p><p>Tools can be used to provide the administrator with an overview of all the approvals<a href="#_ftn2" name="_ftnref2">[2]</a>. A checking process could be carried out to check actual results against estimates. If this process is successfully passed, an approval could be maintained. 
Verification that all tests have been completed, successful and approved by an authorized body can be automated by the Cloud Service Provider and documented through logs, which can then be automatically and continuously evaluated by the auditor.</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://www.suse.com/suse-defines/definition/production-environment/">https://www.suse.com/suse-defines/definition/production-environment/</a></p><p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="https://docs.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&amp;tabs=check-pass">https://docs.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&amp;tabs=check-pass</a>&nbsp;&nbsp;</p>',668),
+	(27,'<p>The EUCS requirement CCM-05.1H states:</p><p>&ldquo;The CSP shall define roles and rights according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment, <strong>and the changes in the production environment shall be automatically monitored to enforce these roles and rights</strong>&rdquo;.</p><p>and references the following requirement:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>IAM-01.1H</p></td><td width="491"><p>"The CSP shall define role and rights policies and procedures for controlling access to information resources, according to ISP-02 and based on role-based access control and based on the business and security requirements of the CSP, in which at least the following aspects are covered:</p><p>(1) Parameters to be considered for making access control decisions;</p><p>(2) Granting and modifying access rights based on the &ldquo;least-privilege&rdquo; principle and on the &ldquo;need to-know&rdquo; principle;</p><p>(3) Use of a role-based mechanism for the assignment of access rights;</p><p>(4) Segregation of duties between managing, approving and assigning access rights;</p><p>(5) Dedicated rules for users with privileged access;</p><p>(6) Requirements for the approval and documentation of the management of access rights."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="123"><p>Name</p></td><td width="378"><p>Objective</p></td></tr><tr><td width="66"><p>CCM-05</p></td><td width="123"><p>Performing and Logging Changes</p></td><td width="378"><p>&ldquo;Changes to the cloud service are performed through authorized accounts and traceable to the person or system component who initiated them&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - IAM-01: Policies for Access Control to 
Information</li></ul><p>External references:</p><ul><li>2020 GERMANY - DEV-07: Logging of changes</li><li>ISO 27002 &ndash; 8.33: Test Information</li><li>Cisco CCF - CCF 25: Threat and Vulnerability Management</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Change management</p></td><td width="464"><p>Process for recording, coordination, approval and monitoring of all changes.</p></td></tr><tr><td width="102"><p>Configuration management</p></td><td width="464"><p>Process for logging and monitoring of configuration items.</p></td></tr><tr><td width="102"><p>Production environment<a href="#_ftn1" name="_ftnref1">[1]</a></p></td><td width="464"><p>Set of computing resources where finished, user-ready software is deployed and executed.</p></td></tr><tr><td width="102"><p>Role based access control</p></td><td width="464"><p>Security technique for authentication that authorizes operations or allows access to resources based upon the user''s identity and his/her relationship to other users and entities.</p></td></tr><tr><td width="102"><p>Access right</p></td><td width="464"><p>Permission for a subject to access a particular asset for a specific type of operation.</p></td></tr><tr><td width="102"><p>Change log</p></td><td width="464"><p>Documentation that contains the list of changes that are made during the life-cycle of Cloud services.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Usually, the CSP sets a secure baseline configuration to ensure the security of the delivered cloud service, described in the CSP&rsquo;s Configuration Management Plan. 
Although the configuration of the service is in constant change, the modifications in the configuration of the architecture needs to be authorised and traceable.</p><p>CSP personnel should receive authorization to make changes to the cloud service in the production environment in accordance with the requirements for access and access authorizations via a specified procedure (cf. IAM-01).</p><p>Once a change has been made in the production environment, its identifier must be stored and matched with the person responsible for the change for a late consultation if necessary (in particular to check permissions, authorisations, later on). These data could be stored in a stack<a href="#_ftn2" name="_ftnref2">[2]</a>, in a queue, or by other means.</p><p>The changes to the role and rights concept can be documented in logs by the CSP. Thus, an automatic and continuous evaluation of these logs can be carried out, where irregularities could be detected and logged. Subsequently, the auditor can perform a continuous audit by automatically evaluating the logs and logged irregularities.</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[*]</a> <a href="https://www.suse.com/suse-defines/definition/production-environment/">https://www.suse.com/suse-defines/definition/production-environment/</a></p><p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="https://www.elastic.co/guide/en/kibana/master/production.html">https://www.elastic.co/guide/en/kibana/master/production.html</a></p>',673),
+	(28,'<p>The EUCS requirement PM-04.7H states:</p><p>&ldquo;<strong>The CSP shall supplement procedures for monitoring compliance with automatic monitoring, by leveraging automatic procedures, when possible, relating to the following aspects:</strong></p><p><strong>(1) Configuration of system components;</strong></p><p><strong>(2) Performance and availability of system components;</strong></p><p><strong>(3) Response time to malfunctions and security incidents; and</strong></p><p><strong>(4) Recovery time (time until completion of error handling)</strong>&rdquo;.</p><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>PM-04</p></td><td width="143"><p>Monitoring of Compliance with Requirements</p></td><td width="367"><p>&ldquo;Monitoring mechanisms are in place to ensure that third-parties comply with their regulatory and contractual obligations&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - SSO-04: Monitoring of compliance with requirements</li><li>SecNumCloud FRANCE - 15.5: Confidentiality undertakings</li><li>ISO 27002 &ndash; 5.22: Monitoring, review and change management of supplier services</li><li>Cisco CCF - CCF 247: Supplier Management Program</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Procurement management</p></td><td width="464"><p>Process of acquiring goods, services, or works from an external source.</p></td></tr><tr><td width="102"><p>Controlling and monitoring suppliers</p></td><td width="464"><p>Implementation of specific controls in order to protect the information that suppliers of the CSP can access and monitor the agreed services and security requirements.</p></td></tr><tr><td 
width="102"><p>CSPM</p></td><td width="464"><p>Cloud Security Posture Management service automates the identification and remediation of risks across cloud infrastructures.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>At the state of practice, this requirement can be implemented by documenting the processes adopted by the CSP to leverage its Cloud Security Posture Management service (CSPM). Most commercial (and CSP-native) CSPMs will implement at least the automated monitoring aspects mentioned in the requirement, although some degree of customization might be needed to guarantee that new standard controls frameworks (e.g., EUCS) are integrated into the CSPM. Furthermore, the CSP should consider that integration with 3<sup>rd</sup> party tools (e.g., ITS) might be required to guarantee that aspects like response/recovery times are also properly monitored.</p><p>It has been observed that Gartner&rsquo;s &ldquo;magic quadrant&rdquo; of CSPMs are still on its early days related to multi-cloud support, so it is still a common practice to rely on more than one CSPM tool (despite the evident cost of ownership issues).</p><p>Also, current CSPMs are limited in the sense that only in-cloud compliance can be monitored i.e., it is usually not possible to monitor compliance of non-cloud services like HR Training databases. In these cases, another sort of automated monitoring system/organizational process should be implemented by the CSP.</p><p>Finally, notwithstanding the underlying technology being leveraged by the CSP, it must be guaranteed that the corresponding procedures are documented and integrated into the operational processes of the CSP.</p>',792),
+	(29,'<p>The EUCS requirement PM-04.8H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor Identified violations and discrepancies, and these shall be automatically reported to the responsible personnel or system components of the CSP for prompt assessment and action</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="161"><p>Name</p></td><td width="350"><p>Objective</p></td></tr><tr><td width="56"><p>PM-04</p></td><td width="161"><p>Monitoring of Compliance with Requirements</p></td><td width="350"><p>&ldquo;Monitoring mechanisms are in place to ensure that third-parties comply with their regulatory and contractual obligations&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - SSO-04: Monitoring of compliance with requirements</li><li>SecNumCloud FRANCE - 15.5: Confidentiality undertakings</li><li>ISO 27002 &ndash; 5.22: Monitoring, review and change management of supplier services</li><li>Cisco CCF - CCF 247: Supplier Management Program</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr style="height: 35px;"><td style="height: 35px;" width="102"><p>Term</p></td><td style="height: 35px;" width="464"><p>Definition</p></td></tr><tr style="height: 48px;"><td style="height: 48px;" width="102"><p>Procurement management</p></td><td style="height: 48px;" width="464"><p>Process of acquiring goods, services, or works from an external source.</p></td></tr><tr style="height: 61px;"><td style="height: 61px;" width="102"><p>Controlling and monitoring suppliers</p></td><td style="height: 61px;" width="464"><p>Implementation of specific controls in order to protect the information that suppliers of the CSP can access and monitor the agreed services and security requirements.</p></td></tr><tr style="height: 48px;"><td style="height: 48px;" width="102"><p>Monitoring</p></td><td style="height: 48px;" 
width="464"><p>To keep track of the system state and behaviour with the aim to detect and notify nonconformities.</p></td></tr><tr style="height: 35px;"><td style="height: 35px;" width="102"><p>Violation</p></td><td style="height: 35px;" width="464"><p>A behaviour contrary to that required by a rule.</p></td></tr><tr style="height: 35.4062px;"><td style="height: 35.4062px;" width="102"><p>Discrepancy</p></td><td style="height: 35.4062px;" width="464"><p>Difference or mismatch between two or more things.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Discrepancies can occur for a variety of reasons, such as errors in communication, misunderstandings, or issues with the supplier. It''s important for CSPs to be capable of automatically monitoring identified discrepancies to resolve them as soon as possible in order to minimize among others any negative impacts on the CSP&rsquo;s service provision. This automated monitoring may also lead to the identification of nonconformities, which may need to be reported to the CAB as part of the CSP&rsquo;s continuous monitoring obligations.</p><p>As in the case of PM-04.7H, the deployment of a CSPM service can implement (at least partially) this PM-04.8H requirement. The vast majority of CSPMs implement some sort of notification mechanism to make responsible stakeholders aware of detected violations and discrepancies. CSPs should also look for CSPM features allowing ITS integration, which can greatly expand the notification/reporting capabilities of out-of-the-box CSPMs. This (automated) monitoring may also lead to the identification of nonconformities, which may need to be reported to the CAB as part of the CSP&rsquo;s continuous monitoring obligations.</p><p>Challenges related to the implementation of PM-04.8H can be expected due to the heterogeneity of CSP&rsquo;s implementations/platforms, where no single CSPM/ITS might be able to integrate all expected notifications/interoperability features. 
In analogy to PM-04.7H, CSPs are expected to rely on multiple technologies/products to integrate in their own IT systems for guaranteeing that related notifications are managed in accordance with EUCS.</p><p>&nbsp;</p>',793),
+	(30,'<p>The EUCS requirement IM-02.5H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor the processing of security incidents to verify the application of incident management policies and procedures</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>IM-02</p></td><td width="143"><p>Processing of Security Incidents</p></td><td width="367"><p>&ldquo;A methodology is defined and applied to process security incidents in a fast, efficient and orderly manner&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - SIM-02: Processing of security incidents</li><li>SecNumCloud FRANCE - 16.3: Assessment of events linked to information security and decision making</li><li>SecNumCloud FRANCE - 16.5: Learning from incidents linked to information security</li><li>ISO 27002 &ndash; 5.25: Assessment and decision on information security events</li><li>ISO 27002 &ndash; 8.8: Management of technical vulnerabilities</li><li>Cisco CCF - CCF 236: Security &amp; Privacy Incident Response</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>Security incident</p></td><td width="464"><p>An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.<a href="#_ftn1" name="_ftnref1">[1]</a></p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The objective of this control is ensuring a consistent and comprehensive approach to the capture, assessment, communication and 
escalation of security incidents.</p><p>Typical monitoring of security incidents could occur through analysis a ticket management or other business process management system. This monitoring shall ensure that all the activities of the methodology for the processing of security incidents are performed and fulfilled. i.e., incident detections, categorization, resolution, etc.</p><p>&nbsp;</p><p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://csrc.nist.gov/glossary/term/security_incident">https://csrc.nist.gov/glossary/term/security_incident</a></p>',814),
+	(31,'<p>The EUCS requirement CO-03.5H states:</p><p>&ldquo;<strong>Internal audits shall be supplemented by procedures to automatically monitor compliance with applicable requirements of policies and instructions</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>CO-03</p></td><td width="143"><p>Internal Audits of the Internal Control System</p></td><td width="367"><p>&ldquo;Subject matter experts regularly check the compliance of the Information Security Management System (ISMS) to relevant and applicable legal, regulatory, self-imposed or contractual requirements&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - COM-03: Internal audits of the information security management system</li><li>ISO 27002 &ndash; 5.35: Independent review of information security</li><li>Cisco CCF - CCF 1: Control Self-Assessments</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>ISMS</p></td><td width="464"><p>Information Security Management System</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>This requirement is in the heart of continuous monitoring, as it is a requirement utilizing all the other requirements involving automatic monitoring. In practice, this requirement aims to ensure that the policy statements and requirements from policies and instructions are automatically monitored. What this means, is that the automated monitoring associated with internal audit for that specified scope shall cover all the requirements set in the organization&rsquo;s ISMS. Therefore, this TOM must be adjusted for the internal audit scope. 
If the scope of the internal audit is the whole ISMS, the automated monitoring shall cover all the requirements set by policies and instructions in the ISMS scope.</p><p>The automatic evaluation of this requirement is twofold: firstly, the overall compliance is evaluated as a percentage of the automatically monitored requirements, where the target value is 100 %. Secondly, fulfilment of this requirement needs an evaluation of whether the assessed component is compliant or not.</p><p>The assessment can be made by comparing the requirements in scope to automated monitoring processes. Each requirement in scope shall have a functioning automated monitoring process. Each monitoring process shall be linked to monitored assets which define the scope for the specified requirement. If there are existing monitoring processes but they are not implemented to all assets in scope, it lowers the percentage of automated monitoring coverage. With this information, an example table can be created to illustrate the evaluation process for this requirement. In Table 10 imaginary assets and requirements are used for illustration purposes.</p><p>Table 10. 
Example of an evaluation process (source: MEDINA&rsquo;s own contribution)</p><table border="1" width="563"><thead><tr><td width="87"><p><strong>Requirement</strong></p></td><td width="101"><p><strong>Percentage of target assets monitored </strong></p></td><td width="161"><p><strong>Monitoring process(es)</strong></p></td><td width="95"><p><strong>Compliance status in specified timeframe</strong></p></td><td width="119"><p><strong>Nonconforming measurements</strong></p></td></tr></thead><tbody><tr><td width="87"><p><strong>OIS-02.4H</strong></p></td><td width="101"><p>100 % (1/1)</p></td><td width="161"><p>&lt;link to measurement&gt;</p></td><td width="95"><p>OK</p></td><td width="119"><p>N/A</p></td></tr><tr><td width="87"><p><strong>HR-04.3H</strong></p></td><td width="101"><p>0% (0/0)</p></td><td width="161"><p>&lt;asset_X_measurement not defined&gt;</p></td><td width="95"><p>N/A</p></td><td width="119"><p>N/A</p></td></tr><tr><td width="87"><p><strong>OPS-07.2H</strong></p></td><td width="101"><p>66 % (2/3)</p></td><td width="161"><p>&lt;link to measurement_1&gt;</p><p>&lt;link to measurement_2&gt;</p><p>&lt;asset_Y_measurement not defined &gt;</p></td><td width="95"><p>NOT OK</p></td><td width="119"><p>&lt;nonconformity in measurement 1&gt;</p></td></tr></tbody></table><p>&nbsp;</p><p>When calculating the results of the measurement, they can ultimately be presented in a more compact view with the following information:</p><table><tbody><tr><td width="312"><p>Percentage of compliance monitors in place for the scope</p></td><td width="283"><p>&lt; calculated percentage of assets monitored for all requirements in scope&gt;</p></td></tr><tr><td width="312"><p>Compliance status (number of nonconformities)</p></td><td width="283"><p>&lt;sum of all nonconformities&gt;</p></td></tr></tbody></table>',901),
+	(32,'<p>The EUCS requirement CO-03.6H states:</p><p>&ldquo;<strong>The CSP shall implement automated monitoring to identify vulnerabilities and deviations, which shall be automatically reported to the appropriate CSP&rsquo;s subject matter experts for immediate assessment and action</strong>&rdquo;.</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>CO-03</p></td><td width="143"><p>Internal Audits of the Internal Control System</p></td><td width="367"><p>&ldquo;Subject matter experts regularly check the compliance of the Information Security Management System (ISMS) to relevant and applicable legal, regulatory, self-imposed or contractual requirements&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - COM-02: Policy for planning and conducting audits</li><li>SecNumCloud FRANCE - 18.2: Independent review of information security</li><li>ISO 27002 &ndash; 5.35: Independent review of information security</li><li>Cisco CCF - CCF 1: Control Self-Assessments</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr><td width="102"><p>Term</p></td><td width="464"><p>Definition</p></td></tr><tr><td width="102"><p>ISMS</p></td><td width="464"><p>Information Security Management System</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>The conformity to this requirement consists of two sub-requirements which are applied to each monitored asset. First, it is monitored whether the asset in scope is identified to be vulnerable and secondly, it is monitored if the asset is deviating. 
Deviation could be challenging to define, but in this context, it is defined as a nonconformity to any measurement applied to that asset since the measurement requirements set a baseline for conformity.</p><p>The first part of this requirement is measured by checking whether the asset is vulnerable. There could be industrial tools for doing this, but the simple way of doing this is to compare if the target asset version is known to be vulnerable. For example, for software components it is relatively easy to see if the software is updated to the latest version. Alternatively, the measurement can be made against a list of known vulnerable versions since the latest software version can be vulnerable. The measurement can be supplemented with other information which is not mandatory but could be beneficial. Table 11 shows an example of vulnerable assets identifying version number and identified vulnerability. The provided information may vary depending on the measurement tool&rsquo;s capabilities.</p><p>Table 11. Example of vulnerable assets (source: MEDINA&rsquo;s own contribution)</p><table border="1"><tbody><tr><td width="123"><p>Target asset</p></td><td width="180"><p>Is vulnerable (TRUE/FALSE)</p></td><td width="121"><p>Version</p></td><td width="142"><p>Vulnerability</p></td></tr><tr><td width="123"><p>Asset_1</p></td><td width="180"><p>TRUE</p></td><td width="121"><p>1.1.2</p></td><td width="142"><p>CVE-2021-XXXX</p></td></tr><tr><td width="123"><p>Asset_2</p></td><td width="180"><p>FALSE</p></td><td width="121"><p>2.3.4</p></td><td width="142"><p>N/A</p></td></tr></tbody></table><p>The second part of this TOM is to measure whether the asset is deviating. This is measured by assessing if the target asset is nonconforming to any of the requirements applied to it. This can be done with a simple Boolean operation, where conformity is 0 and nonconformity is 1. 
By applying a simple logical OR-operation the overall status can be calculated: If there is a single nonconformity, the result for the assessment is 1, indicating a nonconformity, or deviation in this context. Table 12 presents the simplified output with two measurements.</p><p>Table 12. Example of a deviating asset (source: MEDINA&rsquo;s own contribution)</p><table border="1" width="100%"><tbody><tr><td width="66"><p>Asset</p></td><td width="161"><p>Measurement result 1</p></td><td width="161"><p>Measurement result 2</p></td><td width="180"><p>Is deviating? (TRUE / FALSE)</p></td></tr><tr><td width="66"><p>A</p></td><td width="161"><p>0</p></td><td width="161"><p>1</p></td><td width="180"><p>TRUE</p></td></tr><tr><td width="66"><p>B</p></td><td width="161"><p>0</p></td><td width="161"><p>0</p></td><td width="180"><p>FALSE</p></td></tr></tbody></table><p>The final part of the requirement is to automatically report the findings to the CSP&rsquo;s subject matter experts. The reporting functionality should be built into the system itself. Of course, there can be a metric to measure whether the automatic reporting is working or not, but it is not in the focus of this TOM as the reporting of nonconformities is built into the MEDINA framework itself.</p><p>&nbsp;</p>',902),	
+ 	(33,'<p>The EUCS requirement INQ-03.4H states:</p><p>&ldquo;<strong>The CSP shall automatically monitor the accesses performed by or on behalf of investigators as determined by the process described in INQ-01</strong>&rdquo;.</p><p>and references the following requirements:</p><table border="1" width="100%"><tbody><tr><td width="85"><p>INQ-01.1H</p></td><td width="482"><p>&ldquo;The CSP shall subject investigation requests from government agencies to a legal assessment by subject matter experts.&rdquo;</p></td></tr><tr><td width="85"><p>INQ-01.2H</p></td><td width="482"><p>&ldquo;The legal assessment shall determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken.&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="66"><p>Code</p></td><td width="161"><p>Name</p></td><td width="340"><p>Objective</p></td></tr><tr><td width="66"><p>INQ-03</p></td><td width="161"><p>Conditions for Access to or Disclosure of Data in Investigation Requests</p></td><td width="340"><p>&ldquo;Investigators only have access to the data required for their investigation after validation of the legality of their request&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>Internal references:</p><ul><li>EUCS - INQ-01: Legal Assessment of Investigative Inquiries</li></ul><p>External references:</p><ul><li>2020 GERMANY - INQ-03: Conditions for Access to or Disclosure of Data in Investigation Requests</li><li>Cisco CCF &ndash; CCF 279: Threat and Vulnerability Management</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1" width="100%"><tbody><tr><td width="113"><p>Term</p></td><td width="454"><p>Definition</p></td></tr><tr><td width="113"><p>Investigation request</p></td><td width="454"><p>Official request for documents, data, information, or other evidence, made by a government agency, regulatory authority, law enforcement 
body, or other investigative entity.</p></td></tr><tr><td width="113"><p>Legal assessment</p></td><td width="454"><p>Comprehensive evaluation of a legal matter or issue, usually performed by a lawyer or a team of lawyers.</p></td></tr><tr><td width="113"><p>Disclosure of data</p></td><td width="454"><p>The process of granting the right to examine data and the right to create or retain a copy.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>Government agencies can request access to CSP&rsquo;s systems to perform investigations. These requests need to be legally assessed by the legal department (or company) of the CSP in order to accept or reject them and to determine whether the government agency has an applicable and legally valid basis and what further steps need to be taken.</p><p>These are some steps that could be taken to automatically monitor the access performed by or on behalf of investigators:</p><ul><li>Implementing logging and auditing mechanisms to capture information about access to specific data and through specific tools.</li><li>Setting up automated notifications and alerts that are triggered for specific access or activities (e.g., when investigators access a sensitive data or attempted to access a restricted data).</li><li>Generating and monitoring regular access reports to detect among others unauthorized and unusual access.</li><li>Implementing role-based access control based on the investigator role and type of missions.</li></ul>',965),
+	(34,'<p>The EUCS requirement PSS-04.2H states:</p><p>&ldquo;<strong>An integrity check shall be performed, automatically monitored and reported to the CSC if the integrity check fails</strong>&rdquo;.</p><p>and references the following requirement also from PSS-04:</p><table border="1" width="100%"><tbody><tr><td width="75"><p>PSS-04.1H</p></td><td width="491"><p>"The CSP shall ensure the following aspects if CSCs operate virtual machines or containers with the cloud service:</p><p>- The CSC can restrict the selection of images of virtual machines or containers, so that users of this CSC can only launch the images or containers released according to these restrictions.</p><p>- Images made available by the CSP to the CSC are labelled with information about their origin (CSP or third-party) and about their security, and those provided by the CSP are hardened according to generally accepted industry standards."</p></td></tr></tbody></table><p>&nbsp;</p><h5>EUCS Security Control</h5><table border="1" width="100%"><tbody><tr><td width="56"><p>Code</p></td><td width="143"><p>Name</p></td><td width="367"><p>Objective</p></td></tr><tr><td width="56"><p>PSS-04</p></td><td width="143"><p>Images for Virtual Machines and Containers</p></td><td width="367"><p>&ldquo;Services for providing and managing virtual machines and containers to customers include appropriate protection measures&rdquo;</p></td></tr></tbody></table><p>&nbsp;</p><h5>References</h5><p>External references:</p><ul><li>2020 GERMANY - PSS-11: Images for Virtual Machines and Containers</li><li>Cisco CCF- CCF 173: Infrastructure &amp; Virtualization Security</li></ul><p>&nbsp;</p><h5>Key concepts</h5><table border="1"><tbody><tr style="height: 35px;"><td style="height: 35px;" width="102"><p>Term</p></td><td style="height: 35px;" width="464"><p>Definition</p></td></tr><tr style="height: 48.4062px;"><td style="height: 48.4062px;" width="102"><p>Integrity check</p></td><td style="height: 48.4062px;" 
width="464"><p>The process to confirm that all the necessary measures to prevent any unauthorized access to the related systems and files have been taken.</p></td></tr><tr style="height: 61px;"><td style="height: 61px;" width="102"><p>Images of virtual machines</p></td><td style="height: 61px;" width="464"><p>A virtual machine image is a file which contains a virtual disk that has a bootable operating system installed on it. It is a compute resource that uses software instead of a physical computer to run programs and deploy applications.</p></td></tr></tbody></table><p>&nbsp;</p><h5>Guidelines</h5><p>If the CSP provides a service to manage virtual machines or containers to its customers, integrity checks of these virtual machines&rsquo; or containers&rsquo; images shall be performed automatically at start-up.</p><p>Data integrity checks are normally performed using a hash value calculation. The verified hash values for the images of virtual machines or containers shall be compared to a reference which is confirmed to be correct in order to ensure the images have not been tampered with. When a deviation is detected indicating a manipulation of the virtual machine or container image in question, the CSC shall be automatically notified. Starting the virtual machines or containers based on images with unconfirmed or deviated integrity values could also be automatically prevented.</p><p>Apart from notifying the CSC, the deviations detected shall also be reported to the responsive experts appointed by the CSP to analyse the deviation and its cause and prevent further damage. Security incident procedures shall be followed.</p>',994);
+
+/*!40000 ALTER TABLE `reference_tom` ENABLE KEYS */;
+
+SET FOREIGN_KEY_CHECKS=1;
+COMMIT;
\ No newline at end of file
diff --git a/git/cocMysql/startupscripts/06_initialDataQuestionnaireBasic.sql b/git/cocMysql/startupscripts/06_initialDataQuestionnaireBasic.sql
new file mode 100644
index 0000000000000000000000000000000000000000..fca53a158c5b5f4cc4713102b68780b3a8f908a8
--- /dev/null
+++ b/git/cocMysql/startupscripts/06_initialDataQuestionnaireBasic.sql
@@ -0,0 +1,1036 @@
+--
+
+ -- Database: `cocbackend`
+--
+USE `cocbackend`;
+SET FOREIGN_KEY_CHECKS=0;
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET NAMES utf8 */;
+/*!50503 SET NAMES utf8mb4 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+
+ -- ----------------------------------
+ -- Table: `question_assurance_level`
+ -- ----------------------------------
+/*!40000 ALTER TABLE `question_assurance_level` DISABLE KEYS */;
+INSERT INTO cocbackend.question_assurance_level (id, assurance_level) VALUES
+	 (1, 'Basic'),
+	 (2, 'Substantial'),
+	 (3, 'High');
+/*!40000 ALTER TABLE `question_assurance_level` ENABLE KEYS */;
+
+ -- ----------------------------------
+ -- Table: `question_answer`
+ -- ----------------------------------
+/*!40000 ALTER TABLE `question_answer` DISABLE KEYS */;
+INSERT INTO cocbackend.question_answer (id, answer, value, visible) VALUES
+	 (1, 'Fully supported.', 100, true),
+	 (2, 'Partially supported.', 50, true),
+	 (3, 'Not supported at all.', 0, true),
+	 (4, 'Not applicable.', 0, true),
+	 (5, 'Not answered', 0, false);
+/*!40000 ALTER TABLE `question_answer` ENABLE KEYS */;
+
+ -- ----------------------------------
+ -- Table: `question`
+ -- ----------------------------------
+/*!40000 ALTER TABLE `question` DISABLE KEYS */;
+
+ 
+ -- A1.OIS
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1,'Q1-OIS-01.1B','Does the CSP have an information security management system (ISMS) documented?','- Documented Information Security Management System (ISMS)','',1,1,1,1),
+(2,'Q2-OIS-01.1B','Does the information security management system cover  the operational units?','-  ISMS scope (operational units)','',1,1,1,1),
+(3,'Q3-OIS-01.1B','Does the information security management system (ISMS), cover locations?','-  ISMS scope (locations)','',1,1,1,1),
+(4,'Q4-OIS-01.1B','Does the CSP cover processes for providing the cloud service?','-  ISMS scope (processes for providing the cloud service)','',1,1,1,1),
+(5,'Q1-OIS-01.2B','Does the CSP provide documented information of the ISMS applied to the cloud service?','- Documented information of the ISMS applied to the cloud service','',1,1,2,1),
+
+(24,'Q1-OIS-02.1B','Does the CSP perform a risk assessment as defined in RM-01?','- Documented  risk assessment','',1,2,7,1),
+(25,'Q2-OIS-02.1B','Does the risk assessment address the accumulation of responsibilities or tasks in roles or individuals, with respect to the provision of the cloud service?','- Documented  risk assessment (information related with the accumulation of responsibilities or tasks in roles or individuals, with respect to the provision of the cloud service)','',1,2,7,1),
+(26,'Q3-OIS-02.1B','Does the risk assessment cover administration of rights profiles, approval and assignment of access and access authorisations (cf. IAM-01)?','- Documented risk assessment (information related with the administration of rights profiles, approval and assignment of access and access authorisations)
+- Documented risk assessment review record','',1,2,7,1),
+(27,'Q4-OIS-02.1B','Does the risk assessment  cover development, testing and release of changes (cf. DEV-01, CCM-01)?','- Documented risk assessment (information related with  development, testing and release of changes)
+- Documented risk assessment review record','',1,2,7,1),
+(28,'Q5-OIS-02.1B','Does the risk assessment cover the operation of the system components / assets?','- Documented risk assessment (information related with  operation of the system components)
+- Documented risk assessment review record','',1,2,7,1),
+(29,'Q1-OIS-02.2B','Does the CSP implement the mitigating measures defined in the risk treatment plan?','-  Quality records derived from the implementation of the defined Risk Assessment. The records shall include at least the following information: mitigation measure applied, linked requirement id and by whom.','',1,2,8,1),
+(30,'Q2-OIS-02.2B','Do the mitigating measures privilege separation of duties, unless impossible for organisational or technical reasons?','-  Quality records derived from the implementation of the defined Risk Assessment related with the privilege separation of duties','',1,2,8,1),
+(31,'Q3-OIS-02.2B','In case of organisational or technical reasons that prevent privileging separation of duties, do the measures include the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions?','-  Quality records derived from the implementation of the defined Risk Assessment related with the monitoring of activities in order to detect unauthorised or unintended changes as well as misuse and the subsequent appropriate actions','',1,2,8,1),
+
+(53,'Q1-OIS-03.1B','Does the CSP stay informed about current threats and vulnerabilities?','- Subscriptions to Industry Reports & Storm Casts
+- Online Threat Intelligence investigation records','',1,3,16,1),
+
+(59,'Q1-OIS-04.1B','Does the CSP  include information security in the project management of all projects that may affect the service, regardless of the nature of the project?','- Project management documentation (information related with the information security)','',1,4,19,1);
+
+-- A2.ISP 
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(64,'Q1-ISP-01.1B','Is there a document describing the global information security policy?','- Global information security policy document','',1,5,22,1),
+(65,'Q2-ISP-01.1B','Does the policy cover the importance of information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided?','- Global information security policy document (includes the importance of information security, as well as on the need to ensure the security of the information processed and stored by the CSP and the assets that support the services provided)','',1,5,22,1),
+(66,'Q3-ISP-01.1B','Does the policy cover the security objectives and the desired assurance and security level, based on the business goals  of the Cloud Service Provider?','- Global information security policy document (includes the security objectives and the desired security level, based on the business goals and tasks of the Cloud Service Provider)','',1,5,22,1),
+(67,'Q4-ISP-01.1B','Does the policy cover the commitment of the CSP to implement the security measures required to achieve the established security objectives?','- Global information security policy document (includes the commitment of the CSP to implement the security measures required to achieve the established security objectives)','',1,5,22,1),
+(68,'Q5-ISP-01.1B','Does the policy cover the most important aspects of the security strategy to achieve the security objectives set?','- Global information security policy document (includes the most important aspects of the security strategy to achieve the security objectives set)','',1,5,22,1),
+(69,'Q6-ISP-01.1B','Does the policy cover the organisational structure for information security in the cloud service application area?','- Global information security policy document (includes the organisational structure for information security in the ISMS application area)','',1,5,22,1),
+(70,'Q1-ISP-01.2B','Does the global information security policy or the organizational structure document establish who is the top management responsible for?','- Global information security policy document (establishes who is the top management responsible for)
+- Organizational structure','',1,5,23,1),
+(71,'Q2-ISP-01.2B','Does the top management approve and endorse the global information security policy?','- Top management signature of the global information security policy document','',1,5,23,1),
+(72,'Q1-ISP-01.3B','Does the CSP  communicate and make available the global information security policy to all employees and CSCs?',' - Intranet
+- Wallchart
+- Specific meetings minutes
+- Etc.','In many cases, it is difficult to identify a single piece of documentary evidence (s)',1,5,24,1),
+(73,'Q2-ISP-01.3B','Does the CSP  communicate and make available the global information security policy to all external employees ?','- Web
+- email
+- Etc.','',1,5,24,1),
+(74,'Q3-ISP-01.3B','Does the CSP  communicate and make available the global information security policy to all cloud service customers?','- Service contract 
+- Web
+- email
+- Etc.','',1,5,24,1),
+
+(102,'Q1-ISP-02.1B','Has the CSP identified all the relevant subject matters within the scheme?','- Specific document that includes information about the relevant subject matters within the scheme
+- Global information security policy
+- Etc.','',1,6,33,1),
+(103,'Q2-ISP-02.1B','Does the CSP derive policies and procedures from the global information security policy for all relevant subject matters?','- Policies and procedures for each subject matter','',1,6,33,1),
+(104,'Q3-ISP-02.1B','Does the CSP document the policies and procedures derived from the global one following a uniform structure, including at least the following aspects?:
+•	Objectives;
+•	Scope;
+•	Roles and responsibilities within the organization;
+•	Roles and dependencies on other organisations (especially cloud customers and subservice organisations);
+•	Steps for the execution of the security strategy; and
+•	Applicable legal and regulatory requirements.','- Policies and procedures template
+- Policies and procedures for each subject matter ','',1,6,33,1),
+(105,'Q1-ISP-02.2B','Does the CSP  communicate and make available the policies and procedures to all internal employees?',' -Intranet
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,6,34,1),
+(106,'Q2-ISP-02.2B','Does the CSP  communicate and make available the policies and procedures to all external employees?','- Web
+- email
+-Etc.','',1,6,34,1),
+(107,'Q1-ISP-02.3B','Has the CSP defined the authorized bodies and its composition?','- Specific document that includes information about the authorized bodies and its composition','',1,6,35,1),
+(108,'Q2-ISP-02.3B','Are the security policies and procedures approved by the CSP’s top management or by the authorized bodies?','- Top management or authorized bodies signature of the security policies and procedures','',1,6,35,1),
+(109,'Q1-ISP-02.4B','Does every subject matter have an expert identified?','- Global information security policy document
+- Organizational structure
+- Another specific document','',1,6,36,1),
+(110,'Q2-ISP-02.4B','Every policies and procedures have been reviewed by the related expert at least annually, or when the global information security policy is updated, or when major changes may affect the security of the cloud service?','- Policies and procedures version control and change history','',1,6,36,1),
+(111,'Q1-ISP-02.5B','After an update of procedures and policies, have they been approved before they become effective?','- Signature of the new procedures and policies version','',1,6,37,1),
+(112,'Q2-ISP-02.5B','After an update of procedures and policies, have they been communicated and made available to internal and external employees?',' -Intranet/WEB
+-email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,6,37,1),
+
+(137,'Q1-ISP-03.1B','Does the CSP  maintain a list of exceptions to the security policies and procedures?','- List of exceptions to the security policies and procedures
+- Records of updates of the list of exceptions','',1,7,50,1),
+(138,'Q2-ISP-03.1B','Does the list of exceptions include associated controls?','- Associated controls in the list of exceptions','',1,7,50,1),
+(139,'Q3-ISP-03.1B','Are the exceptions defined limited in time?','- Time limitation for each exception','',1,7,50,1),
+(140,'Q1-ISP-03.2B','Is the list of exceptions being reviewed at least annually?','- List of exceptions document version control and change history
+- List of exceptions document review record','',1,7,51,1);
+
+ -- A3.RM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(155,'Q1-RM-01.1B','Does the CSP define the policies and procedures for Risk management?','- Risk policy document
+- Risk management procedures','',1,8,60,1),
+(156,'Q2-RM-01.1B','Does the CSP define policies and procedures that cover the identification of risks associated with the loss of confidentiality within the scope of the ISMS?','- Risk policy document (it includes the  identification of risks associated with the loss of confidentiality within the scope of the ISMS)
+- Risk management procedures (includes the  identification of risks associated with the loss of confidentiality within the scope of the ISMS)','',1,8,60,1),
+(157,'Q3-RM-01.1B','Does the CSP define policies and procedures that cover the identification of risks associated with the loss of integrity within the scope of the ISMS?','- Risk policy document (includes the  identification of risks associated with the loss of integrity within the scope of the ISMS)
+- Risk management procedures (includes the  identification of risks associated with the loss of integrity within the scope of the ISMS)','',1,8,60,1),
+(158,'Q4-RM-01.1B','Does the CSP define policies and procedures that cover the identification of risks associated with the loss of availability  of information within the scope of the ISMS?','- Risk policy document (includes the   identification of risks associated with the loss of availability  of information within the scope of the ISMS)
+- Risk management procedures (includes the   identification of risks associated with the loss of availability  of information within the scope of the ISMS)','',1,8,60,1),
+(159,'Q5-RM-01.1B','Does the CSP document policies and procedures that cover the identification of risks associated with the  loss of authenticity of information within the scope of the ISMS?','- Risk policy document (includes the identification of risks associated with the  loss of authenticity of information within the scope of the ISMS)
+- Risk management procedures (includes the identification of risks associated with the  loss of authenticity of information within the scope of the ISMS)','',1,8,60,1),
+(160,'Q6-RM-01.1B','Does the CSP document policies and procedures that cover the assignation of risk owners?','- Risk policy document (includes the assignation of risk owners)
+- Risk management procedures  (includes the assignation of risk owners)','',1,8,60,1),
+(161,'Q7-RM-01.1B','Does the CSP define policies and procedures that cover the analysis of the probability and impact of occurrence and determination of the level of risk?','- Risk policy document (includes the analysis of the probability and impact of occurrence and determination of the level of risk)
+- Risk management procedures (includes the analysis of the probability and impact of occurrence and determination of the level of risk)','',1,8,60,1),
+(162,'Q8-RM-01.1B','Does the CSP define policies and procedures that cover the evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling?','- Risk policy document (includes the evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling)
+- Risk management procedures (includes the evaluation of the risk analysis based on defined criteria for risk acceptance and prioritisation of handling)','',1,8,60,1),
+(163,'Q9-RM-01.1B','Does the CSP define policies and procedures that cover the handling of risks through measures?','- Risk policy document (includes the handling of risks through measures)
+- Risk management procedures','',1,8,60,1),
+(164,'Q10-RM-01.1B','Does the handling of risks through measures include the approval of authorisation and acceptance of residual risks by risk owners?','- Risk policy document
+- Risk management procedures (includes the handling of risks through measures)','',1,8,60,1),
+(165,'Q11-RM-01.1B','Does the CSP define policies and procedures that cover the documentation of the activities implemented to enable consistent, valid and comparable results?','- Risk policy document (includes the documentation of the activities implemented to enable consistent, valid and comparable results)
+- Risk management procedures (includes the documentation of the activities implemented to enable consistent, valid and comparable results)','',1,8,60,1),
+
+(176,'Q1-RM-02.1B','Does the CSP implement the policies and procedures covering risk assessment on the entire perimeter of the cloud service?','- Records showing the implementation of the policies and procedures covering risk assessment on the entire perimeter of the cloud service','',1,9,63,1),
+(177,'Q1-RM-02.2B','Does the CSP make the results of the risk assessment available to relevant internal parties?','- Risk assessment results
+- Intranet/WEB
+- email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,9,64,1),
+(178,'Q2-RM-02.2B','Relevant information is made available to defined external parties','- Risk assessment results
+- Intranet/WEB
+- email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,9,64,1),
+(179,'Q1-RM-02.3B','Does the CSP review and revise the risk assessment at least annually?','- Top management or authorized bodies signature of the  risk assessment at least annually
+- records of this review in logs with dates','',1,9,65,1),
+(180,'Q2-RM-02.3B','Does the CSP review and revise the risk assessment after each major change that may affect the security of the cloud service?','- List of major changes
+- Top management or authorized bodies signature of the  risk assessment after major changes','',1,9,65,1),
+
+(193,'Q1-RM-03.1B','Does the CSP shall prioritize risks according to their criticality?','- List of prioritized risks according to their criticality','',1,10,73,1),
+(194,'Q1-RM-03.2B','Does the CSP  document a risk treatment plan to treat risks according to their priority level?','- Risk treatment plan according to their priority level','',1,10,74,1),
+(195,'Q2-RM-03.2B','Does the risk treatment plan contemplates the reducing or avoiding the risks through security controls, by sharing them, or by retaining them?','- Risk treatment plan (contemplates the reducing or avoiding the risks through security controls, by sharing them, or by retaining them)','',1,10,74,1),
+(196,'Q3-RM-03.2B','Does the CSP  implement the defined risk treatment plan?','Evidences of actions  defined in the risk treatment plan','',1,10,74,1),
+(197,'Q1-RM-03.3B','Does the risk treatment plan reduce the risk level to a threshold that the risk owners deem acceptable (Residual Risk)?','- Risk threshold evolution through time. ','',1,10,75,1),
+(198,'Q2-RM-03.3B','Is it defined what a residual risk is?','- Formal and documented definition of Residual Risk','',1,10,75,1),
+(199,'Q1-RM-03.4B','Does the CSP make the risk treatment plan available to relevant internal parties with appropriately summarised and abstracted versions?','- Risk treatment plan
+-Intranet/WEB
+- email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,10,76,1),
+(200,'Q2-RM-03.4B','Are abstracted versions made available both internally and to authorized external parties?','- Abstract of Risk treatment plan
+- email
+- Specific meetings minutes
+- Etc.','',1,10,76,1),
+(201,'Q1-RM-03.5B','If the CSP shares risks with the CSC, are the shared risks associated to Complementary User Entity Controls (CUECs)?','-  List of Complementary User Entity Controls for the risks shared with the CSC
+- Tradability between risks shared by CSP and Complementary  User Entity Controls (CUECs)
+','',1,10,77,1),
+(202,'Q2-RM-03.5B','If the CSP shares risks with the CSC, are the shared risks described in the user documentation?','- User documentation including the description of the shared risks','',1,10,77,1),
+(203,'Q1-RM-03.6B','Does the CSP review the risk treatment plan every time the risk assessment is revised?','- Risk treatment plan version control and change history
+- Risk treatment plan review record','',1,10,78,1);
+
+ -- A4.HR
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(238,'Q1-HR-01.1B','Are the security-sensitive positions classified according to their level of risk?','- Competence Position Document or similar
+- Policy document (roles section)','',1,11,93,1),
+(239,'Q2-HR-01.1B','Are the IT administration positions included in that classification?','- Competence Position Document or similar (includes the administration positions)','',1,11,93,1),
+(240,'Q3-HR-01.1B','Are the cloud service provisioning positions included in that classification?','- Competence Position Document or similar (includes the cloud service provisioning positions)','',1,11,93,1),
+(241,'Q4-HR-01.1B','Are all the positions with access to cloud customer data included in that classification?','- Competence Position Document or similar (includes all the positions with access to cloud customer data)','',1,11,93,1),
+(242,'Q5-HR-01.1B','Are all the positions with access to system components / assets included in that classification?','- Competence Position Document or similar (includes all the positions with access to system components)','',1,11,93,1),
+(243,'Q1-HR-01.2B','- Is there exist an overarching agreement containing rules to act ethically in professionals’ duties?','Overarching agreement with rules to act ethically','',1,11,94,1),
+(244,'Q2-HR-01.2B','- Is this overarching agreement included in the internal employees contract or in a dedicated code of conduct or ethics?','Internal employees contracts or dedicated Code of Conduct/Ethics document','',1,11,94,1),
+(245,'Q3-HR-01.2B','- Is this overarching agreement included in the external employees contract or in a dedicated code of conduct or ethics?','Internal employees contracts or dedicated Code of Conduct/Ethics document','',1,11,94,1),
+(246,'Q1-HR-01.3B','- Has the CSP documented a policy that describes actions to take in the event of violations of policies and procedures or applicable legal and regulatory requirements?','- Documented Policy, section dedicated to violations, instructions, applicable legal and regulatory requirements','',1,11,95,1),
+(247,'Q2-HR-01.3B','- Does the documented policy include at least the following aspects?
+•	Verifying whether a violation has occurred; and
+•	Consideration of the nature and severity of the violation and its impact','- Documented Policy (includes verifying whether a violation has occurred & Consideration of the nature and severity of the violation and its impact)','',1,11,95,1),
+(248,'Q3-HR-01.3B','Has the CSP communicated the policy that describes actions to take in the event of violations of policies and instructions or applicable legal and regulatory requirements?','- Evidences related to the policy communication:
+    - Intranet/WEB
+    - email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,11,95,1),
+(249,'Q4-HR-01.3B','Are there evidence that  the policy that describes actions to take in the event of violations of policies and instructions or applicable legal and regulatory requirements has been implemented?','-Records related to the policy implementation such as warnings and signed documents in accordance to the what it is defined in the policy for the different levels of violations','',1,11,95,1),
+(250,'Q1-HR-01.4B','Does the policy that describes actions to take in the event of violations of policies and instructions or applicable legal and regulatory requirements contain disciplinary measures?','- HR-03 Policy document','',1,11,96,1),
+(251,'Q2-HR-01.4B','Does the policy that describes actions to take in the event of violations of policies and instructions or applicable legal and regulatory requirements contain disciplinary measures?','- HR-03 Policy document','',1,11,96,1),
+(252,'Q3-HR-01.4B','Have the internal employees been informed about possible disciplinary measures?','Mechanisms used to inform internal employees about disciplinary methods:
+    - Intranet/WEB
+    - email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,11,96,1),
+(253,'Q4-HR-01.4B','Have the external employees been informed about possible disciplinary measure?','- Mechanisms used to inform external employees about disciplinary methods
+    - email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,11,96,1),
+(254,'Q5-HR-01.4B','Have the use of the disciplinary measures been appropriately documented?','- Documented disciplinary measures way of use','',1,11,96,1),
+
+(289,'Q1-HR-02.1B','Does the CSP  assess the competence and integrity of all its employees with access to CSC data or system components under the CSP’s responsibility, or who are responsible to provide the cloud service in the production environment before commencement of employment in a position classified in objective HR-01?','- Documented assess results','',1,12,105,1),
+(290,'Q1-HR-02.2B','Does the CSP  assess the competence and integrity of its employees of the CSP before commencement of employment in a position with a higher risk classification that their previous position within the company?','- Documented assess results','',1,12,106,1),
+(291,'Q1-HR-02.3B','Is the extent of the assessment proportional to the business context, the sensitivity of the information that will be accessed by the employee, and the associated risks?','- Assessment compliance review record','',1,12,107,1),
+
+(301,'Q1-HR-03.1B','Does the CSP ensure that all employees comply with all applicable information security policies and procedures?','- Employment terms and conditions 
+- Audit results of internal employees','',1,13,115,1),
+(302,'Q1-HR-03.2B','Does the employment terms for all internal employees include a non-disclosure provision?','- Non-disclosure provision document included in the employment terms and conditions for internal employees','',1,13,116,1),
+(303,'Q2-HR-03.2B','Does the employment terms for all external employees include a non-disclosure provision?','- Non-disclosure provision document included in the employment terms and conditions for external employees','',1,13,116,1),
+(304,'Q3-HR-03.2B','Does the non-disclosure provision cover any information that has been obtained or generated as part of the cloud service, even if anonymised and decontextualized?','- Non-disclosure provision document included in the employment terms and conditions','',1,13,116,1),
+(305,'Q1-HR-03.3B','Has the CSP given a presentation of all applicable information security policies and procedures to internal employees before granting them any access to customer data, the production environment, or any component thereof?','- Information security policies and procedure presentation + delivery evidence','',1,13,117,1),
+(306,'Q2-HR-03.3B','Has the CSP given a presentation of all applicable information security policies and procedures to external employees before granting them any access to customer data, the production environment, or any component thereof?','- Information security policies and procedure presentation + delivery evidence','',1,13,117,1),
+
+(322,'Q1-HR-04.1B','Has the CSP defined a security awareness and training program?','- Documented security awareness and training program','',1,14,126,1),
+(323,'Q2-HR-04.1B','Does the defined security awareness and training program contain at least the following topics?
+•	Handling system components used to provide the cloud service in the production environment in accordance with applicable policies and procedures;
+•	Handling cloud customer data in accordance with applicable policies and instructions and applicable legal and regulatory requirements;
+•	Information about the current threat situation; and
+•	Correct behaviour in the event of security incidents.','- Security awareness and training program (includes Handling system components, Handling cloud customer data, Information about the current threat situation and Correct behaviour in the event of security incidents)','',1,14,126,1),
+(324,'Q1-HR-04.2B','Is the security awareness and training program kept updated according to the changes to policies and instructions and the current threat situation?','- Documented history of the security and awareness training program with references to policies/instructions/threat situation','',1,14,127,1),
+(325,'Q1-HR-04.3B','Have all the CSP employees received the defined security awareness and training program?','- Training delivery  records','',1,14,128,1),
+
+(344,'Q1-HR-05.1B','Does the CSP communicate to employees their ongoing responsibilities relating to information security when their employment is terminated or changed?','- Employee termination/position change document','',1,15,137,1),
+(345,'Q1-HR-05.2B','Have the CSP defined a specific procedure  to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed?','- Documented specific procedure  to revoke the access rights and process appropriately the accounts and assets of employees when their employment is terminated or changed','',1,15,138,1),
+(346,'Q2-HR-05.2B','Is this procedure applied to internal employees?','- Evidence of the new access rights and process appropriately the accounts and assets  to internal employees','',1,15,138,1),
+(347,'Q3-HR-05.2B','Is this procedure applied to external employees?','- Evidence of the new access rights and process appropriately the accounts and assets  to external employees','',1,15,138,1),
+
+(367,'Q1-HR-06.1B','Does the CSP have non-disclosure or confidentiality agreements to rule the relationship between internal employees and external service providers and suppliers','- Documented Non-disclosure or confidentiality agreements to rule the relationship between internal employees and external service providers and suppliers','',1,16,143,1),
+(368,'Q2-HR-06.1B','Does the CSP ensure the agreement between internal employees and external service providers and suppliers based on the defined non-disclosure agreement?','- Signed non-disclosure or confidentiality agreements to rule the relationship between internal employees and external service providers and suppliers','',1,16,143,1);
+
+ -- A5.AM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(406,'Q1-AM-01.1B','Does the CSP  define policies and procedures for maintaining an inventory of assets?','- Documented policies and procedures ','',1,17,154,1),
+(407,'Q2-AM-01.1B','Does the CSP   implement the defined policies and procedures  for maintaining an inventory of assets?','- Documented Inventory of assets','',1,17,154,1),
+(408,'Q1-AM-01.2B','Does the CSP  record for each asset the information needed to apply the risk management procedure defined in RM-01?','- Documented Information needed for each asset to apply risk management in the inventory of assets','',1,17,155,1),
+
+(422,'Q1-AM-02.1B','Does the CSP define policies and procedures for acceptable use and safe handling of assets?','- Policies and procedures document
+- Global security policies','',1,18,162,1),
+(423,'Q2-AM-02.1B','When removable media is used in the technical infrastructure or for IT administration tasks, is this media dedicated to a single use?','- Policies and procedures document
+- Global security policies','NB. Difficult to provide an evidence (indeterminism of acceptable use)',1,18,162,1),
+
+(428,'Q1-AM-03.1B','Does the CSP define and implement a procedure for the commissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures?','- Documented Hardware commissioning procedure','',1,19,165,1),
+(429,'Q1-AM-03.2B','Does the CSP define a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures?','- Documented Hardware decommissioning procedure','',1,19,166,1),
+(430,'Q2-AM-03.2B','Does CSP implement a procedure for the decommissioning of hardware that is used to provide the cloud service in the production environment, based on applicable policies and procedures?','- Evidences related to procedure for the decommissioning of hardware implementation:
+       - HW decommissioning records / Implementation checklist or equivalent','',1,19,166,1),
+(431,'Q3-AM-03.2B','Does the decommissioning procedure include the complete and permanent deletion of the data or the proper destruction of the media and requiring approval based on applicable policies?','- Decommissioning Procedure
+-Evidences of procedure application in real cases','Where is it verified that the data has been permanently erased? In AM-03.4?',1,19,166,1),
+
+(446,'Q1-AM-04.1B','Does the CSP ensure that internal and external employees are committed to the established policy and procedures related to assets commissioning and decommissioning?','-Evidences of actions to ensure employees commitment','',1,20,174,1),
+(447,'Q2-AM-04.1B','Does the CSP document this commitment in some way?','- Employee Commitment Document','',1,20,174,1),
+(448,'Q1-AM-04.2B','Does the Confidentiality Agreement between the CSP and each employee include a clause related to the return of assets under custody of the employee a upon termination of employment?','- Specific clause in the Confidentiality Agreement signed with each employee','',1,20,175,1),
+
+(460,'Q1-AM-05.1B','For every asset included in the Asset Inventory, has the CSP documented an asset classification scheme that reflects the protection needs of the information it processes, stores, or transmits?','- Assets classification scheme in the Assets Inventory or in a separate document','',1,21,181,1),
+(461,'Q1-AM-05.2B','Has the CSP labelled (when applicable) each asset according to the assets classification scheme?','- List of assets linked to their labels / tags and other configuration information
+- Photograph (or other recording means) of the labelled assets 
+- Asset classification Scheme','',1,21,182,1);
+
+ -- A6.PS
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(470,'Q1-PS-01.1B','Does the CSP  define security perimeters in the buildings related to the cloud service provided?','- Building plans
+- Security perimeter plans
+- A CSP shall establish secure areas to protect valuable information and assets that only authorized people can access','',1,22,189,1),
+(471,'Q2-PS-01.1B','Does the CSP  define security perimeters in the premises related to the cloud service provided?','- Building plans
+- Security perimeter plans, identifying which are the ones concerning the cloud service','',1,22,189,1),
+(472,'Q1-PS-01.2B','Does the CSP define a security area covering sensitive activities such as the buildings and premises hosting the information system for the provision of the cloud service?','-Documented security area plan, establishing the two security areas, as per the requirement and who has access to them and per which terms','',1,22,190,1),
+(473,'Q2-PS-01.2B','Does the CSP  define a security public area covering at least all remaining buildings and premises?','-Documented security area plan','',1,22,190,1),
+(474,'Q1-PS-01.3B','Does the CSP define a set of security requirements for each security area in a policy according to ISP-02 (Information Security Policy)?','- Documented  security requirements for each security area
+- Documented physical policy','',1,22,191,1),
+(475,'Q2-PS-01.3B','Does the CSP implement the set of security requirements?','- Evidences related to the set of security requirements implementation','',1,22,191,1),
+
+(493,'Q1-PS-02.1B','Does the CSP define policies and procedures related to the physical access control to the security areas?','-Documented  policies and procedures ','',1,23,200,1),
+(494,'Q2-PS-02.1B','Does the CSP implement policies and procedures related to the physical access control to the security areas?','-Access control systems to prevent unauthorised access (i.e., EACS, intercoms, videophones, CCTV cameras, mechanical locking devices operated by keys or codes, etc.)','',1,23,200,1),
+(495,'Q1-PS-02.2B','Does the access control policy require at least one authentication factor for accessing any non-public area?','- Authentication factors (i.e.: Fingerprint, PIN, etc.)','',1,23,201,1),
+(496,'Q1-PS-02.3B','Does the access control policy describe the physical access control derogations in case of emergency?','- Documented description of the physical access control derogations in case of emergency','',1,23,202,1),
+(497,'Q1-PS-02.4B','Does the CSP display at the entrance of all non-public perimeters a warning concerning the limits and access conditions to the corresponding areas?','- Wallcharts
+- Specific warning signals
+- Etc.','',1,23,203,1),
+(498,'Q1-PS-02.5B','Does the CSP protect security perimeters with security measures to detect and prevent unauthorised access in a timely manner so that it does not compromise the information security of the cloud service?','- CCTV (closed circuit television) Security System.
+- Access control systems. Access control systems serve to restrict entry only to authorized personnel.
+- Motion sensors.
+- Fibber optic detection systems.
+- Ground Radar Systems.
+- Microwave barriers.
+- Electrified fences.
+- Microphone cable fence disturbance sensors.
+- Etc.','',1,23,204,1),
+
+(524,'Q1-PS-03.1B','Does the CSP  define policies and procedures concerning work in non-public areas?','-Documented  policies and procedures','',1,24,222,1),
+(525,'Q2-PS-03.1B','Does the CSP implement policies and procedures concerning work in non-public areas?','-Access control systems to prevent unauthorised access (i.e., EACS, intercoms, videophones, CCTV cameras, mechanical locking devices operated by keys or codes, etc.)','',1,24,222,1),
+
+(535,'Q1-PS-04.1B','Does the CSP  define policies and procedures concerning the protection of equipment  including protecting power and communications cabling from interception, interference or damage?','-Documented  policies and procedures ','',1,25,229,1),
+(536,'Q2-PS-04.1B','Does the CSP  implement policies and procedures concerning the protection of equipment  including protecting power and communications cabling from interception, interference or damage?','- Power and telecommunications lines undergrounded
+- Power cables isolated
+- Installation of reinforced ducts and locked rooms or boxes at inspection and termination points
+- Electromagnetic shielding for cable protection
+- Access controlled to cable rooms and patch panels
+- Etc.
+','',1,25,229,1),
+(537,'Q3-PS-04.1B','Does the CSP  define policies and procedures concerning the protection of equipment  including protecting equipment during maintenance operations?','-Documented  policies and procedures ','',1,25,229,1),
+(538,'Q4-PS-04.1B','Does the CSP  implement policies and procedures concerning the protection of equipment  including protecting equipment during maintenance operations?','- Service interval recommendations and supplier specifications
+- List of authorized maintenance personnel
+- Records of all failures, real or suspected, as well as all preventive and corrective maintenance
+- Maintenance requirements required by insurance policies','',1,25,229,1),
+(539,'Q5-PS-04.1B','Does the CSP  define policies and procedures concerning the protection of equipment  including protecting equipment holding CSC data during transport.','-Documented  policies and procedures ','',1,25,229,1),
+(540,'Q6-PS-04.1B','Does the CSP  implement policies and procedures concerning the protection of equipment  including protecting equipment holding CSC data during transport.','- Reliable transport or courier. It can also be an approved transport or courier, in agreement with the polices and procedures (see below)
+- List of authorized couriers
+- Procedures to verify the identity of couriers;
+- Packaging  protect  specifications
+- Records identifying the content of the media, the protection applied, as well as reflecting the moments of transfer to custodians and reception at destination.','',1,25,229,1),
+(541,'Q1-PS-04.2B','Does the CSP  use encryption on the removable media intended to move between security areas?','- Compliant encryption algorithms and tools (i.e., Self Encrypting USB Drives,  Media Encryption Software,  File Encryption Software)
+- Secure password management tool','',1,25,230,1),
+(542,'Q2-PS-04.2B','Does the CSP shall use encryption on the backup media intended to move between security areas?','- Backup software','',1,25,230,1),
+(543,'Q3-PS-04.2B','Is the level of encryption according to the sensitivity of the data stored on the media?','- Encrypted logs','',1,25,230,1),
+
+(571,'Q1-PS-05.1B','Does the CSP  define a set of security requirements related to external and environmental threats in a policy according to Information Security Policies (SP-02)?','- Documented policy','',1,26,240,1),
+(572,'Q2-PS-05.1B','Does the policy address faults in planning?','- Documented Policy & security requirements encompasses (faults in planning)','',1,26,240,1),
+(573,'Q3-PS-05.1B','Does the policy address unauthorised access?','- Documented Policy & security requirements encompasses (unauthorised access)','',1,26,240,1),
+(574,'Q4-PS-05.1B','Does the policy address insufficient surveillance?','- Documented Policy & security requirements encompasses (insufficient surveillance)','',1,26,240,1),
+(575,'Q5-PS-05.1B','Does the policy address insufficient air-conditioning?','- Documented Policy & security requirements encompasses (what to do when there is a lack of insufficient air-conditioning - e.g. high temperature)','',1,26,240,1),
+(576,'Q6-PS-05.1B','Does the policy address fire and smoke?','- Documented Policy & security requirements encompasses (fire and smoke)','',1,26,240,1),
+(577,'Q7-PS-05.1B','Does the policy address water?','- Documented Policy & security requirements encompasses (water)','',1,26,240,1),
+(578,'Q8-PS-05.1B','Does the policy address power failure?','- Documented Policy & security requirements encompasses (power failure)','',1,26,240,1),
+(579,'Q9-PS-05.1B','Does the policy address air ventilation and filtration?','- Documented Policy & security requirements encompasses ( air ventilation and filtration)','',1,26,240,1);
+
+ -- A7.OPS
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(608,'Q1-OPS-01.1B','Does the CSP define  procedures to plan for capacities and resources (personnel and IT resources)? ','- Capacity plan
+- Specific capacity procedures','',1,27,249,1),
+(609,'Q2-OPS-01.1B','Do procedures include forecasting future capacity requirements in order to identify usage trends and manage system overload?','- Capacity plan (encompasses future capacity requirements)
+- Specific capacity procedures','',1,27,249,1),
+(610,'Q3-OPS-01.1B','Does the CSP implement procedures to plan for capacities and resources (personnel and IT resources)?','- Capacity plan audit','',1,27,249,1),
+(611,'Q1-OPS-01.2B','Does the CSP meet the requirements included in contractual agreements with cloud customers regarding the provision of the cloud service in case of capacity bottlenecks?','- Monitoring reports
+- Contractual agreements
+- Non-conformities to the contract (if there are non-compliances)','',1,27,250,1),
+(612,'Q2-OPS-01.2B','Does the CSP  meet the requirements included in contractual agreements with cloud customers regarding the provision of the cloud service in case of  IT resources outages?','- Monitoring reports
+- Non-conformities to the contract/SLA (if there are non-compliances)
+- Contractual agreements','',1,27,250,1),
+
+(624,'Q1-OPS-02.1B','Does the CSP  document technical safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement?','- Multidimensional QoS prediction methods','',1,28,256,1),
+(625,'Q2-OPS-02.1B','Does the CSP  implement technical safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement?','- Service level agreement
+- SLA compliance report','',1,28,256,1),
+(626,'Q3-OPS-02.1B','Does the CSP  define organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement?','- Multi-dimensional QoS measures','',1,28,256,1),
+(627,'Q4-OPS-02.1B','Does the CSP implement organizational safeguards for the monitoring of provisioning and de-provisioning of cloud services to ensure compliance with the service level agreement?','- Service level agreement
+- SLA compliance report','',1,28,256,1),
+
+(638,'Q1-OPS-03.1B','Does the CSP enable CSCs to control and monitor the allocation of the system resources assigned to them, if the corresponding cloud capabilities are exposed to the CSCs?','- Contractual agreement
+- SLA
+- Privileges to use the monitoring and control tools','',1,29,261,1),
+
+(641,'Q1-OPS-04.1B','Does the CSP define policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering the use of system-specific protection mechanisms?','-Documented  policies and procedures ','',1,30,264,1),
+(642,'Q2-OPS-04.1B','Does the CSP implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering the use of system-specific protection mechanisms?','- System-specific protection mechanisms
+- System-specific protection mechanism deployment report 
+- Audit report
+- policies and procedures','',1,30,264,1),
+(643,'Q3-OPS-04.1B','Does the CSP document policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment?','-Documented  policies and procedures ','',1,30,264,1),
+(644,'Q4-OPS-04.1B','Does the CSP  communicate policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment?',' -Intranet/WEB
+- email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,30,264,1),
+(645,'Q5-OPS-04.1B','Does the CSP  implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering operating protection programs on system components under the responsibility of the CSP that are used to provide the cloud service in the production environment?','- Operating protection programs on system components under the responsibility of the CSP
+- Operating protection programs deployment report
+- Audit report','',1,30,264,1),
+(646,'Q6-OPS-04.1B','Does the CSP  document policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering operation of protection programs for employees’ terminal equipment.','-Documented  policies and procedures ','',1,30,264,1),
+(647,'Q7-OPS-04.1B','Does the CSP document, communicate and implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering operation of protection programs for employees’ terminal equipment.',' -Intranet/WEB
+- email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,30,264,1),
+(648,'Q8-OPS-04.1B','Does the CSP implement policies and procedures according to ISP-02 to protect its systems and its customers from malware, covering the operation of protection programs for employees’ terminal equipment.','- Operation of protection programs for employees’ terminal equipment
+- Operation of protection programs for employees’ terminal equipment deployment report
+- Audit report','',1,30,264,1),
+
+(670,'Q1-OPS-05.1B','Does the CSP deploy malware protection, if technically feasible, on all systems that support delivery of the cloud service in the production environment?','- Malware protection programs deployed
+','',1,31,271,1),
+(671,'Q2-OPS-05.1B','Is the deploy of malware protection according to policies and procedures?','-Documented  policies and procedures for malware protection
+- Malware deployment report ','',1,31,271,1),
+
+(681,'Q1-OPS-06.1B','Does the CSP  document policies and procedures according to ISP-02 for data backup and recovery?','-Documented  policies and procedures ','',1,32,277,1),
+(682,'Q2-OPS-06.1B','Does the CSP  communicate the policies and procedures according to ISP-02 for data backup and recovery?','- Evidences related to the policy communication:
+    - Intranet/WEB
+    - email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,32,277,1),
+(683,'Q3-OPS-06.1B','Does the CSP  implement policies and procedures according to ISP-02 for data backup and recovery?','- A filled form or screenshot identifying which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (successful / fail) and where the backup was stored.
+- A general schedule of the backup to be performed, identifying which information is planned to be backed up, the requester, the dates planned for backup, and where the backup must be stored','',1,32,277,1),
+
+(700,'Q1-OPS-07.1B','Does the CSP document technical and organizational measures to monitor the execution of data backups?','- Documented technical and organizational measures','',1,33,280,1),
+(701,'Q2-OPS-07.1B','Does the CSP implement technical and organizational measures to monitor the execution of data backups?','- Documented technical and organizational measures report','',1,33,280,1),
+(702,'Q3-OPS-07.1B','Are the technical and organizational measures to monitor the execution of data backups in accordance to the policies and procedures defined in OPS- 06?','- Documented conformity report','',1,33,280,1),
+
+(711,'Q1-OPS-08.1B','Does the CSP test the restore procedures at least annually?','´- A filled form or screenshot identifying which information was requested to be restored, the requester, the date of request, the date when the restore was performed, and the result of the restore procedure (successful / fail)','',1,34,284,1),
+(712,'Q1-OPS-08.2B','Does the CSP use CSC data, except for data in test accounts controlled by CSP staff for testing purposes? --> NO','- Contractual agreements ','',1,34,285,1),
+
+(725,'Q1-OPS-09.1B','Does the CSP transfer backup data to a remote location or transport them on backup media to a remote location?','- Data transport report','',1,35,295,1),
+(726,'Q1-OPS-09.2B','When the backup data is transmitted to a remote location via a network, do the transmission of the data takes place in an encrypted form that corresponds to the sate-of-the-art (cf. CKM- 02)?','- Data transport report (encompasses an encrypted form that corresponds to the state-of-the-art (cf. CKM- 02))','',1,35,296,1),
+
+(738,'Q1-OPS-10.1B','Does the CSP define policies and procedures according to ISP-02 that govern the logging of events on system components under its responsibility?','- Documented policies and procedures','',1,36,305,1),
+(739,'Q2-OPS-10.1B','Does the CSP  implement policies and procedures according to ISP-02 that govern the logging of events on system components under its responsibility?','- Documented  Reports
+"-Logs"','',1,36,305,1),
+
+(760,'Q1-OPS-11.1B','Does the CSP define policies and procedures according to ISP-02 that govern the secure handling of derived data?','- Documented policies and procedures','',1,37,308,1),
+(761,'Q2-OPS-11.1B','Does the CSP  implement policies and procedures according to ISP-02 that govern the secure handling of derived data?','-  Records derived from the implementation of the policies and procedures covering  the governance of the secure handling of derived data
+- Logs','',1,37,308,1),
+
+(779,'Q1-OPS-12.1B','Does the CSP monitor log data in order to identify events that might lead to security incidents, in accordance with the logging and monitoring requirements?','- Documented monitoring of log data (Logs)
+- Documented security incidents','',1,38,314,1),
+(780,'Q2-OPS-12.1B','Are identified events reported to the appropriate departments for timely assessment and remediation?','- Security incidents notification event report','',1,38,314,1),
+
+(788,'Q1-OPS-13.1B','Does the CSP store all log data in an integrity-protected and aggregated form that allow its centralized evaluation?','- Log data Database','',1,39,318,1),
+(789,'Q1-OPS-13.2B','Is the communication between the assets to be logged and the logging servers authenticated in integrity?','- Logs','',1,39,319,1),
+(790,'Q2-OPS-13.2B','Is the communication between the assets to be logged and the logging servers authenticated in confidentiality?','- Logs','',1,39,319,1),
+(791,'Q1-OPS-13.3B','Are log data deleted when it is no longer required for the purpose for which they were collected?','- Log data deletion record','',1,39,320,1),
+
+(817,'Q1-OPS-14.1B','Does the log data generated allows an unambiguous identification of user accesses at the CSC level to support analysis in the event of an incident?','- Logs','',1,40,331,1),
+
+(823,'Q1-OPS-15.1B','Does the CSP restrict access to system components under its responsibility, that are used for logging and monitoring with strong authentication?',' - Documented authorized access users list','',1,41,337,1),
+(824,'Q1-OPS-15.2B','Are changes to the logging and monitoring configuration made in accordance with applicable policies (cf. CCM-01)?','- Cross References between changes to the logging and monitoring configuration and policies for changes to information systems','',1,41,338,1),
+
+(829,'Q1-OPS-16.1B','Does the CSP monitor the system components for logging and monitoring under its responsibility?','- Documented system components monitor report','',1,42,343,1),
+(830,'Q2-OPS-16.1B','Does the CSP automatically report failures to the responsible departments for assessment and remediation?','- Automatized failures report','',1,42,343,1),
+
+(836,'Q1-OPS-17.1B','Does the CSP define in accordance to ISP-02 policies and procedures with technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service?','- Documented policies and procedures','',1,43,347,1),
+(837,'Q2-OPS-17.1B','Does the CSP  implement in accordance to ISP-02 policies and procedures with technical and organisational measures to ensure the timely identification and addressing of vulnerabilities in the system components used to provide the cloud service?','- Documented list of vulnerabilities in the system components used to provide the cloud service
+- Vulnerabilities addressing report','',1,43,347,1),
+(838,'Q1-OPS-17.2B','Does the CSP use a scoring system for the assessment of vulnerabilities?','- Documented scoring system','',1,43,348,1),
+(839,'Q2-OPS-17.2B','Does the scoring system for the assessment of vulnerabilities  includes at least “critical” and “high” classes of vulnerabilities?',' - Classes of vulnerabilities identified in the scoring system. (critical & high at least)','',1,43,348,1),
+
+(862,'Q1-OPS-18.1B','Does the CSP  publish a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility?','- Direct links to CSP online repositories 
+-WEB
+-email
+- etc.','',1,44,356,1),
+(863,'Q2-OPS-18.1B','Does the CSP maintain a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install or operate under their own responsibility?','-  Register of vulnerabilities update date','',1,44,356,1),
+(864,'Q1-OPS-18.2B','Does the online register indicate for every vulnerability a presentation of the vulnerability following an industry-accepted scoring system?
+','- Vulnerability online register','an industry-accepted scoring system may be ambiguous',1,44,357,1),
+(865,'Q2-OPS-18.2B','Does the online register indicate for every vulnerability a description of the remediation options for that vulnerability?','- Vulnerability online register','',1,44,357,1),
+(866,'Q3-OPS-18.2B','Does the online register indicate for every vulnerability information on the availability of updates or patches for that vulnerability?','- Vulnerability online register','',1,44,357,1),
+(867,'Q4-OPS-18.2B','Does the online register indicate for every vulnerability information about the remediation or deployment of patches or updates by the CSP or CSC, including detailed instructions for operations to be performed by the CSC?','- Vulnerability online register','',1,44,357,1),
+(868,'Q1-OPS-18.3B','Does the CSP publish a publicly and easily accessible online register of vulnerabilities that affect the cloud service and assets provided by the CSP that the CSCs have to install, provide or operate under their own responsibility?','- Vulnerability online register','',1,44,358,1),
+(869,'Q1-OPS-18.4B','Does the CSP consult regularly the online registers of vulnerabilities published by its subservice providers and suppliers?','- Direct links to CSP online repositories','consult regularly it is necessary specify regularly',1,44,359,1),
+(870,'Q2-OPS-18.4B','Does the CSP shall analyse the potential impact of the published vulnerabilities on the cloud service?','- Documented analysis of the potential impact of the published vulnerabilities on the cloud service','',1,44,359,1),
+(871,'Q3-OPS-18.4B','Does the CSP handle the vulnerabilities according to the vulnerability handling process (cf. OPS-17)?','- Audit records concerning to the  handled vulnerabilities','',1,44,359,1),
+
+(901,'Q1-OPS-19.1B','Does the CSP perform on a regular basis tests to detect publicly known vulnerabilities on the system components used to provide the cloud service?','- Test report','regular basis tests it is necessary specify regular',1,45,371,1),
+
+(929,'Q1-OPS-20.1B','Does the CSP regularly measure the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness?','- Documented procedures review
+- Procedures’ review date
+','regularly it is necessary specify regularly',1,46,385,1),
+(930,'Q2-OPS-20.1B','Does the CSP regularly  analyse the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness?','- Documented procedures review
+- Procedures’  review date
+','regularly it is necessary specify regularly',1,46,385,1),
+(931,'Q3-OPS-20.1B','Does the CSP  regularly assess the procedures with which vulnerabilities and incidents are handled to verify their continued suitability, appropriateness and effectiveness?','- Documented procedures review
+- Procedures’  review date
+','regularly it is necessary specify regularly',1,46,385,1),
+
+(940,'Q1-OPS-21.1B','Does the CSP harden all the system components under its responsibility that are used to provide the cloud service, according to accepted industry standards?
+','- Documented hardens to all the system components under its responsibility
+- Changes in the system components (encompasses the hardens)','according to accepted industry standards may be ambiguous',1,47,390,1),
+(941,'Q1-OPS-21.2B','Are the hardening requirements for each system component documented?','- Documented hardening requirements for each system component','',1,47,391,1),
+
+(947,'Q1-OPS-22.1B','Does the CSP  segregate the CSC data stored and processed on shared virtual and physical resources to ensure the confidentiality and integrity of this data?','- CSC data stored and processed on shared virtual and physical resources','',1,48,396,1);
+
+ -- A8. IAM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(954,'Q1-IAM-01.1B','Have the CSP defined role and rights policies and procedures for controlling access to information resources?','- Documented role and rights policies and procedures for controlling access to information resources','',1,49,399,1),
+(955,'Q2-IAM-01.1B','Are the above defined policies and procedures aligned with the Global Information Security Policy defined in ISP-02?','- Cross references between role and rights policies and procedures for controlling access to information resources and Global Information Security Policy','',1,49,399,1),
+(956,'Q3-IAM-01.1B','Are the above defined policies and procedures based on the business and security requirements of the CSP?','- Policies and procedures review records (Approval signature)','',1,49,399,1),
+(957,'Q4-IAM-01.1B','Does the above defined policies and procedure contains at least:
+•	Parameters to be considered for making access control decisions
+•	Granting and modifying access rights based on the “least-privilege” principle and on the “need-to-know” principle.
+•	Use of a role-based mechanism for the assignment of access rights
+•	Segregation of duties between managing, approving and assigning access rights
+•	Dedicated rules for users with privileged access
+•	Requirements for the approval and documentation of the management of access rights','- Documented role and rights policies and procedures for controlling access to information resources (include these five topics)
+- Policies and procedures review records','',1,49,399,1),
+(958,'Q1-IAM-01.2B','Does the IAM-01.1 documented policy and the PS-02.1 documented policy make cross reference between them?','- Cross references between IAM-01-1 policy and PS-02.1 policy','',1,49,400,1),
+
+(975,'Q1-IAM-02.1B','Are the policies for managing accounts defined?','- Documented policies for managing accounts','',1,50,406,1),
+(976,'Q2-IAM-02.1B','Are the policies for managing accounts aligned with ISP-02 policy?','- Policies review records','',1,50,406,1),
+(977,'Q3-IAM-02.1B','Does the documented policies for managing accounts contain at least:
+•	Parameters for making access control decisions
+•	Assignment of unique usernames
+•	Definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type
+•	Events and periods of inactivity leading to blocking and revoking accounts.','- Documented policies (encompass assignment of unique usernames, definition of the different types of accounts supported, and assignment of access control parameters and roles to be considered for each type & events leading to blocking and revoking accounts)
+- Policies review records','',1,50,406,1),
+(978,'Q1-IAM-02.2B','Are the procedures for managing personal user accounts and access rights to employees specified in IAM-01 defined?','- Documented procedures for managing personal user accounts and access rights to employees ','',1,50,407,1),
+(979,'Q1-IAM-02.3B','Are the procedures for managing non-personal shared accounts and associated access rights specified in IAM-01 documented?','- Documented procedures for managing non-personal shared accounts and associated access rights','',1,50,408,1),
+(980,'Q1-IAM-02.4B','Are the procedures for managing technical accounts and associated access rights to system components involved in the operation of the cloud service specified in ISP-02 defined?','´- Documented procedures for managing technical accounts and associated access rights to system components involved in the operation of the cloud service','',1,50,409,1),
+(981,'Q2-IAM-02.4B','Are the previous documented policies comply the role and rights concept and with the policies for managing accounts?','- Policy assessment result','',1,50,409,1),
+(982,'Q3-IAM-02.4B','Are these procedures implemented?','- Technical accounts and associated access rights to system components involved in the operation of the cloud service','',1,50,409,1),
+(983,'Q1-IAM-02.5B','Can the CSP provide for a given user account, whether it falls under the responsibility of the CSP or of the CSC?','- Fault register associated to an user account in which it is specified if the faults responsibility is of CSP or CSC','',1,50,410,1),
+
+(1016,'Q1-IAM-03.1B','Does the CSP document a mechanism that automatically block user accounts after a certain period of inactivity?','- Documented description of the mechanism to block user accounts after a certain period of inactivity','',1,51,427,1),
+(1017,'Q2-IAM-03.1B','Is the certain period of inactivity quantified and documented somewhere?','- Document in which is specified the certain period of time after which the user account is automatically blocked','',1,51,427,1),
+(1018,'Q3-IAM-03.1B','Does the automated mechanism in place executed when some user account overcome the specified period of time?','- Evidences of blocked user accounts that meet the defined requirements','',1,51,427,1),
+(1019,'Q1-IAM-03.2B','Does the CSP define a mechanism that automatically block user accounts after a certain number of failed authentication attempts?','- Documented description of the mechanism to block user accounts','',1,51,428,1),
+
+(1049,'Q1-IAM-04.1B','Has the CSP documented procedures to grant, update, and revoke to a user account under its responsibility access rights to resources of the information system of the cloud service?','- Documented procedures to grant, update, and revoke to a user account under its responsibility access rights to resources of the information system of the cloud service','',1,52,440,1),
+(1050,'Q2-IAM-04.1B','Are these documented procedures compliant with the role and rights concept and with the policies for managing access rights?','- Procedure assessment results','',1,52,440,1),
+(1051,'Q3-IAM-04.1B','Are these procedure implemented within the CSP?','- Examples of user accounts to which access rights to resources of the information system of the cloud service have been granted, updated, revoked','',1,52,440,1),
+(1052,'Q1-IAM-04.2B','Has the CSP documented procedures to  timely update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change?','- Documented procedures o  timely update or revoke the access rights of an internal or external employee when the role and responsibilities of the employee change','',1,52,441,1),
+(1053,'Q2-IAM-04.2B','Are the previous documented procedures implemented for internal employees?','- Example of internal employees whose access rights have been updated/revoked when their role and responsibilities has changed','',1,52,441,1),
+(1054,'Q3-IAM-04.2B','Are the previous documented procedures implemented for external employees?','- Example of external employees whose access rights have been updated/revoked when their role and responsibilities has changed','',1,52,441,1),
+
+(1076,'Q1-IAM-05.1B','Does the CSP periodically review the access rights of all user accounts under its responsibility?','- Access rights review results (execution date less than 12 months).','',1,53,452,1),
+(1077,'Q2-IAM-05.1B','Is the previous review executed at least annually for all the user accounts under the CSP responsibility?','- Review execution dates of the last 2/3 years','',1,53,452,1),
+
+(1088,'Q1-IAM-06.1B','Are the shared accounts under the responsibility of the CSP assigned only to employees?','- Assignment of the shared accounts','',1,54,459,1),
+
+(1107,'Q1-IAM-07.1B','Have the CSP defined policy and procedures about authentication mechanisms according to IPS-02?','- Documented policy and procedures','',1,55,472,1),
+(1108,'Q2-IAM-07.1B','Does these policy and procedures cover at least the following aspects:
+•	The selection of mechanisms suitable for every type of account and each level of risk;
+•	The protection of credentials used by the authentication mechanism;
+•	The generation and distribution of credentials for new accounts;
+•	Rules for the renewal of credentials, including periodic renewals, renewals in case of loss or compromise; and
+•	Rules on the required strength of credentials, together with mechanisms to communicate and enforce the rules','- Documented policy and procedures (encompass the five topics)
+- Documented policy and procedures review records
+','',1,55,472,1),
+(1109,'Q3-IAM-07.1B','Are these policy and procedures implemented within the CSP organization?','- Logs
+-Databases or any other software asset ','',1,55,472,1),
+(1110,'Q1-IAM-07.2B','Is the access to all the CSP environment authenticated?','- Access Logs to the -production environment, in order to see the authentication protocol applied to production environment','',1,55,473,1),
+(1111,'Q2-IAM-07.2B','Are the non-production environment also included in the previous authentication?','- Access Logs to the non-production environments, in order to see the authentication protocol applied to non-production environments','',1,55,473,1),
+(1112,'Q1-IAM-07.3B','Does every authentication mechanism in place within CSP include a mechanism to block an account after a predefined number of unsuccessful attempts?','- If this is something static: documents that for each authentication mechanism document the blocking mechanism
+- If this is something dynamic: examples of blocked account due to unsuccessful attempts','',1,55,474,1),
+(1113,'Q2-IAM-07.3B','Is somewhere documented for every authentication mechanism in place within the CSP the predefined number of unsuccessful attempts?','- Document that for each authentication mechanism the blocking mechanism and quantified the number of unsuccessful attempts','',1,55,474,1),
+
+(1136,'Q1-IAM-08.1B','Has the CSP documented rules and recommendations for the management of credentials?','- Document with rules and recommendations for the management of credentials','',1,56,491,1),
+(1137,'Q2-IAM-08.1B','Does the previous document contain at least:
+•	Non-reuse of credentials
+•	Trade-offs between entropy and ability to memorize
+•	Recommendations for renewal of passwords
+•	Rules on storage of passwords','- Document with rules and recommendations for the management of credentials (encompass the four topics)
+- Document with rules and recommendations for the management of credentials review records','',1,56,491,1),
+(1138,'Q3-IAM-08.1B','Have the CSP communicated to all users under its responsibility the rules and recommendations for the management of credentials?','- Communication mechanism:
+ -Intranet/WEB
+ -email
+ - Wallchart
+ - Specific meetings minutes
+ - Etc.','',1,56,491,1),
+(1139,'Q4-IAM-08.1B','Have the CSP made available to all users under its responsibility the rules and recommendations for the management of credentials?','- Examples of documents with rules and recommendations for the management of credentials provided by sampled users','',1,56,491,1),
+(1140,'Q1-IAM-08.2B','Are all the passwords stored using cryptographically strong hash functions according to the policy defined in CKM-01?','- Example of stored passwords randomly selected','',1,56,492,1),
+(1141,'Q1-IAM-08.3B','If cryptographic authentication mechanisms are used, do they follow the policies and procedures specified in CKM-01?','- Example of cryptographic authentication mechanisms randomly selected + Review results against CKM-01 policies','',1,56,493,1),
+
+(1171,'Q1-IAM-09.1B','Have the CSP implemented partitioning measures between the information system providing the cloud service and its other information systems?','- Example of partitioning measures randomly identified','',1,57,509,1),
+(1172,'Q2-IAM-09.1B','Are the partitioning measures sufficient?','N.B. Not possible to demonstrate with the current level of objectiveness','',1,57,509,1),
+(1173,'Q1-IAM-09.2B','Did the CSP implement measures for partitioning between the CSCs?','- Example of partitioning measures between CSCs randomly identified','',1,57,510,1);
+
+ -- A9.CKM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1213,'Q1-CKM-01.1B','Does the CSP document policies with technical and organizational safeguards for encryption and key management, according to ISP-02?','-Documented policies with technical and organizational safeguards for encryption and key management (encompasses the three aspects)','',1,58,525,1),
+(1214,'Q2-CKM-01.1B','Does the CSP  implement policies with technical and organizational safeguards for encryption and key management, according to ISP-02?','- Audit records / Logs','',1,58,525,1),
+(1215,'Q3-CKM-01.1B','Do policies describe usage of strong encryption procedures and secure network protocols?','- Policies (describe usage of strong encryption procedures and secure network protocols)','',1,58,525,1),
+(1216,'Q4-CKM-01.1B','Do policies describe requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys?','- Policies (describe requirements for the secure generation, storage, archiving, retrieval, distribution, withdrawal and deletion of the keys)','',1,58,525,1),
+(1217,'Q5-CKM-01.1B','Do policies describe consideration of relevant legal and regulatory obligations and requirements?','- Policies (describe consideration of relevant legal and regulatory obligations and requirements)','',1,58,525,1),
+
+(1232,'Q1-CKM-02.1B','Does the CSP define strong encryption mechanisms for the transmission of CSC data over public networks?','- Encryption mechanisms design','strong encryption mechanisms what is strong?',1,59,528,1),
+(1233,'Q2-CKM-02.1B','Does the CSP implement strong encryption mechanisms for the transmission of cloud customer data over public networks?','- Audit records
+- Examples of encrypted data','',1,59,528,1),
+
+(1240,'Q1-CKM-03.1B','Does the CSP document procedures and technical safeguards to protect cloud customers’ data during storage according to ISP-02?','- Documented procedures and technical safeguards to encrypt cloud customers’ data during storage','',1,60,533,1),
+(1241,'Q2-CKM-03.1B','Does the CSP implement technical safeguards to protect cloud customers’ data during storage?','- Audit records
+- Examples of encrypted data','',1,60,533,1),
+(1242,'Q1-CKM-03.2B','Does the CSP notify customers about any updates to technical safeguards and to the procedures that protect the confidentiality of customers’ data during storage that may affect the confidentiality of the data?','- Documented notifications to customers (email, reports, web, etc.)','',1,60,534,1),
+(1243,'Q2-CKM-03.2B','Does the CSP notify customers about any changes in the storage of customer data that may affect the confidentiality of the data?','- Documented notifications to customers (email, reports, web, etc.)','',1,60,534,1),
+
+(1256,'Q1-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP shall include a generation of keys for different cryptographic systems and applications?','- Documented procedures and technical safeguards for secure key management (include a generation of keys for different cryptographic systems and applications)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1257,'Q2-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP include issuing and obtaining public-key certificates?','- Documented procedures and technical safeguards for secure key management (include issuing and obtaining public-key certificates)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1258,'Q3-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP include provisioning and activation of the keys?','- Documented procedures and technical safeguards for secure key management (include provisioning and activation of the keys)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1259,'Q4-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP include secure storage of keys including description of how authorised users get access?','- Documented procedures and technical safeguards for secure key management ( include secure storage of keys including description of how authorised users get access)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1260,'Q5-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP include changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised?','- Documented procedures and technical safeguards for secure key management (include changing or updating cryptographic keys including policies defining under which conditions and in which manner the changes and/or updates are to be realised)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1261,'Q6-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP include handling of compromised keys?','- Documented procedures and technical safeguards for secure key management (include handling of compromised keys)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1),
+(1262,'Q7-CKM-04.1B','Do procedures and technical safeguards for secure key management in the area of responsibility of the CSP  include withdrawal and deletion of keys?','- Documented procedures and technical safeguards for secure key management ( include withdrawal and deletion of keys)
+-  Documented procedures and technical safeguards for secure key management compliance review record','',1,61,541,1);
+
+ -- A10.CS
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1282,'Q1-CS-01.1B','Does the CSP  document technical safeguards to ensure the protection of information and information processing systems that are suitable to promptly detect and respond to network-based attacks?','- Documented technical safeguards','',1,62,549,1),
+(1283,'Q2-CS-01.1B','Does the CSP  implement technical safeguards that are suitable to promptly detect and respond to network-based attacks?','- Event log and monitoring to allow the recording and detection of actions that could affect, or be relevant, for information security
+- Audit report
+','',1,62,549,1),
+(1284,'Q3-CS-01.1B','Does the CSP  define technical safeguards to ensure the protection of information and information processing systems?','- Documented technical safeguards','',1,62,549,1),
+(1285,'Q4-CS-01.1B','Does the CSP implement technical safeguards to ensure the protection of information and information processing systems?','- Event log and monitoring to allow the recording and detection of actions that could affect, or be relevant, for information security
+- Audit report','',1,62,549,1),
+
+(1300,'Q1-CS-02.1B','Do the CSP  define specific security requirements to connect within its network?','- Documented specific security requirements to connect within its network','',1,63,556,1),
+(1301,'Q2-CS-02.1B','Do the CSP   make available specific security requirements to connect within its network?','- Distribution mechanism:
+    - Information management system
+    -Intranet/WEB
+    -email
+   - Etc.','',1,63,556,1),
+(1302,'Q3-CS-02.1B','Do the CSP  implement specific security requirements to connect within its network?','- Audit records','',1,63,556,1),
+(1303,'Q4-CS-02.1B','Do specific security requirements to connect within its network address when the security zones are to be separated and when the cloud customers are to be logically or physically segregated?','- Documented specific security requirements to connect within its network review record','',1,63,556,1),
+(1304,'Q5-CS-02.1B','Do specific security requirements to connect within its network address what communication relationships and what network and application protocols are permitted in each case?','- Documented specific security requirements to connect within its network review record','',1,63,556,1),
+(1305,'Q6-CS-02.1B','Do specific security requirements to connect within its network  address how the data traffic for administration and monitoring are segregated from each other at the network level?','- Documented specific security requirements to connect within its network review record','',1,63,556,1),
+(1306,'Q7-CS-02.1B','Do specific security requirements to connect within its network address what internal, cross-location communication is permitted?','- Documented specific security requirements to connect within its network review record','',1,63,556,1),
+(1307,'Q8-CS-02.1B','Do specific security requirements to connect within its network address what cross-network communication is allowed?','- Documented specific security requirements to connect within its network review record','',1,63,556,1),
+
+(1324,'Q1-CS-03.1B','Does the CSP distinguish between trusted and untrusted networks?','- Documented list of trusted and untrusted networks','',1,64,559,1),
+(1325,'Q2-CS-03.1B','Is that distinction based on a risk assessment?','- Documented risk assessment','',1,64,559,1),
+(1326,'Q1-CS-03.2B','Does the CSP separate trusted and untrusted networks into different security zones for internal network areas?','- Documented network topology','',1,64,560,1),
+(1327,'Q2-CS-03.2B','Does the CSP  separate trusted and untrusted networks into different security zones for external network areas?','- Documented network topology','',1,64,560,1),
+(1328,'Q3-CS-03.2B','Does the CSP  separate trusted and untrusted networks into different security zones for DMZ, if applicable?','- Documented network topology','',1,64,560,1),
+(1329,'Q1-CS-03.3B','Does the CSP shall design virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02)?','- Documented physical network environments design','',1,64,561,1),
+(1330,'Q2-CS-03.3B','Does the CSP shall design virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02)?','- Documented virtualized network environments design','',1,64,561,1),
+(1331,'Q3-CS-03.3B','Does the CSP  configure physical network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02)','- Documented physical network environments configuration','',1,64,561,1),
+(1332,'Q4-CS-03.3B','Does the CSP  configure virtualized network environments to restrict and monitor the connection to trusted or untrusted networks according to the defined security requirements (cf. CS-02)','- Documented virtualized network environments configuration','',1,64,561,1),
+(1333,'Q1-CS-03.4B','Does the CSP review at specified intervals the business justification for using all services, protocols, and ports?','- Documented review records (last 2/3 years)','specified intervals may be ambiguous',1,64,562,1),
+
+(1366,'Q1-CS-04.1B','Does the CSP define separate networks for the administrative management of the infrastructure and the operation of management consoles?','- Documented network topology
+- Documented network design','',1,65,575,1),
+(1367,'Q2-CS-04.1B','Does the CSP implement separate networks for the administrative management of the infrastructure and the operation of management consoles','- Audit records','',1,65,575,1),
+(1368,'Q1-CS-04.2B','Does the CSP logically or physically separate the networks for administration from the CSCs’ networks?','- Documented network topology
+- Documented network design','',1,65,576,1),
+(1369,'Q1-CS-04.3B','Does the CSP segregate physically or logically the networks used to migrate or create virtual machines?','- Documented network topology
+- Documented network design','',1,65,577,1),
+
+(1380,'Q1-CS-05.1B','Does the CSP define separation mechanisms at network level the data traffic of different CSCs?','- List of separation mechanisms at network level','',1,66,586,1),
+(1381,'Q2-CS-05.1B','Does the CSP document separation mechanisms at network level the data traffic of different cloud customers?','- Documented  separation mechanisms design at network level','',1,66,586,1),
+(1382,'Q3-CS-05.1B','Does the CSP implement separation mechanisms at network level the data traffic of different cloud customers?','- Audit records','',1,66,586,1),
+
+(1390,'Q1-CS-06.1B','Does the CSP maintain up-to-date all documentation of the logical structure of the network used to provision or operate the cloud service?','-Document version control box up-to-date
+- Configuration management audit record','',1,67,590,1),
+(1391,'Q1-CS-06.2B','Does the documentation cover how the subnets are allocated?','- Documentation of the logical structure of the network used to provision or operate the cloud service review record','',1,67,591,1),
+(1392,'Q2-CS-06.2B','Does the documentation cover how the network is zoned and segmented?','- Documentation of the logical structure of the network used to provision or operate the cloud service review record','',1,67,591,1),
+(1393,'Q3-CS-06.2B','Does the documentation cover how it connects with third-party and public networks?','- Documentation of the logical structure of the network used to provision or operate the cloud service review record','',1,67,591,1),
+(1394,'Q4-CS-06.2B','Does the documentation cover the geographical locations in which the  CSC data is stored?','- Documentation of the logical structure of the network used to provision or operate the cloud service review record','',1,67,591,1),
+
+(1411,'Q1-CS-07.1B','Does the CSP ensure the confidentiality of the cloud user data by suitable procedures when offering functions to CSCs for software-defined networking (SDN)?','- Documented suitable procedures to ensure the confidentiality of the cloud user data','suitable procedures may be ambiguous',1,68,600,1),
+(1412,'Q1-CS-07.2B','Does the CSP validate the functionality of the SDN functions before providing new SDN features to CSCs?','- SDN functions validation record','',1,68,601,1),
+
+(1419,'Q1-CS-08.1B','Does the CSP define policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02?','- Documented policies and procedures with technical and organisational safeguards','',1,69,608,1),
+(1420,'Q2-CS-08.1B','Does the CSP implement policies and procedures with technical and organisational safeguards to protect the transmission of data against unauthorised interception, manipulation, copying, modification, redirection or destruction, according to ISP-02?','- Audit records','',1,69,608,1);
+
+ -- A11.PI
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1427,'Q1-PI-01.1B','Is the cloud service accessible by cloud services from other CSPs or cloud customers IT systems?','- Accessible APIs
+- Public URLs','',1,70,611,1),
+(1428,'Q2-PI-01.1B','Are the  inbound interfaces documented?','-  Documented inbound interfaces (internal domain names)','',1,70,611,1),
+(1429,'Q3-PI-01.1B','Are the outbound interfaces documented?','-  Documented outbound interfaces','',1,70,611,1),
+(1430,'Q1-PI-01.2B','Are the interfaces clearly documented for subject matter experts to understand how they can be used to retrieve the data?','- Documented inbound and outbound interfaces (internal domain names and ports, mechanisms, username/pwd, etc.)
+- Peer review of the documented interfaces','Clearly may be ambiguous',1,70,612,1),
+(1431,'Q1-PI-01.3B','Does communication on these interfaces use standardized communication protocols?','- Documented list of supported communication protocols
+','Is there a list of standardized communication protocols?',1,70,613,1),
+(1432,'Q2-PI-01.3B','Do protocols  ensure the confidentiality and integrity of the transmitted information according to its protection requirements and the adequate authentication of the user?','- Documented list of supported communication protocols
+','Warning!!! When adequate is used you are introducing a subjective evaluation!',1,70,613,1),
+(1433,'Q1-PI-01.4B','Is the communication over untrusted networks protected in confidentiality, integrity and authenticity according to CKM-02?','- Authentication and Protection Settings','',1,70,614,1),
+
+(1450,'Q1-PI-02.1B','Does the CSP in cloud service contractual agreements concerning the termination of the contractual relationship include type, scope and format of the data the CSP provides to the CSC?','- Contractual agreements concerning the termination of the contractual relationship (include type, scope and format of the data the CSP provides to the CSC)','',1,71,624,1),
+(1451,'Q2-PI-02.1B','Does the CSP  in cloud service contractual agreements concerning the termination of the contractual relationship include delivery methods of the data to the cloud customer?','- Contractual agreements concerning the termination of the contractual relationship (include delivery methods of the data to the cloud customer)','',1,71,624,1),
+(1452,'Q3-PI-02.1B','Does the CSP  in cloud service contractual agreements concerning the termination of the contractual relationship include definition of the timeframe, within which the CSP makes the data available to the CSC?','- Contractual agreements concerning the termination of the contractual relationship (include definition of the timeframe, within which the CSP makes the data available to the CSC)','',1,71,624,1),
+(1453,'Q4-PI-02.1B','Does the CSP  in cloud service contractual agreements concerning the termination of the contractual relationship include definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these?','- Contractual agreements concerning the termination of the contractual relationship ( include definition of the point in time as of which the CSP makes the data inaccessible to the CSC and deletes these)','',1,71,624,1),
+(1454,'Q5-PI-02.1B','Does the CSP  in cloud service contractual agreements concerning the termination of the contractual relationship include the CSC’s responsibilities and obligations to cooperate for the provision of the data?','- Contractual agreements concerning the termination of the contractual relationship (include the CSC’s responsibilities and obligations to cooperate for the provision of the data)','',1,71,624,1),
+
+(1471,'Q1-PI-03.1B','Does the CSP implement procedures for deleting its customers’ data upon termination of their contract in compliance with the contractual agreements between them?','- Procedures for deleting customer’s data
+- Data destruction tools
+- Data destruction records (a filled form or screenshot identifying the data deletion (successful / fail)','',1,72,630,1),
+(1472,'Q1-PI-03.2B','Does the CSC’s data deletion  include all CSC data, as well as related metadata and cloud service derived data?','- Procedures for deleting customer’s data
+- Data destruction tools
+- Data destruction records (a filled form or screenshot identifying the data deletion (successful / fail)','',1,72,631,1),
+(1473,'Q2-PI-03.2B','Does the CSC’s data deletion  include data stored in the data backups?','- Procedures for detecting customer’s data
+- Data destruction tools
+- Data destruction records (a filled form or screenshot identifying the data deletion (successful / fail)','',1,72,631,1),
+(1474,'Q1-PI-03.3B','At the end of a contract, does the CSP delete the technical data concerning the CSC?','- Technical data erasure records','',1,72,632,1);
+
+ -- A12.CCM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1487,'Q1-CCM-01.1B','Is there a document describing the policy for change management of the IT systems supporting the cloud service?','- Change management policy document','In the requirement change the order of  document, implement, and communicate to  shall document, communicate and implement',1,73,643,1),
+(1488,'Q2-CCM-01.1B','Are there documented procedures for change management of the IT systems supporting the cloud service?','- Documented procedures for change management','',1,73,643,1),
+(1489,'Q3-CCM-01.1B','Does the CSP communicate the defined policies and procedures for change management of the IT systems supporting the cloud service?',' -Intranet/WEB
+-email
+- Wallchart
+- Specific meetings minutes
+- Etc.','',1,73,643,1),
+(1490,'Q4-CCM-01.1B','Does the CSP implement the defined policies and procedures for change management of the IT systems supporting the cloud service?','- Change managements record & evidences
+- Audit records','',1,73,643,1),
+
+(1507,'Q1-CCM-02.1B','Does the CSP categorize changes considering the potential security effects on the system components concerned?','-List of categorized changes','',1,74,646,1),
+(1508,'Q2-CCM-02.1B','Does the CSP  prioritise changes considering the potential security effects on the system components concerned?','-List of how changes are prioritized','',1,74,646,1),
+
+(1519,'Q1-CCM-03.1B','Does the CSP test proposed changes before deployment to the production environment?','- Test plan
+- Tests (unit tests / continuous integration tests)
+- Documented test execution results','',1,75,653,1),
+(1520,'Q1-CCM-03.2B','Before using CSC data for tests, does the CSP first obtain approval from CSC?','-  Documented approval from CSC','',1,75,654,1),
+(1521,'Q2-CCM-03.2B','Before using customer data for tests, does the CSP anonymise customer data?','- Documented compliance review of anonymized customer data','',1,75,654,1),
+(1522,'Q3-CCM-03.2B','Before using customer data for tests, does the CSP guarantee the confidentiality of the data during the whole process?','- Confidentiality agreement','',1,75,654,1),
+
+(1545,'Q1-CCM-04.1B','Is there defined criteria to approve any change to the cloud service before they are made available to CSCs in the production environment?','- Documented list of defined criteria to approve any change to the cloud service before they are made available to CSCs in the production environment','',1,76,666,1),
+(1546,'Q2-CCM-04.1B','Does the CSP use the defined criteria to approve any change to the cloud service before they are made available to CSCs in the production environment?','- Evidence of use the defined criteria to approve any change to the cloud service before they are made available to CSCs in the production environment
+- Audit records','',1,76,666,1),
+
+(1554,'Q1-CCM-05.1B','Does the CSP define roles for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment?','- Documented list of roles and the changes they are allowed to make and to which components','',1,77,669,1),
+(1555,'Q2-CCM-05.1B','Does the CSP shall define rights for the defined roles according to IAM-01 for the authorised personnel or system components who are allowed to make changes to the cloud service in the production environment?','- Documented list of rights for each role','',1,77,669,1),
+(1556,'Q1-CCM-05.2B','Are all changes to the cloud service in the production environment logged to the individual or system component that initiated the change?','- Log record of the session of the individual or system component that initiated the change','',1,77,670,1),
+(1557,'Q2-CCM-05.2B','Are all changes to the cloud service in the production environment traceable back to the individual or system component that initiated the change?','- Log record of the session of  the individual or system component that initiated the change','',1,77,670,1),
+
+(1567,'Q1-CCM-06.1B','Does the CSP document version control procedures to track the dependencies of individual changes?','- Documented version control procedures','',1,78,675,1),
+(1568,'Q2-CCM-06.1B','Does the CSP implement version control procedures to track the dependencies of individual changes?','- Documented list of dependencies of individual changes
+- Version control management tool
+- Tool for the management of binaries','',1,78,675,1),
+(1569,'Q3-CCM-06.1B','Are the CSP document version control procedures able to restore affected system components back to their previous state as a result of errors or identified vulnerabilities?','- Documented version control procedures','',1,78,675,1),
+(1570,'Q4-CCM-06.1B','Does the CSP implement version control procedures that are able restore affected system components back to their previous state as a result of errors or identified vulnerabilities?','- System tags
+- Version control tool','',1,78,675,1);
+
+ -- A13.DEV
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1584,'Q1-DEV-01.1B','Does the CSP define policies and procedures according to security policies and procedures (ISP-02) with technical and organisational measures for the secure development of the cloud service?','- Documented policies and procedures
+- Safe development guides for each programming language used
+- Safety requirements in the design phase
+- Security checkpoints incorporated into project milestones
+- Secure repositories
+- Security by design practices','',1,79,680,1),
+(1585,'Q1-DEV-01.2B','Do the policies for secure development consider information security from the earliest phases of design?','- Documented policies (encompasses information security from the earliest phases of design)','',1,79,681,1),
+(1586,'Q2-DEV-01.2B','Do the procedures for secure development consider information security from the earliest phases of design?','- Documented procedures (encompass information security from the earliest phases of design)','',1,79,681,1),
+
+(1603,'Q1-DEV-02.1B','Does the CSP maintain a list of dependencies to hardware products used in the development of its cloud service?','- Documented list of dependencies to hardware products used in the development of its cloud service','',1,80,688,1),
+(1604,'Q2-DEV-02.1B','Does the CSP  maintain a list of dependencies to software products used in the development of its cloud service','- Documented list of dependencies to software products used in the development of its cloud service','',1,80,688,1),
+
+(1618,'Q1-DEV-03.1B','Does the CSP ensure that the confidentiality of the source code is adequately protected at all stages of development?',' - Source code protection policy (e.g., NDA, IPR, License)','Adequately introduce a subjective evaluation risk',1,81,696,1),
+(1619,'Q2-DEV-03.1B','Does the CSP  ensure that the integrity of the source code is adequately protected at all stages of development?',' - SAST and DAST results
+- security code checks','',1,81,696,1),
+(1620,'Q1-DEV-03.2B','Does the CSP use version control to keep a history of the changes in source code?','- Version control tool in use','',1,81,697,1),
+(1621,'Q2-DEV-03.2B','Is it maintained an attribution of changes to individual developers?','- Version control tool
+- Change log records','',1,81,697,1),
+
+(1640,'Q1-DEV-04.1B','Does the CSP ensure that production environments are physically or logically separated from development environments?','- Documented environments description','',1,82,708,1),
+(1641,'Q2-DEV-04.1B','Does the CSP  ensure that production environments are physically or logically separated from test environments?','- Documented environments description','',1,82,708,1),
+(1642,'Q3-DEV-04.1B','Does the CSP  ensure that production environments are physically or logically separated romper-production environments?','- Documented environments description','',1,82,708,1),
+(1643,'Q1-DEV-04.2B','Is CSC data contained in the production environments being prevented to be used in development, test or pre-production environments?','- Data set used in test and pre-production environments','',1,82,709,1),
+
+(1657,'Q1-DEV-05.1B','Does the CSP define specific procedures for the development of functions that implement technical mechanisms or safeguards required by the EUCS scheme, with increased testing requirements?','- Documented specific procedures for the development of functions','',1,83,717,1),
+(1658,'Q2-DEV-05.1B','Does the CSP implement specific procedures for the development of functions that implement technical mechanisms or safeguards required by the EUCS scheme, with increased testing requirements?','- Technical mechanisms or safeguards required by the EUCS scheme, with increased testing requirements','',1,83,717,1),
+
+(1678,'Q1-DEV-06.1B','Does the CSP apply appropriate measures to check the cloud service for vulnerabilities that may have been integrated into the cloud service during the development process?','-Vulnerability assessments results (manual)',' appropriate measures is ambiguous',1,84,727,1),
+(1679,'Q1-DEV-06.2B','Are the procedures for identifying vulnerabilities integrated in the development process?',' - Documented procedures for identifying vulnerabilities
+- Documented development process
+- Development process audit records','',1,84,728,1),
+
+(1697,'Q1-DEV-07.1B','When outsourcing development of the cloud service or components thereof to a contractor, do the CSP and the contractor contractually agree on specifications regarding at security in software development (requirements, design, implementation, tests and verifications) in accordance with recognised standards and methods?','- Contract signed by both parts','in accordance with recognised standards and methods may be ambiguous',1,85,735,1),
+(1698,'Q2-DEV-07.1B','When outsourcing development of the cloud service or components thereof to a contractor, do the CSP and the contractor  contractually agree on specifications regarding at acceptance testing of the quality of the services provided in accordance with the agreed functional and non-functional requirements?','- Contract signed by both parts','',1,85,735,1),
+(1699,'Q3-DEV-07.1B','When outsourcing development of the cloud service or components thereof to a contractor, do the CSP and the contractor  contractually agree on specifications regarding a providing evidence that sufficient verifications have been carried out to rule out the existence of known vulnerabilities?','- Contract reviewed and signed by both parts','',1,85,735,1);
+
+ -- A14.PM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1735,'Q1-PM-01.1B','Is there a document describing the policy for controlling and monitoring third parties whose products or services contribute to the provision of the cloud service?','-Controlling and monitoring third parties whose products or services contribute to the provision of the cloud service policy document','',1,87,750,1),
+(1736,'Q2-PM-01.1B','Are there documented procedures for controlling and monitoring third parties whose products or services contribute to the provision of the cloud service?','- Documented procedures for controlling and monitoring third parties whose products or services contribute to the provision of the cloud service','',1,87,750,1),
+(1737,'Q3-PM-01.1B','Does the CSP implement the defined policies and procedures for controlling and monitoring third parties whose products or services contribute to the provision of the cloud service?','- Records that demonstrate the control to third parties whose products or services contribute to the provision of the cloud service records & evidences (e.g. Meeting minutes, monthly follow up reports)','',1,87,750,1),
+
+(1769,'Q1-PM-02.1B','Does the CSP perform a risk assessment of its suppliers or the control and monitoring of third parties before they start contributing to the provision of the cloud service?','- Documented risk assessment','',1,88,756,1),
+(1770,'Q2-PM-02.1B','Is the risk assessment performed in accordance with the policies and procedures for the control and monitoring of third parties before they start contributing to the provision of the cloud service?','- Documented risk assessment
+- Risk assessment review results','',1,88,756,1),
+(1771,'Q1-PM-02.2B','Following the risk assessment of a subservice provider, does the CSP define a list of Complementary Subservice Organization Controls (CSOC) to be implemented by the subservice provider?','- Documented list of Complementary Subservice Organization Controls','',1,88,757,1),
+(1772,'Q2-PM-02.2B','Is the list of Complementary Subservice Organization Controls (CSOC) been defined for every applicable EUCS?','- Documented list of Complementary Subservice Organization Controls
+- Documented list of Complementary Subservice Organization Controls review results','',1,88,757,1),
+(1773,'Q1-PM-02.3B','Does the CSP ensure that the subservice provider has implemented the CSOCs?','- Subservice provider CSOC documented implementation results review
+- Audit report to the Subservice provider','',1,88,758,1),
+(1774,'Q2-PM-02.3B','Does the CSP ensure that the subservice provider has made available evidence supporting the assessment of their effectiveness to the targeted evaluation level?','- Available evidence supporting the assessment of their effectiveness to the targeted evaluation level provided by the subservice provider','',1,88,758,1),
+(1775,'Q1-PM-02.4B','Is the adequacy of the risk assessment reviewed regularly?','- Documented  risk assessment review records (2/3 years)','',1,88,759,1),
+(1776,'Q2-PM-02.4B','Is the adequacy of the definition of CSOCs  reviewed regularly?','- Documented definition of CSOCs review','',1,88,759,1),
+(1777,'Q3-PM-02.4B','Is the adequacy of the risk assessment reviewed at least annually?','- Risk assessment review version control and change history','',1,88,759,1),
+(1778,'Q4-PM-02.4B','Is the adequacy of the definition of CSOCs  reviewed  at least annually?','- Definition of CSOCs review version control and change history','',1,88,759,1),
+
+(1808,'Q1-PM-03.1B','Does the CSP maintain a directory for controlling and monitoring the suppliers who contribute to the delivery of the cloud service?','- Centralized directory of suppliers','',1,89,769,1),
+(1809,'Q1-PM-03.2B','Do the CSP shall verify the directory for completeness, accuracy and validity?','- Directory audit report','',1,89,770,1),
+(1810,'Q2-PM-03.2B','The CSP shall verify the directory for completeness, accuracy and validity at least annually','- Directory audit report version control and change history','',1,89,770,1),
+
+(1819,'Q1-PM-04.1B','Does the CSP monitor the compliance of its suppliers with information security requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties?',' - Documented compliance report of the monitoring','',1,90,775,1),
+(1820,'Q2-PM-04.1B','Does the CSP  monitor the compliance of its suppliers with applicable legal and regulatory requirements in accordance with policies and procedures concerning controlling and monitoring of third-parties?',' - Documented compliance report of the monitoring','Which are the applicable legal and regulatory requirements?',1,90,775,1),
+(1821,'Q1-PM-04.2B','Does the CSP monitor the compliance of its subservice providers with the CSOCs applicable to them following the risk assessment?',' - Documented compliance report of the monitoring','',1,90,776,1),
+(1822,'Q1-PM-04.3B','Does the frequency of the monitoring correspond to the classification of the third party based on the risk assessment conducted by the Cloud Service Provider?',' - Documented compliance report of the monitoring version control and change history','',1,90,777,1),
+(1823,'Q2-PM-04.2B','Are the results of the monitoring included in the review of the third party’s risk assessment?','- Documented  review of the third party’s risk assessment','',1,90,777,1),
+(1824,'Q1-PM-04.4B','Are Identified violations and deviations analysed, in accordance with the risk management procedure?','- Documented review of the Identified violations and deviations management','',1,90,778,1),
+(1825,'Q2-PM-04.4B','Are Identified violations and deviations evaluated in accordance with the risk management procedure?','- Documented review of the Identified violations and deviations management','',1,90,778,1),
+(1826,'Q3-PM-04.4B','Are Identified violations and deviations treated in accordance with the risk management procedure?','- Documented review of the Identified violations and deviations management','',1,90,778,1),
+(1827,'Q1-PM-04.5B','Does the CSP shall inform all of its CSCs without undue delay when a change in a third-party contributes to the delivery of the cloud service affects its level of security?',' -Intranet/WEB
+- email
+- Etc.','without undue delay, be more specific if possible…when it is considered undue?',1,90,779,1),
+
+(1860,'Q1-PM-05.1B','Does the CSP  define exit strategies for the purchase of services where the risk assessment of the suppliers identified a very high dependency?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1861,'Q2-PM-05.1B','Are exit strategies for the purchase of services aligned with operational continuity plans?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1862,'Q3-PM-05.1B','Do exit strategies for the purchase of services include  analysis of the potential costs, impacts, resources, and timing of the transition of a purchased service to an alternative service provider or supplier?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1863,'Q4-PM-05.1B','Do exit strategies for the purchase of services include definition and allocation of roles, responsibilities, and sufficient resources to perform the activities for a transition?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1864,'Q5-PM-05.1B','Do exit strategies for the purchase of services include definition of success criteria for the transition?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1865,'Q6-PM-05.1B','Do exit strategies for the purchase of services include definition of indicators for service performance monitoring, which should initiate the withdrawal from the service if the results are unacceptable?','- Documented exit strategies for the purchase of services','',1,91,794,1),
+(1866,'Q7-PM-05.2B','When the CSP relies for the provision of the cloud service on products or services from a supplier for which the CSP has identified a very high dependency (cf. PM- 05.1H), is the CSP guaranteed contractually by its supplier operational autonomy in the provision of the cloud service for a specified period of time?','- Documented exit strategies for the purchase of services','',1,91,794,1);
+
+ -- A15.IM
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(1881,'Q1-IM-01.1B','Are the all known security incidents documented?','- Documented security incidents
+- Guidelines for the classification, prioritization, and escalation of security incidents;
+- Description of interfaces for incident management and business continuity management.
+- Security incidents communicated (a sample)','',1,92,798,1),
+(1882,'Q2-IM-01.1B','Does the CSP document policies and procedures containing technical and organisational safeguards to ensure a response to all known security incidents?','- Documented policies and procedures about security incidents management','',1,92,798,1),
+(1883,'Q3-IM-01.1B','Does the documented technical and organisational safeguards ensure a fast, effective and proper response to all know security incidents?','- Technical and organisational safeguards assessment result','The issue is how to evaluate fast, effective and proper response?',1,92,798,1),
+(1884,'Q4-IM-01.1B','Are the previous policies and procedures aligned with the ISP-02 policy (Global Security Policy)and do they include:
+•	Guidelines for the classification, prioritization, and escalation of security incidents;
+•	Description of interfaces for incident management and business continuity management?','- Cross References between Global Security Policy and Security Incident management Policy','',1,92,798,1),
+(1885,'Q5-IM-01.1B','Are the previous policies and procedures implemented?','- Example of policy/procedures implementation randomly sampled','',1,92,798,1),
+(1886,'Q1-IM-01.2B','Has the CSP established a point of contact, for a coordinated resolution of security incidents?','- Contact point’s name','',1,92,799,1),
+
+(1908,'Q1-IM-02.1B','Does the CSP  classify and prioritize security events that could constitute a security incident?','- List of security events','',1,93,806,1),
+(1909,'Q2-IM-02.1B','For the events that could constitute a security incident, does the CSP perform root-cause analysis?','- Security Incidents database
+- Root-Cause Analysis result document
+- Root-cause analysis','',1,93,806,1),
+(1910,'Q3-IM-02.1B','In the root-analysis sessions are the subject matter experts involved?','- Root-Cause Analysis result document','',1,93,806,1),
+(1911,'Q4-IM-02.1B','In the root-analysis sessions are external security providers involved where appropriate?','- Root-Cause Analysis result document','',1,93,806,1),
+
+(1930,'Q1-IM-03.1B','Does the CSP document the implemented measures after a security incident has been processed and, in accordance with contractual agreements between CSC and CSP?','- Documented measures derived from the root-cause analysis','',1,94,815,1),
+(1931,'Q2-IM-03.1B','Is the information made available to the affected CSCs for final acknowledgment or, if applicable, as confirmation?','- Security Incident newsletter/document for the customers','',1,94,815,1),
+(1932,'Q1-IM-03.2B','Does the CSP make information on security incidents or confirmed security breaches available to all affected customers?','Information mechanism used
+ - WEB
+  - email
+  - Specific meetings minutes
+  - Etc.','',1,94,816,1),
+(1933,'Q2-IM-03.2B','Does the CSP send information of security incidents to all the documented affected customers?','- Security Incident Newsletter for each affected customers','',1,94,816,1),
+
+(1940,'Q1-IM-04.1B','Does the CSP inform employees of their contractual obligations to report all security events that become known to them and are directly related to the cloud service?','Information mechanism used
+  -Intranet/WEB
+    -email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,95,821,1),
+(1941,'Q2-IM-04.1B','Does the CSP inform external business partners of their contractual obligations to report all security events that become known to them and are directly related to the cloud service?','Information mechanism used
+  -Intranet/WEB
+    -email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,95,821,1),
+(1942,'Q1-IM-04.2B','Does the security incident management policy contain an explicit mention that the CSP not take any negative action against those who communicate false reports of events that do not subsequently turn out to be incidents?','- Security incident management policy','',1,95,822,1),
+(1943,'Q2-IM-04.2B','Is the previous policy communicated to employees?','Information mechanism used
+  -Intranet/WEB
+    -email
+    - Wallchart
+    - Specific meetings minutes
+    - Etc.','',1,95,822,1),
+(1944,'Q3-IM-04.2B','Is the previous policy communicated to external business partners?','Information mechanism used
+  -Intranet/WEB
+  -email
+  - Wallchart
+  - Specific meetings minutes
+    - Etc.','',1,95,822,1),
+(1945,'Q1-IM-04.3B','Has the CSP established a single point of contact to report security events?','Documented Role and Responsibilities related to the Security Incidents Manager/Collector','',1,95,823,1),
+(1946,'Q2-IM-04.3B','Is the single point of contact made public?','Information mechanism used
+  -Intranet/WEB
+  -email
+  - Wallchart
+  - Specific meetings minutes
+    - Etc.','',1,95,823,1),
+(1947,'Q3-IM-04.3B','Is the single point of contact operative?','- List of security incident received and managed by the single point of contact','',1,95,823,1),
+
+(1964,'Q1-IM-05.1B','Does the CSP periodically inform its CSCs on the status of the incidents affecting the CSC?','- Security Incident Newsletter / periodic communication to customers','periodically must be specified',1,96,830,1),
+(1965,'Q2-IM-05.1B','Where appropriate and necessary, does the CSP involve customers in the incidents resolution according to the contractual agreements?','- Requests of participations in incidents analysis
+- Contractual Agreements','',1,96,830,1),
+(1966,'Q1-IM-05.2B','As soon as an incident has been closed, does the CSP inform the customers about the actions taken, according to the contractual agreements?','- Security Incident Newsletter
+- Contractual Agreements','',1,96,831,1),
+
+(1974,'Q1-IM-06.1B','Does the CSP perform a security incidents analysis to identify recurrent and/or significant incidents?','- Security Incident Data Base with the classification of recurrent and significant incidents','',1,97,837,1),
+(1975,'Q2-IM-06.1B','In case of recurrent or significant incidents detected, does the CSP identify need for further protection?','- Documented further protection associated to recurrent and significant incidents','',1,97,837,1),
+(1976,'Q3-IM-06.1B','Does the CSP involve external bodies if necessary?','- Contracts with external bodies','',1,97,837,1),
+(1977,'Q1-IM-06.2B','If the CSP determines the need for external assistance, is selected a competent and trustworthy incident response service provider or one that is recommended by its NCCA?','- Qualifications of the contracted external bodies','',1,97,838,1),
+
+(1996,'Q1-IM-07.1B','Does the CSP document a procedure to archive all documents and evidence that provide details on security incidents?','- Documented procedure to archive security incidents','',1,98,847,1),
+(1997,'Q2-IM-07.1B','Is the previous documented procedure implemented?','- Example of security incidents documentation randomly selected','',1,98,847,1),
+(1998,'Q1-IM-07.2B','Does the CSP implement security mechanisms and processes for protecting all the information related to security incidents?','- Example of security mechanisms and processes for protecting all the information related to security incidents randomly sampled','',1,98,848,1),
+(1999,'Q2-IM-07.2B','Are the implemented security mechanism and processes in accordance with criticality levels and legal requirements in effect','- Audit records','',1,98,848,1);
+
+ -- A16.BC
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(2014,'Q1-BC-01.1B','Has the CSP defined policies and procedures to ensure business continuity and contingency according to ISP-02?','- Documented policies and procedures related to business continuity and contingency','',1,99,856,1),
+(2015,'Q2-BC-01.1B','Does the defined policies and procedures establish the strategy and guidelines to ensure business continuity and contingency?','- Documented policies and procedures related to business continuity and contingency (encompass  the strategy and guidelines to ensure business continuity and contingency)','',1,99,856,1),
+
+(2022,'Q1-BC-02.1B','Does the CSP document all the possible malfunction to the cloud service or enterprise?','- Documented list of all the possible malfunction to the cloud service or enterprise','',1,100,861,1),
+(2023,'Q2-BC-02.1B','Does the business continuity and contingency management policies and procedure contain the need to perform a business impact analysis related to all the documented malfunctions?','- Business continuity and contingency management policies and procedures (encompass the need to perform a business impact analysis related to all the documented malfunctions)','',1,100,861,1),
+
+(2054,'Q1-BC-03.1B','Does the CSP document a business continuity plan?','- Business Continuity Plan','',1,101,866,1),
+(2055,'Q2-BC-03.1B','Does the CSP document a contingency plan to ensure continuity of the services?','- Contingency Plan','',1,101,866,1),
+(2056,'Q3-BC-03.1B','Does the documented business continuity plan take into account information security constraints and the results of the business impact analysis?','- Business Continuity Plan (encompasses information security constraints and the results of the business impact analysis)
+- Business Continuity Plan review','',1,101,866,1),
+(2057,'Q4-BC-03.1B','Does the documented contingency plan take into account information security constraints and the results of the business impact analysis?','- Contingency Plan (encompasses  information security constraints and the results of the business impact analysis)
+- Contingency Plan Review','',1,101,866,1),
+(2058,'Q5-BC-03.1B','Does the CSP implement the business continuity plan?','- According with the business continuity plan requirements, execution evidences randomly selected','',1,101,866,1),
+(2059,'Q6-BC-03.1B','Does the CSP implement the contingency plan?','- According with the contingency plan requirements, execution evidences randomly selected','',1,101,866,1);
+
+ -- A17.CO
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(2119,'Q1-CO-01.1B','Does the CSP document the legal requirements relevant to the information security of the cloud service?','- Documented list of requirements (encompasses  the legal requirements relevant to the information security of the cloud service)
+- Documented review of the list of requirements','',1,103,878,1),
+(2120,'Q2-CO-01.1B','Does the CSP document the regulatory requirements relevant to the information security of the cloud service?','- Documented list of requirements (the regulatory requirements relevant to the information security of the cloud service)
+- Documented review of the list of requirements','',1,103,878,1),
+(2121,'Q3-CO-01.1B','Does the CSP document the self-imposed requirements relevant to the information security of the cloud service?','- Documented list of requirements (encompasses  the self-imposed requirements relevant to the information security of the cloud service)
+- Documented review of the list of requirements','',1,103,878,1),
+(2122,'Q4-CO-01.1B','Does the CSP shall document the contractual requirements relevant to the information security of the cloud service?','- Documented list of requirements (encompasses  the contractual requirements relevant to the information security of the cloud service)
+- Documented review of the list of requirements','',1,103,878,1),
+
+(2138,'Q1-CO-02.1B','Does the CSP define policies and procedures for planning and conducting audits?','- Audit  policy document
+- Audit planning and conducting procedures','',1,104,885,1),
+(2139,'Q2-CO-02.1B','Does the CSP implement policies and procedures for planning and conducting audits?','- Audit plan
+- Audit report
+- Documented list of nonconformities','',1,104,885,1),
+
+(2161,'Q1-CO-03.1B','Does the CSP  perform audits  to check the compliance of their internal security control system to the requirements defined?','- Audit plan
+- Audit report
+- Documented list of nonconformities','',1,105,891,1),
+(2162,'Q2-CO-03.1B','Are the internal audits performed by subject matter experts?','- Internal auditor´s training records','',1,105,891,1),
+(2163,'Q3-CO-03.1B','Are the internal audits performed at least annually?','- Documented audit plan','',1,105,891,1),
+(2164,'Q4-CO-03.1B','Does the internal audit check the compliance to the requirements defined in CO1 and to the requirements of the EUCS scheme at the targeted evaluation level?','- Internal audit reports and/or checklist aligned with EUCS scheme at the targeted evaluation level','',1,105,891,1),
+(2165,'Q1-CO-03.2B','Does the CSP document specifically deviations that are nonconformities from the EUCS requirements?','- Audit report
+- Documented list of deviations that are nonconformities from the EUCS requirements','',1,105,892,1),
+(2166,'Q2-CO-03.2B','Do the documented deviations include an assessment of their severity?','- Documented list of deviations including an assessment of their severity','',1,105,892,1),
+(2167,'Q3-CO-03.2B','Does the CSP keep track of their remediation?','- Monitoring report of the  non-conformities from the EUCS requirements remediation','',1,105,892,1),
+
+(2192,'Q1-CO-04.1B','Does the CSP  regular inform its top management about the information security performance within the scope of the internal control system?',' - Information security performance report to top management
+- email
+- Other specific document','',1,106,903,1);
+
+ -- A18.DOC 
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(2197,'Q1-DOC-01.1B','Does the CSP make publicly available guidelines and recommendations to assist the Cloud Service Users?','- Guidelines
+- Distribution mechanism:
+- Information management system
+- Intranet/WEB
+- Etc.','',1,107,908,1),
+(2198,'Q1-DOC-01.2B','Does the CSP maintain guidelines and recommendations applicable to the cloud service in the version intended for productive use?','- Guidelines and recommendations version control and change history','',1,107,909,1),
+
+(2221,'Q1-DOC-02.1B','Does the CSP provide comprehensible and transparent information on Its jurisdiction?','-Contractual agreement: it indicates the location and the jurisdiction, explicitly
+-Web
+- Service catalogue
+- e-mail','How do we evaluate if the information is comprehensible and transparent?',1,108,917,1),
+(2222,'Q2-DOC-02.1B','Does the CSP provide comprehensible and transparent information on system component locations?','-Web
+- Service catalogue
+- e-mail
+-Contractual agreement: it indicates the location and the jurisdiction, explicitly','',1,108,917,1),
+(2223,'Q3-DOC-02.1B','Does the CSP provide comprehensible and transparent information on its subcontractors?','-Web
+- Service catalogue
+- e-mail
+-Contractual agreement: it indicates the location and the jurisdiction, explicitly','',1,108,917,1),
+(2224,'Q4-DOC-02.1B','Does the CSP  provide comprehensible and transparent information on where the cloud customer’s data is processed, stored and backed up?','-Web
+- Service catalogue
+- e-mail
+-Contractual agreement: it indicates the location and the jurisdiction, explicitly','',1,108,917,1),
+(2225,'Q5-DOC-02.1B','Does the CSP  provide comprehensible and transparent information about the on where the cloud customer’s data is processed, stored and backed up?','- Service Catalogue
+- Other internal Documentation
+- Contractual agreement: it shall indicate where the data is processed, stored and backed up','This is sensible info so it can’t be public, right?',1,108,917,1),
+(2226,'Q1-DOC-02.2B','Does the CSP  provide sufficient information for subject matter experts of the CSC to determine and to assess the suitability of the cloud service’s jurisdiction and locations from a legal and regulatory perspective?','-Contractual agreement','How do we evaluate if the information is sufficient?',1,108,918,1),
+
+(2245,'Q1-DOC-03.1B','Does the CSP  provide a justification for the evaluation level targeted for certification, based on the risks associated to the cloud service’s targeted customers and use cases?','. Documented justification for the evaluation level targeted for certification','',1,109,923,1),
+(2246,'Q1-DOC-03.2B','If the CSP claims compliance to extension profiles for its cloud service, dos the justification cover these extension profiles?','- Public repository with the summary of the justification','',1,109,924,1),
+(2247,'Q1-DOC-03.3B','Is there a summary of the justification  made publicly available as part of the certification package?','- Public repository with the summary of the justification','',1,109,925,1),
+
+(2256,'Q1-DOC-04.1B','If a CSP wants to allow CSCs to certify with EUCS their own services based on the CSP’s cloud service using composition, does the CSP   develop specific documentation and make it available to CSCs upon request, based on the  complementary  user entity  controls (CUECs) that they have defined?','- Documented specific documentation','',1,110,932,1),
+(2257,'Q2-DOC-04.1B','Does the CSP make documentation available to CSCs upon request?','- Requests for specific documentation by the CSC
+- Records showing that the documentation has been sent to the CSC.','',1,110,932,1),
+(2258,'Q1-DOC-04.2B','Does the CSP include in the description provided for each CUEC a list of actionable requirements for the CSC?','- Documented list of actionable requirements','',1,110,933,1),
+(2259,'Q2-DOC-04.2B','- Each CCC is associated with an EUCS requirement.','- Traceability between each CCC to an EUCS requirement','',1,110,933,1),
+
+(2270,'Q1-DOC-05.1B','If a CSP wants to allow CSCs to certify with EUCS their own services based on the CSP’s cloud service using composition, it documents for each EUCS requirement how its cloud service will contribute (if any) to the fulfilment of the requirement by the cloud service developed by the CSC using the CSP as subservice provider.','- Documentation for each EUCS requirement on how its cloud service (if any) will contribute to the fulfilment of the requirement through the cloud service developed by the CSC using the CSP as a subservice organization.','',1,111,940,1),
+(2271,'Q1-DOC-05.2B','Does the CSP make this documentation available to CSCs upon request?','- CSS documentation request
+- Record of submission of the required documentation
+- e-mail
+- other','',1,111,941,1);
+
+ -- A19.INQ
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(2278,'Q1-INQ-01.1B','Does the CSP execute a legal assessment of every investigation request received from government agencies?','- Legal assessment results','',1,112,948,1),
+(2279,'Q2-INQ-01.1B','Is the assessor an expert of the subject matter?','- Assessor documented qualifications','It would be necessary to limit when a person considers himself an expert in the subject matter',1,112,948,1),
+(2280,'Q1-INQ-01.2B','Does the government agency that sent the request have an applicable and legally valid basis?','- Foundations of the government agency','',1,112,949,1),
+(2281,'Q2-INQ-01.2B','Does the legal assessment results contain the further steps need to be taken in response of the investigation request received?','- Legal assessment results (contain the further steps need to be taken in response of the investigation request received)','',1,112,949,1),
+
+(2290,'Q1-INQ-02.1B','Does the CSP inform without undue delay the affected CSC(s) about the received investigation  requests?','- Documented notice sent to every CSC affected by the investigation request. This document must include the delivery date','It would be necessary to limit when the delay in the notice is acceptable or not-acceptable',1,113,954,1),
+(2291,'Q2-INQ-02.1B','In case CSP did not inform the affected CSC(s) was because the applicable legal basis on which the government agency is based prohibits this or because there are clear indications of illegal actions in connection with the use of the cloud service?','- Investigation Request + Legal Assessment Results','',1,113,954,1),
+
+(2296,'Q1-INQ-03.1B','Has the CSP provided access to or disclose CSC data to government  agency only after the legal assessment has shown that an applicable and valid legal basis exists?','- Record of the data in which CSP has provided access to customer data to the government  agency
++
+Assessment Results','',1,114,957,1),
+(2297,'Q1-INQ-03.2B','Does the CSP document procedures to ensure that government agencies only have access to the data they need to investigate?','- Documented procedure that describe the mechanism to provide access to customer data to government agency by limiting the scope to only that data they need to investigate according to the investigation request','',1,114,958,1),
+(2298,'Q2-INQ-03.2B','Does the CSP implement the documented procedures to  ensure that government agencies only have access to the data they need to investigate?','- Examples of Investigation Requests+Data needed for the investigation+evidences that the access has been authorized ONLY to that data','',1,114,958,1);
+
+ -- A20.PSS
+INSERT INTO cocbackend.question (id, code, question, default_evidence, default_comment, assurance_level_id, control_id, tom_id, framework_id) VALUES
+(2308,'Q1-PSS-01.1B','Does the CSP offer to their CSCs error handling mechanisms?','- Error handling mechanism instantiated to every customer','a reference to online repositories listing publicly disclosed vulnerabilities related to the ICT product, ICT service or ICT process and to any relevant cybersecurity advisories.',1,115,966,1),
+(2309,'Q2-PSS-01.1B','Does error handling mechanisms allow customers to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides?','- Operation manual of the error handling mechanism','',1,115,966,1),
+(2310,'Q3-PSS-01.1B','Does the CSP offer to their CSCs logging mechanisms?','- Logging mechanism instantiated to every customer','',1,115,966,1),
+(2311,'Q4-PSS-01.1B','Does logging mechanisms allow customers to obtain security-related information about the security status of the cloud service as well as the data, services or functions it provides?','- Operation manual of the logging mechanism','',1,115,966,1),
+
+(2333,'Q1-PSS-02.1B','Is a state-of-the-art session management system used? Is it protected against known attacks?','´- Session management system description (functional)','How do you assess that a session management system is suitable?
+Define state-of-the-art
+',1,116,976,1),
+
+(2340,'Q1-PSS-03.1B','Does the CSP document procedures to ensure the confidentiality of CSC data when offering functions for software-defined networking (SDN).?','- Documented procedures','When is a procedure appropriate?
+How do you define the suitability of a process for this?',1,117,983,1),
+(2341,'Q2-PSS-03.1B','Does the CSP implement the procedures to ensure the confidentiality of CSC data when offering functions for software-defined networking (SDN).?','- Audit records','',1,117,983,1),
+(2342,'Q1-PSS-03.2B','Does the CSP validate the functionality of the SDN functions before providing new SDN features to CSCs?','- Validation Report','',1,117,984,1),
+
+(2351,'Q1-PSS-04.1B','When the CSC operates virtual machine, does the CSP ensure that the CSC can restrict the selection of images of virtual machines according to his specifications?','- Authorization authentication procedures to access containers and the registry where they are stored','',1,118,991,1),
+(2352,'Q2-PSS-04.1B','When the CSC operates container, does the CSP ensure that the CSC can restrict the selection of images of containers according to his specifications?','- Authorization authentication procedures to access containers and the registry where they are stored','',1,118,991,1),
+(2353,'Q3-PSS-04.1B','Are the mages made available by the CSP to the CSC labelled with information about their origin (CSP or third-party)?','- Images origin information','',1,118,991,1),
+(2354,'Q4-PSS-04.1B','Are the images provided by the CSP hardened according to generally accepted industry standards?','- Use of generally accepted industry standards for securing images (e.g. CIS Hardened images, DISA STIG, NIST SP 800-190, …)','generally accepted industry standards????',1,118,991,1);
+/*!40000 ALTER TABLE `question` ENABLE KEYS */;
+
+SET FOREIGN_KEY_CHECKS=1;
+COMMIT;   
\ No newline at end of file
diff --git a/git/cocMysql/startupscripts/07_initialDataCocGateway.sql b/git/cocMysql/startupscripts/07_initialDataCocGateway.sql
new file mode 100644
index 0000000000000000000000000000000000000000..bb67709e3663d7422b4158f40b7e744ee18f31be
--- /dev/null
+++ b/git/cocMysql/startupscripts/07_initialDataCocGateway.sql
@@ -0,0 +1,56 @@
+--
+-- Database: `cocgateway`
+--
+USE `cocgateway`;
+SET FOREIGN_KEY_CHECKS=0;
+
+-- -----------------------------------
+-- Table: `jhi_authority`
+-- -----------------------------------
+/*!40000 ALTER TABLE `jhi_authority` DISABLE KEYS */;
+INSERT INTO cocgateway.jhi_authority (name) VALUES 
+	('ROLE_ADMIN'), 
+	('ROLE_USER'),
+	('SecurityGovernance'),
+	('SecurityAnalyst'),
+	('DomainGovernance'),
+	('ProductOwner'),
+	('ProductSecurityEng'),
+	('CISO'),
+	('Customer'),
+	('Auditor');
+/*!40000 ALTER TABLE `jhi_authority` ENABLE KEYS */;
+
+-- -----------------------------------
+-- Table: `jhi_user`
+-- -----------------------------------
+/*!40000 ALTER TABLE `jhi_user` DISABLE KEYS */;
+INSERT INTO cocgateway.jhi_user (id,login,first_name,last_name,email,company,image_url,activated,lang_key,created_by,created_date,last_modified_by,last_modified_date) VALUES
+	 ('4c973896-5761-41fc-8217-07c5d13a004b','admin','Admin','Administrator','admin@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('33fd7b03-130f-4045-8b14-6cf1e6aa0265','UC1_SecGov','UC1_SecGov','UC1_SecGov','uc1_secgov@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('ffca6c60-9312-4059-806d-c2a4bb25887d','UC1_SecAnalyst','UC1_SecAnalyst','UC1_SecAnalyst','uc1_secanalyst@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('a0287bf6-f933-4b90-9199-32b004559262','UC1_DomGov','UC1_DomGov','UC1_DomGov','uc1_domgov@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('d8a504f8-d80f-4c87-b6e2-5833613e4047','UC1_ProdOwn','UC1_ProdOwn','UC1_ProdOwn','uc1_prodown@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('c3aa057c-6704-4ea9-9cc6-5d26619781ef','UC1_ProdSec','UC1_ProdSec','UC1_ProdSec','uc1_prodsec@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('e0540e54-da32-4717-a14e-d6aa0517cc18','UC1_CISO','UC1_CISO','UC1_CISO','uc1_ciso@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37'),
+	 ('85a47682-55a7-46d6-b670-d7f016857cad','UC1_Auditor','UC1_Auditor','UC1_Auditor','uc1_auditor@localhost','Tecnalia R&I',NULL,1,'en','admin','2021-10-08 13:30:37','admin','2021-10-08 13:30:37');
+/*!40000 ALTER TABLE `jhi_user` ENABLE KEYS */;
+
+-- -----------------------------------
+-- Table: `jhi_user_authority`
+-- -----------------------------------
+/*!40000 ALTER TABLE `jhi_user_authority` DISABLE KEYS */;
+INSERT INTO cocgateway.jhi_user_authority (user_id,authority_name) VALUES
+	 ('4c973896-5761-41fc-8217-07c5d13a004b','ROLE_ADMIN'),
+	 ('4c973896-5761-41fc-8217-07c5d13a004b','ROLE_USER'),
+	 ('33fd7b03-130f-4045-8b14-6cf1e6aa0265','SecurityGovernance'),
+	 ('ffca6c60-9312-4059-806d-c2a4bb25887d','SecurityAnalyst'),
+	 ('a0287bf6-f933-4b90-9199-32b004559262','DomainGovernance'),
+	 ('d8a504f8-d80f-4c87-b6e2-5833613e4047','ProductOwner'),
+	 ('c3aa057c-6704-4ea9-9cc6-5d26619781ef','ProductSecurityEng'),
+	 ('e0540e54-da32-4717-a14e-d6aa0517cc18','CISO'),
+	 ('85a47682-55a7-46d6-b670-d7f016857cad','Auditor');
+/*!40000 ALTER TABLE `jhi_user_authority` ENABLE KEYS */;
+	 
+SET FOREIGN_KEY_CHECKS=1;
+COMMIT;
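Review bot: The `jhi_user` insert seeds eight accounts with `activated` set to 1, including `admin` mapped to `ROLE_ADMIN` and `ROLE_USER`, and nothing in the script restricts it to a development or pilot database. If every file under `startupscripts` runs on each fresh database initialisation (likely, but not visible here), the UC1_* use-case identities and the fixed admin UUID are created in production as well. Moving the UC1_* rows into a separate demo-data script that only the local environment loads would avoid that. Separately, `SET FOREIGN_KEY_CHECKS=0` looks unnecessary because `jhi_authority` and `jhi_user` are filled before `jhi_user_authority`. With checks left on, a mistyped authority name or user id would fail the load instead of leaving an orphan role mapping.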
diff --git a/git/cocMysql/startupscripts/06_end.sh b/git/cocMysql/startupscripts/08_end.sh
old mode 100755
new mode 100644
similarity index 100%
rename from git/cocMysql/startupscripts/06_end.sh
rename to git/cocMysql/startupscripts/08_end.sh
diff --git a/git/cocRegistry/Dockerfile b/git/cocRegistry/Dockerfile
index cf46ff68722b5a320b9692301599fc1999f374e3..ff8268a1131d09cea4c39779ea049a84359329f8 100755
--- a/git/cocRegistry/Dockerfile
+++ b/git/cocRegistry/Dockerfile
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 FROM maven:3.8.1-jdk-11 as builder
 WORKDIR /code
 
@@ -6,15 +5,15 @@ COPY pom.xml /code/pom.xml
 # this does not seem to work as expected RUN mvn -Pprod,dev,api-docs dependency:resolve-plugins dependency:go-offline -B
 # https://github.com/qaware/go-offline-maven-plugin proposes an alternative that seems to work better, but not perfectly as there are two dependencies taht I need to download manually
 RUN \
-    mvn -DgroupId=org.glassfish.jaxb -DartifactId=jaxb-runtime -Dversion=2.3.3 dependency:get && \
+    mvn -DgroupId=org.glassfish.jaxb -DartifactId=jaxb-runtime -Dversion=2.3.3 dependency:get && \ 
     mvn -DgroupId=org.jboss.logging -DartifactId=jboss-logging -Dversion=3.4.1.Final dependency:get && \
-    mvn -Pprod de.qaware.maven:go-offline-maven-plugin:resolve-dependencies -B
+    mvn -Pprod de.qaware.maven:go-offline-maven-plugin:resolve-dependencies -B 
 
 COPY package.json /code/package.json
 COPY package-lock.json /code/package-lock.json
 
 RUN \
-    mvn -o -DnodeVersion=v14.17.1 -DnpmVersion=7.18.1 -Pprod com.github.eirslett:frontend-maven-plugin:install-node-and-npm  com.github.eirslett:frontend-maven-plugin:npm -Dmaven.test.skip=true
+    mvn -o -DnodeVersion=v14.17.1 -DnpmVersion=7.18.1 -Pprod com.github.eirslett:frontend-maven-plugin:install-node-and-npm  com.github.eirslett:frontend-maven-plugin:npm -Dmaven.test.skip=true  
 
 COPY sonar-project.properties /code/sonar-project.properties
 COPY webpack /code/webpack
@@ -44,8 +43,8 @@ ARG EXTRA_CA_URL
 RUN /bin/bash -c "[ -z $EXTRA_CA_URL ] || ( curl $EXTRA_CA_URL --output /ca.pem && keytool -import -noprompt -trustcacerts -alias ca -file /ca.pem -cacerts -storepass changeit )"
 # to check if ca is installed keytool -list -cacerts -alias ca --storepass changeit
 
-COPY --from=builder /registry.jar .
+COPY --from=builder /registry.jar .    
 CMD echo "The jhipster registry will start in ${JHIPSTER_SLEEP}s..." && \
     sleep $JHIPSTER_SLEEP && \
     java $JAVA_OPTS -Dspring.profiles.active=$RUN_PROFILE -jar /registry.jar
-
+ 
\ No newline at end of file
diff --git a/git/cocRegistry/src/main/java/io/github/jhipster/registry/JHipsterRegistryApp.java b/git/cocRegistry/src/main/java/io/github/jhipster/registry/JHipsterRegistryApp.java
index bbbf3cc95fd5c3592bc304926fc2ba42adef952b..5489e5dac92fe363fa9e1a435dee67ce1993b38e 100755
--- a/git/cocRegistry/src/main/java/io/github/jhipster/registry/JHipsterRegistryApp.java
+++ b/git/cocRegistry/src/main/java/io/github/jhipster/registry/JHipsterRegistryApp.java
@@ -1,4 +1,3 @@
-# SPDX-License-Identifier: Apache-2.0
 package io.github.jhipster.registry;
 
 import io.github.jhipster.registry.config.ApplicationProperties;
diff --git a/git/keycloak/.env b/git/keycloak/.env
index 774c7d1248a95980be2806448c5987d62814a76a..503899f0fbc2932174bbba749afca055971bb874 100755
--- a/git/keycloak/.env
+++ b/git/keycloak/.env
@@ -1,6 +1,7 @@
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
 ADMIN_USER=admin
 ADMIN_PASSWORD=keycloakPassword
-HTTPS_PORT=443
 SERVER_HOST=euve.digital.tecnalia.dev
 KEYCLOAK_VERSION=
 COMPOSE_PROJECT_NAME=keycloak-production
diff --git a/git/keycloak/.env.gen b/git/keycloak/.env.gen
index 1f4572bed6a2993ddf1ca46e1e10a99a3582a686..3a53c2f1377c38a2a5d310cd0d7e545e7e7ba028 100755
--- a/git/keycloak/.env.gen
+++ b/git/keycloak/.env.gen
@@ -2,25 +2,48 @@
 # Focus default variables as production, to allow direct download and run in production
 # Required external variables that must be defined externally are those that have no value
 
+#### Environments managed
+# this is the default environment if needed uncomment and adjust
+# some conventions on environment prefixes
+# - _ENV_LOCAL_ .env.local purpouse is to cache build and start the setup locally using cache images exposing dev ports (i.e 3306, 5432, 8086, ...) for debug and development purposes. It is the default behaviour (_ENV_LOCAL_:build-cache:.env.local)
+# - _ENV_CACHE_ .env.cache purpouse is to generate images tagged for build cache from that use BUILDKIT_INLINE_CACHE 1 (_ENV_CACHE_:build-cache:.env.cache)
+# - _ENV_RELEASE_ .env.release purpouse is to generate images (that do not use BUILDKIT_INLINE_CACHE 1) tagged for the clients/pilots usage (_ENV_RELEASE_:build-release:.env.release)
+# - _ENV_DEPLOY_ .env purpose is to generate non building docker-compose that uses the release to deploy on generic client (_ENV_DEPLOY_:release:.env)
+# - _ENV_TEST_ .env.test the purpouse is to test from the cache images the correct behaviour without exposing ports (_ENV_TEST_:build-cache:.env.test)
+# types of building
+# - build-cache: it focuses in the generation of images with BUILDKIT_INLINE_CACHE 1 for its usage in the cache-from for subsequent build, for each compose-file in compose-file build it finds build/cache the same name to add it to the build, it will use cache from.
+# - build-release: it focuses in the generation of images for distribution it avoid using BUILDKIT_INLINE_CACHE 1 to reduce the size, it will use cache from.
+# - cache: it runs using cache images
+# - release: it runs using release images
+# default enviroment 
+# _ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local
+# to add more enviroments use split with ";"
+_ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local;_ENV_RELEASE_:build-release:.env.release;_ENV_DEPLOY_:release:.env
+
 #### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
 
 #### Common Build related ####
 # DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
+# DOCKER_BUILDKIT=1
+# COMPOSE_DOCKER_CLI_BUILD=1
+
+### Common Traefik related ###
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+# TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 
 #### Common Production related ####
 ADMIN_USER=admin
 ADMIN_PASSWORD=keycloakPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+# HTTPS_PORT must be 443 if you use step-ca
+# HTTPS_PORT=443
+# server host is configured during the sync based on _ENV_LOCAL_ and _ENV_DEPLOY, _ENV_LOCAL_ will be used for test and release unless _ENV_RELEASE_ or _ENV_TEST_ specified
+SERVER_HOST=euve.digital.tecnalia.dev
 
 #### Platform Specific ####
-TZ=Madrid
+# TZ=Madrid
 KEYCLOAK_VERSION=
 
 #### Common docker-compose related ####
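Review bot: The comment added above `SERVER_HOST` says the host is set during the sync from `_ENV_LOCAL_` and `_ENV_DEPLOY`, but this hunk removes `_ENV_DEPLOY_SERVER_HOST` and hard-codes `SERVER_HOST=euve.digital.tecnalia.dev`, so the comment no longer describes how the deploy value is chosen. I would reword it along the lines of `# SERVER_HOST is the default (deploy) host; _ENV_LOCAL_SERVER_HOST overrides it for the local environment`. The environment list also documents `_ENV_CACHE_` and `_ENV_TEST_`, while `_ENVIRONMENTS` lists neither and `.env.test` is deleted in this commit. A short remark that those two are optional and currently not generated would keep the documentation consistent with the value.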
@@ -34,11 +57,12 @@ COMPOSE_PROJECT_NAME=keycloak-production
 # COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
 
 COMPOSE_FILE_BASE=docker-compose.yaml
+COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
 
 COMPOSE_FILE= 
 # COMPOSE_FILE Is generated automatically
 
-COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
-
 KEYCLOAK_CONFIG_PATH=
 KEYCLOAK_BASE_PATH=
+
+_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
diff --git a/git/keycloak/.env.local b/git/keycloak/.env.local
index bc8931c3f5300746596e5c93a4bd642cc9d68b05..048c0cbdbdd539a33d9942306cad7ca0a8c1c9f9 100755
--- a/git/keycloak/.env.local
+++ b/git/keycloak/.env.local
@@ -1,38 +1,12 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
 ADMIN_USER=admin
 ADMIN_PASSWORD=keycloakPassword
-HTTPS_PORT=443
-# SERVER_HOST=
 SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
 KEYCLOAK_VERSION=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
 COMPOSE_PROJECT_NAME=keycloak-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-
-# COMPOSE_FILE Is generated automatically
-
-
 KEYCLOAK_CONFIG_PATH=
 KEYCLOAK_BASE_PATH=
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:build/cache/docker-compose.yaml:build/image/docker-compose.yaml
+COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:build/inline-cache/docker-compose.yaml:build/image/docker-compose.yaml
diff --git a/git/keycloak/.env.release b/git/keycloak/.env.release
new file mode 100644
index 0000000000000000000000000000000000000000..2f3c4c122fafa9a6fa7c6c8307ab7a900a225903
--- /dev/null
+++ b/git/keycloak/.env.release
@@ -0,0 +1,12 @@
+DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
+DOCKER_REGISTRY_CACHE_VERSION=latest
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+ADMIN_USER=admin
+ADMIN_PASSWORD=keycloakPassword
+SERVER_HOST=euve.digital.tecnalia.dev
+KEYCLOAK_VERSION=
+COMPOSE_PROJECT_NAME=keycloak-production
+KEYCLOAK_CONFIG_PATH=
+KEYCLOAK_BASE_PATH=
+COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:release/docker-compose.yaml
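Review bot: `ADMIN_PASSWORD=keycloakPassword` is committed in this new release environment file next to `SERVER_HOST=euve.digital.tecnalia.dev`, so the Keycloak admin credential for what appears to be a real deployment host sits in version control. The header of `.env.gen` already states that variables which must be defined externally are the ones left without a value, so the line here should be `ADMIN_PASSWORD=`, with the value supplied at deploy time from the deployer's environment or a secret store. The literal already in history should be treated as exposed and rotated on any instance that used it. The same value appears in the context lines of `.env`, `.env.gen` and `.env.local` in this diff.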
diff --git a/git/keycloak/.env.test b/git/keycloak/.env.test
deleted file mode 100755
index 685830d9e194a898c9214f40f13b5fb66dc8cbcc..0000000000000000000000000000000000000000
--- a/git/keycloak/.env.test
+++ /dev/null
@@ -1,39 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=keycloakPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-KEYCLOAK_VERSION=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=keycloak-production-test
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-COMPOSE_FILE_BASE=docker-compose.yaml
-
-# COMPOSE_FILE Is generated automatically
-
-
-KEYCLOAK_CONFIG_PATH=
-KEYCLOAK_BASE_PATH=
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:build/cache/docker-compose.yaml:release/docker-compose.yaml
diff --git a/git/keycloak/build/cache/docker-compose.yaml b/git/keycloak/build/cache/docker-compose.yaml
deleted file mode 100755
index 6f9ed35caa09c6813a70fae7577886a2699e94d4..0000000000000000000000000000000000000000
--- a/git/keycloak/build/cache/docker-compose.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-services:
-  keycloak-setup:
-    build:
-      cache_from:
-        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/keycloak-setup:${DOCKER_REGISTRY_CACHE_VERSION:?err}
-      args:
-        BUILDKIT_INLINE_CACHE: 1 # For multistage docker
diff --git a/git/keycloak/build/docker-compose.yaml b/git/keycloak/build/docker-compose.yaml
index 5dbbfe02bd352bc704db845e4e0a2dcf38fe6dd2..a3abbce322406973fbf247eec87771270967dddb 100755
--- a/git/keycloak/build/docker-compose.yaml
+++ b/git/keycloak/build/docker-compose.yaml
@@ -3,3 +3,5 @@ services:
     build:
       context: ${KEYCLOAK_BASE_PATH}git/keycloak-setup
       dockerfile: Dockerfile
+      cache_from:
+        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/keycloak-setup:${DOCKER_REGISTRY_CACHE_VERSION:?err}
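Review bot: The added `cache_from` entry guards only the tag with `:?err`, so an unset `DOCKER_REGISTRY_CACHE_PREFIX` silently resolves to `/euve/keycloak-setup:<version>`; I would write `- ${DOCKER_REGISTRY_CACHE_PREFIX:?err}/euve/keycloak-setup:${DOCKER_REGISTRY_CACHE_VERSION:?err}`. Because the entry now lives in the base build file, which `.env.release` also lists in `COMPOSE_FILE`, release builds reuse layers from the cache registry too, and the env files in this diff set the version to `latest`. A mutable tag as the cache source for release images makes write access to that registry part of the release trust boundary, which deserves a comment here or a pinned tag for release builds. The `keycloak-setup` service definition starts above the hunk.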
diff --git a/git/keycloak/build/inline-cache/docker-compose.yaml b/git/keycloak/build/inline-cache/docker-compose.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6dee83a4bc7319e872bbf63614f0dd3b5f90b8d1
--- /dev/null
+++ b/git/keycloak/build/inline-cache/docker-compose.yaml
@@ -0,0 +1,5 @@
+services:
+  keycloak-setup:
+    build:
+      args:
+        BUILDKIT_INLINE_CACHE: 1 # For multistage docker
diff --git a/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/realm.json b/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/realm.json
index 498842400ab275d6f856313b23c84e6fee6d8942..bf0354ec9d06f6e93840ea3a1a0aafe7bc5e8cd0 100755
--- a/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/realm.json
+++ b/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/realm.json
@@ -1,2220 +1,1730 @@
 {
-    "id": "jhipster",
-    "realm": "jhipster",
-    "notBefore": 0,
-    "revokeRefreshToken": false,
-    "refreshTokenMaxReuse": 0,
-    "accessTokenLifespan": 300,
-    "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 1800,
-    "ssoSessionMaxLifespan": 36000,
-    "ssoSessionIdleTimeoutRememberMe": 0,
-    "ssoSessionMaxLifespanRememberMe": 0,
-    "offlineSessionIdleTimeout": 2592000,
-    "offlineSessionMaxLifespanEnabled": false,
-    "offlineSessionMaxLifespan": 5184000,
-    "clientSessionIdleTimeout": 0,
-    "clientSessionMaxLifespan": 0,
-    "clientOfflineSessionIdleTimeout": 0,
-    "clientOfflineSessionMaxLifespan": 0,
-    "accessCodeLifespan": 60,
-    "accessCodeLifespanUserAction": 300,
-    "accessCodeLifespanLogin": 1800,
-    "actionTokenGeneratedByAdminLifespan": 43200,
-    "actionTokenGeneratedByUserLifespan": 300,
-    "enabled": true,
-    "sslRequired": "external",
-    "registrationAllowed": false,
-    "registrationEmailAsUsername": false,
-    "rememberMe": false,
-    "verifyEmail": false,
-    "loginWithEmailAllowed": true,
-    "duplicateEmailsAllowed": false,
-    "resetPasswordAllowed": false,
-    "editUsernameAllowed": false,
-    "bruteForceProtected": false,
-    "permanentLockout": false,
-    "maxFailureWaitSeconds": 900,
-    "minimumQuickLoginWaitSeconds": 60,
-    "waitIncrementSeconds": 60,
-    "quickLoginCheckMilliSeconds": 1000,
-    "maxDeltaTimeSeconds": 43200,
-    "failureFactor": 30,
-    "roles": {
-      "realm": [
-        {
-          "id": "8e986fb5-dafb-43bf-a7c2-7e57572d3d80",
-          "name": "ROLE_ADMIN",
-          "description": "Jhipster administrator role",
-          "composite": false,
-          "clientRole": false,
-          "containerId": "jhipster",
-          "attributes": {}
-        },
-        {
-          "id": "e1b19afd-f612-4a79-bdf8-26a99b89b10b",
-          "name": "offline_access",
-          "description": "${role_offline-access}",
-          "composite": false,
-          "clientRole": false,
-          "containerId": "jhipster",
-          "attributes": {}
-        },
-        {
-          "id": "ec5705e1-fc1d-4d21-8364-abd3bd4efcd0",
-          "name": "ROLE_USER",
-          "description": "Jhipster user role",
-          "composite": false,
-          "clientRole": false,
-          "containerId": "jhipster",
-          "attributes": {}
-        },
-        {
-          "id": "2eec61d0-9581-4dbf-8c7b-f32dc5fac3ce",
-          "name": "uma_authorization",
-          "description": "${role_uma_authorization}",
-          "composite": false,
-          "clientRole": false,
-          "containerId": "jhipster",
-          "attributes": {}
-        }
-      ],
-      "client": {
-        "internal": [],
-        "realm-management": [
-          {
-            "id": "a6249a12-d76c-4514-b137-e3018b243e25",
-            "name": "manage-authorization",
-            "description": "${role_manage-authorization}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "a28bc401-c5ad-4fab-aef4-42629988c10b",
-            "name": "view-realm",
-            "description": "${role_view-realm}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "464bca1f-136f-45de-a7fc-b976a185ce7e",
-            "name": "view-users",
-            "description": "${role_view-users}",
-            "composite": true,
-            "composites": {
-              "client": {
-                "realm-management": ["query-users", "query-groups"]
-              }
-            },
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "98c2fa77-d3c8-4f68-b9f4-b79f87efd4a9",
-            "name": "query-users",
-            "description": "${role_query-users}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "6b82bfdb-c8de-4274-95b4-a683eb4ead50",
-            "name": "view-identity-providers",
-            "description": "${role_view-identity-providers}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "3c6b9cfe-80c4-41d5-a5ac-0cadebacfc8d",
-            "name": "manage-identity-providers",
-            "description": "${role_manage-identity-providers}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "23676fb8-235a-4e54-a0d0-9bed1ccbe2f8",
-            "name": "query-groups",
-            "description": "${role_query-groups}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "b71fe952-bb06-4e4a-91ef-2d2714f770e1",
-            "name": "impersonation",
-            "description": "${role_impersonation}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "0813cbd0-c73d-469d-a54d-84a865c302af",
-            "name": "manage-events",
-            "description": "${role_manage-events}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "c7a4f4c1-9089-458c-a765-f6d22ea94690",
-            "name": "view-authorization",
-            "description": "${role_view-authorization}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "2e1bc884-e9d3-45d2-909c-2777a78ca8ae",
-            "name": "manage-realm",
-            "description": "${role_manage-realm}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "0a05451e-7d64-4e87-b585-f1143ce5752e",
-            "name": "query-clients",
-            "description": "${role_query-clients}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "dfad4d08-6d75-42b6-8699-4886e47bc464",
-            "name": "view-events",
-            "description": "${role_view-events}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "392ed0a3-f6ad-48a1-b201-648037d2b4bd",
-            "name": "realm-admin",
-            "description": "${role_realm-admin}",
-            "composite": true,
-            "composites": {
-              "client": {
-                "realm-management": [
-                  "manage-authorization",
-                  "view-realm",
-                  "view-users",
-                  "query-users",
-                  "manage-identity-providers",
-                  "view-identity-providers",
-                  "query-groups",
-                  "impersonation",
-                  "manage-events",
-                  "query-clients",
-                  "manage-realm",
-                  "view-authorization",
-                  "view-events",
-                  "view-clients",
-                  "create-client",
-                  "manage-clients",
-                  "manage-users",
-                  "query-realms"
-                ]
-              }
-            },
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "d7efdf61-affb-42a1-bcb0-b2c30d87a39e",
-            "name": "view-clients",
-            "description": "${role_view-clients}",
-            "composite": true,
-            "composites": {
-              "client": {
-                "realm-management": ["query-clients"]
-              }
-            },
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "14da8e56-5c8b-4764-96da-250449a32fd4",
-            "name": "create-client",
-            "description": "${role_create-client}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "88e6a9f5-259c-487d-af35-2a98da066816",
-            "name": "manage-clients",
-            "description": "${role_manage-clients}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "932273a7-c02b-43db-81c5-96a0dc45e454",
-            "name": "manage-users",
-            "description": "${role_manage-users}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          },
-          {
-            "id": "e3edf335-cec5-4012-a00d-fcac045052e1",
-            "name": "query-realms",
-            "description": "${role_query-realms}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "898488c8-e260-41c5-a463-7ceea14d587a",
-            "attributes": {}
-          }
-        ],
-        "jhipster-control-center": [],
-        "security-admin-console": [],
-        "web_app": [],
-        "admin-cli": [],
-        "account-console": [],
-        "jhipster-registry": [],
-        "broker": [
-          {
-            "id": "5b08a930-9f1d-4030-ae75-92c1e4c9352c",
-            "name": "read-token",
-            "description": "${role_read-token}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "88e1225b-f0b9-46ba-8efd-f2c10ce23058",
-            "attributes": {}
-          }
-        ],
-        "account": [
-          {
-            "id": "a88c56b8-6bc9-418a-92bc-7a17e7707f60",
-            "name": "view-profile",
-            "description": "${role_view-profile}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "0cb954ab-987f-482a-b2d7-0d481ba1d532",
-            "name": "view-applications",
-            "description": "${role_view-applications}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "6450156d-7526-48f2-8ea0-bb1e51f9eefa",
-            "name": "manage-account",
-            "description": "${role_manage-account}",
-            "composite": true,
-            "composites": {
-              "client": {
-                "account": ["manage-account-links"]
-              }
-            },
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "e5b2ba76-4c36-4ba1-b210-89a1ac3c6bbe",
-            "name": "view-consent",
-            "description": "${role_view-consent}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "35537940-67a6-4217-881b-1ff98109b374",
-            "name": "manage-consent",
-            "description": "${role_manage-consent}",
-            "composite": true,
-            "composites": {
-              "client": {
-                "account": ["view-consent"]
-              }
-            },
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "5ebf404b-7805-4da2-abb4-9db7d3b36120",
-            "name": "delete-account",
-            "description": "${role_delete-account}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          },
-          {
-            "id": "a7f45fab-19c3-4c48-aca3-85f828ca0fed",
-            "name": "manage-account-links",
-            "description": "${role_manage-account-links}",
-            "composite": false,
-            "clientRole": true,
-            "containerId": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-            "attributes": {}
-          }
-        ]
-      }
-    },
-    "groups": [
-      {
-        "id": "afb0c768-ab0f-454c-a8ea-bc9e70b50248",
-        "name": "Admins",
-        "path": "/Admins",
-        "attributes": {},
-        "realmRoles": ["ROLE_ADMIN"],
-        "clientRoles": {},
-        "subGroups": []
-      },
-      {
-        "id": "672767bb-4ab0-4d37-93a1-9b6c2416b6b2",
-        "name": "Users",
-        "path": "/Users",
-        "attributes": {},
-        "realmRoles": ["ROLE_USER"],
-        "clientRoles": {},
-        "subGroups": []
-      }
-    ],
-    "defaultRoles": ["uma_authorization", "offline_access"],
-    "requiredCredentials": ["password"],
-    "otpPolicyType": "totp",
-    "otpPolicyAlgorithm": "HmacSHA1",
-    "otpPolicyInitialCounter": 0,
-    "otpPolicyDigits": 6,
-    "otpPolicyLookAheadWindow": 1,
-    "otpPolicyPeriod": 30,
-    "otpSupportedApplications": ["FreeOTP", "Google Authenticator"],
-    "webAuthnPolicyRpEntityName": "keycloak",
-    "webAuthnPolicySignatureAlgorithms": ["ES256"],
-    "webAuthnPolicyRpId": "",
-    "webAuthnPolicyAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyRequireResidentKey": "not specified",
-    "webAuthnPolicyUserVerificationRequirement": "not specified",
-    "webAuthnPolicyCreateTimeout": 0,
-    "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyAcceptableAaguids": [],
-    "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
-    "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
-    "webAuthnPolicyPasswordlessRpId": "",
-    "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
-    "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
-    "webAuthnPolicyPasswordlessCreateTimeout": 0,
-    "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyPasswordlessAcceptableAaguids": [],
-    "users": [
-      {
-        "id": "f742ba6f-1d8a-4dec-bf15-e02dab508283",
-        "createdTimestamp": 1598681172054,
-        "username": "service-account-internal",
-        "enabled": true,
-        "totp": false,
-        "emailVerified": false,
-        "serviceAccountClientId": "internal",
-        "disableableCredentialTypes": [],
-        "requiredActions": [],
-        "realmRoles": ["offline_access", "uma_authorization"],
-        "clientRoles": {
-          "account": ["view-profile", "manage-account"]
-        },
-        "notBefore": 0,
-        "groups": []
-      }
-    ],
-    "scopeMappings": [
-      {
-        "clientScope": "offline_access",
-        "roles": ["offline_access"]
-      }
-    ],
-    "clientScopeMappings": {
-      "account": [
-        {
-          "client": "account-console",
-          "roles": ["manage-account"]
+  "id" : "euve",
+  "realm" : "euve",
+  "notBefore" : 0,
+  "defaultSignatureAlgorithm" : "RS256",
+  "revokeRefreshToken" : false,
+  "refreshTokenMaxReuse" : 0,
+  "accessTokenLifespan" : 300,
+  "accessTokenLifespanForImplicitFlow" : 900,
+  "ssoSessionIdleTimeout" : 1800,
+  "ssoSessionMaxLifespan" : 36000,
+  "ssoSessionIdleTimeoutRememberMe" : 0,
+  "ssoSessionMaxLifespanRememberMe" : 0,
+  "offlineSessionIdleTimeout" : 2592000,
+  "offlineSessionMaxLifespanEnabled" : false,
+  "offlineSessionMaxLifespan" : 5184000,
+  "clientSessionIdleTimeout" : 0,
+  "clientSessionMaxLifespan" : 0,
+  "clientOfflineSessionIdleTimeout" : 0,
+  "clientOfflineSessionMaxLifespan" : 0,
+  "accessCodeLifespan" : 60,
+  "accessCodeLifespanUserAction" : 300,
+  "accessCodeLifespanLogin" : 1800,
+  "actionTokenGeneratedByAdminLifespan" : 43200,
+  "actionTokenGeneratedByUserLifespan" : 300,
+  "oauth2DeviceCodeLifespan" : 600,
+  "oauth2DevicePollingInterval" : 5,
+  "enabled" : true,
+  "sslRequired" : "external",
+  "registrationAllowed" : false,
+  "registrationEmailAsUsername" : false,
+  "rememberMe" : false,
+  "verifyEmail" : false,
+  "loginWithEmailAllowed" : true,
+  "duplicateEmailsAllowed" : false,
+  "resetPasswordAllowed" : false,
+  "editUsernameAllowed" : false,
+  "bruteForceProtected" : false,
+  "permanentLockout" : false,
+  "maxFailureWaitSeconds" : 900,
+  "minimumQuickLoginWaitSeconds" : 60,
+  "waitIncrementSeconds" : 60,
+  "quickLoginCheckMilliSeconds" : 1000,
+  "maxDeltaTimeSeconds" : 43200,
+  "failureFactor" : 30,
+  "roles" : {
+    "realm" : [ {
+      "id" : "1e98141f-01ab-456b-aa22-d0fc9fa1feba",
+      "name" : "offline_access",
+      "description" : "${role_offline-access}",
+      "composite" : false,
+      "clientRole" : false,
+      "containerId" : "euve",
+      "attributes" : { }
+    }, {
+      "id" : "c97eafa4-6b60-4641-85e8-ca7636e2ccc4",
+      "name" : "default-roles-euve",
+      "description" : "${role_default-roles}",
+      "composite" : true,
+      "composites" : {
+        "realm" : [ "offline_access", "uma_authorization" ],
+        "client" : {
+          "account" : [ "manage-account", "view-profile" ]
         }
-      ]
-    },
-    "clients": [
-      {
-        "id": "6cc5a716-0880-47dc-b714-9a4967246b2f",
-        "clientId": "account",
-        "name": "${client_account}",
-        "rootUrl": "${authBaseUrl}",
-        "baseUrl": "/realms/jhipster/account/",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "defaultRoles": ["manage-account", "view-profile"],
-        "redirectUris": ["/realms/jhipster/account/*"],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": false,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {},
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "fb0a4870-06db-4f9d-9d44-baf51a00cc34",
-        "clientId": "account-console",
-        "name": "${client_account-console}",
-        "rootUrl": "${authBaseUrl}",
-        "baseUrl": "/realms/jhipster/account/",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "redirectUris": ["/realms/jhipster/account/*"],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "pkce.code.challenge.method": "S256"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "protocolMappers": [
-          {
-            "id": "c5c4ebe5-d009-4f96-b143-1b36d770eafb",
-            "name": "audience resolve",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-audience-resolve-mapper",
-            "consentRequired": false,
-            "config": {}
-          }
-        ],
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "bb166356-838d-445e-94e3-9330ad7ab51b",
-        "clientId": "admin-cli",
-        "name": "${client_admin-cli}",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "redirectUris": [],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": false,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": true,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {},
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "88e1225b-f0b9-46ba-8efd-f2c10ce23058",
-        "clientId": "broker",
-        "name": "${client_broker}",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "redirectUris": [],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": false,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {},
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
       },
-      {
-        "id": "10e6ea34-9f1e-49ef-8e28-7eb851459694",
-        "clientId": "internal",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "internal",
-        "redirectUris": [],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": false,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": true,
-        "publicClient": false,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "saml.assertion.signature": "false",
-          "saml.force.post.binding": "false",
-          "saml.multivalued.roles": "false",
-          "saml.encrypt": "false",
-          "saml.server.signature": "false",
-          "saml.server.signature.keyinfo.ext": "false",
-          "exclude.session.state.from.auth.response": "false",
-          "saml_force_name_id_format": "false",
-          "saml.client.signature": "false",
-          "tls.client.certificate.bound.access.tokens": "false",
-          "saml.authnstatement": "false",
-          "display.on.consent.screen": "false",
-          "saml.onetimeuse.condition": "false"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": true,
-        "nodeReRegistrationTimeout": -1,
-        "protocolMappers": [
-          {
-            "id": "ff2f50b4-5409-4789-bdda-fe731f14fbff",
-            "name": "Client IP Address",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usersessionmodel-note-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.session.note": "clientAddress",
-              "userinfo.token.claim": "true",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "clientAddress",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "72f9ae74-9e95-4b7b-a709-5086137410bb",
-            "name": "Client ID",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usersessionmodel-note-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.session.note": "clientId",
-              "userinfo.token.claim": "true",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "clientId",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "029bf6c8-5a19-4798-984c-bdb205d752d5",
-            "name": "Client Host",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usersessionmodel-note-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.session.note": "clientHost",
-              "userinfo.token.claim": "true",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "clientHost",
-              "jsonType.label": "String"
-            }
-          }
-        ],
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "1acf7ad0-68cb-46a6-a3e4-8b2f2abecb85",
-        "clientId": "jhipster-control-center",
-        "rootUrl": "http://localhost:7419",
-        "adminUrl": "http://localhost:7419",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "jhipster-control-center",
-        "redirectUris": ["dev.localhost.ionic:*", "http://127.0.0.1:*", "http://localhost:*", "https://127.0.0.1:*", "https://localhost:*"],
-        "webOrigins": ["*"],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": true,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "saml.assertion.signature": "false",
-          "saml.force.post.binding": "false",
-          "saml.multivalued.roles": "false",
-          "saml.encrypt": "false",
-          "saml.server.signature": "false",
-          "saml.server.signature.keyinfo.ext": "false",
-          "exclude.session.state.from.auth.response": "false",
-          "saml_force_name_id_format": "false",
-          "saml.client.signature": "false",
-          "tls.client.certificate.bound.access.tokens": "false",
-          "saml.authnstatement": "false",
-          "display.on.consent.screen": "false",
-          "saml.onetimeuse.condition": "false"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": true,
-        "nodeReRegistrationTimeout": -1,
-        "defaultClientScopes": ["web-origins", "jhipster", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "9057870f-8775-448d-a194-1d4e122f44d5",
-        "clientId": "jhipster-registry",
-        "rootUrl": "https://registry.192.168.56.1.nip.io:8443",
-        "adminUrl": "https://registry.192.168.56.1.nip.io:8443",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "jhipster-registry",
-        "redirectUris": ["http://127.0.0.1:*", "http://localhost:*", "https://registry.192.168.56.1.nip.io:*"],
-        "webOrigins": ["*"],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": true,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "saml.assertion.signature": "false",
-          "saml.force.post.binding": "false",
-          "saml.multivalued.roles": "false",
-          "saml.encrypt": "false",
-          "saml.server.signature": "false",
-          "saml.server.signature.keyinfo.ext": "false",
-          "exclude.session.state.from.auth.response": "false",
-          "saml_force_name_id_format": "false",
-          "saml.client.signature": "false",
-          "tls.client.certificate.bound.access.tokens": "false",
-          "saml.authnstatement": "false",
-          "display.on.consent.screen": "false",
-          "saml.onetimeuse.condition": "false"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": true,
-        "nodeReRegistrationTimeout": -1,
-        "defaultClientScopes": ["web-origins", "jhipster", "role_list", "roles", "profile", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "898488c8-e260-41c5-a463-7ceea14d587a",
-        "clientId": "realm-management",
-        "name": "${client_realm-management}",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "redirectUris": [],
-        "webOrigins": [],
-        "notBefore": 0,
-        "bearerOnly": true,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": false,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {},
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "989d2b96-b820-4f9b-aa17-55e6488b08c8",
-        "clientId": "security-admin-console",
-        "name": "${client_security-admin-console}",
-        "rootUrl": "${authAdminUrl}",
-        "baseUrl": "/admin/jhipster/console/",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "**********",
-        "redirectUris": ["/admin/jhipster/console/*"],
-        "webOrigins": ["+"],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": false,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "pkce.code.challenge.method": "S256"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "nodeReRegistrationTimeout": 0,
-        "protocolMappers": [
-          {
-            "id": "5fd34289-c644-411a-874c-849475d9d102",
-            "name": "locale",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "locale",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "locale",
-              "jsonType.label": "String"
-            }
+      "clientRole" : false,
+      "containerId" : "euve",
+      "attributes" : { }
+    }, {
+      "id" : "49c49ab1-5ff6-41fe-9523-36cfd30fe62b",
+      "name" : "uma_authorization",
+      "description" : "${role_uma_authorization}",
+      "composite" : false,
+      "clientRole" : false,
+      "containerId" : "euve",
+      "attributes" : { }
+    } ],
+    "client" : {
+      "realm-management" : [ {
+        "id" : "0a73cdcf-635f-404e-811b-85d088c244d1",
+        "name" : "impersonation",
+        "description" : "${role_impersonation}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "a9e87592-c9a2-440b-9ef2-ccb29a31c2ac",
+        "name" : "view-users",
+        "description" : "${role_view-users}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "query-groups", "query-users" ]
           }
-        ],
-        "defaultClientScopes": ["web-origins", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      },
-      {
-        "id": "6e8deddb-b4d6-4e2e-b389-b397d3f74fcd",
-        "clientId": "web_app",
-        "rootUrl": "https://iop-gateway.192.168.56.1.nip.io:8443",
-        "adminUrl": "https://iop-gateway.192.168.56.1.nip.io:8443",
-        "surrogateAuthRequired": false,
-        "enabled": true,
-        "alwaysDisplayInConsole": false,
-        "clientAuthenticatorType": "client-secret",
-        "secret": "web_app",
-        "redirectUris": [
-          "dev.localhost.ionic:*", 
-          "http://127.0.0.1:*", 
-          "http://localhost:*", 
-          "https://127.0.0.1:*", 
-          "https://localhost:*",
-          "https://iop-gateway.192.168.56.1.nip.io:*"],
-        "webOrigins": ["*"],
-        "notBefore": 0,
-        "bearerOnly": false,
-        "consentRequired": false,
-        "standardFlowEnabled": true,
-        "implicitFlowEnabled": true,
-        "directAccessGrantsEnabled": false,
-        "serviceAccountsEnabled": false,
-        "publicClient": true,
-        "frontchannelLogout": false,
-        "protocol": "openid-connect",
-        "attributes": {
-          "saml.assertion.signature": "false",
-          "saml.force.post.binding": "false",
-          "saml.multivalued.roles": "false",
-          "saml.encrypt": "false",
-          "saml.server.signature": "false",
-          "saml.server.signature.keyinfo.ext": "false",
-          "exclude.session.state.from.auth.response": "false",
-          "saml_force_name_id_format": "false",
-          "saml.client.signature": "false",
-          "tls.client.certificate.bound.access.tokens": "false",
-          "saml.authnstatement": "false",
-          "display.on.consent.screen": "false",
-          "saml.onetimeuse.condition": "false"
         },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": true,
-        "nodeReRegistrationTimeout": -1,
-        "defaultClientScopes": ["web-origins", "jhipster", "role_list", "profile", "roles", "email"],
-        "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
-      }
-    ],
-    "clientScopes": [
-      {
-        "id": "52d73c82-423c-44a8-b2ec-1e13f4cd6065",
-        "name": "address",
-        "description": "OpenID Connect built-in scope: address",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "true",
-          "display.on.consent.screen": "true",
-          "consent.screen.text": "${addressScopeConsentText}"
-        },
-        "protocolMappers": [
-          {
-            "id": "98230752-36b9-4755-8661-a7de1926d0d4",
-            "name": "address",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-address-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.attribute.formatted": "formatted",
-              "user.attribute.country": "country",
-              "user.attribute.postal_code": "postal_code",
-              "userinfo.token.claim": "true",
-              "user.attribute.street": "street",
-              "id.token.claim": "true",
-              "user.attribute.region": "region",
-              "access.token.claim": "true",
-              "user.attribute.locality": "locality"
-            }
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "a841bcf7-6c13-42e7-941d-fd2e1640a308",
+        "name" : "manage-clients",
+        "description" : "${role_manage-clients}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "de94dd2f-0d26-4ed1-b605-773204d9a79a",
+        "name" : "create-client",
+        "description" : "${role_create-client}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "decaecce-ccf8-4424-a5b9-afb197c3bb48",
+        "name" : "manage-realm",
+        "description" : "${role_manage-realm}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "1fb34bc8-c3d3-4bc1-aaa4-feae578848b6",
+        "name" : "manage-users",
+        "description" : "${role_manage-users}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "08409953-c23a-4c81-b7e5-b100961d6478",
+        "name" : "query-clients",
+        "description" : "${role_query-clients}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "ce1ea1a5-5161-4f91-9c16-7741c11034b5",
+        "name" : "manage-events",
+        "description" : "${role_manage-events}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "22434921-66fe-46c6-ac3b-ebea78ef585a",
+        "name" : "query-groups",
+        "description" : "${role_query-groups}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "2a4d3e7e-fcb5-415f-b2b0-f9d4efe3e027",
+        "name" : "query-realms",
+        "description" : "${role_query-realms}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "fd879028-9c09-4eb8-865e-da8641d97a4a",
+        "name" : "query-users",
+        "description" : "${role_query-users}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "62bc21f3-d5a8-4d43-a09a-035ac8ec1675",
+        "name" : "view-events",
+        "description" : "${role_view-events}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "f25cfa0c-fe97-4037-819d-ce702d07be59",
+        "name" : "manage-authorization",
+        "description" : "${role_manage-authorization}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "f324d3fa-4bff-4db4-8a19-6401a959720c",
+        "name" : "view-authorization",
+        "description" : "${role_view-authorization}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "183fc5ab-70b1-4912-92c8-b51b1149d40d",
+        "name" : "view-realm",
+        "description" : "${role_view-realm}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "13bd92ce-d1f8-4df8-9243-0933c7dde3aa",
+        "name" : "manage-identity-providers",
+        "description" : "${role_manage-identity-providers}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "50cb60e9-ebed-4d79-a2f0-bca4bf9897d3",
+        "name" : "realm-admin",
+        "description" : "${role_realm-admin}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "impersonation", "view-users", "manage-clients", "query-clients", "manage-users", "create-client", "manage-realm", "query-groups", "query-realms", "manage-events", "view-events", "query-users", "manage-authorization", "view-authorization", "view-realm", "manage-identity-providers", "view-clients", "view-identity-providers" ]
           }
-        ]
-      },
-      {
-        "id": "44d24405-87bf-4b37-a627-e3fdabb93f50",
-        "name": "email",
-        "description": "OpenID Connect built-in scope: email",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "true",
-          "display.on.consent.screen": "true",
-          "consent.screen.text": "${emailScopeConsentText}"
         },
-        "protocolMappers": [
-          {
-            "id": "36800088-6d17-4c18-93e8-2bc93901d8b7",
-            "name": "email",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "email",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "email",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "3ea34afd-30b5-4e5d-a836-dbda439dce6f",
-            "name": "email verified",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "emailVerified",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "email_verified",
-              "jsonType.label": "boolean"
-            }
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "316b2844-ae27-42bd-8872-adef4179e1f9",
+        "name" : "view-clients",
+        "description" : "${role_view-clients}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "realm-management" : [ "query-clients" ]
           }
-        ]
-      },
-      {
-        "id": "9816de82-24b7-42fe-a85a-1264868ec293",
-        "name": "jhipster",
-        "description": "Jhipster specific claims",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "false",
-          "display.on.consent.screen": "false"
         },
-        "protocolMappers": [
-          {
-            "id": "0f9c9347-aad6-4bff-94f4-e11937f2ad33",
-            "name": "langKey",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "langKey",
-              "id.token.claim": "false",
-              "access.token.claim": "false",
-              "claim.name": "langKey",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "69729907-8d1c-4961-81c0-91766f548cc9",
-            "name": "roles",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-realm-role-mapper",
-            "consentRequired": false,
-            "config": {
-              "multivalued": "true",
-              "userinfo.token.claim": "true",
-              "id.token.claim": "false",
-              "access.token.claim": "true",
-              "claim.name": "roles",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "336acfe2-a717-492a-9055-5b70e808f42f",
-            "name": "login",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "preferred_username",
-              "id.token.claim": "false",
-              "access.token.claim": "false",
-              "claim.name": "login",
-              "jsonType.label": "String"
-            }
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      }, {
+        "id" : "3e34daf5-e7d8-46bc-bf3b-90a73b1f70c2",
+        "name" : "view-identity-providers",
+        "description" : "${role_view-identity-providers}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+        "attributes" : { }
+      } ],
+      "security-admin-console" : [ ],
+      "admin-cli" : [ ],
+      "account-console" : [ ],
+      "broker" : [ {
+        "id" : "308ea9cf-c503-423a-b1a6-dc0d05dfe19e",
+        "name" : "read-token",
+        "description" : "${role_read-token}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "1f554bba-9cef-42b6-9275-1993bf584e14",
+        "attributes" : { }
+      } ],
+      "account" : [ {
+        "id" : "6ec046ae-a913-467d-bd69-b424c9e9f20c",
+        "name" : "manage-account-links",
+        "description" : "${role_manage-account-links}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "1182b5b1-055d-4a71-9c29-48b43f97e3d7",
+        "name" : "manage-account",
+        "description" : "${role_manage-account}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "account" : [ "manage-account-links" ]
           }
-        ]
-      },
-      {
-        "id": "87d299f2-434f-4abd-8cb0-a16231acd713",
-        "name": "microprofile-jwt",
-        "description": "Microprofile - JWT built-in scope",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "true",
-          "display.on.consent.screen": "false"
         },
-        "protocolMappers": [
-          {
-            "id": "fce09d51-cb85-4ccd-b83d-865a4d4bf650",
-            "name": "groups",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-realm-role-mapper",
-            "consentRequired": false,
-            "config": {
-              "multivalued": "true",
-              "userinfo.token.claim": "true",
-              "user.attribute": "foo",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "groups",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "3d1ee7e2-b7e1-4504-bd52-b47a2cb10eec",
-            "name": "upn",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "username",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "upn",
-              "jsonType.label": "String"
-            }
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "0e2f4735-6ced-4b75-a91e-896410aff718",
+        "name" : "delete-account",
+        "description" : "${role_delete-account}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "fef62204-9392-4473-9e6a-0e1bbdf47c98",
+        "name" : "manage-consent",
+        "description" : "${role_manage-consent}",
+        "composite" : true,
+        "composites" : {
+          "client" : {
+            "account" : [ "view-consent" ]
           }
-        ]
-      },
-      {
-        "id": "0399b625-22d7-4d68-b4db-fd1dc2effacc",
-        "name": "offline_access",
-        "description": "OpenID Connect built-in scope: offline_access",
-        "protocol": "openid-connect",
-        "attributes": {
-          "consent.screen.text": "${offlineAccessScopeConsentText}",
-          "display.on.consent.screen": "true"
-        }
-      },
-      {
-        "id": "2b867b2d-3373-43ff-b50f-ea37a5e1c390",
-        "name": "phone",
-        "description": "OpenID Connect built-in scope: phone",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "true",
-          "display.on.consent.screen": "true",
-          "consent.screen.text": "${phoneScopeConsentText}"
         },
-        "protocolMappers": [
-          {
-            "id": "daa0191b-20d1-4f71-b191-6c48a37e3677",
-            "name": "phone number",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "phoneNumber",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "phone_number",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "32213de7-12f7-4864-b696-c8e6c5e0c26e",
-            "name": "phone number verified",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "phoneNumberVerified",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "phone_number_verified",
-              "jsonType.label": "boolean"
-            }
-          }
-        ]
-      },
-      {
-        "id": "60a44832-9776-449f-94cd-fa8c24a75f35",
-        "name": "profile",
-        "description": "OpenID Connect built-in scope: profile",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "true",
-          "display.on.consent.screen": "true",
-          "consent.screen.text": "${profileScopeConsentText}"
-        },
-        "protocolMappers": [
-          {
-            "id": "a59584ab-7a7c-4b23-95b5-be8dbbfadc6f",
-            "name": "family name",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "lastName",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "family_name",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "d382c1dc-d5d8-479e-8809-f0a618113a07",
-            "name": "website",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "website",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "website",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "559f86c1-1187-498d-8354-723f4ea5721c",
-            "name": "full name",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-full-name-mapper",
-            "consentRequired": false,
-            "config": {
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "userinfo.token.claim": "true"
-            }
-          },
-          {
-            "id": "0925e106-a8e2-4ad1-b75e-4147d185894a",
-            "name": "updated at",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "updatedAt",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "updated_at",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "eb8e2c73-5c65-4b53-8d55-46edef61315b",
-            "name": "locale",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "locale",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "locale",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "4c109376-01bc-4b69-a3c0-4b830ecad674",
-            "name": "middle name",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "middleName",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "middle_name",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "b3813956-e556-4b57-a06b-f71b0d6f3d47",
-            "name": "nickname",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "nickname",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "nickname",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "28beb4c0-029b-4aa5-ad5f-6d824ca67e15",
-            "name": "username",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "username",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "preferred_username",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "53d681bc-ec29-4f57-924b-ff5bd22d4093",
-            "name": "profile",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "profile",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "profile",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "12ba8e12-157d-4729-918b-0d74fa444fba",
-            "name": "picture",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "picture",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "picture",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "ddb818fe-8e4a-4b26-9c5d-2467a26af6dc",
-            "name": "gender",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "gender",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "gender",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "f78b1746-2be1-45f4-9c1e-1f6141ccdb65",
-            "name": "birthdate",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "birthdate",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "birthdate",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "7723245c-4952-4822-86ae-084048b1f2f2",
-            "name": "given name",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "firstName",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "given_name",
-              "jsonType.label": "String"
-            }
-          },
-          {
-            "id": "b192fe9f-aa82-4d7d-b8c7-eb7d1ba888d4",
-            "name": "zoneinfo",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-              "userinfo.token.claim": "true",
-              "user.attribute": "zoneinfo",
-              "id.token.claim": "true",
-              "access.token.claim": "true",
-              "claim.name": "zoneinfo",
-              "jsonType.label": "String"
-            }
-          }
-        ]
-      },
-      {
-        "id": "d181691e-b4a6-4063-9eba-6b984402a9a7",
-        "name": "role_list",
-        "description": "SAML role list",
-        "protocol": "saml",
-        "attributes": {
-          "consent.screen.text": "${samlRoleListScopeConsentText}",
-          "display.on.consent.screen": "true"
-        },
-        "protocolMappers": [
-          {
-            "id": "724b16d4-8a9b-42d8-850f-99ca1ab3c958",
-            "name": "role list",
-            "protocol": "saml",
-            "protocolMapper": "saml-role-list-mapper",
-            "consentRequired": false,
-            "config": {
-              "single": "false",
-              "attribute.nameformat": "Basic",
-              "attribute.name": "Role"
-            }
-          }
-        ]
-      },
-      {
-        "id": "915fcb95-81da-4e4c-86ee-73f3b52c83e9",
-        "name": "roles",
-        "description": "OpenID Connect scope for add user roles to the access token",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "false",
-          "display.on.consent.screen": "true",
-          "consent.screen.text": "${rolesScopeConsentText}"
-        },
-        "protocolMappers": [
-          {
-            "id": "12f0b32d-8911-4028-809b-fc1c0e5e9207",
-            "name": "audience resolve",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-audience-resolve-mapper",
-            "consentRequired": false,
-            "config": {}
-          },
-          {
-            "id": "5b997b66-937f-46d3-9e8b-70dca949f682",
-            "name": "realm roles",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-realm-role-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.attribute": "foo",
-              "access.token.claim": "true",
-              "claim.name": "realm_access.roles",
-              "jsonType.label": "String",
-              "multivalued": "true"
-            }
-          },
-          {
-            "id": "cdcd6969-a9aa-4de5-adbe-dc83da4184c5",
-            "name": "client roles",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-client-role-mapper",
-            "consentRequired": false,
-            "config": {
-              "user.attribute": "foo",
-              "access.token.claim": "true",
-              "claim.name": "resource_access.${client_id}.roles",
-              "jsonType.label": "String",
-              "multivalued": "true"
-            }
-          }
-        ]
-      },
-      {
-        "id": "2daaac74-636f-4074-87a9-d1aba9dffb96",
-        "name": "web-origins",
-        "description": "OpenID Connect scope for add allowed web origins to the access token",
-        "protocol": "openid-connect",
-        "attributes": {
-          "include.in.token.scope": "false",
-          "display.on.consent.screen": "false",
-          "consent.screen.text": ""
-        },
-        "protocolMappers": [
-          {
-            "id": "752e035f-038d-46ac-b65d-91f863fdd986",
-            "name": "allowed web origins",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-allowed-origins-mapper",
-            "consentRequired": false,
-            "config": {}
-          }
-        ]
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "049039c6-1edf-4775-8dc1-d9cb5caaa1fa",
+        "name" : "view-profile",
+        "description" : "${role_view-profile}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "de62369d-8a1f-4b60-87f1-a8e490f2e630",
+        "name" : "view-consent",
+        "description" : "${role_view-consent}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      }, {
+        "id" : "703a0926-f24b-4e4e-8ea6-b8694f729157",
+        "name" : "view-applications",
+        "description" : "${role_view-applications}",
+        "composite" : false,
+        "clientRole" : true,
+        "containerId" : "98e120d2-58fc-413a-9677-99f85441420b",
+        "attributes" : { }
+      } ]
+    }
+  },
+  "groups" : [ ],
+  "defaultRole" : {
+    "id" : "c97eafa4-6b60-4641-85e8-ca7636e2ccc4",
+    "name" : "default-roles-euve",
+    "description" : "${role_default-roles}",
+    "composite" : true,
+    "clientRole" : false,
+    "containerId" : "euve"
+  },
+  "requiredCredentials" : [ "password" ],
+  "otpPolicyType" : "totp",
+  "otpPolicyAlgorithm" : "HmacSHA1",
+  "otpPolicyInitialCounter" : 0,
+  "otpPolicyDigits" : 6,
+  "otpPolicyLookAheadWindow" : 1,
+  "otpPolicyPeriod" : 30,
+  "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ],
+  "webAuthnPolicyRpEntityName" : "keycloak",
+  "webAuthnPolicySignatureAlgorithms" : [ "ES256" ],
+  "webAuthnPolicyRpId" : "",
+  "webAuthnPolicyAttestationConveyancePreference" : "not specified",
+  "webAuthnPolicyAuthenticatorAttachment" : "not specified",
+  "webAuthnPolicyRequireResidentKey" : "not specified",
+  "webAuthnPolicyUserVerificationRequirement" : "not specified",
+  "webAuthnPolicyCreateTimeout" : 0,
+  "webAuthnPolicyAvoidSameAuthenticatorRegister" : false,
+  "webAuthnPolicyAcceptableAaguids" : [ ],
+  "webAuthnPolicyPasswordlessRpEntityName" : "keycloak",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ],
+  "webAuthnPolicyPasswordlessRpId" : "",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified",
+  "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified",
+  "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified",
+  "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified",
+  "webAuthnPolicyPasswordlessCreateTimeout" : 0,
+  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
+  "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
+  "scopeMappings" : [ {
+    "clientScope" : "offline_access",
+    "roles" : [ "offline_access" ]
+  } ],
+  "clientScopeMappings" : {
+    "account" : [ {
+      "client" : "account-console",
+      "roles" : [ "manage-account" ]
+    } ]
+  },
+  "clients" : [ {
+    "id" : "98e120d2-58fc-413a-9677-99f85441420b",
+    "clientId" : "account",
+    "name" : "${client_account}",
+    "rootUrl" : "${authBaseUrl}",
+    "baseUrl" : "/realms/euve/account/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/realms/euve/account/*" ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : { },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "4fab43e5-3879-4895-a90a-42e88b51e19f",
+    "clientId" : "account-console",
+    "name" : "${client_account-console}",
+    "rootUrl" : "${authBaseUrl}",
+    "baseUrl" : "/realms/euve/account/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/realms/euve/account/*" ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "pkce.code.challenge.method" : "S256"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "protocolMappers" : [ {
+      "id" : "762e21d2-68ae-4e99-9fca-dea8e91ebee3",
+      "name" : "audience resolve",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-audience-resolve-mapper",
+      "consentRequired" : false,
+      "config" : { }
+    } ],
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "a1ff42ca-0b7d-41d5-a4d9-839e0905c41d",
+    "clientId" : "admin-cli",
+    "name" : "${client_admin-cli}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : false,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : true,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : { },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "1f554bba-9cef-42b6-9275-1993bf584e14",
+    "clientId" : "broker",
+    "name" : "${client_broker}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : true,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : false,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : { },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "d7ba05c6-095f-47a7-9817-737ecf0b7f16",
+    "clientId" : "realm-management",
+    "name" : "${client_realm-management}",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ ],
+    "webOrigins" : [ ],
+    "notBefore" : 0,
+    "bearerOnly" : true,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : false,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : { },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  }, {
+    "id" : "4b850259-ac84-4df8-a077-83db296ed555",
+    "clientId" : "security-admin-console",
+    "name" : "${client_security-admin-console}",
+    "rootUrl" : "${authAdminUrl}",
+    "baseUrl" : "/admin/euve/console/",
+    "surrogateAuthRequired" : false,
+    "enabled" : true,
+    "alwaysDisplayInConsole" : false,
+    "clientAuthenticatorType" : "client-secret",
+    "redirectUris" : [ "/admin/euve/console/*" ],
+    "webOrigins" : [ "+" ],
+    "notBefore" : 0,
+    "bearerOnly" : false,
+    "consentRequired" : false,
+    "standardFlowEnabled" : true,
+    "implicitFlowEnabled" : false,
+    "directAccessGrantsEnabled" : false,
+    "serviceAccountsEnabled" : false,
+    "publicClient" : true,
+    "frontchannelLogout" : false,
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "pkce.code.challenge.method" : "S256"
+    },
+    "authenticationFlowBindingOverrides" : { },
+    "fullScopeAllowed" : false,
+    "nodeReRegistrationTimeout" : 0,
+    "protocolMappers" : [ {
+      "id" : "2cc2d516-4dd3-4bcd-9a42-8a73e377b7f7",
+      "name" : "locale",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "locale",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "locale",
+        "jsonType.label" : "String"
       }
-    ],
-    "defaultDefaultClientScopes": ["web-origins", "email", "profile", "roles", "role_list"],
-    "defaultOptionalClientScopes": ["offline_access", "phone", "address", "microprofile-jwt"],
-    "browserSecurityHeaders": {
-      "contentSecurityPolicyReportOnly": "",
-      "xContentTypeOptions": "nosniff",
-      "xRobotsTag": "none",
-      "xFrameOptions": "SAMEORIGIN",
-      "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
-      "xXSSProtection": "1; mode=block",
-      "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+    } ],
+    "defaultClientScopes" : [ "web-origins", "profile", "roles", "email" ],
+    "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
+  } ],
+  "clientScopes" : [ {
+    "id" : "18a82a10-f7bc-4e39-8074-1b49dab559bb",
+    "name" : "web-origins",
+    "description" : "OpenID Connect scope for add allowed web origins to the access token",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "false",
+      "display.on.consent.screen" : "false",
+      "consent.screen.text" : ""
     },
-    "smtpServer": {},
-    "eventsEnabled": false,
-    "eventsListeners": ["jboss-logging"],
-    "enabledEventTypes": [],
-    "adminEventsEnabled": false,
-    "adminEventsDetailsEnabled": false,
-    "identityProviders": [],
-    "identityProviderMappers": [],
-    "components": {
-      "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
-        {
-          "id": "827fde01-dc1b-4c1f-a529-9ef833ca3432",
-          "name": "Allowed Protocol Mapper Types",
-          "providerId": "allowed-protocol-mappers",
-          "subType": "authenticated",
-          "subComponents": {},
-          "config": {
-            "allowed-protocol-mapper-types": [
-              "oidc-full-name-mapper",
-              "saml-user-property-mapper",
-              "saml-role-list-mapper",
-              "oidc-address-mapper",
-              "oidc-usermodel-property-mapper",
-              "oidc-sha256-pairwise-sub-mapper",
-              "saml-user-attribute-mapper",
-              "oidc-usermodel-attribute-mapper"
-            ]
-          }
-        },
-        {
-          "id": "0a429e7e-be7a-46b4-b42a-d1f8b265ff16",
-          "name": "Allowed Client Scopes",
-          "providerId": "allowed-client-templates",
-          "subType": "authenticated",
-          "subComponents": {},
-          "config": {
-            "allow-default-scopes": ["true"]
-          }
-        },
-        {
-          "id": "5a1ff0b4-250f-48ee-8169-abff30cf7534",
-          "name": "Allowed Client Scopes",
-          "providerId": "allowed-client-templates",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {
-            "allow-default-scopes": ["true"]
-          }
-        },
-        {
-          "id": "c79f6629-84a9-467c-81d0-63e20b19f916",
-          "name": "Full Scope Disabled",
-          "providerId": "scope",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {}
-        },
-        {
-          "id": "b6b23ef8-96e8-4e2e-8efe-8003057a8d42",
-          "name": "Max Clients Limit",
-          "providerId": "max-clients",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {
-            "max-clients": ["200"]
-          }
-        },
-        {
-          "id": "36dfaa02-0252-4448-9cdf-a17abf239f78",
-          "name": "Trusted Hosts",
-          "providerId": "trusted-hosts",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {
-            "host-sending-registration-request-must-match": ["true"],
-            "client-uris-must-match": ["true"]
-          }
-        },
-        {
-          "id": "8216421d-34fb-4726-8331-137217657bdb",
-          "name": "Allowed Protocol Mapper Types",
-          "providerId": "allowed-protocol-mappers",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {
-            "allowed-protocol-mapper-types": [
-              "saml-user-attribute-mapper",
-              "oidc-address-mapper",
-              "oidc-sha256-pairwise-sub-mapper",
-              "oidc-usermodel-property-mapper",
-              "oidc-full-name-mapper",
-              "oidc-usermodel-attribute-mapper",
-              "saml-user-property-mapper",
-              "saml-role-list-mapper"
-            ]
-          }
-        },
-        {
-          "id": "d045f3f9-15e6-4e69-a419-0e7ff8a635ef",
-          "name": "Consent Required",
-          "providerId": "consent-required",
-          "subType": "anonymous",
-          "subComponents": {},
-          "config": {}
-        }
-      ],
-      "org.keycloak.keys.KeyProvider": [
-        {
-          "id": "62707fae-58f9-4fc2-89fb-0c5d212dc3dc",
-          "name": "rsa-generated",
-          "providerId": "rsa-generated",
-          "subComponents": {},
-          "config": {
-            "priority": ["100"]
-          }
-        },
-        {
-          "id": "4a8480bc-96fd-4906-a907-f948a73bab38",
-          "name": "hmac-generated",
-          "providerId": "hmac-generated",
-          "subComponents": {},
-          "config": {
-            "priority": ["100"],
-            "algorithm": ["HS256"]
-          }
-        },
-        {
-          "id": "40c01a32-0c0b-4dbb-9595-e5a5c8d26bc4",
-          "name": "aes-generated",
-          "providerId": "aes-generated",
-          "subComponents": {},
-          "config": {
-            "priority": ["100"]
-          }
-        }
-      ]
+    "protocolMappers" : [ {
+      "id" : "2e3f7745-7197-4d9e-ab0a-e7f85bcf6678",
+      "name" : "allowed web origins",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-allowed-origins-mapper",
+      "consentRequired" : false,
+      "config" : { }
+    } ]
+  }, {
+    "id" : "4833e1b5-8300-449c-b2d0-c8f4436b996a",
+    "name" : "offline_access",
+    "description" : "OpenID Connect built-in scope: offline_access",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "consent.screen.text" : "${offlineAccessScopeConsentText}",
+      "display.on.consent.screen" : "true"
+    }
+  }, {
+    "id" : "af993910-73df-40d2-bb26-3dadf6c9920a",
+    "name" : "phone",
+    "description" : "OpenID Connect built-in scope: phone",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${phoneScopeConsentText}"
     },
-    "internationalizationEnabled": false,
-    "supportedLocales": [],
-    "authenticationFlows": [
-      {
-        "id": "491fbbc9-b70b-45bd-8243-2039ae3f115d",
-        "alias": "Account verification options",
-        "description": "Method with which to verity the existing account",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "idp-email-verification",
-            "requirement": "ALTERNATIVE",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "ALTERNATIVE",
-            "priority": 20,
-            "flowAlias": "Verify Existing Account by Re-authentication",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "2c63ad60-76ab-4350-9def-74328bab70d0",
-        "alias": "Authentication Options",
-        "description": "Authentication options.",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "basic-auth",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "basic-auth-otp",
-            "requirement": "DISABLED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "auth-spnego",
-            "requirement": "DISABLED",
-            "priority": 30,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "82b9b584-2243-4893-b58c-4567f34434a6",
-        "alias": "Browser - Conditional OTP",
-        "description": "Flow to determine if the OTP is required for the authentication",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "conditional-user-configured",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "auth-otp-form",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "e70e7c74-8ab5-411c-b06c-d478a452bee3",
-        "alias": "Direct Grant - Conditional OTP",
-        "description": "Flow to determine if the OTP is required for the authentication",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "conditional-user-configured",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "direct-grant-validate-otp",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "4f3e6fdd-9b4d-4dc0-946a-1e1ccae7af71",
-        "alias": "First broker login - Conditional OTP",
-        "description": "Flow to determine if the OTP is required for the authentication",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "conditional-user-configured",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "auth-otp-form",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "aa66c794-f21b-4663-9de1-9e27a7e425ab",
-        "alias": "Handle Existing Account",
-        "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "idp-confirm-link",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "flowAlias": "Account verification options",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "2d4499a0-399c-4b6c-970c-7b441498f7b9",
-        "alias": "Reset - Conditional OTP",
-        "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "conditional-user-configured",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "reset-otp",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "710f4172-56a5-466e-bc75-ad7405ff62b5",
-        "alias": "User creation or linking",
-        "description": "Flow for the existing/non-existing user alternatives",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticatorConfig": "create unique user config",
-            "authenticator": "idp-create-user-if-unique",
-            "requirement": "ALTERNATIVE",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "ALTERNATIVE",
-            "priority": 20,
-            "flowAlias": "Handle Existing Account",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "da7d3a39-7077-4354-9ffc-5b9f79fbaf0d",
-        "alias": "Verify Existing Account by Re-authentication",
-        "description": "Reauthentication of existing account",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "idp-username-password-form",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "CONDITIONAL",
-            "priority": 20,
-            "flowAlias": "First broker login - Conditional OTP",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "6285968e-6200-463a-a329-8c60bc8fe9fc",
-        "alias": "browser",
-        "description": "browser based authentication",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "auth-cookie",
-            "requirement": "ALTERNATIVE",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "auth-spnego",
-            "requirement": "DISABLED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "identity-provider-redirector",
-            "requirement": "ALTERNATIVE",
-            "priority": 25,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "ALTERNATIVE",
-            "priority": 30,
-            "flowAlias": "forms",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "10393f04-3922-40db-a622-2655dfcae45d",
-        "alias": "clients",
-        "description": "Base authentication for clients",
-        "providerId": "client-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "client-secret",
-            "requirement": "ALTERNATIVE",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "client-jwt",
-            "requirement": "ALTERNATIVE",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "client-secret-jwt",
-            "requirement": "ALTERNATIVE",
-            "priority": 30,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "client-x509",
-            "requirement": "ALTERNATIVE",
-            "priority": 40,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "4e5e164e-3c7e-4ca5-a10c-d7b817a7d468",
-        "alias": "direct grant",
-        "description": "OpenID Connect Resource Owner Grant",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "direct-grant-validate-username",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "direct-grant-validate-password",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "CONDITIONAL",
-            "priority": 30,
-            "flowAlias": "Direct Grant - Conditional OTP",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "80f88b0b-70de-4e4c-ae56-0293558301c5",
-        "alias": "docker auth",
-        "description": "Used by Docker clients to authenticate against the IDP",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "docker-http-basic-authenticator",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "821af41a-6e77-4e8c-85a6-0280d5268909",
-        "alias": "first broker login",
-        "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticatorConfig": "review profile config",
-            "authenticator": "idp-review-profile",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "flowAlias": "User creation or linking",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "c4058fb0-ad93-4595-96ef-7d4bc5cbef4d",
-        "alias": "forms",
-        "description": "Username, password, otp and other auth forms.",
-        "providerId": "basic-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "auth-username-password-form",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "CONDITIONAL",
-            "priority": 20,
-            "flowAlias": "Browser - Conditional OTP",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "a2a1d056-2521-498f-b345-b7db56f9342c",
-        "alias": "http challenge",
-        "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "no-cookie-redirect",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "flowAlias": "Authentication Options",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "13e68e1b-4b44-4f21-a253-5b2dea24404b",
-        "alias": "registration",
-        "description": "registration flow",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "registration-page-form",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "flowAlias": "registration form",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "e7588789-22d4-459b-96d6-1b480520f487",
-        "alias": "registration form",
-        "description": "registration form",
-        "providerId": "form-flow",
-        "topLevel": false,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "registration-user-creation",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "registration-profile-action",
-            "requirement": "REQUIRED",
-            "priority": 40,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "registration-password-action",
-            "requirement": "REQUIRED",
-            "priority": 50,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "registration-recaptcha-action",
-            "requirement": "DISABLED",
-            "priority": 60,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
-      },
-      {
-        "id": "8dc399ef-cf7d-46d5-9688-678c146ea8c4",
-        "alias": "reset credentials",
-        "description": "Reset credentials for a user if they forgot their password or something",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "reset-credentials-choose-user",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "reset-credential-email",
-            "requirement": "REQUIRED",
-            "priority": 20,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "authenticator": "reset-password",
-            "requirement": "REQUIRED",
-            "priority": 30,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          },
-          {
-            "requirement": "CONDITIONAL",
-            "priority": 40,
-            "flowAlias": "Reset - Conditional OTP",
-            "userSetupAllowed": false,
-            "autheticatorFlow": true
-          }
-        ]
-      },
-      {
-        "id": "47ab5a7a-f67a-4a66-bdac-932ee230000d",
-        "alias": "saml ecp",
-        "description": "SAML ECP Profile Authentication Flow",
-        "providerId": "basic-flow",
-        "topLevel": true,
-        "builtIn": true,
-        "authenticationExecutions": [
-          {
-            "authenticator": "http-basic-authenticator",
-            "requirement": "REQUIRED",
-            "priority": 10,
-            "userSetupAllowed": false,
-            "autheticatorFlow": false
-          }
-        ]
+    "protocolMappers" : [ {
+      "id" : "6762dbdc-88e3-4410-93ac-2b4527c2aebe",
+      "name" : "phone number verified",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "phoneNumberVerified",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "phone_number_verified",
+        "jsonType.label" : "boolean"
       }
-    ],
-    "authenticatorConfig": [
-      {
-        "id": "b12be521-4e2b-42f0-a1a2-f1ba47ab4854",
-        "alias": "create unique user config",
-        "config": {
-          "require.password.update.after.registration": "false"
-        }
-      },
-      {
-        "id": "58bf2d56-1c45-4acc-9005-23b978d961d7",
-        "alias": "review profile config",
-        "config": {
-          "update.profile.on.first.login": "missing"
-        }
+    }, {
+      "id" : "4e36e050-92cd-42e0-a04a-27fd101a4d95",
+      "name" : "phone number",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "phoneNumber",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "phone_number",
+        "jsonType.label" : "String"
       }
-    ],
-    "requiredActions": [
-      {
-        "alias": "CONFIGURE_TOTP",
-        "name": "Configure OTP",
-        "providerId": "CONFIGURE_TOTP",
-        "enabled": true,
-        "defaultAction": false,
-        "priority": 10,
-        "config": {}
-      },
-      {
-        "alias": "terms_and_conditions",
-        "name": "Terms and Conditions",
-        "providerId": "terms_and_conditions",
-        "enabled": false,
-        "defaultAction": false,
-        "priority": 20,
-        "config": {}
-      },
-      {
-        "alias": "UPDATE_PASSWORD",
-        "name": "Update Password",
-        "providerId": "UPDATE_PASSWORD",
-        "enabled": true,
-        "defaultAction": false,
-        "priority": 30,
-        "config": {}
-      },
-      {
-        "alias": "UPDATE_PROFILE",
-        "name": "Update Profile",
-        "providerId": "UPDATE_PROFILE",
-        "enabled": true,
-        "defaultAction": false,
-        "priority": 40,
-        "config": {}
-      },
-      {
-        "alias": "VERIFY_EMAIL",
-        "name": "Verify Email",
-        "providerId": "VERIFY_EMAIL",
-        "enabled": true,
-        "defaultAction": false,
-        "priority": 50,
-        "config": {}
-      },
-      {
-        "alias": "delete_account",
-        "name": "Delete Account",
-        "providerId": "delete_account",
-        "enabled": false,
-        "defaultAction": false,
-        "priority": 60,
-        "config": {}
-      },
-      {
-        "alias": "update_user_locale",
-        "name": "Update User Locale",
-        "providerId": "update_user_locale",
-        "enabled": true,
-        "defaultAction": false,
-        "priority": 1000,
-        "config": {}
+    } ]
+  }, {
+    "id" : "3b007656-87ab-4236-a838-2cd1534c68fe",
+    "name" : "address",
+    "description" : "OpenID Connect built-in scope: address",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${addressScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "138498ed-dec2-4530-8d57-53fceef22090",
+      "name" : "address",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-address-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.attribute.formatted" : "formatted",
+        "user.attribute.country" : "country",
+        "user.attribute.postal_code" : "postal_code",
+        "userinfo.token.claim" : "true",
+        "user.attribute.street" : "street",
+        "id.token.claim" : "true",
+        "user.attribute.region" : "region",
+        "access.token.claim" : "true",
+        "user.attribute.locality" : "locality"
+      }
+    } ]
+  }, {
+    "id" : "32f645bd-fdf7-4ab8-9696-0e00600f29ca",
+    "name" : "email",
+    "description" : "OpenID Connect built-in scope: email",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${emailScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "1d70f12b-9c9f-4cbb-97f7-85b0b9a9b10e",
+      "name" : "email",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "email",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "email",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "2ef7503e-0718-4ef2-a989-c36b7b79ba01",
+      "name" : "email verified",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "emailVerified",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "email_verified",
+        "jsonType.label" : "boolean"
       }
-    ],
-    "browserFlow": "browser",
-    "registrationFlow": "registration",
-    "directGrantFlow": "direct grant",
-    "resetCredentialsFlow": "reset credentials",
-    "clientAuthenticationFlow": "clients",
-    "dockerAuthenticationFlow": "docker auth",
-    "attributes": {
-      "clientOfflineSessionMaxLifespan": "0",
-      "clientSessionIdleTimeout": "0",
-      "clientSessionMaxLifespan": "0",
-      "clientOfflineSessionIdleTimeout": "0"
+    } ]
+  }, {
+    "id" : "75921190-ece6-4fef-9072-ec7a43c6cbcf",
+    "name" : "profile",
+    "description" : "OpenID Connect built-in scope: profile",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${profileScopeConsentText}"
     },
-    "keycloakVersion": "12.0.4",
-    "userManagedAccessAllowed": false
-  }
\ No newline at end of file
+    "protocolMappers" : [ {
+      "id" : "15ef0a0c-6bff-43d7-92bd-ce0d1ef7c57d",
+      "name" : "zoneinfo",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "zoneinfo",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "zoneinfo",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "083c31ce-2914-41bb-9c4d-ab77922b5300",
+      "name" : "locale",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "locale",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "locale",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "875a3ec8-d561-47ba-95ff-5ceec90fbd89",
+      "name" : "profile",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "profile",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "profile",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "0e4888d1-5957-470d-805d-8e361a06bc4f",
+      "name" : "birthdate",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "birthdate",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "birthdate",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "f8b47626-fa53-4546-8ad9-92e124295f28",
+      "name" : "website",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "website",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "website",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "aadddefc-1f31-41af-8d01-93b1a8fb8f52",
+      "name" : "given name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "firstName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "given_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "2c47df6f-0aa6-4fa2-a639-e357d1b11efe",
+      "name" : "full name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-full-name-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "userinfo.token.claim" : "true"
+      }
+    }, {
+      "id" : "2681202c-12cd-42c3-a2af-32a0f2b960c7",
+      "name" : "picture",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "picture",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "picture",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "ad31b24e-8f1d-4116-91d4-d461e9de2e81",
+      "name" : "username",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "username",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "preferred_username",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "1e939ee6-d1fb-4718-b761-0646e48333a3",
+      "name" : "updated at",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "updatedAt",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "updated_at",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "d5c31ca9-84ff-4f70-bc23-1ff05c71cd57",
+      "name" : "gender",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "gender",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "gender",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "8412fde2-a180-46c2-b8f5-7e2f1a9c1831",
+      "name" : "family name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "lastName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "family_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "a7bfbea0-0ea6-4135-b787-b72f073661c2",
+      "name" : "middle name",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "middleName",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "middle_name",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "ccd463f7-6f71-471f-a9d1-a67236349b80",
+      "name" : "nickname",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-attribute-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "nickname",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "nickname",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "6a64e6e8-4083-4ec1-a3c9-a93d953168e4",
+    "name" : "microprofile-jwt",
+    "description" : "Microprofile - JWT built-in scope",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "true",
+      "display.on.consent.screen" : "false"
+    },
+    "protocolMappers" : [ {
+      "id" : "e3c86445-5352-4c09-b8d0-ac70e5508619",
+      "name" : "upn",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-property-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "userinfo.token.claim" : "true",
+        "user.attribute" : "username",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "upn",
+        "jsonType.label" : "String"
+      }
+    }, {
+      "id" : "14ae13af-14a1-4d93-b1f9-638d90cba93c",
+      "name" : "groups",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "multivalued" : "true",
+        "user.attribute" : "foo",
+        "id.token.claim" : "true",
+        "access.token.claim" : "true",
+        "claim.name" : "groups",
+        "jsonType.label" : "String"
+      }
+    } ]
+  }, {
+    "id" : "01113fef-1410-488d-b25f-7aeed7901d19",
+    "name" : "roles",
+    "description" : "OpenID Connect scope for add user roles to the access token",
+    "protocol" : "openid-connect",
+    "attributes" : {
+      "include.in.token.scope" : "false",
+      "display.on.consent.screen" : "true",
+      "consent.screen.text" : "${rolesScopeConsentText}"
+    },
+    "protocolMappers" : [ {
+      "id" : "b7b23545-fbde-47f2-8d8e-44e30f221b15",
+      "name" : "client roles",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-client-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.attribute" : "foo",
+        "access.token.claim" : "true",
+        "claim.name" : "resource_access.${client_id}.roles",
+        "jsonType.label" : "String",
+        "multivalued" : "true"
+      }
+    }, {
+      "id" : "bc1fd07f-c180-4a5c-bcf5-c1a654a6923b",
+      "name" : "realm roles",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-usermodel-realm-role-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "user.attribute" : "foo",
+        "access.token.claim" : "true",
+        "claim.name" : "realm_access.roles",
+        "jsonType.label" : "String",
+        "multivalued" : "true"
+      }
+    }, {
+      "id" : "928b5d2c-d203-498f-931f-981f1959b68d",
+      "name" : "audience resolve",
+      "protocol" : "openid-connect",
+      "protocolMapper" : "oidc-audience-resolve-mapper",
+      "consentRequired" : false,
+      "config" : { }
+    } ]
+  }, {
+    "id" : "1c4c67a9-4e0d-4fe2-a816-a39df23571ed",
+    "name" : "role_list",
+    "description" : "SAML role list",
+    "protocol" : "saml",
+    "attributes" : {
+      "consent.screen.text" : "${samlRoleListScopeConsentText}",
+      "display.on.consent.screen" : "true"
+    },
+    "protocolMappers" : [ {
+      "id" : "2ff8cc7c-7ec7-4a1a-bd3c-8605df24b100",
+      "name" : "role list",
+      "protocol" : "saml",
+      "protocolMapper" : "saml-role-list-mapper",
+      "consentRequired" : false,
+      "config" : {
+        "single" : "false",
+        "attribute.nameformat" : "Basic",
+        "attribute.name" : "Role"
+      }
+    } ]
+  } ],
+  "defaultDefaultClientScopes" : [ "roles", "web-origins", "role_list", "email", "profile" ],
+  "defaultOptionalClientScopes" : [ "address", "offline_access", "microprofile-jwt", "phone" ],
+  "browserSecurityHeaders" : {
+    "contentSecurityPolicyReportOnly" : "",
+    "xContentTypeOptions" : "nosniff",
+    "xRobotsTag" : "none",
+    "xFrameOptions" : "SAMEORIGIN",
+    "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "xXSSProtection" : "1; mode=block",
+    "strictTransportSecurity" : "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer" : { },
+  "eventsEnabled" : false,
+  "eventsListeners" : [ "jboss-logging" ],
+  "enabledEventTypes" : [ ],
+  "adminEventsEnabled" : false,
+  "adminEventsDetailsEnabled" : false,
+  "identityProviders" : [ ],
+  "identityProviderMappers" : [ ],
+  "components" : {
+    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
+      "id" : "cb98426c-c22e-403f-89b4-10e18c76cdba",
+      "name" : "Allowed Protocol Mapper Types",
+      "providerId" : "allowed-protocol-mappers",
+      "subType" : "authenticated",
+      "subComponents" : { },
+      "config" : {
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-address-mapper", "saml-user-attribute-mapper" ]
+      }
+    }, {
+      "id" : "6e3438f1-6ba6-46a7-95ec-f826678365e4",
+      "name" : "Trusted Hosts",
+      "providerId" : "trusted-hosts",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "host-sending-registration-request-must-match" : [ "true" ],
+        "client-uris-must-match" : [ "true" ]
+      }
+    }, {
+      "id" : "c49e802e-635c-4620-a0fa-36fbc70af1dd",
+      "name" : "Allowed Protocol Mapper Types",
+      "providerId" : "allowed-protocol-mappers",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "allowed-protocol-mapper-types" : [ "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "oidc-full-name-mapper" ]
+      }
+    }, {
+      "id" : "236aa5b7-38c8-474b-b701-031cad0028b6",
+      "name" : "Allowed Client Scopes",
+      "providerId" : "allowed-client-templates",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "allow-default-scopes" : [ "true" ]
+      }
+    }, {
+      "id" : "54fae3ff-6546-4a8b-9c12-e2695d63da3e",
+      "name" : "Max Clients Limit",
+      "providerId" : "max-clients",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : {
+        "max-clients" : [ "200" ]
+      }
+    }, {
+      "id" : "b2bfe8a9-172f-4eb1-a2b6-74271d7e29d2",
+      "name" : "Consent Required",
+      "providerId" : "consent-required",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : { }
+    }, {
+      "id" : "c57b1267-1fd5-48d7-9037-7268b3a9fc29",
+      "name" : "Full Scope Disabled",
+      "providerId" : "scope",
+      "subType" : "anonymous",
+      "subComponents" : { },
+      "config" : { }
+    }, {
+      "id" : "f7410942-879d-478a-a55f-54fce498006b",
+      "name" : "Allowed Client Scopes",
+      "providerId" : "allowed-client-templates",
+      "subType" : "authenticated",
+      "subComponents" : { },
+      "config" : {
+        "allow-default-scopes" : [ "true" ]
+      }
+    } ],
+    "org.keycloak.keys.KeyProvider" : [ {
+      "id" : "18ee30c5-98da-4b16-af67-838c6bf71d3a",
+      "name" : "hmac-generated",
+      "providerId" : "hmac-generated",
+      "subComponents" : { },
+      "config" : {
+        "kid" : [ "5a87e94a-16a3-45c7-8210-a03b3b2b6dad" ],
+        "secret" : [ "qoYms3VN1xY6dBsRXslDNy_i9Cb4tmuZPwN6kro2USJAXqQvdxGRzbGdqkZCACB7_GD26WEB95Ihr_hoQW1Inw" ],
+        "priority" : [ "100" ],
+        "algorithm" : [ "HS256" ]
+      }
+    }, {
+      "id" : "f02f63df-0790-4c5e-a761-a57380dfa9dd",
+      "name" : "rsa-enc-generated",
+      "providerId" : "rsa-enc-generated",
+      "subComponents" : { },
+      "config" : {
+        "privateKey" : [ "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" ],
+        "keyUse" : [ "ENC" ],
+        "certificate" : [ "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" ],
+        "priority" : [ "100" ],
+        "algorithm" : [ "RSA-OAEP" ]
+      }
+    }, {
+      "id" : "9b740a6f-767f-4303-9275-b7f7509dc6bb",
+      "name" : "rsa-generated",
+      "providerId" : "rsa-generated",
+      "subComponents" : { },
+      "config" : {
+        "privateKey" : [ "MIIEpAIBAAKCAQEAq5v6XSK+VtpxrWBE/Jh7L6hJ/kfJGkHlmkMCSWorzyw4V77wnBo+BGcX5CTFGx7k8fc4UHV2GSIa7Wt8/qEUtSOyg+G7cTe3JttwTKnwoqgGwycRFKBDu8+V3vQxgWlJKzIC2CxuXrhQf2uNLjDPrXihEZZBQmLaEzuuEEN1hySmb0MrLpYshsQ7GpYCwXOHHjrZ4t71e4/2uECNh3Kxoy1wo26RuCDjcI2nCO/a1LFKWtc+6V5p5n/WpuFc556Exs90dk5zHUw/3D9siDc7OrN/udtd67E+KqTgtzBUoWETwDAY5NcoOSogV45R1iFRGt2pOTBoRBcDxhsq1dkhhQIDAQABAoIBAByQuSsZpm9Uq0l91d3qD89OBwsRrfL19x8nelD4IFS6+qH4gZqqb5pSAtMSH9E04k04pqIV+1ORrsPIeaT08Tp5t7RmNcpRyOXp7xaDzy90IrQHY7t4Ne4kTsEvCrKM8QYErB6JvtF7gsLDB1wh+d/ZTY5c4X4IcF51N7MzV3PoKo0GP5RQB8/SzcvGwwu5Bc0XKsh9FXuHX2MntZs94+/9z3EYPV0NINtaBwI4T0fpnCfxOKq9+biy1ePJKqwH/CUvMjDJS0cJDo8HR5vOloCxjQZvE9DQqY3HAb7mrFlST5umPzoitKGjD4AGbuF/o7SurRsJBKCyZWNAUSBfrgECgYEA7YBhsjltgkOEqrja5kZcIiCPXHtPWhChMDuZjGGTUNI4cHLUFCJ2EJljWHAK/RAK83+9Lx+EC6J0Qmh1kNyiQPvIG7V5DX+vSvS0eOHvHb1iAlRnXwQLLZEgPq1KBet2MADlKuo4Uc9mWJSAHQGRbyXZCC5qjihJHJ9fuckYmgUCgYEAuPnAKKoS9I/sbgk/a+2hrCPH40JAdDy01m6X679Pi6tke0ybXx4pl/9v5rojmtvib7G+jNIfKYUbE62DCr3hoDOczF/5dski5D2xhC4ObSclkQPUHDGs6JQPhWNGa/9UcfsW9BJG0Z4sanSnfn6RNyhgydWSEYtFdvDn+QwrgYECgYEA0mbYpfZgQHWmM0RekIAmoQktWCXZr5Vp5vv11Lqgson5/AyOO2QoKh5pN3DTG0u6F+vDYtrNtSzvR+GYvYPorh8gMQP8wOusFIBi3XBy0Gr1R9EUXsWLTYvy//Ouzz3Az1gLrZAf4sIVDkZIlOnNuKTT935/YX7o/lVmjYVMqS0CgYEAoLa2Q16Je510saItTWu49WRdLtIISDXadRi/vF+LEHIIqqxDrl/5iYuxQQlnGAyF77/CLH3//0Yb4Xv3CCU0XMmbKWMVzyQwwZfsnUia1jGWDSoDZ7+tWKIT3jQEIp9EUofzSHp8t3Gza4cRY/E54G+fsJ1z/PRBlXb4RcVSI4ECgYA8l/2a43vaZ09e7XH2a45TCx6OZHZ5ozYL4BoM3mv8ANvNO9LMx36a0leaTeuXcseirL0tvxxkHJkFLZOHIbActKI1pEnOQK/j3SWZy/L2jFWPTNsYZxq+ewyataNwEchggs+wwE0tt0zFp3I8es4bZXcYeQOoO/EdTHArcnxu3g==" ],
+        "keyUse" : [ "SIG" ],
+        "certificate" : [ "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" ],
+        "priority" : [ "100" ]
+      }
+    }, {
+      "id" : "8cc3851f-ea1a-4549-ac09-00ea10ffde62",
+      "name" : "aes-generated",
+      "providerId" : "aes-generated",
+      "subComponents" : { },
+      "config" : {
+        "kid" : [ "49ddfd6e-fb09-471e-97be-6429d0077d68" ],
+        "secret" : [ "6ntz9s3PoavLavEpQ7BGAw" ],
+        "priority" : [ "100" ]
+      }
+    } ]
+  },
+  "internationalizationEnabled" : false,
+  "supportedLocales" : [ ],
+  "authenticationFlows" : [ {
+    "id" : "551a46b5-2605-463d-b7ca-69bc96f63a2e",
+    "alias" : "Account verification options",
+    "description" : "Method with which to verity the existing account",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-email-verification",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "flowAlias" : "Verify Existing Account by Re-authentication",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "ae4bf7ab-eb87-46aa-91cd-4f2e8d6b1cf1",
+    "alias" : "Authentication Options",
+    "description" : "Authentication options.",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "basic-auth",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "basic-auth-otp",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "auth-spnego",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 30,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "425e572d-b52b-4458-ad67-13c18de24770",
+    "alias" : "Browser - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "auth-otp-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "37e27bef-9097-43e4-affe-bc286b57be9c",
+    "alias" : "Direct Grant - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "direct-grant-validate-otp",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "b3746a40-8bd6-4207-ba38-fe67bd18dd08",
+    "alias" : "First broker login - Conditional OTP",
+    "description" : "Flow to determine if the OTP is required for the authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "auth-otp-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "442f143d-9039-4bc7-ae15-6cfd3ab19ec0",
+    "alias" : "Handle Existing Account",
+    "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-confirm-link",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "flowAlias" : "Account verification options",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "a7435a23-970b-411f-8c67-250f9d2f7ea1",
+    "alias" : "Reset - Conditional OTP",
+    "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "conditional-user-configured",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "reset-otp",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "69706849-0b76-40cc-9ab4-cf01f8b201cb",
+    "alias" : "User creation or linking",
+    "description" : "Flow for the existing/non-existing user alternatives",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticatorConfig" : "create unique user config",
+      "authenticator" : "idp-create-user-if-unique",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "flowAlias" : "Handle Existing Account",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "28de8d6f-9edb-44b9-b02a-e4091b6bdc0d",
+    "alias" : "Verify Existing Account by Re-authentication",
+    "description" : "Reauthentication of existing account",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "idp-username-password-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 20,
+      "flowAlias" : "First broker login - Conditional OTP",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "d538865a-cb37-4ce9-ae70-ff4ac94165e6",
+    "alias" : "browser",
+    "description" : "browser based authentication",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "auth-cookie",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "auth-spnego",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "identity-provider-redirector",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 25,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 30,
+      "flowAlias" : "forms",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "0f6c83d0-1fe3-47a5-bf3a-b70e75ab946c",
+    "alias" : "clients",
+    "description" : "Base authentication for clients",
+    "providerId" : "client-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "client-secret",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "client-jwt",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "client-secret-jwt",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 30,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "client-x509",
+      "authenticatorFlow" : false,
+      "requirement" : "ALTERNATIVE",
+      "priority" : 40,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "02380d42-deee-415f-b4b2-7f154dcf1c39",
+    "alias" : "direct grant",
+    "description" : "OpenID Connect Resource Owner Grant",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "direct-grant-validate-username",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "direct-grant-validate-password",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 30,
+      "flowAlias" : "Direct Grant - Conditional OTP",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "1faee034-05b4-43d2-ab4c-30d9c5e42192",
+    "alias" : "docker auth",
+    "description" : "Used by Docker clients to authenticate against the IDP",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "docker-http-basic-authenticator",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "11ad747f-d588-48e6-8b77-fde6e63fba29",
+    "alias" : "first broker login",
+    "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticatorConfig" : "review profile config",
+      "authenticator" : "idp-review-profile",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "flowAlias" : "User creation or linking",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "cf88f546-f38c-4eaf-9f79-2b4ffad6fcc1",
+    "alias" : "forms",
+    "description" : "Username, password, otp and other auth forms.",
+    "providerId" : "basic-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "auth-username-password-form",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 20,
+      "flowAlias" : "Browser - Conditional OTP",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "910736f3-16e4-4c68-8951-fb6b3fee3113",
+    "alias" : "http challenge",
+    "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "no-cookie-redirect",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "flowAlias" : "Authentication Options",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "40845ac6-baca-4f44-bd7e-fcf4c1e9e14d",
+    "alias" : "registration",
+    "description" : "registration flow",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "registration-page-form",
+      "authenticatorFlow" : true,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "flowAlias" : "registration form",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "3ee14025-6706-4788-ab78-bc872b89df13",
+    "alias" : "registration form",
+    "description" : "registration form",
+    "providerId" : "form-flow",
+    "topLevel" : false,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "registration-user-creation",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "registration-profile-action",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 40,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "registration-password-action",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 50,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "registration-recaptcha-action",
+      "authenticatorFlow" : false,
+      "requirement" : "DISABLED",
+      "priority" : 60,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  }, {
+    "id" : "65942830-514f-4d58-8b21-2f1e78ede1e9",
+    "alias" : "reset credentials",
+    "description" : "Reset credentials for a user if they forgot their password or something",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "reset-credentials-choose-user",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "reset-credential-email",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 20,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticator" : "reset-password",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 30,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    }, {
+      "authenticatorFlow" : true,
+      "requirement" : "CONDITIONAL",
+      "priority" : 40,
+      "flowAlias" : "Reset - Conditional OTP",
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : true
+    } ]
+  }, {
+    "id" : "4abca537-091b-4020-9990-a0e625334335",
+    "alias" : "saml ecp",
+    "description" : "SAML ECP Profile Authentication Flow",
+    "providerId" : "basic-flow",
+    "topLevel" : true,
+    "builtIn" : true,
+    "authenticationExecutions" : [ {
+      "authenticator" : "http-basic-authenticator",
+      "authenticatorFlow" : false,
+      "requirement" : "REQUIRED",
+      "priority" : 10,
+      "userSetupAllowed" : false,
+      "autheticatorFlow" : false
+    } ]
+  } ],
+  "authenticatorConfig" : [ {
+    "id" : "d2dc83bf-7aa0-4d27-88a6-17f47e892e85",
+    "alias" : "create unique user config",
+    "config" : {
+      "require.password.update.after.registration" : "false"
+    }
+  }, {
+    "id" : "07500a9d-d6a6-43c2-80c6-8fbb8da82056",
+    "alias" : "review profile config",
+    "config" : {
+      "update.profile.on.first.login" : "missing"
+    }
+  } ],
+  "requiredActions" : [ {
+    "alias" : "CONFIGURE_TOTP",
+    "name" : "Configure OTP",
+    "providerId" : "CONFIGURE_TOTP",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 10,
+    "config" : { }
+  }, {
+    "alias" : "terms_and_conditions",
+    "name" : "Terms and Conditions",
+    "providerId" : "terms_and_conditions",
+    "enabled" : false,
+    "defaultAction" : false,
+    "priority" : 20,
+    "config" : { }
+  }, {
+    "alias" : "UPDATE_PASSWORD",
+    "name" : "Update Password",
+    "providerId" : "UPDATE_PASSWORD",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 30,
+    "config" : { }
+  }, {
+    "alias" : "UPDATE_PROFILE",
+    "name" : "Update Profile",
+    "providerId" : "UPDATE_PROFILE",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 40,
+    "config" : { }
+  }, {
+    "alias" : "VERIFY_EMAIL",
+    "name" : "Verify Email",
+    "providerId" : "VERIFY_EMAIL",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 50,
+    "config" : { }
+  }, {
+    "alias" : "delete_account",
+    "name" : "Delete Account",
+    "providerId" : "delete_account",
+    "enabled" : false,
+    "defaultAction" : false,
+    "priority" : 60,
+    "config" : { }
+  }, {
+    "alias" : "update_user_locale",
+    "name" : "Update User Locale",
+    "providerId" : "update_user_locale",
+    "enabled" : true,
+    "defaultAction" : false,
+    "priority" : 1000,
+    "config" : { }
+  } ],
+  "browserFlow" : "browser",
+  "registrationFlow" : "registration",
+  "directGrantFlow" : "direct grant",
+  "resetCredentialsFlow" : "reset credentials",
+  "clientAuthenticationFlow" : "clients",
+  "dockerAuthenticationFlow" : "docker auth",
+  "attributes" : {
+    "cibaBackchannelTokenDeliveryMode" : "poll",
+    "cibaExpiresIn" : "120",
+    "cibaAuthRequestedUserHint" : "login_hint",
+    "oauth2DeviceCodeLifespan" : "600",
+    "oauth2DevicePollingInterval" : "5",
+    "parRequestUriLifespan" : "60",
+    "cibaInterval" : "5"
+  },
+  "keycloakVersion" : "16.1.1",
+  "userManagedAccessAllowed" : false,
+  "clientProfiles" : {
+    "profiles" : [ ]
+  },
+  "clientPolicies" : {
+    "policies" : [ ]
+  }
+}
\ No newline at end of file
diff --git a/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/users.json b/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/users.json
index 8d199a34b36c007c425e7c617c17cd3502419ec6..fba165a1f32c8b38879912be30762bf5c1ea8046 100755
--- a/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/users.json
+++ b/git/keycloak/data/keycloak-setup/192.168.56.1.nip.io/users.json
@@ -1,61 +1,47 @@
 {
-  "realm": "jhipster",
-  "users": [
-    {
-      "id": "4c973896-5761-41fc-8217-07c5d13a004b",
-      "createdTimestamp": 1505479415590,
-      "username": "admin",
-      "enabled": true,
-      "totp": false,
-      "emailVerified": true,
-      "firstName": "Admin",
-      "lastName": "Administrator",
-      "email": "admin@localhost",
-      "credentials": [
-        {
-          "id": "b860462b-9b02-48ba-9523-d3a8926a917b",
-          "type": "password",
-          "createdDate": 1505479429154,
-          "secretData": "{\"value\":\"4pf9K2jWSCcHC+CwsZP/qidN5pSmDUe6AX6wBerSGdBVKkExay8MWKx+EKmaaObZW6FVsD8vdW/ZsyUFD9gJ1Q==\",\"salt\":\"1/qNkZ5kr77jOMOBPBogGw==\"}",
-          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
-        }
-      ],
-      "disableableCredentialTypes": [],
-      "requiredActions": [],
-      "realmRoles": ["offline_access", "uma_authorization"],
-      "clientRoles": {
-        "account": ["view-profile", "manage-account"]
-      },
-      "notBefore": 0,
-      "groups": ["/Admins", "/Users"]
-    },
-    {
-      "id": "c4af4e2f-b432-4c3b-8405-cca86cd5b97b",
-      "createdTimestamp": 1505479373742,
-      "username": "user",
-      "enabled": true,
-      "totp": false,
-      "emailVerified": true,
-      "firstName": "",
-      "lastName": "User",
-      "email": "user@localhost",
-      "credentials": [
-        {
-          "id": "7821832b-1e82-45a2-b8d3-f1a6ad909e64",
-          "type": "password",
-          "createdDate": 1505479392766,
-          "secretData": "{\"value\":\"MbKsMgWPnZyImih8s4SaoCSCq+XIY/c6S9F93sXEidHF1TjPWxCqMkec0+o3860CMLXHt3az61cIJOWI0FW9aw==\",\"salt\":\"fmpBI1r8R1u75hDLMUlwBw==\"}",
-          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
-        }
-      ],
-      "disableableCredentialTypes": [],
-      "requiredActions": [],
-      "realmRoles": ["offline_access", "uma_authorization"],
-      "clientRoles": {
-        "account": ["view-profile", "manage-account"]
-      },
-      "notBefore": 0,
-      "groups": ["/Users"]
-    }
-  ]
+  "users" : [ {
+    "id" : "4dab5526-cdc8-4d63-bd4e-956c3c153bb0",
+    "createdTimestamp" : 1677055899000,
+    "username" : "admin",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : true,
+    "firstName" : "Admin",
+    "lastName" : "Administrator",
+    "email" : "admin@euve.eu",
+    "credentials" : [ {
+      "id" : "b860462b-9b02-48ba-9523-d3a8926a917b",
+      "type" : "password",
+      "createdDate" : 1505479429154,
+      "secretData" : "{\"value\":\"4pf9K2jWSCcHC+CwsZP/qidN5pSmDUe6AX6wBerSGdBVKkExay8MWKx+EKmaaObZW6FVsD8vdW/ZsyUFD9gJ1Q==\",\"salt\":\"1/qNkZ5kr77jOMOBPBogGw==\"}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "offline_access", "default-roles-euve", "uma_authorization" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  }, {
+    "id" : "257bb10d-e3c3-4289-a52b-c623408eab49",
+    "createdTimestamp" : 1677028667934,
+    "username" : "user",
+    "enabled" : true,
+    "totp" : false,
+    "emailVerified" : true,
+    "firstName" : "",
+    "lastName" : "User",
+    "email" : "user@euve.eu",
+    "credentials" : [ {
+      "id" : "7821832b-1e82-45a2-b8d3-f1a6ad909e64",
+      "type" : "password",
+      "createdDate" : 1677029479752,
+      "secretData" : "{\"value\":\"E5KbiF1K9OIqoNUtHEWuHzXDV+sidWy7iQU9spu5OaiH8y2KZ2LIHkIxdtO8HPfWkWuP5E7m/w5Wh0mcQfQzhQ==\",\"salt\":\"7UqNw3bDjZEVdtrqbSEkeA==\",\"additionalParameters\":{}}",
+      "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+    } ],
+    "disableableCredentialTypes" : [ ],
+    "requiredActions" : [ ],
+    "realmRoles" : [ "offline_access", "default-roles-euve", "uma_authorization" ],
+    "notBefore" : 0,
+    "groups" : [ ]
+  } ]
 }
\ No newline at end of file
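Review bot: The seeded `admin` user keeps the same `secretData` value and salt as the removed jhipster-realm entry (credential id `b860462b-9b02-48ba-9523-d3a8926a917b` and its `createdDate` are unchanged), so the account is re-homed to `admin@euve.eu` while its password stays whatever the earlier seed used. Both users also carry committed PBKDF2-SHA256 hashes at 27500 iterations with `"requiredActions" : [ ]`, so the hashes are exposed to offline guessing by anyone who can read the repository, and nothing forces a rotation at first login. I would drop the `credentials` arrays from the seed and set passwords at setup time from a secret, or at minimum set `"requiredActions" : [ "UPDATE_PASSWORD" ]` on both users. The hunk also removes `clientRoles` from both users, which leaves the new create_users_client_roles_mappings.sh with nothing to map for this host; please confirm that is intended.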
diff --git a/git/keycloak/docker-compose-traefik-network-external.yaml b/git/keycloak/docker-compose-traefik-network-external.yaml
index 6149618e9408dec1168a12175ab70e38c67cc86c..072eb9ddaea6fc008e2c55f9d166d07ca55ad2f6 100755
--- a/git/keycloak/docker-compose-traefik-network-external.yaml
+++ b/git/keycloak/docker-compose-traefik-network-external.yaml
@@ -1,4 +1,4 @@
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: true
diff --git a/git/keycloak/docker-compose.yaml b/git/keycloak/docker-compose.yaml
index 34610f927f02f2929c411e10e5f6c73714cd800e..23d7233f634aa20d5142c75b05e6cbf5bfa7cd24 100755
--- a/git/keycloak/docker-compose.yaml
+++ b/git/keycloak/docker-compose.yaml
@@ -12,9 +12,9 @@ services:
       traefik_network:
     labels:
       - "traefik.enable=true"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
       - "traefik.http.routers.keycloak.rule=Host(`auth.${SERVER_HOST:?err}`)"
-      - "traefik.http.routers.keycloak.entrypoints=websecure"
-      - "traefik.docker.network=traefik_network"
+      - "traefik.http.routers.keycloak.entrypoints=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}"
     volumes:
       - keycloak_data:/opt/jboss/keycloak/standalone/data
   
@@ -23,9 +23,11 @@ services:
       - ./${KEYCLOAK_CONFIG_PATH}data/keycloak-setup/${SERVER_HOST:?err}:/data
     environment:
       # this variables can be defined inside env file or inside variables of gitlab ci/cd settings 
-      KEYCLOAK_URL: https://auth.${SERVER_HOST}:${HTTPS_PORT}
+      KEYCLOAK_URL: ${KEYCLOAK_URL:-http://keycloak:8080}
       KEYCLOAK_ADMIN_PASSWORD: ${ADMIN_PASSWORD}
       # REALM_JSON_PATH: /data/clients.json
+    networks:
+      traefik_network:
 
 volumes:
   keycloak_data:
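Review bot: The new default `KEYCLOAK_URL: ${KEYCLOAK_URL:-http://keycloak:8080}` makes the setup container talk to the admin API over plain HTTP. The same hunk attaches it to `traefik_network`, which the override file declares `external: true`, so it is presumably shared with other stacks. The admin password passed as `KEYCLOAK_ADMIN_PASSWORD` and the bearer token the setup scripts send would then cross that shared network unencrypted. I would put Keycloak and the setup job on a dedicated network declared with `internal: true` and leave only the Keycloak service on `traefik_network`. `KEYCLOAK_ADMIN_PASSWORD: ${ADMIN_PASSWORD}` also lacks the `:?err` guard used for the other variables, so an unset password is passed through as an empty string.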
diff --git a/git/keycloak/git/keycloak-setup/Dockerfile b/git/keycloak/git/keycloak-setup/Dockerfile
index f406f2a8676695b58719cc4969e35eed14ec71a4..f6b6fcfeb131d7c63f6a82267be4088fe6e4933f 100755
--- a/git/keycloak/git/keycloak-setup/Dockerfile
+++ b/git/keycloak/git/keycloak-setup/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.12.0 as builder
+FROM alpine:3.12.0
 
 RUN apk update \
     && rm -rf /tmp/*.tar.gz /var/cache/apk/* \
@@ -7,6 +7,9 @@ RUN apk update \
 ADD . /
 ENV KEYCLOAK_URL=must_be_defined \
 REALM_JSON_PATH=/data/realm.json \
+CLIENT_ROLES_JSON_PATH=/data/client-roles.json \
+CLIENT_SCOPES_JSON_PATH=/data/client-scopes.json \
+CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS_JSON_PATH=/data/client-scopes-client-roles-mappings.json \
 CLIENTS_JSON_PATH=/data/clients.json \
 ROLES_JSON_PATH=/data/clients.json \
 GROUPS_JSON_PATH=/data/clients.json \
diff --git a/git/keycloak/git/keycloak-setup/create_client_roles.sh b/git/keycloak/git/keycloak-setup/create_client_roles.sh
new file mode 100644
index 0000000000000000000000000000000000000000..3da54d886350d48753799d2877ed5b6efd3cdad7
--- /dev/null
+++ b/git/keycloak/git/keycloak-setup/create_client_roles.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+echo " ********** Create Keycloak client roles *************"
+[ -z "$REALM_JSON_PATH" ] && echo "no realm file exiting" && exit 0
+[ -z "$CLIENT_ROLES_JSON_PATH" ] && echo "no client roles file exiting" && exit 0
+
+[ ! -f "$REALM_JSON_PATH" ] && echo "realm file does not exists" && exit 0
+[ ! -f "$CLIENT_ROLES_JSON_PATH" ] && echo "client roles file does not exists" && exit 0
+
+printf "ACCESS_TOKEN=$ACCESS_TOKEN\n"
+
+# Execute the CURL command to check if realm exists
+REALM_NAME=$(cat $REALM_JSON_PATH | jq -r '.realm') 
+echo REALM_NAME=$REALM_NAME
+
+# resultCheckExists=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME")
+# ERROR=$(echo $resultCheckExists | jq -r '.error') 
+# if [ "$ERROR" = 'Realm not found.' ];
+# then
+#     echo REALM $REALM_NAME not found 
+#     exit 1
+# fi
+
+REALM_CLIENTS=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients")
+CLIENT_ROLES=$(cat $CLIENT_ROLES_JSON_PATH | jq -r '.roles.client')
+
+for row in $(echo "${CLIENT_ROLES}" | jq -r 'to_entries[] | @base64'); do
+    _jq() {
+     echo ${row} | base64 -d | jq -r ${1}
+    }
+    CLIENT_ROLES_SPEC="$(_jq '.')"
+    echo CLIENT_ROLES_SPEC=$CLIENT_ROLES_SPEC
+    CLIENT_NAME="$(echo $CLIENT_ROLES_SPEC | jq -r '.key')"
+    echo CLIENT_NAME=$CLIENT_NAME
+    ROLES="$(echo $CLIENT_ROLES_SPEC | jq -r '.value')"
+    echo ROLES=$ROLES
+    CLIENT_ID=$(echo $REALM_CLIENTS | jq -r ".[] | select(.clientId==\"$CLIENT_NAME\") | .id")
+    echo CLIENT_ID=$CLIENT_ID
+
+    for row in $(echo "${ROLES}" | jq -r '.[] | @base64'); do
+        _jq() {
+        echo ${row} | base64 -d | jq -r ${1}
+        }
+        CLIENT_ROLE="$(_jq '.')"
+        echo CLIENT_ROLE=$CLIENT_ROLE
+
+        # https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_roles_resource
+       # https://www.keycloak.org/docs-api/15.0/rest-api/index.html#
+        resultCheckExists=$(curl -k -s --data-raw "$CLIENT_ROLE" -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients/$CLIENT_ID/roles")
+
+   done
+done
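Review bot: `printf "ACCESS_TOKEN=$ACCESS_TOKEN\n"` writes the realm-admin bearer token to the container log, where anyone with log access can read it, and it also uses the token as the printf format string. The same line is added in create_client_scopes.sh, create_client_scopes_client_roles_mappings.sh and create_users_client_roles_mappings.sh. I would delete it or log only presence, e.g. `echo "ACCESS_TOKEN is ${ACCESS_TOKEN:+set}"`. Every request in these four scripts also passes `curl -k`, which turns off certificate verification for calls that carry that token; drop `-k` and supply the CA with `--cacert` where a private CA is in use.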
diff --git a/git/keycloak/git/keycloak-setup/create_client_scopes.sh b/git/keycloak/git/keycloak-setup/create_client_scopes.sh
new file mode 100644
index 0000000000000000000000000000000000000000..1c92f46267a91fd1a239a642c090201d078a652e
--- /dev/null
+++ b/git/keycloak/git/keycloak-setup/create_client_scopes.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+echo " ********** Create Keycloak client scopes *************"
+[ -z "$REALM_JSON_PATH" ] && echo "no realm file exiting" && exit 0
+[ -z "$CLIENT_SCOPES_JSON_PATH" ] && echo "no client scopes file exiting" && exit 0
+
+[ ! -f "$REALM_JSON_PATH" ] && echo "realm file does not exists" && exit 0
+[ ! -f "$CLIENT_SCOPES_JSON_PATH" ] && echo "client scopes file does not exists" && exit 0
+
+printf "ACCESS_TOKEN=$ACCESS_TOKEN\n"
+
+# Execute the CURL command to check if realm exists
+REALM_NAME=$(cat $REALM_JSON_PATH | jq -r '.realm') 
+echo REALM_NAME=$REALM_NAME
+
+resultCheckExists=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME")
+ERROR=$(echo $resultCheckExists | jq -r '.error') 
+if [ "$ERROR" = 'Realm not found.' ];
+then
+    echo REALM $REALM_NAME not found 
+    exit 1
+fi
+
+CLIENT_SCOPES=$(cat $CLIENT_SCOPES_JSON_PATH | jq -r '.clientScopes')
+for row in $(echo "${CLIENT_SCOPES}" | jq -r '.[] | @base64'); do
+    _jq() {
+     echo ${row} | base64 -d | jq -r ${1}
+    }
+   CLIENT_SCOPE="$(_jq '.')"
+   echo CLIENT_SCOPE=$CLIENT_SCOPE
+
+   #https://keycloak.discourse.group/t/getting-client-scopes-from-other-clients/3757
+   resultCheckExists=$(curl -k -s --data-raw "$CLIENT_SCOPE" -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/client-scopes")
+done
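Review bot: The POST to `/client-scopes` stores its response in `resultCheckExists` but never inspects it, and `curl -s` hides transport errors, so a rejected or unauthorized request is indistinguishable from success. The realm check above has the same gap: it only matches the literal `'Realm not found.'`, so an expired token or any other error body falls through and the loop runs anyway. I would capture the status with `-w '%{http_code}'`, treat 201 as created and 409 as already present, and exit non-zero on anything else. The four `exit 0` guards at the top also report success when the input file is missing, which hides a misconfigured `/data` mount from the caller.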
diff --git a/git/keycloak/git/keycloak-setup/create_client_scopes_client_roles_mappings.sh b/git/keycloak/git/keycloak-setup/create_client_scopes_client_roles_mappings.sh
new file mode 100644
index 0000000000000000000000000000000000000000..a65af85898bb4631e0fc0526d02dccd5684cd27c
--- /dev/null
+++ b/git/keycloak/git/keycloak-setup/create_client_scopes_client_roles_mappings.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+echo " ********** Create Keycloak client scopes client roles mappings *************"
+[ -z "$REALM_JSON_PATH" ] && echo "no realm file exiting" && exit 0
+[ -z "$CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS_JSON_PATH" ] && echo "no client scopes client roles mappings file exiting" && exit 0
+
+[ ! -f "$REALM_JSON_PATH" ] && echo "realm file does not exists" && exit 0
+[ ! -f "$CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS_JSON_PATH" ] && echo "client scopes client roles mappings file does not exists" && exit 0
+
+printf "ACCESS_TOKEN=$ACCESS_TOKEN\n"
+
+REALM_NAME=$(cat $REALM_JSON_PATH | jq -r '.realm') 
+
+resultCheckExists=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME")
+ERROR=$(echo $resultCheckExists | jq -r '.error') 
+if [ "$ERROR" = 'Realm not found.' ];
+then
+    echo REALM $REALM_NAME not found 
+    exit 1
+fi
+
+REALM_CLIENTS=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients")
+REALM_CLIENTSCOPES=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/client-scopes")
+CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS=$(cat $CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS_JSON_PATH | jq -r '.clientScopeMappings')
+
+for row in $(echo "${CLIENT_SCOPES_CLIENT_ROLES_MAPPINGS}" | jq -r 'to_entries[] | @base64'); do
+    _jq() {
+     echo ${row} | base64 -d | jq -r ${1}
+    }
+    CLIENT_ROLES_MAPPINGS="$(_jq '.')"
+    echo CLIENT_ROLES_MAPPINGS=$CLIENT_ROLES_MAPPINGS
+    CLIENT_NAME="$(echo $CLIENT_ROLES_MAPPINGS | jq -r '.key')"
+    echo CLIENT_NAME=$CLIENT_NAME
+    CLIENT_ROLES_MAPPINGS_SPEC="$(echo $CLIENT_ROLES_MAPPINGS | jq -r '.value')"
+    echo CLIENT_ROLES_MAPPINGS_SPEC=$CLIENT_ROLES_MAPPINGS_SPEC
+    CLIENT_ID=$(echo $REALM_CLIENTS | jq -r ".[] | select(.clientId==\"$CLIENT_NAME\") | .id")
+    echo CLIENT_ID=$CLIENT_ID
+
+    for row in $(echo "${CLIENT_ROLES_MAPPINGS_SPEC}" | jq -r '.[] | @base64'); do
+        _jq() {
+        echo ${row} | base64 -d | jq -r ${1}
+        }
+        CLIENT_ROLES_MAPPING_SPEC="$(_jq '.')"
+        echo CLIENT_ROLES_MAPPING_SPEC=$CLIENT_ROLES_MAPPING_SPEC
+        CLIENT_SCOPE_NAME="$(echo $CLIENT_ROLES_MAPPING_SPEC | jq -r '.clientScope')"
+        echo CLIENT_SCOPE_NAME=$CLIENT_SCOPE_NAME
+        echo $REALM_CLIENTSCOPES | jq -r "."
+        CLIENT_SCOPE_ID=$(echo $REALM_CLIENTSCOPES | jq -r ".[] | select(.name==\"$CLIENT_SCOPE_NAME\") | .id")
+        echo CLIENT_SCOPE_ID=$CLIENT_SCOPE_ID
+
+        CLIENT_ROLES=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients/$CLIENT_ID/roles")
+
+        ROLES="$(echo $CLIENT_ROLES_MAPPING_SPEC | jq -r '.roles')"
+        for row in $(echo "${ROLES}" | jq -r '.[]'); do
+            ROLE_NAME="$row"
+            echo ROLE=$ROLE_NAME
+            ROLE_ID=$(echo $CLIENT_ROLES | jq -r ".[] | select(.name==\"$ROLE_NAME\") | .id")
+            echo ROLE_ID=$ROLE_ID
+            
+            resultCheckExists=$(curl -k -s --data-raw '[{"id":"'$ROLE_ID'","name":"'$ROLE_NAME'"}]' -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/client-scopes/$CLIENT_SCOPE_ID/scope-mappings/clients/$CLIENT_ID")
+        done
+    done
+done
+
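Review bot: The request body `'[{"id":"'$ROLE_ID'","name":"'$ROLE_NAME'"}]'` is assembled by string concatenation with unquoted expansions, so a role name containing a space, quote or glob character yields a split argument or malformed JSON. The jq filters that interpolate `$CLIENT_NAME`, `$CLIENT_SCOPE_NAME` and `$ROLE_NAME` have the same problem, since a value from the JSON file can change the filter itself. Build both with jq arguments instead: `jq -n --arg id "$ROLE_ID" --arg name "$ROLE_NAME" '[{id:$id,name:$name}]'` and `jq -r --arg n "$ROLE_NAME" '.[] | select(.name==$n) | .id'`. A failed lookup also leaves `ROLE_ID`, `CLIENT_ID` or `CLIENT_SCOPE_ID` empty and the POST is still sent, so add an `[ -n "$ROLE_ID" ] || continue` style guard before each request. The same patterns appear in create_client_roles.sh and create_users_client_roles_mappings.sh.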
diff --git a/git/keycloak/git/keycloak-setup/create_users_client_roles_mappings.sh b/git/keycloak/git/keycloak-setup/create_users_client_roles_mappings.sh
new file mode 100644
index 0000000000000000000000000000000000000000..6ff95054a8cfa8c5c94b4fdfdb431dd5d62b1a25
--- /dev/null
+++ b/git/keycloak/git/keycloak-setup/create_users_client_roles_mappings.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+echo " ********** Create Keycloak users roles mappings *************"
+[ -z "$REALM_JSON_PATH" ] && echo "no realm file exiting" && exit 0
+[ -z "$USERS_JSON_PATH" ] && echo "no users file exiting" && exit 0
+
+[ ! -f "$REALM_JSON_PATH" ] && echo "realm file does not exists" && exit 0
+[ ! -f "$USERS_JSON_PATH" ] && echo "users file does not exists" && exit 0
+
+printf "ACCESS_TOKEN=$ACCESS_TOKEN\n"
+
+REALM_NAME=$(cat $REALM_JSON_PATH | jq -r '.realm') 
+
+resultCheckExists=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME")
+ERROR=$(echo $resultCheckExists | jq -r '.error') 
+if [ "$ERROR" = 'Realm not found.' ];
+then
+    echo REALM $REALM_NAME not found 
+    exit 1
+fi
+
+USERS=$(cat $USERS_JSON_PATH | jq -r '.users')
+
+REALM_CLIENTS=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients")
+CREATED_USERS=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/users")
+
+for row in $(echo "${USERS}" | jq -r '.[] | @base64'); do
+    _jq() {
+     echo ${row} | base64 -d | jq -r ${1}
+    }
+    USER="$(_jq '.')"
+    echo USER=$USER
+    echo $USER | jq .
+    USER_ID="$(echo $USER | jq -r '.id')"
+    echo USER_ID=$USER_ID
+    USER_NAME="$(echo $USER | jq -r '.username')"
+    echo USER_NAME=$USER_NAME
+    USER_CLIENT_ROLES="$(echo $USER | jq '.clientRoles')"
+    echo USER_CLIENT_ROLES=$USER_CLIENT_ROLES
+    CREATED_USER_ID=$(echo $CREATED_USERS | jq -r ".[] | select(.username==\"$USER_NAME\") | .id")
+    echo CREATED_USER_ID=$CREATED_USER_ID
+    for row in $(echo "$USER_CLIENT_ROLES" | jq -r '. | to_entries[] | @base64'); do
+        _jq() {
+        echo ${row} | base64 -d | jq -r ${1}
+        }
+        CLIENT_ROLES_MAPPINGS="$(_jq '.')"
+        echo CLIENT_ROLES_MAPPINGS=$CLIENT_ROLES_MAPPINGS
+        CLIENT_NAME="$(echo $CLIENT_ROLES_MAPPINGS | jq -r '.key')"
+        echo CLIENT_NAME=$CLIENT_NAME
+        CLIENT_ROLES_MAPPINGS_SPEC="$(echo $CLIENT_ROLES_MAPPINGS | jq -r '.value')"
+        echo CLIENT_ROLES_MAPPINGS_SPEC=$CLIENT_ROLES_MAPPINGS_SPEC
+        CLIENT_ID=$(echo $REALM_CLIENTS | jq -r ".[] | select(.clientId==\"$CLIENT_NAME\") | .id")
+        echo CLIENT_ID=$CLIENT_ID
+        CLIENT_ROLES=$(curl -k -s -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/clients/$CLIENT_ID/roles")
+        echo CLIENT_ROLES=$CLIENT_ROLES
+        for row in $(echo "${CLIENT_ROLES_MAPPINGS_SPEC}" | jq -r '.[]'); do
+            ROLE_NAME="$row"
+            echo ROLE=$ROLE_NAME
+            ROLE_ID=$(echo $CLIENT_ROLES | jq -r ".[] | select(.name==\"$ROLE_NAME\") | .id")
+            echo ROLE_ID=$ROLE_ID
+
+            resultCheckExists=$(curl -k -s --data-raw '[{"id":"'$ROLE_ID'","name":"'$ROLE_NAME'"}]' -H "Content-Type: application/json" -H "Authorization: bearer $ACCESS_TOKEN" "$KEYCLOAK_URL/auth/admin/realms/$REALM_NAME/users/$CREATED_USER_ID/role-mappings/clients/$CLIENT_ID")
+        done
+   done
+done
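Review bot: `echo USER=$USER` and `echo $USER | jq .` print each full user record from the users file, which includes the `credentials` entries with password hash and salt, into the setup log. Only `username` and `clientRoles` are needed here, so I would log just the name, e.g. `echo "USER_NAME=$USER_NAME"`. Reusing `USER` also overwrites the shell's login-name variable; a name such as `USER_SPEC` avoids that. The `/users` listing is fetched once without paging parameters, so if the server caps the result size a seeded user may not be found and `CREATED_USER_ID` stays empty while the POST is still issued; look each user up by username or guard on an empty id.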
diff --git a/git/keycloak/git/keycloak-setup/create_users_rolesmappings.sh b/git/keycloak/git/keycloak-setup/create_users_roles_mappings.sh
old mode 100755
new mode 100644
similarity index 97%
rename from git/keycloak/git/keycloak-setup/create_users_rolesmappings.sh
rename to git/keycloak/git/keycloak-setup/create_users_roles_mappings.sh
index d1c470eb065a69a290d1752189b4290a12fb40be..1788691aa2c86be7db33af58d6935e2e8198628b
--- a/git/keycloak/git/keycloak-setup/create_users_rolesmappings.sh
+++ b/git/keycloak/git/keycloak-setup/create_users_roles_mappings.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-echo " ********** Create Keycloak users rolesmappings *************"
+echo " ********** Create Keycloak users roles mappings *************"
 [ -z "$REALM_JSON_PATH" ] && echo "no realm file exiting" && exit 0
 [ -z "$USERS_JSON_PATH" ] && echo "no users file exiting" && exit 0
 
diff --git a/git/keycloak/git/keycloak-setup/setup_keycloak.sh b/git/keycloak/git/keycloak-setup/setup_keycloak.sh
index eac616289d10f9f14d9af750a31d6d32d9980dd8..15c29cdf1611f279d427c43f0ba3268e1ce881a3 100755
--- a/git/keycloak/git/keycloak-setup/setup_keycloak.sh
+++ b/git/keycloak/git/keycloak-setup/setup_keycloak.sh
@@ -18,11 +18,15 @@ source ./get_auth_token.sh
 echo ACCESS_TOKEN=$ACCESS_TOKEN
 export ACCESS_TOKEN
 ./create_realm.sh
+./create_client_scopes.sh
 ./create_clients.sh
 ./create_roles.sh
+./create_client_roles.sh
+./create_client_scopes_client_roles_mappings.sh
 ./create_groups.sh
 ./create_users.sh
-./create_users_rolesmappings.sh
+./create_users_roles_mappings.sh
+./create_users_client_roles_mappings.sh
 printf "************************************\n"
 printf "Setup Keycloak finished\n"
 printf "************************************\n"
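Review bot: The four scripts invoked on the added lines are created with `new file mode 100644`, and the rename to create_users_roles_mappings.sh changes its mode from 100755 to 100644, yet all are run as `./name.sh`. Unless the image build restores the execute bit (the Dockerfile's `ADD . /` is visible, any later chmod is not), each call fails with "Permission denied". Nothing checks exit status, so "Setup Keycloak finished" is still printed and the realm is left without its scopes, client roles and mappings. Restore mode 100755 on the five files or call them as `bash ./create_client_scopes.sh`, and stop on the first failure, e.g. `./create_client_scopes.sh || exit 1`.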
diff --git a/git/portainer/.env b/git/portainer/.env
index ba8d6cb471e1d2b06028de65c53c620e709ce0c3..dac5fb8f3053982772e87ccc7b1246098e34b721 100755
--- a/git/portainer/.env
+++ b/git/portainer/.env
@@ -1,7 +1,9 @@
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
 ADMIN_USER=admin
 ADMIN_PASSWORD=portainerPassword
 HTTPS_PORT=443
 SERVER_HOST=euve.digital.tecnalia.dev
 TZ=Madrid
 COMPOSE_PROJECT_NAME=portainer-production
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:release/docker-compose.yaml
+COMPOSE_FILE=docker-compose.yaml:docker-compose-setup-local.yaml:docker-compose-traefik-network-external.yaml:release/docker-compose-setup-local.yaml
diff --git a/git/portainer/.env.gen b/git/portainer/.env.gen
index c2bc19d9b0e94bf7bd898bdb8808a0f4a858cc53..629b5948d334b0dd3a00122fe5ffab41260ca7ee 100755
--- a/git/portainer/.env.gen
+++ b/git/portainer/.env.gen
@@ -2,22 +2,45 @@
 # Focus default variables as production, to allow direct download and run in production
 # Required external variables that must be defined externally are those that have no value
 
+#### Environments managed
+# this is the default environment if needed uncomment and adjust
+# some conventions on environment prefixes
+# - _ENV_LOCAL_ .env.local purpouse is to cache build and start the setup locally using cache images exposing dev ports (i.e 3306, 5432, 8086, ...) for debug and development purposes. It is the default behaviour (_ENV_LOCAL_:build-cache:.env.local)
+# - _ENV_CACHE_ .env.cache purpouse is to generate images tagged for build cache from that use BUILDKIT_INLINE_CACHE 1 (_ENV_CACHE_:build-cache:.env.cache)
+# - _ENV_RELEASE_ .env.release purpouse is to generate images (that do not use BUILDKIT_INLINE_CACHE 1) tagged for the clients/pilots usage (_ENV_RELEASE_:build-release:.env.release)
+# - _ENV_DEPLOY_ .env purpose is to generate non building docker-compose that uses the release to deploy on generic client (_ENV_DEPLOY_:release:.env)
+# - _ENV_TEST_ .env.test the purpouse is to test from the cache images the correct behaviour without exposing ports (_ENV_TEST_:build-cache:.env.test)
+# types of building
+# - build-cache: it focuses in the generation of images with BUILDKIT_INLINE_CACHE 1 for its usage in the cache-from for subsequent build, for each compose-file in compose-file build it finds build/cache the same name to add it to the build, it will use cache from.
+# - build-release: it focuses in the generation of images for distribution it avoid using BUILDKIT_INLINE_CACHE 1 to reduce the size, it will use cache from.
+# - cache: it runs using cache images
+# - release: it runs using release images
+# default enviroment 
+# _ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local
+# to add more enviroments use split with ";"
+_ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local;_ENV_DEPLOY_:release:.env;_ENV_RELEASE_:build-release:.env.release
+
 #### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
 
 #### Common Build related ####
 # DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
+# DOCKER_BUILDKIT=1
+# COMPOSE_DOCKER_CLI_BUILD=1
+
+### Common Traefik related ###
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+# TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 
 #### Common Production related ####
 ADMIN_USER=admin
 ADMIN_PASSWORD=portainerPassword
+# HTTPS_PORT must be 443 if you use step-ca
 HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+# server host is configured during the sync based on _ENV_LOCAL_ and _ENV_DEPLOY, _ENV_LOCAL_ will be used for test and release unless _ENV_RELEASE_ or _ENV_TEST_ specified
+SERVER_HOST=euve.digital.tecnalia.dev
 
 #### Platform Specific ####
 TZ=Madrid
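Review bot: The new comment above `SERVER_HOST` says the host is configured during the sync from `_ENV_LOCAL_` and `_ENV_DEPLOY`, but this hunk deletes `_ENV_DEPLOY_SERVER_HOST` and hard-codes the deploy host in `SERVER_HOST`, so the comment no longer describes where the deploy value comes from. I would reword it along the lines of `# SERVER_HOST is the deploy default; an _ENV_<NAME>_SERVER_HOST entry overrides it for that environment`, assuming that is how the sync tool resolves the prefixes, which is not visible here. step-ca/.env.gen receives the identical comment and the same applies there.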
@@ -33,10 +56,12 @@ COMPOSE_PROJECT_NAME=portainer-production
 # COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
 
 COMPOSE_FILE_BASE=docker-compose.yaml
+COMPOSE_FILE_BASE_SETUP_LOCAL=docker-compose-setup-local.yaml
+COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
 
 COMPOSE_FILE= 
 # COMPOSE_FILE Is generated automatically
 
-COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
-
 PORTAINER_BASE_PATH=
+
+_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
diff --git a/git/portainer/.env.local b/git/portainer/.env.local
index c359e55003fcbc80ab120598b089d98d4160d08f..125e681ef922bde97234c2efcd21d88d2f8cffec 100755
--- a/git/portainer/.env.local
+++ b/git/portainer/.env.local
@@ -1,37 +1,12 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
 ADMIN_USER=admin
 ADMIN_PASSWORD=portainerPassword
 HTTPS_PORT=443
-# SERVER_HOST=
 SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
 TZ=Madrid
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
 COMPOSE_PROJECT_NAME=portainer-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-
-# COMPOSE_FILE Is generated automatically
-
-
 PORTAINER_BASE_PATH=
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:build/cache/docker-compose.yaml:build/image/docker-compose.yaml
+COMPOSE_FILE=docker-compose.yaml:docker-compose-setup-local.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose-setup-local.yaml:build/image/docker-compose-setup-local.yaml
diff --git a/git/portainer/.env.release b/git/portainer/.env.release
new file mode 100644
index 0000000000000000000000000000000000000000..c5eb6aa16247ab93b62d2d46fbe573e02d095965
--- /dev/null
+++ b/git/portainer/.env.release
@@ -0,0 +1,10 @@
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+ADMIN_USER=admin
+ADMIN_PASSWORD=portainerPassword
+HTTPS_PORT=443
+SERVER_HOST=euve.digital.tecnalia.dev
+TZ=Madrid
+COMPOSE_PROJECT_NAME=portainer-production
+PORTAINER_BASE_PATH=
+COMPOSE_FILE=docker-compose.yaml:docker-compose-setup-local.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose-setup-local.yaml:release/docker-compose-setup-local.yaml
diff --git a/git/portainer/.env.test b/git/portainer/.env.test
deleted file mode 100755
index b9bccb4decfe4c0c63cd320bb13fab13db153077..0000000000000000000000000000000000000000
--- a/git/portainer/.env.test
+++ /dev/null
@@ -1,38 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=portainerPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=portainer-production-test
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-COMPOSE_FILE_BASE=docker-compose.yaml
-
-# COMPOSE_FILE Is generated automatically
-
-
-PORTAINER_BASE_PATH=
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:build/docker-compose.yaml:build/cache/docker-compose.yaml:release/docker-compose.yaml
diff --git a/git/portainer/.gitmodules b/git/portainer/.gitmodules
index 8e882fd1f1f27f622b7eab7789f6e872f762ddbe..2e81987f81e7675735a0f5f788cc8fe5752264b7 100755
--- a/git/portainer/.gitmodules
+++ b/git/portainer/.gitmodules
@@ -1,3 +1,3 @@
-[submodule "git/portainer"]
-	path = git/portainer
-	url = ../../../../smartdatalab/libraries/docker/portainer.git
+[submodule "git/portainer-local-setup"]
+	path = git/portainer-setup-local
+	url = ../../../../smartdatalab/libraries/docker/portainer-local-setup.git
diff --git a/git/portainer/build/cache/docker-compose-setup-local.yaml b/git/portainer/build/cache/docker-compose-setup-local.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..270035cf8f78d8909e5dab0d47f2b492846fcce7
--- /dev/null
+++ b/git/portainer/build/cache/docker-compose-setup-local.yaml
@@ -0,0 +1,7 @@
+services:
+  portainer-setup-local:
+    build:
+      cache_from:
+        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/portainer-setup-local:${DOCKER_REGISTRY_CACHE_VERSION:?err}
+      args:
+        BUILDKIT_INLINE_CACHE: 1 # For multistage docker
diff --git a/git/portainer/build/cache/docker-compose.yaml b/git/portainer/build/cache/docker-compose.yaml
deleted file mode 100755
index 91468018f647a7eadc7a71c2b7baf040df0c4114..0000000000000000000000000000000000000000
--- a/git/portainer/build/cache/docker-compose.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-services:
-  portainer:
-    build:
-      cache_from:
-        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/portainer:${DOCKER_REGISTRY_CACHE_VERSION:?err}
-      args:
-        BUILDKIT_INLINE_CACHE: 1 # For multistage docker
diff --git a/git/portainer/build/docker-compose-setup-local.yaml b/git/portainer/build/docker-compose-setup-local.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..898bacc116f60fa73c6eab382c1c7c674469fd71
--- /dev/null
+++ b/git/portainer/build/docker-compose-setup-local.yaml
@@ -0,0 +1,5 @@
+services:
+  portainer-setup-local:
+    build:
+      context: ${PORTAINER_BASE_PATH}git/portainer-setup-local
+      dockerfile: Dockerfile
diff --git a/git/portainer/build/docker-compose.yaml b/git/portainer/build/docker-compose.yaml
deleted file mode 100755
index 39894276e9d5bf3374bab4c10a26d1901f5bcdc5..0000000000000000000000000000000000000000
--- a/git/portainer/build/docker-compose.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-services:
-  portainer:
-    build:
-      context: ${PORTAINER_BASE_PATH}git/portainer
-      dockerfile: Dockerfile
diff --git a/git/portainer/build/image/docker-compose-setup-local.yaml b/git/portainer/build/image/docker-compose-setup-local.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6340445e06243b02b98735d34c4fd18cdc50d060
--- /dev/null
+++ b/git/portainer/build/image/docker-compose-setup-local.yaml
@@ -0,0 +1,3 @@
+services:
+  portainer-setup-local:
+    image: ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/portainer-setup-local:${DOCKER_REGISTRY_CACHE_VERSION:?err}
\ No newline at end of file
diff --git a/git/portainer/build/image/docker-compose.yaml b/git/portainer/build/image/docker-compose.yaml
deleted file mode 100755
index 02f663b090baa8eb10304df327ce542e762b2404..0000000000000000000000000000000000000000
--- a/git/portainer/build/image/docker-compose.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-services:
-  portainer:
-    image: ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/portainer:${DOCKER_REGISTRY_CACHE_VERSION:?err}
\ No newline at end of file
diff --git a/git/portainer/docker-compose-setup-local.yaml b/git/portainer/docker-compose-setup-local.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2cd86c789e14199597904ce9d8b74e6ba1976d76
--- /dev/null
+++ b/git/portainer/docker-compose-setup-local.yaml
@@ -0,0 +1,11 @@
+services:
+  portainer-setup-local:
+    environment:
+      - TZ=${TZ:?err}
+      - PORTAINER_URL=http://portainer:9000
+      - PORTAINER_ADMIN_PASSWORD=${ADMIN_PASSWORD:?err}
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - portainer_data:/data
+    networks:
+      traefik_network:
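Review bot: The `volumes:` block gives the setup container `/var/run/docker.sock` and the `portainer_data` volume, yet the scripts added in this commit (`wait_for_portainer.sh`, `get_auth_token.sh`, `configure_local_endpoint.sh`) only call the Portainer HTTP API with curl and jq. Mounting the Docker socket gives that container root-equivalent control of the host, and the data volume exposes Portainer's stored state to it, for no use that is visible here; I would drop the three `volumes:` lines. The file is also listed in `COMPOSE_FILE` of the deploy `.env` and of `.env.release`, while the README describes the setup as for development only, so it is worth confirming that this service is meant to run outside the local environment.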
diff --git a/git/portainer/docker-compose-traefik-network-external.yaml b/git/portainer/docker-compose-traefik-network-external.yaml
index 6149618e9408dec1168a12175ab70e38c67cc86c..072eb9ddaea6fc008e2c55f9d166d07ca55ad2f6 100755
--- a/git/portainer/docker-compose-traefik-network-external.yaml
+++ b/git/portainer/docker-compose-traefik-network-external.yaml
@@ -1,4 +1,4 @@
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: true
diff --git a/git/portainer/docker-compose.yaml b/git/portainer/docker-compose.yaml
index f993670caa465ec369fcbf20239997d819dee617..92162df603b18542f04c71f97f4c754b4a8a3f91 100755
--- a/git/portainer/docker-compose.yaml
+++ b/git/portainer/docker-compose.yaml
@@ -1,25 +1,34 @@
 services:
   portainer:
+    image: portainer/portainer-ce:2.16.2-alpine
     restart: always
     environment:
       - TZ=${TZ:?err}
       - ADMIN_PASS=${ADMIN_PASSWORD:?err}
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-      - /var/lib/docker/volumes:/var/lib/docker/volumes
-      - portainer_data:/var/lib/portainer
+      - portainer_data:/data
     init: true
     networks:
       traefik_network:
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=traefik_network"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
       - "traefik.http.routers.portainer.rule=Host(`portainer.${SERVER_HOST:?err}`)" 
-      - "traefik.http.routers.portainer.entrypoints=websecure"
-      # - "traefik.http.services.portainer.loadbalancer.server.port=9000"
-      - "traefik.http.routers.portainer.middlewares=portainer-noCreate"
+      - "traefik.http.routers.portainer.entrypoints=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}"
+      - "traefik.http.services.portainer.loadbalancer.server.port=9000"
+      - "traefik.http.routers.portainer.service=portainer"
       - "traefik.http.middlewares.portainer-noCreate.redirectregex.regex=^.*[containers|volumes|images]/create.*$$"
       - "traefik.http.middlewares.portainer-noCreate.redirectregex.replacement=https://portainer.${SERVER_HOST:?err}:${HTTPS_PORT:?err}/notallowed/"
+      - "traefik.http.routers.portainer.middlewares=portainer-noCreate"
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        if [ ! -f /portainer_password ]; then
+          echo -n $$ADMIN_PASS > /portainer_password
+        fi
+        /portainer --admin-password-file /portainer_password
 
 volumes:
   portainer_data:
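Review bot: The new `entrypoint` stores the admin password with `echo -n $$ADMIN_PASS > /portainer_password`, where the unquoted expansion is word-split and glob-expanded by the shell, so a password containing spaces or `*` is written differently from what was configured, and the file is created with the default umask. I would write it as `umask 077; printf '%s' "$$ADMIN_PASS" > /portainer_password` and start the server with `exec /portainer --admin-password-file /portainer_password` so it replaces the wrapper shell. The plaintext value also stays in the container environment as `ADMIN_PASS`, readable through container inspection. A Compose secret mounted as a file and passed straight to `--admin-password-file` would remove both the environment variable and the shell wrapper.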
diff --git a/git/portainer/git/portainer-setup-local/Dockerfile b/git/portainer/git/portainer-setup-local/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..39083c72741cc9ac7ec10a412508064c1d000bcc
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/Dockerfile
@@ -0,0 +1,14 @@
+FROM alpine:3.12.0 as builder
+
+RUN apk update \
+    && rm -rf /tmp/*.tar.gz /var/cache/apk/* \
+    && apk add curl bash jq
+
+ADD . /
+ENV PORTAINER_URL=must_be_defined \
+PORTAINER_ADMIN_USER=admin \
+PORTAINER_ADMIN_PASSWORD=must_be_defined
+
+RUN chmod +x ./*.sh
+CMD ["/bin/bash", "-c", "./setup.sh"]
+
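Review bot: In the first `RUN`, `rm -rf /tmp/*.tar.gz /var/cache/apk/*` sits between `apk update` and `apk add curl bash jq`, so it deletes the index that `apk update` has just downloaded and cleans up nothing that the install itself leaves behind. The usual form does both in one step and keeps no cache in the layer: `RUN apk add --no-cache curl bash jq`. The `as builder` stage name is unused, since there is no second stage.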
diff --git a/git/portainer/git/portainer-setup-local/README.md b/git/portainer/git/portainer-setup-local/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..1381379ecdc9561de15a40c2442ddb922565bd2b
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/README.md
@@ -0,0 +1,6 @@
+# portainer-local-setup
+
+The objective of this project is to provide a local setup for Portainer. This setup is intended to be used for development purposes only.
+
+It receives as input the credentials and using the Portainer API it creates the following resources:
+- local endpoint
\ No newline at end of file
diff --git a/git/portainer/git/portainer-setup-local/configure_local_endpoint.sh b/git/portainer/git/portainer-setup-local/configure_local_endpoint.sh
new file mode 100644
index 0000000000000000000000000000000000000000..7bd2a2214ea0966052ea263a578bf37c09b8377f
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/configure_local_endpoint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+echo " ********** Get Portainer access token *************"
+
+printf "parameters received:\n"
+printf "  - PORTAINER_URL=$PORTAINER_URL\n"
+printf "  - ACCESS_TOKEN=$ACCESS_TOKEN\n"
+printf "1\n"
+ENVIRONMENT_DATA=$( curl -k -s -H "Authorization: Bearer $ACCESS_TOKEN" -d "Name=\"local\"" -d "EndpointCreationType=1" "$PORTAINER_URL/api/endpoints")
+
+echo $ENVIRONMENT_DATA | jq .
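Review bot: `printf "  - ACCESS_TOKEN=$ACCESS_TOKEN\n"` writes the admin bearer token to the container log, and `get_auth_token.sh` does the same with `PORTAINER_ADMIN_PASSWORD`, so anyone who can read the setup container's logs obtains Portainer admin access. I would log only whether each value is set, e.g. `printf "  - ACCESS_TOKEN=%s\n" "${ACCESS_TOKEN:+<set>}"`, which also stops the variable from being interpreted as the printf format string. The unchanged `echo ACCESS_TOKEN=$ACCESS_TOKEN` context line in setup_keycloak.sh has the same effect for the Keycloak token. The banner in this script still reads "Get Portainer access token", which looks copied from the other script.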
diff --git a/git/portainer/git/portainer-setup-local/get_auth_token.sh b/git/portainer/git/portainer-setup-local/get_auth_token.sh
new file mode 100644
index 0000000000000000000000000000000000000000..aa41ce7c8fd6e70bdfd5d2e369dd99eef954d3d1
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/get_auth_token.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo " ********** Get Portainer access token *************"
+
+printf "parameters received:\n"
+printf "  - PORTAINER_URL=$PORTAINER_URL\n"
+printf "  - PORTAINER_ADMIN_USER=$PORTAINER_ADMIN_USER\n"
+printf "  - PORTAINER_ADMIN_PASSWORD=$PORTAINER_ADMIN_PASSWORD\n"
+
+# Execute the CURL command to request the access-token
+# http POST my-portainer-server:9443/api/auth Username="admin" Password="adminpassword"
+printf "1\n"
+ACCESS_TOKEN=$( curl -k -s -d "{\"Username\": \"$PORTAINER_ADMIN_USER\", \"Password\": \"$PORTAINER_ADMIN_PASSWORD\"}" "$PORTAINER_URL/api/auth" | jq -r .jwt )
+
+if [ "$ACCESS_TOKEN" = '' ];
+then
+    echo ACCESS_TOKEN not adquired 
+    exit 1
+fi
+
+export ACCESS_TOKEN=$ACCESS_TOKEN
+echo ACCESS_TOKEN
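Review bot: The failure check `[ "$ACCESS_TOKEN" = '' ]` does not catch a rejected login, because `jq -r .jwt` prints the string `null` when the response has no `jwt` field, and the script then exports `null` as the token and carries on. Using `jq -r '.jwt // empty'` makes the existing check work as intended. The request body is also built by interpolating the password into a JSON string, so a `"` or `\` in the password yields a malformed or altered body; `jq -n --arg u "$PORTAINER_ADMIN_USER" --arg p "$PORTAINER_ADMIN_PASSWORD" '{Username:$u,Password:$p}'` builds it safely with the jq the image already installs. The final `echo ACCESS_TOKEN` prints the literal word, which looks unintended.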
diff --git a/git/portainer/git/portainer-setup-local/setup.sh b/git/portainer/git/portainer-setup-local/setup.sh
new file mode 100644
index 0000000000000000000000000000000000000000..55da6d7b6bdb8411f96fb04fe07ef04734a0afd3
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/setup.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+printf "************************************\n"
+printf "Setup Portainer\n"
+printf "************************************\n"
+
+./wait_for_portainer.sh
+
+source ./get_auth_token.sh
+
+./configure_local_endpoint.sh
+
+printf "************************************\n"
+printf "Setup Portainer finished\n"
+printf "************************************\n"
diff --git a/git/portainer/git/portainer-setup-local/wait_for_portainer.sh b/git/portainer/git/portainer-setup-local/wait_for_portainer.sh
new file mode 100644
index 0000000000000000000000000000000000000000..8cb988473bc592898006e851d0df16b06df47d32
--- /dev/null
+++ b/git/portainer/git/portainer-setup-local/wait_for_portainer.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+echo " ********** Wait for portainer *************"
+
+attempt_counter=0
+max_attempts=20
+#curl http://127.0.0.1:9990/health/ready
+#curl http://127.0.0.1:9990/health/live
+#but this requires access to admin url ...
+
+until $(curl -k --output /dev/null --silent --fail $PORTAINER_URL/api/status); do
+    if [ ${attempt_counter} -eq ${max_attempts} ];then
+      echo "Max attempts reached"
+      exit 1
+    fi
+
+    printf '.'
+    attempt_counter=$(($attempt_counter+1))
+    sleep 6s
+done
+
+sleep 5
\ No newline at end of file
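Review bot: The loop condition wraps curl in `$( … )`, which runs curl and then tries to execute its output as a command; it works only because `--output /dev/null --silent` leaves that output empty, and `$PORTAINER_URL` is unquoted. Testing the exit status directly is clearer: `until curl --output /dev/null --silent --fail "$PORTAINER_URL/api/status"; do`. That line also drops `-k`, which this script and the two other new scripts pass to curl. With the `http://portainer:9000` URL set in docker-compose-setup-local.yaml the flag has no effect, but if the URL is later switched to HTTPS it would send the admin password and token without verifying the server certificate.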
diff --git a/git/portainer/git/portainer/Dockerfile b/git/portainer/git/portainer/Dockerfile
deleted file mode 100755
index bb16712e82b21f7e082445eb5fd1db7931c3db1c..0000000000000000000000000000000000000000
--- a/git/portainer/git/portainer/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-FROM alpine:3.12
-
-ENV PORTAINER_VERSION=2.1.1 \
-    PORTAINER_HOME=/var/lib/portainer
-
-RUN mkdir ${PORTAINER_HOME} && \
-    addgroup -S portainer && \
-    adduser -S -D -g "" -G portainer -s /bin/sh -h ${PORTAINER_HOME} portainer && \
-    chown portainer:portainer ${PORTAINER_HOME}
-
-RUN apk --no-cache add curl su-exec tzdata
-
-RUN curl -sSL https://github.com/portainer/portainer/releases/download/${PORTAINER_VERSION}/portainer-${PORTAINER_VERSION}-linux-amd64.tar.gz | tar -xzo -C /usr/local
-
-COPY entrypoint.sh /
-RUN chmod 750 /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD []
-
-EXPOSE 9000
-VOLUME ["/var/lib/portainer"]
-
-HEALTHCHECK CMD if [ $(curl --silent http://localhost:9000 -o /dev/stderr -w "%{http_code}") -eq 200 ]; then exit 0; else exit 1; fi
diff --git a/git/portainer/git/portainer/README.md b/git/portainer/git/portainer/README.md
deleted file mode 100755
index 4e17d11f4e77fc372063db0dea0bfd00e6c1e3ef..0000000000000000000000000000000000000000
--- a/git/portainer/git/portainer/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# portainer
-This dockerfile contenerizes portainer itself. The reason to do this was to be able to setup the password from clear text.
-
-We take the password from a variable call ADMIN_PASS
-
-base portainer-ce has the posibility to setup the admin password from command line, but this has to be supplied in md5 form https://gist.github.com/deviantony/62c009b41bde5e078b1a7de9f11f5e55 which complicates a bit the usage. That's why we have created this custom portainer image.
diff --git a/git/portainer/git/portainer/entrypoint.sh b/git/portainer/git/portainer/entrypoint.sh
deleted file mode 100755
index 4cb964d3d50320a34c915d01b1b70e57f1ca921b..0000000000000000000000000000000000000000
--- a/git/portainer/git/portainer/entrypoint.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-PORTAINER_OPTIONS="-H unix:///var/run/docker.sock"
-if [[ ! -z "$ADMIN_PASS" ]]
-then
-	echo -n $ADMIN_PASS > /portainer_password
-	PORTAINER_OPTIONS="$PORTAINER_OPTIONS --admin-password-file /portainer_password "
-	echo "PORTAINER_OPTIONS $PORTAINER_OPTIONS"
-fi
-
-chmod 777 /var/run/docker.sock
-
-cd /usr/local/portainer || exit 1
-su-exec portainer:portainer /usr/local/portainer/portainer -d "${PORTAINER_HOME}" \
-${PORTAINER_OPTIONS} 
diff --git a/git/portainer/release/docker-compose-setup-local.yaml b/git/portainer/release/docker-compose-setup-local.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3a66fdb25e90d4d8f3632004f3491d179762ea6e
--- /dev/null
+++ b/git/portainer/release/docker-compose-setup-local.yaml
@@ -0,0 +1,3 @@
+services:
+  portainer-setup-local:
+    image: cache.euve.digital.tecnalia.dev:5000/euve/portainer-setup-local:latest
\ No newline at end of file
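Review bot: The release image is referenced by the mutable tag `latest`, so a deployment runs whatever was most recently pushed to the registry under that name, whereas `docker-compose.yaml` in the same commit pins Portainer itself to `2.16.2-alpine`. This container is given the Portainer admin password, so I would pin it as well, e.g. `image: cache.euve.digital.tecnalia.dev:5000/euve/portainer-setup-local:<release-version>` (placeholder tag) or an `@sha256:` digest recorded at release time.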
diff --git a/git/portainer/release/docker-compose.yaml b/git/portainer/release/docker-compose.yaml
deleted file mode 100755
index 7f77f6a37cda8aebc94924a4ab13029ec76e3db0..0000000000000000000000000000000000000000
--- a/git/portainer/release/docker-compose.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-services:
-  portainer:
-    image: cache.euve.digital.tecnalia.dev:5000/euve/portainer:latest
\ No newline at end of file
diff --git a/git/step-ca/.env b/git/step-ca/.env
index 2b5c4725402b14408c57c19e99feeae94ac77b7b..3554fc4a33520cbbcd6ed55599a8eaa0d2ae17b4 100755
--- a/git/step-ca/.env
+++ b/git/step-ca/.env
@@ -1,6 +1,6 @@
+TRAEFIK_NETWORK_NAME=traefik_network
 ADMIN_USER=admin
 ADMIN_PASSWORD=stepcaPassword
-HTTPS_PORT=443
 STEP_CA_CONFIG_PATH=
 COMPOSE_PROJECT_NAME=stepca-production
 COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml
diff --git a/git/step-ca/.env.gen b/git/step-ca/.env.gen
index 4c9187037f80f66ace85f200d3026a2e916864ba..20806ac0e3d9be8e02f089290c1174117bf6e976 100755
--- a/git/step-ca/.env.gen
+++ b/git/step-ca/.env.gen
@@ -2,22 +2,45 @@
 # Focus default variables as production, to allow direct download and run in production
 # Required external variables that must be defined externally are those that have no value
 
+#### Environments managed
+# this is the default environment if needed uncomment and adjust
+# some conventions on environment prefixes
+# - _ENV_LOCAL_ .env.local purpouse is to cache build and start the setup locally using cache images exposing dev ports (i.e 3306, 5432, 8086, ...) for debug and development purposes. It is the default behaviour (_ENV_LOCAL_:build-cache:.env.local)
+# - _ENV_CACHE_ .env.cache purpouse is to generate images tagged for build cache from that use BUILDKIT_INLINE_CACHE 1 (_ENV_CACHE_:build-cache:.env.cache)
+# - _ENV_RELEASE_ .env.release purpouse is to generate images (that do not use BUILDKIT_INLINE_CACHE 1) tagged for the clients/pilots usage (_ENV_RELEASE_:build-release:.env.release)
+# - _ENV_DEPLOY_ .env purpose is to generate non building docker-compose that uses the release to deploy on generic client (_ENV_DEPLOY_:release:.env)
+# - _ENV_TEST_ .env.test the purpouse is to test from the cache images the correct behaviour without exposing ports (_ENV_TEST_:build-cache:.env.test)
+# types of building
+# - build-cache: it focuses in the generation of images with BUILDKIT_INLINE_CACHE 1 for its usage in the cache-from for subsequent build, for each compose-file in compose-file build it finds build/cache the same name to add it to the build, it will use cache from.
+# - build-release: it focuses in the generation of images for distribution it avoid using BUILDKIT_INLINE_CACHE 1 to reduce the size, it will use cache from.
+# - cache: it runs using cache images
+# - release: it runs using release images
+# default enviroment 
+# _ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local
+# to add more enviroments use split with ";"
+_ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local;_ENV_DEPLOY_:release:.env
+
 #### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
 
 #### Common Build related ####
 # DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
+# DOCKER_BUILDKIT=1
+# COMPOSE_DOCKER_CLI_BUILD=1
+
+### Common Traefik related ###
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+# TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 
 #### Common Production related ####
 ADMIN_USER=admin
 ADMIN_PASSWORD=stepcaPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+# HTTPS_PORT must be 443 if you use step-ca
+# HTTPS_PORT=443
+# server host is configured during the sync based on _ENV_LOCAL_ and _ENV_DEPLOY, _ENV_LOCAL_ will be used for test and release unless _ENV_RELEASE_ or _ENV_TEST_ specified
+SERVER_HOST=euve.digital.tecnalia.dev
 
 #### Platform Specific ####
 TZ=Madrid
@@ -36,8 +59,11 @@ COMPOSE_PROJECT_NAME=stepca-production
 # COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
 
 COMPOSE_FILE_BASE=docker-compose.yaml
+COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
 
 COMPOSE_FILE= 
 # COMPOSE_FILE Is generated automatically
 
-COMPOSE_FILE_BASE_NETWORK=docker-compose-traefik-network-external.yaml
+_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+_ENV_LOCAL_COMPOSE_FILE_BASE_TEST_WHOAMI=docker-compose-test-whoami.yaml
+_ENV_LOCAL_COMPOSE_FILE_BASE_DEV_LOG=docker-compose-dev-log.yaml
diff --git a/git/step-ca/.env.gen.test b/git/step-ca/.env.gen.test
deleted file mode 100755
index 8668ae26a70ae523f0c2c2481cf60bd1f14c5192..0000000000000000000000000000000000000000
--- a/git/step-ca/.env.gen.test
+++ /dev/null
@@ -1,37 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-DOCKER_REGISTRY_CACHE_PROJECT_NAME=/euve
-DOCKER_REGISTRY_PROJECT_NAME=/euve
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
-
-#### Common Production related ####
-ADMIN_USER=stepca
-ADMIN_PASSWORD=stepcaPassword
-HTTPS_PORT=443
-SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-STEP_UID=1000
-STEP_GID=1000
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=stepca-production
-COMPOSE_FILE_BASE_DEV=
-COMPOSE_FILE_BASE_TEST=docker-compose-test-whoami.yaml
-COMPOSE_FILE_BASE_TRAEFIK=docker-compose-traefik-network-external.yaml
-COMPOSE_FILE_BASE=docker-compose.yaml
-
-COMPOSE_FILE_BUILD=
-COMPOSE_FILE_BUILD_CACHE=
-COMPOSE_FILE=docker-compose.yaml:docker-compose-test-whoami.yaml:docker-compose-traefik-network-external.yaml
diff --git a/git/step-ca/.env.local b/git/step-ca/.env.local
index 8e204aa920390ff975946da3224d77738f720dc7..9f3dfd112d772a25a7ac6e7b27d0b05c19fcc7db 100755
--- a/git/step-ca/.env.local
+++ b/git/step-ca/.env.local
@@ -1,32 +1,8 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
 ADMIN_USER=admin
 ADMIN_PASSWORD=stepcaPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-
-#### Platform Specific ####
+SERVER_HOST=192.168.56.1.nip.io
 STEP_CA_CONFIG_PATH=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
 COMPOSE_PROJECT_NAME=stepca-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-
-# COMPOSE_FILE Is generated automatically
-
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml
+COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml:docker-compose-test-whoami.yaml:docker-compose-dev-log.yaml
diff --git a/git/step-ca/.env.test b/git/step-ca/.env.test
deleted file mode 100755
index c166e8fdb38a3c601000e5d12b4afb6a5b9e452c..0000000000000000000000000000000000000000
--- a/git/step-ca/.env.test
+++ /dev/null
@@ -1,33 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=stepcaPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-
-#### Platform Specific ####
-STEP_CA_CONFIG_PATH=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=stepca-production-test
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-COMPOSE_FILE_BASE=docker-compose.yaml
-
-# COMPOSE_FILE Is generated automatically
-
-COMPOSE_FILE=docker-compose.yaml:docker-compose-traefik-network-external.yaml
diff --git a/git/step-ca/data/step-ca/certs/intermediate_ca.crt b/git/step-ca/data/step-ca/certs/intermediate_ca.crt
index 5e545ce925c6a04e0be07b89db508af34e0b1311..c02505bfa1fd5e7f9895cdee56acbd672e81f221 100755
--- a/git/step-ca/data/step-ca/certs/intermediate_ca.crt
+++ b/git/step-ca/data/step-ca/certs/intermediate_ca.crt
@@ -1,23 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIIDzDCCAbSgAwIBAgIRAOez4Q0UwaVXdscuPsfnvSEwDQYJKoZIhvcNAQENBQAw
-ejELMAkGA1UEBhMCRVMxEDAOBgNVBAgMB0JpemthaWExDzANBgNVBAcMBkJpbGJh
-bzERMA8GA1UECgwIVGVjbmFsaWExFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxHTAb
-BgNVBAMMFENBIHNlcnZlciBlc2lsYWIub3JnMB4XDTIyMDcyNTAwMTgzOFoXDTMy
-MDcyMjAwMTgzOFowLDEMMAoGA1UEChMDZGV2MRwwGgYDVQQDExNkZXYgSW50ZXJt
-ZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuzWJlbR9OVY3pnJG
-fbHvxiMERPYUgh5Na2R7da1CTYI3+NsovQuGlZDgpBw7G8lzu0LIOxjAh9O5Ma4k
-ls6hHaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYD
-VR0OBBYEFIfevTmZVFeHDeOmwlZhOx9Tm6ypMB8GA1UdIwQYMBaAFDB2n8XTjPIp
-1PMAj2w3SSakHYz8MA0GCSqGSIb3DQEBDQUAA4ICAQAHQI3V69sadm+WW/LetcyE
-/LYm7lanBaDJvEb/mvjHoxMeRPx5qbq840tWQbOYidCYX+SZtdVhIHik84ulXzz8
-26Dv/Xkn3GkBus9+++923y924YLRRdHSk+y2e+gYUSGvRNSP+bM67K8VwYNZ2lXV
-XJcD0JeHY7Tj1ycoMjt4YmQT4czAN4+kLHjTo+hXKWwQ51QKfwsMrqvpcustq1AI
-CrtUtxCCno5LLBSGmojUAx/Xelm8NPQtYE5MTnjDgNCJu/tRGZGyyp66pD/F9veZ
-xrTImPZa2qFlEkxH2XA4mZdKT/OEoNpkWf8auPnIer3YnPeGD2TLh7KlOpp+vrNn
-zdGUDy1DncO0E9dvx2u0xw9BaGnKSNI8tjotNHDpj2BUHXy2xpHXb9dERTD0rCcV
-yuNC+QZ+mTG4QpP1V7I1K0grPBmN/V8HEPEgF5fjS5dzzBRxsZhWY0ebZoSNy0rm
-rxJ+EPPpa6zmNdNXs79mn63sLb2shAScBPJQadsNWtrRtNkanlqwX6ybXhbWSyfQ
-70x+PRuLSNFE0OHFTWo78Irvt0KMgh9F/tIkv/g6Ymno13jGqY6LPrDp/dqMXosd
-A6zgCUX3/nuuFxh/GgByJtz7sPyTLUr64tHCCTkQEet43YrhgQBMBs1UQNPF07+C
-3AYSr3Jx8pJtGiKYZtdAKg==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 -----END CERTIFICATE-----
diff --git a/git/step-ca/data/step-ca/config/ca.json b/git/step-ca/data/step-ca/config/ca.json
index 7f594b4f6ca6ee63c457f9bc437083fccb62cbb3..467156ffa35b7bf64c5d338183d2f1933ec4f92d 100755
--- a/git/step-ca/data/step-ca/config/ca.json
+++ b/git/step-ca/data/step-ca/config/ca.json
@@ -1,65 +1,72 @@
 {
-	"root": "/home/step/certs/root_ca.crt",
-	"federatedRoots": null,
-	"crt": "/home/step/certs/intermediate_ca.crt",
-	"key": "/home/step/secrets/intermediate_ca_key",
-	"address": ":9000",
-	"insecureAddress": "",
-	"dnsNames": [
-		"localhost",
-		"ca.internal",
-		"ca.192.168.56.1.nip.io",
-		"acme.192.168.56.1.nip.io"
-	],
-	"logger": {
-		"format": "text"
-	},
-	"db": {
-		"type": "badgerv2",
-		"dataSource": "/home/step/db",
-		"badgerFileLoadingMode": ""
-	},
-	"authority": {
-		"provisioners": [
-			{
-				"type": "JWK",
-				"name": "admin",
-				"key": {
-					"use": "sig",
-					"kty": "EC",
-					"kid": "YSF1ihodoNlLI7OUaCjyz7NHPpqT7K7S-twVJfcBMOI",
-					"crv": "P-256",
-					"alg": "ES256",
-					"x": "KtyRZrHo8UYcOO2ONd4FxLpchq8i47UjLyY8XxjWNq0",
-					"y": "J3MJMmF_6sYqyT_IBFsDdf_fFxL99HAl2FXadGTvrwg"
-				},
-				"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiRnFXNUJ2c0NoYi11YlQwMVpoWWVCQSJ9.bS29p0EGLKJskUDzvgJAdWYrpb2_krHOYjDqk5ZSiO8CbbLjxM-1Ig.yaRCpufHIcGmSGH1.X5U-hXL9G7_6hm3zlR9FZM7ti5XVSBTk7wckYZ-wnUprBfMnMfUurGQizSFNNLZZCvMR3w90vxYTUNQtYNL1N9IAssZZZEj-1iPvheQ9rLvrPkBW_oHJIulgi-KtDf_Zqf3s-FXLpe5TW4DbNgv6lDinLAvPgC3pdIcigB2A9yCwezsrD8u4nRWqIf-IRgJdan05HoTNv_RxuutkJ086Th4Qm-bJoeWE46Vh2JqXOeRgO_1tmAQSEZ9gATbtuN_py6nP1O83l3iDHSznIc8zURrCJWMMQby_2mlKkePuMWV1pm3IecjDcq5iqjZWclGFRFpXd_CX2irHQTnR8T8.xQFmaOcHtcBMZHdCDPeUJg"
-			},
-			{
-				"type": "ACME",
-				"name": "acme",
-				"claims": {
-					"enableSSHCA": true,
-					"disableRenewal": false,
-					"allowRenewalAfterExpiry": false
-				},
-				"options": {
-					"x509": {},
-					"ssh": {}
-				}
-			}
-		],
-		"template": {},
-		"backdate": "1m0s"
-	},
-	"tls": {
-		"cipherSuites": [
-			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-		],
-		"minVersion": 1.2,
-		"maxVersion": 1.3,
-		"renegotiation": false
-	},
-	"commonName": "Step Online CA"
+  "root": "/home/step/certs/root_ca.crt",
+  "federatedRoots": null,
+  "crt": "/home/step/certs/intermediate_ca.crt",
+  "key": "/home/step/secrets/intermediate_ca_key",
+  "address": ":9000",
+  "insecureAddress": "",
+  "dnsNames": [
+    "localhost",
+    "step-ca"
+  ],
+  "logger": {
+    "format": "text"
+  },
+  "db": {
+    "type": "badgerv2",
+    "dataSource": "/home/step/db",
+    "badgerFileLoadingMode": ""
+  },
+  "authority": {
+    "provisioners": [
+      {
+        "type": "JWK",
+        "name": "admin",
+        "key": {
+          "use": "sig",
+          "kty": "EC",
+          "kid": "6uqSCoymV0MowBWAfjYPfyXK0w1zOZI6HNu17S6JEcE",
+          "crv": "P-256",
+          "alg": "ES256",
+          "x": "4vy6KYBIihpJbOCl0y8sDGAKqdVaHhK6OH4jQ-PNG6g",
+          "y": "Fav6rMrkUdMvNt0AlX6FpClwaa3dalgJaYSaP5xppds"
+        },
+        "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiVktRU3pvbzdNaEIyeEx6STdUdkhsdyJ9.AM7irQiz_cu3ya8NbLN1c_gQRXU7MGt-4dHnw47zByFzong6xcf9og.ljaCnMiyAMYAgV2E.F_xMG2F0j9FyWtYb8sqdV99uoUw4__iEwhxrsfFKTGKzNCKqydioFJwsjf6ccI_VEHP2w-vOVbR0J5euSG0zQrVNKH7ejx3-UrJaio12gQeJncVTcxvh0WJzEWT0oH4-Llyu927Yynjrj0t_94dxA1vVGLgPNMvpcyQtBof7yZEnTab5rW8Myn24pwWf8DUSgGyjBL4Gs-3w3eVMkUjXPWnuBV2-g7QEgXp4tIrI0Op6eSFjZ4XFHJDtxSRRFaQtoFwihlqHnEWIyYOIZVGmDKRApaNBZLhSt82Mmde21IvTWHH8k8JEvMQqUQbpZGqngK_vWyw0FrVGP0KYNsU.DCPonfvrCPOzI5TgtBBwEw"
+      },
+      {
+        "type": "ACME",
+        "name": "acme",
+        "claims": {
+          "enableSSHCA": true,
+          "disableRenewal": false,
+          "allowRenewalAfterExpiry": true,
+          "minTLSCertDuration": "5m",
+          "maxTLSCertDuration": "168h",
+          "defaultTLSCertDuration": "168h"
+        },
+        "options": {
+          "x509": {},
+          "ssh": {}
+        }
+      }
+    ],
+    "template": {},
+    "backdate": "1m0s",
+    "claims": {
+      "minTLSCertDuration": "5m",
+      "maxTLSCertDuration": "168h",
+      "defaultTLSCertDuration": "168h",
+      "allowRenewalAfterExpiry": true
+    }
+  },
+  "tls": {
+    "cipherSuites": [
+      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+    ],
+    "minVersion": 1.2,
+    "maxVersion": 1.3,
+    "renegotiation": false
+  },
+  "commonName": "Step Online CA"
 }
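Review bot: `"allowRenewalAfterExpiry": true` is now set both in the ACME provisioner's `claims` and in the new authority-level `claims` block, so as far as step-ca's renewal path is concerned an already-expired certificate is still accepted as the credential for getting a new one. That removes expiry as the bound on how long a leaked leaf key stays useful and works against the `"maxTLSCertDuration": "168h"` limit introduced in the same hunk. Unless clients are known to miss their renewal window, keep `"allowRenewalAfterExpiry": false` in both places and let expired clients enrol again through the provisioner. JSON has no comment syntax, so the reason for whichever value is kept belongs in the commit message or the README.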
diff --git a/git/step-ca/data/step-ca/secrets/intermediate_ca_key b/git/step-ca/data/step-ca/secrets/intermediate_ca_key
index c56bffc933ee2e1365886a0a1ee0037ae54a59c2..9b95c141d9e6aae14a936272706b5bf424fab889 100755
--- a/git/step-ca/data/step-ca/secrets/intermediate_ca_key
+++ b/git/step-ca/data/step-ca/secrets/intermediate_ca_key
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,966e824367d9eb9c2c53fa6106aeb471
+DEK-Info: AES-256-CBC,42d195b7d1a14b071c0446e026464f64
 
-nAXR//rkLUpjf947GE7bkL0r1Httlgc0JJv43sZaKiN1J9GCOigee2XCfZg5v1Sr
-jOBNlM+pKOazCu8apHA9/VN5wz52ygP7fDuKtuU2wEc7Km+azVtaCE6YTz2b26o/
-bdoLa/R0w4fbf4QbZhH/rILVJ0HYWRyrpDpmD3vbm+k=
+cLLntWe8CIToj3VQgSOG89mZ5xnhXi5ELyEcKA39MemAvwpzZ7VwLtki+6p5fIxB
+iZ0Z00tBC9SH2epUzSvlUITX0xCuKOVLIbGqCnN7Z3IsWPUeFO0IrDuvjCRr6Avw
+vyPSax5uAmUCio7fE0AZb96hV+Zjb1tYL26fWXie4V8=
 -----END EC PRIVATE KEY-----
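Review bot: The intermediate CA private key is kept in version control, and the next hunk changes `secrets/password` in the same directory, so (assuming that file holds the passphrase for this key, as its location suggests) every reader of the repository has both halves and the PEM encryption protects nothing. The `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` header is also the legacy OpenSSL PEM format, which derives the cipher key from the passphrase with a single MD5-based pass, so it is weak even with the passphrase kept elsewhere. Treat the old and the new key as disclosed: issue a fresh intermediate outside the repository, supply `secrets/` at deploy time (a Docker secret or a bind mount from a protected host path), and add `git/step-ca/data/step-ca/secrets/` to `.gitignore`. The JWK provisioner's `encryptedKey` in the ca.json hunk needs the same treatment if it is protected by the same password.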
diff --git a/git/step-ca/data/step-ca/secrets/password b/git/step-ca/data/step-ca/secrets/password
index ee6c4501c1ae5078a8ba9b1c78637768c1d9b290..4030a7e98972d58398ee968513b7257cccfc481d 100755
--- a/git/step-ca/data/step-ca/secrets/password
+++ b/git/step-ca/data/step-ca/secrets/password
@@ -1 +1 @@
-91U9IvDrB/kvr9/5gfwO011l5QwouuNsF/1PPMseBDkgww957k3DgBdeXGhzI7uR
+uTCatwOq7iUVqi/NWlsr54whP+byjHS0fTGvpjVdT2Sq5TJj76w1dGzz9VlZT2AV
diff --git a/git/step-ca/docker-compose-dev-log.yaml b/git/step-ca/docker-compose-dev-log.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f6f7744b866b360899c264e05b0bb7ce39f39810
--- /dev/null
+++ b/git/step-ca/docker-compose-dev-log.yaml
@@ -0,0 +1,4 @@
+services:
+  step-ca:
+    environment:
+      - STEPDEBUG=1
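Review bot: This overlay carries no comment marking it as development-only, and the env-file hunk that ends just above appends both it and `docker-compose-test-whoami.yaml` to `COMPOSE_FILE` in a file whose `COMPOSE_PROJECT_NAME` is `stepca-production`. If that env file is ever used for a real deployment, the CA runs with `STEPDEBUG=1` (verbose diagnostics, presumably including stack traces in the logs) and a request-echo test container is published on the HTTPS entrypoint with no auth middleware among its labels. I would add a header such as `# dev only: enables step-ca debug output; keep out of any deployment COMPOSE_FILE` here and in the whoami file, and have the two overlays generated only for the local environment.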
diff --git a/git/step-ca/docker-compose-test-whoami.yaml b/git/step-ca/docker-compose-test-whoami.yaml
index 693fdcd087d71534482ff667184ad5324bc1d15c..81e07afe01fed24d04cdc32515909cfda5b0362b 100755
--- a/git/step-ca/docker-compose-test-whoami.yaml
+++ b/git/step-ca/docker-compose-test-whoami.yaml
@@ -1,12 +1,12 @@
 services:
-  whoami:
+  stepca-test-whoami:
     image: containous/whoami:v1.5.0
     restart: always
-    hostname: "whoami1"
+    hostname: "stepca-test-whoami"
     networks:
       traefik_network:
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=traefik_network"
-      - "traefik.http.routers.whoami1.entrypoints=websecure"
-      - "traefik.http.routers.whoami1.rule=Host(`whoami.whoami.${SERVER_HOST:?err}`)"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
+      - "traefik.http.routers.stepca-test-whoami.entrypoints=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}"
+      - "traefik.http.routers.stepca-test-whoami.rule=Host(`stepca-test-whoami.${SERVER_HOST:?err}`)"
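Review bot: The three new `${VAR:?err}` guards in these labels, and `name: ${TRAEFIK_NETWORK_NAME:?err}` in docker-compose-traefik-network-external.yaml, stop compose with `err` as the only explanation, which says nothing about what value is expected or where it is normally defined. Put the requirement in the message, for example `${TRAEFIK_NETWORK_NAME:?must name the external Traefik network, see .env.gen}`, and do the same for `TRAEFIK_HTTPS_ENTRYPOINT_NAME` and `SERVER_HOST`.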
diff --git a/git/step-ca/docker-compose-traefik-network-external.yaml b/git/step-ca/docker-compose-traefik-network-external.yaml
index 6149618e9408dec1168a12175ab70e38c67cc86c..072eb9ddaea6fc008e2c55f9d166d07ca55ad2f6 100755
--- a/git/step-ca/docker-compose-traefik-network-external.yaml
+++ b/git/step-ca/docker-compose-traefik-network-external.yaml
@@ -1,4 +1,4 @@
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: true
diff --git a/git/step-ca/docker-compose.yaml b/git/step-ca/docker-compose.yaml
index c1973c7da0d387d95c646a6965124ab7f63cddc2..3a65fd05c1cd738167bc4e8d36d76b54b8d8989a 100755
--- a/git/step-ca/docker-compose.yaml
+++ b/git/step-ca/docker-compose.yaml
@@ -1,11 +1,9 @@
 services:
   step-ca:
-    image: smallstep/step-ca:0.21.0
+    image: smallstep/step-ca:0.23.1
     restart: always
     networks:
       traefik_network:
-        aliases:
-          - acme.${SERVER_HOST}
     volumes:
       - ./${STEP_CA_CONFIG_PATH}data/step-ca/certs:/home/step/certs
       - ./${STEP_CA_CONFIG_PATH}data/step-ca/config:/home/step/config
diff --git a/git/traefik/.env b/git/traefik/.env
index f6608217e24028296b172a50a623fe3e17abb4ba..086e05ac132fd182b39e7df1acf484b986d20f99 100755
--- a/git/traefik/.env
+++ b/git/traefik/.env
@@ -2,6 +2,10 @@ ADMIN_USER=admin
 ADMIN_PASSWORD=traefikPassword
 HTTPS_PORT=443
 SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
 COMPOSE_PROJECT_NAME=traefik-production
-COMPOSE_FILE=docker-compose-expose.yaml:docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
+COMPOSE_FILE=docker-compose-redirect-ca.yaml:docker-compose-acme.yaml:docker-compose-expose.yaml
diff --git a/git/traefik/.env.cache b/git/traefik/.env.cache
new file mode 100644
index 0000000000000000000000000000000000000000..650940f97088da5f64c86456f617ee128eb84838
--- /dev/null
+++ b/git/traefik/.env.cache
@@ -0,0 +1,14 @@
+DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
+DOCKER_REGISTRY_CACHE_VERSION=latest
+ADMIN_USER=admin
+ADMIN_PASSWORD=traefikPassword
+HTTPS_PORT=443
+SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TZ=Madrid
+TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
+COMPOSE_PROJECT_NAME=traefik-production
+TRAEFIK_BASE_PATH=
+CERTIFICATE_SIGNING_KEY_PASSPHRASE=to_be_provided
+COMPOSE_FILE=docker-compose-tecnalia-selfsigned.yaml:docker-compose-expose.yaml:build/docker-compose-tecnalia-selfsigned.yaml:build/inline-cache/docker-compose-tecnalia-selfsigned.yaml:build/image/docker-compose-tecnalia-selfsigned.yaml
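Review bot: `ADMIN_PASSWORD=traefikPassword` is committed here next to `SERVER_HOST=euve.digital.tecnalia.dev` and `COMPOSE_PROJECT_NAME=traefik-production`, and the same lines are added in .env.certs, .env.selfsigned and .env.tecnalia. If these files are deployed as generated, the admin credential for a publicly named host is a default that anyone with repository access knows. Leave the value empty in the template (`ADMIN_PASSWORD=`) so that it falls under the convention stated at the top of .env.gen, where variables without a value must be defined externally, and reference it from the compose files as `${ADMIN_PASSWORD:?ADMIN_PASSWORD must be provided}` so a missing secret stops the deployment.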
diff --git a/git/traefik/.env.certs b/git/traefik/.env.certs
new file mode 100644
index 0000000000000000000000000000000000000000..a048c4b6c03f50bd4a1cb7b60cd5da3f8362c533
--- /dev/null
+++ b/git/traefik/.env.certs
@@ -0,0 +1,12 @@
+ADMIN_USER=admin
+ADMIN_PASSWORD=traefikPassword
+HTTPS_PORT=443
+SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TRAEFIK_HTTP_ENTRYPOINT_NAME=web
+TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
+COMPOSE_PROJECT_NAME=traefik-production
+TRAEFIK_BASE_PATH=
+COMPOSE_FILE=docker-compose-redirect-ca.yaml:docker-compose-certs.yaml:docker-compose-expose.yaml
diff --git a/git/traefik/.env.gen b/git/traefik/.env.gen
index 5fca325d8ec4945a0fcc8ff989e41c8211509cba..dad825dee46c053c83085d11dd1cc55a590760de 100755
--- a/git/traefik/.env.gen
+++ b/git/traefik/.env.gen
@@ -2,26 +2,53 @@
 # Focus default variables as production, to allow direct download and run in production
 # Required external variables that must be defined externally are those that have no value
 
+#### Environments managed
+# this is the default environment if needed uncomment and adjust
+# some conventions on environment prefixes
+# - _ENV_LOCAL_ .env.local purpouse is to cache build and start the setup locally using cache images exposing dev ports (i.e 3306, 5432, 8086, ...) for debug and development purposes. It is the default behaviour (_ENV_LOCAL_:build-cache:.env.local)
+# - _ENV_CACHE_ .env.cache purpouse is to generate images tagged for build cache from that use BUILDKIT_INLINE_CACHE 1 (_ENV_CACHE_:build-cache:.env.cache)
+# - _ENV_RELEASE_ .env.release purpouse is to generate images (that do not use BUILDKIT_INLINE_CACHE 1) tagged for the clients/pilots usage (_ENV_RELEASE_:build-release:.env.release)
+# - _ENV_DEPLOY_ .env purpose is to generate non building docker-compose that uses the release to deploy on generic client (_ENV_DEPLOY_:release:.env)
+# - _ENV_TEST_ .env.test the purpouse is to test from the cache images the correct behaviour without exposing ports (_ENV_TEST_:build-cache:.env.test)
+# types of building
+# - build-cache: it focuses in the generation of images with BUILDKIT_INLINE_CACHE 1 for its usage in the cache-from for subsequent build, for each compose-file in compose-file build it finds build/cache the same name to add it to the build, it will use cache from.
+# - build-release: it focuses in the generation of images for distribution it avoid using BUILDKIT_INLINE_CACHE 1 to reduce the size, it will use cache from.
+# - cache: it runs using cache images
+# - release: it runs using release images
+# default enviroment 
+# _ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local
+# to add more enviroments use split with ";"
+_ENVIRONMENTS=_ENV_LOCAL_:build-cache:.env.local;_ENV_DEPLOY_BASE_:release:.env;_ENV_CACHE_:build-cache:.env.cache;_ENV_DEPLOY_CERTS_:release:.env.certs;_ENV_SELFSIGNED_:release:.env.selfsigned;_ENV_DEPLOY_TECNALIA_:release:.env.tecnalia
+
 #### Common image related ####
 DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
 DOCKER_REGISTRY_CACHE_VERSION=latest
 
 #### Common Build related ####
 # DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
+# DOCKER_BUILDKIT=1
+# COMPOSE_DOCKER_CLI_BUILD=1
+
+### Common Traefik related ###
+# TRAEFIK_NETWORK_NAME=traefik_network
+# TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+# TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 
 #### Common Production related ####
 ADMIN_USER=admin
 ADMIN_PASSWORD=traefikPassword
+# HTTPS_PORT must be 443 if you use step-ca
 HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+# server host is configured during the sync based on _ENV_LOCAL_ and _ENV_DEPLOY, _ENV_LOCAL_ will be used for test and release unless _ENV_RELEASE_ or _ENV_TEST_ specified
+SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 
 #### Platform Specific ####
 TZ=Madrid
 TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
 
 #### Common docker-compose related ####
 # https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
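Review bot: The `_ENVIRONMENTS` entry `_ENV_SELFSIGNED_:release:.env.selfsigned` uses a prefix that no variable in this file carries; the override added in the next hunk is named `_ENV_DEPLOY_SELFSIGNED_COMPOSE_FILE_BASE`. The effect is visible in this commit: the new .env.selfsigned has the same blob id as .env (`086e05ac132f…`) and its `COMPOSE_FILE` lists `docker-compose-acme.yaml` rather than `docker-compose-selfsigned.yaml`, so the self-signed environment silently gets the ACME configuration. Change the entry to `_ENV_DEPLOY_SELFSIGNED_:release:.env.selfsigned` (or rename the variable to match) and regenerate the env files. The added comments also misspell `purpouse` and `enviroment`.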
@@ -33,12 +60,30 @@ COMPOSE_PROJECT_NAME=traefik-production
 # _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
 # COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
 
-COMPOSE_FILE_BASE=docker-compose-expose.yaml
+COMPOSE_FILE_BASE=docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
+COMPOSE_FILE_BASE_EXPOSE=docker-compose-expose.yaml
 
-COMPOSE_FILE= 
 # COMPOSE_FILE Is generated automatically
 
-_ENV_LOCAL_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-ca.yaml
-_ENV_DEPLOY_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
-
 TRAEFIK_CONFIG_PATH=
+TRAEFIK_BASE_PATH=
+
+_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
+_ENV_LOCAL_COMPOSE_FILE_BASE=docker-compose-redirect-ca.yaml:docker-compose-ca.yaml
+_ENV_LOCAL_COMPOSE_FILE_BASE_DEV=docker-compose-dev.yaml
+
+_ENV_LOCAL_TRAEFIK_LOG_LEVEL=DEBUG
+_ENV_LOCAL_TRAEFIK_LOG=true
+
+_ENV_CACHE_CERTIFICATE_SIGNING_KEY_PASSPHRASE=to_be_provided
+_ENV_CACHE_COMPOSE_FILE_BASE=docker-compose-tecnalia-selfsigned.yaml
+
+_ENV_RELEASE_CERTIFICATE_SIGNING_KEY_PASSPHRASE=to_be_provided
+_ENV_RELEASE_COMPOSE_FILE_BASE=docker-compose-tecnalia-selfsigned.yaml
+
+_ENV_DEPLOY_CERTS_COMPOSE_FILE_BASE=docker-compose-redirect-ca.yaml:docker-compose-certs.yaml
+
+_ENV_DEPLOY_SELFSIGNED_COMPOSE_FILE_BASE=docker-compose-redirect-ca.yaml:docker-compose-selfsigned.yaml
+
+_ENV_DEPLOY_TECNALIA_CERTIFICATE_SIGNING_KEY_PASSPHRASE=to_be_provided
+_ENV_DEPLOY_TECNALIA_COMPOSE_FILE_BASE=docker-compose-redirect-ca.yaml:docker-compose-tecnalia-selfsigned.yaml
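Review bot: The `_ENV_CACHE_`, `_ENV_RELEASE_` and `_ENV_DEPLOY_TECNALIA_` variants of `CERTIFICATE_SIGNING_KEY_PASSPHRASE` are set to `to_be_provided`, giving the signing-key passphrase a non-empty default where the deleted .env.gen.tecnalia.selfsigned left `CERTIFICATE_SIGNING_KEY_PASSPHRASE=` blank. A non-empty placeholder passes any `${…:?err}` check, so a build or deployment that forgets to override it would go ahead with a publicly known string as the passphrase (how the variable is consumed is outside this hunk). Leave the value empty, e.g. `_ENV_DEPLOY_TECNALIA_CERTIFICATE_SIGNING_KEY_PASSPHRASE=`, so that a missing secret fails fast instead of being replaced by the placeholder.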
diff --git a/git/traefik/.env.gen.ca b/git/traefik/.env.gen.ca
deleted file mode 100755
index 8e616105dc13f4adba92dc9efd3cdad15256f0ad..0000000000000000000000000000000000000000
--- a/git/traefik/.env.gen.ca
+++ /dev/null
@@ -1,43 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=traefikPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-TRAEFIK_CONSTRAINTS=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=traefik-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-_ENV_LOCAL_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-ca.yaml
-_ENV_DEPLOY_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
-COMPOSE_FILE_BASE=docker-compose-expose.yaml
-
-COMPOSE_FILE= 
-# COMPOSE_FILE Is generated automatically
-
-TRAEFIK_CONFIG_PATH=
diff --git a/git/traefik/.env.gen.certs b/git/traefik/.env.gen.certs
deleted file mode 100755
index d20d961410cf93d37c79030efcb15f6a4b25023f..0000000000000000000000000000000000000000
--- a/git/traefik/.env.gen.certs
+++ /dev/null
@@ -1,44 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=traefikPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-TRAEFIK_CONSTRAINTS=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=traefik-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-_ENV_LOCAL_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-certs.yaml
-_ENV_DEPLOY_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
-COMPOSE_FILE_BASE=docker-compose-expose.yaml
-
-COMPOSE_FILE= 
-# COMPOSE_FILE Is generated automatically
-
-TRAEFIK_CONFIG_PATH=
-
diff --git a/git/traefik/.env.gen.selfsigned b/git/traefik/.env.gen.selfsigned
deleted file mode 100755
index 3d532441eedbc722fdaa0a8306410f001d710323..0000000000000000000000000000000000000000
--- a/git/traefik/.env.gen.selfsigned
+++ /dev/null
@@ -1,41 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=traefikPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-TRAEFIK_CONSTRAINTS=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=traefik-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-_ENV_LOCAL_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-selfsigned.yaml
-_ENV_DEPLOY_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-acme.yaml
-COMPOSE_FILE_BASE=docker-compose-expose.yaml
-
-COMPOSE_FILE= 
-# COMPOSE_FILE Is generated automatically
diff --git a/git/traefik/.env.gen.tecnalia.selfsigned b/git/traefik/.env.gen.tecnalia.selfsigned
deleted file mode 100755
index 70157beb2d56c6ac501a626dfc4b5a7a2f1c0ce9..0000000000000000000000000000000000000000
--- a/git/traefik/.env.gen.tecnalia.selfsigned
+++ /dev/null
@@ -1,42 +0,0 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
-DOCKER_REGISTRY_CACHE_VERSION=latest
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-DOCKER_BUILDKIT=1
-COMPOSE_DOCKER_CLI_BUILD=1
-
-#### Common Production related ####
-ADMIN_USER=admin
-ADMIN_PASSWORD=traefikPassword
-HTTPS_PORT=443
-# SERVER_HOST=
-_ENV_DEPLOY_SERVER_HOST=euve.digital.tecnalia.dev
-_ENV_LOCAL_SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
-TZ=Madrid
-TRAEFIK_CONSTRAINTS=
-CERTIFICATE_SIGNING_KEY_PASSPHRASE=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
-COMPOSE_PROJECT_NAME=traefik-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-_ENV_RELEASE_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-tecnalia-selfsigned.yaml
-_ENV_DEPLOY_COMPOSE_FILE_BASE=docker-compose-dev.yaml:docker-compose-redirect-ca.yaml
-COMPOSE_FILE_BASE=docker-compose-expose.yaml
-
-COMPOSE_FILE= 
-# COMPOSE_FILE Is generated automatically
diff --git a/git/traefik/.env.local b/git/traefik/.env.local
index 7e41980de063022369a76b602764884368b768fc..395174e81d5a061f12426ea3466d1503611dd32d 100755
--- a/git/traefik/.env.local
+++ b/git/traefik/.env.local
@@ -1,35 +1,14 @@
-# Reference documentation https://docs.docker.com/compose/environment-variables/
-# Focus default variables as production, to allow direct download and run in production
-# Required external variables that must be defined externally are those that have no value
-
-#### Common image related ####
-
-#### Common Build related ####
-# DOCKER_BUILDKIT and COMPOSE_DOCKER_CLI_BUILD do not have effect here, we leave them as documentation
-
-#### Common Production related ####
 ADMIN_USER=admin
 ADMIN_PASSWORD=traefikPassword
 HTTPS_PORT=443
-# SERVER_HOST=
 SERVER_HOST=192.168.56.1.nip.io
-
-#### Platform Specific ####
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TRAEFIK_HTTP_ENTRYPOINT_NAME=web
 TRAEFIK_CONSTRAINTS=
-
-#### Common docker-compose related ####
-# https://docs.docker.com/compose/reference/envvars/#compose_file#compose_project_name
-# these are docker-compose related environment variables
+PROJECT_NAME=traefik
 COMPOSE_PROJECT_NAME=traefik-production
-# _ENV_LOCAL_COMPOSE_FILE_BASE= # These are oriented for local vagrant usually it contains local traefik configuration, dev services, etc
-# _ENV_RELEASE_COMPOSE_FILE_BASE= # These are oriented for tagging relevant images for upload to official release repositories
-# _ENV_DEPLOY_COMPOSE_FILE_BASE= # These are oriented for final deployment it contains production traefik configuration, etc
-# _ENV_TEST_COMPOSE_FILE_BASE= # These are oriented for testing
-# COMPOSE_FILE_BASE= # (MANDATORY) These are those main services of the project, that will apply to all the scenarios
-
-
-# COMPOSE_FILE Is generated automatically
-
-
 TRAEFIK_CONFIG_PATH=
-COMPOSE_FILE=docker-compose-expose.yaml:docker-compose-dev.yaml:docker-compose-redirect-ca.yaml:docker-compose-ca.yaml
+TRAEFIK_LOG_LEVEL=DEBUG
+TRAEFIK_LOG=true
+COMPOSE_FILE=docker-compose-redirect-ca.yaml:docker-compose-ca.yaml:docker-compose-expose.yaml:docker-compose-dev.yaml
diff --git a/git/traefik/.env.selfsigned b/git/traefik/.env.selfsigned
new file mode 100644
index 0000000000000000000000000000000000000000..086e05ac132fd182b39e7df1acf484b986d20f99
--- /dev/null
+++ b/git/traefik/.env.selfsigned
@@ -0,0 +1,11 @@
+ADMIN_USER=admin
+ADMIN_PASSWORD=traefikPassword
+HTTPS_PORT=443
+SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TRAEFIK_HTTP_ENTRYPOINT_NAME=web
+TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
+COMPOSE_PROJECT_NAME=traefik-production
+COMPOSE_FILE=docker-compose-redirect-ca.yaml:docker-compose-acme.yaml:docker-compose-expose.yaml
diff --git a/git/traefik/.env.tecnalia b/git/traefik/.env.tecnalia
new file mode 100644
index 0000000000000000000000000000000000000000..4a4bddfeb62071147c75915d27f757fc0573d71c
--- /dev/null
+++ b/git/traefik/.env.tecnalia
@@ -0,0 +1,14 @@
+DOCKER_REGISTRY_CACHE_PREFIX=cache.euve.digital.tecnalia.dev:5000
+DOCKER_REGISTRY_CACHE_VERSION=latest
+ADMIN_USER=admin
+ADMIN_PASSWORD=traefikPassword
+HTTPS_PORT=443
+SERVER_HOST=euve.digital.tecnalia.dev
+TRAEFIK_NETWORK_NAME=traefik_network
+TRAEFIK_HTTPS_ENTRYPOINT_NAME=websecure
+TZ=Madrid
+TRAEFIK_CONSTRAINTS=
+PROJECT_NAME=traefik
+COMPOSE_PROJECT_NAME=traefik-production
+CERTIFICATE_SIGNING_KEY_PASSPHRASE=to_be_provided
+COMPOSE_FILE=docker-compose-redirect-ca.yaml:docker-compose-tecnalia-selfsigned.yaml:docker-compose-expose.yaml:release/docker-compose-tecnalia-selfsigned.yaml
diff --git a/git/traefik/build/docker-compose-tecnalia-selfsigned.yaml b/git/traefik/build/docker-compose-tecnalia-selfsigned.yaml
index f80584fb64571e00f673a1953d46608a32f5897e..92a2229ac8c8813ed0c10db26dafc8cbe9f83374 100755
--- a/git/traefik/build/docker-compose-tecnalia-selfsigned.yaml
+++ b/git/traefik/build/docker-compose-tecnalia-selfsigned.yaml
@@ -4,3 +4,5 @@ services:
     build:
       context: ${TRAEFIK_BASE_PATH}git/traefik
       dockerfile: Dockerfile
+      cache_from:
+        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/traefik:${DOCKER_REGISTRY_CACHE_VERSION:?err}
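Review bot: `${DOCKER_REGISTRY_CACHE_PREFIX}` is interpolated without the `:?err` guard that the tag next to it has, so an unset prefix produces the reference `/euve/traefik:<tag>` instead of a clear failure. `- ${DOCKER_REGISTRY_CACHE_PREFIX:?err}/euve/traefik:${DOCKER_REGISTRY_CACHE_VERSION:?err}` keeps the two consistent. Layers taken through `cache_from` end up in the built image, so the cache registry is part of the build's trust boundary; the `.env.tecnalia` default points at port 5000 with the `latest` tag, and it is worth confirming that endpoint is served over TLS with push access restricted. The `services:` block starts above the hunk.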
diff --git a/git/traefik/build/cache/docker-compose-tecnalia-selfsigned.yaml b/git/traefik/build/inline-cache/docker-compose-tecnalia-selfsigned.yaml
old mode 100755
new mode 100644
similarity index 50%
rename from git/traefik/build/cache/docker-compose-tecnalia-selfsigned.yaml
rename to git/traefik/build/inline-cache/docker-compose-tecnalia-selfsigned.yaml
index 247f1906c9f974cfdb258d9db4d886acb6658f9d..8b3eb1484bd2ceccea4b3c216f17a3ebfbb41792
--- a/git/traefik/build/cache/docker-compose-tecnalia-selfsigned.yaml
+++ b/git/traefik/build/inline-cache/docker-compose-tecnalia-selfsigned.yaml
@@ -2,7 +2,5 @@ services:
   ## Common structure
   traefik:
     build:
-      cache_from:
-        - ${DOCKER_REGISTRY_CACHE_PREFIX}/euve/traefik:${DOCKER_REGISTRY_CACHE_VERSION:?err}
       args:
         BUILDKIT_INLINE_CACHE: 1 # For multistage docker
diff --git a/git/traefik/data/traefik/ca/root_ca.crt b/git/traefik/data/traefik/ca/ca/root_ca.crt
old mode 100755
new mode 100644
similarity index 100%
rename from git/traefik/data/traefik/ca/root_ca.crt
rename to git/traefik/data/traefik/ca/ca/root_ca.crt
diff --git a/git/traefik/data/traefik/certs/certificate.crt.pem b/git/traefik/data/traefik/certs/certs/certificate.crt.pem
old mode 100755
new mode 100644
similarity index 100%
rename from git/traefik/data/traefik/certs/certificate.crt.pem
rename to git/traefik/data/traefik/certs/certs/certificate.crt.pem
diff --git a/git/traefik/data/traefik/certs/certificate.key.pem b/git/traefik/data/traefik/certs/certs/certificate.key.pem
old mode 100755
new mode 100644
similarity index 100%
rename from git/traefik/data/traefik/certs/certificate.key.pem
rename to git/traefik/data/traefik/certs/certs/certificate.key.pem
diff --git a/git/traefik/data/traefik/dynamic/tls.yml b/git/traefik/data/traefik/certs/dynamic/tls.yml
old mode 100755
new mode 100644
similarity index 100%
rename from git/traefik/data/traefik/dynamic/tls.yml
rename to git/traefik/data/traefik/certs/dynamic/tls.yml
diff --git a/git/traefik/docker-compose-acme.yaml b/git/traefik/docker-compose-acme.yaml
index b74465a7074deaacbb2bb261bb38c4ec351dfb53..d36d2408a0f5a810fe21cf6016e63ec957ebf0de 100755
--- a/git/traefik/docker-compose-acme.yaml
+++ b/git/traefik/docker-compose-acme.yaml
@@ -1,7 +1,7 @@
 services:
   ## Common structure
   traefik:
-    image: traefik:v2.5.2
+    image: traefik:v2.6.0
     restart: always
     hostname: ${SERVER_HOST}
     command: 
@@ -10,29 +10,31 @@ services:
       --api.dashboard=true
       --serverstransport.insecureskipverify=true
       --ping=true
+      --providers.file.directory=/data/dynamic/
       --providers.docker=true
       --providers.docker.constraints="${TRAEFIK_CONSTRAINTS}"
       --providers.docker.exposedbydefault=false
-      --entrypoints.web=true
-      --entrypoints.web.address=:80
-      --entrypoints.web.http.redirections.entrypoint.to=websecure
-      --entrypoints.web.http.redirections.entrypoint.scheme=https
-      --entrypoints.websecure=true
-      --entrypoints.websecure.address=:${HTTPS_PORT:?err}
-      --entrypoints.websecure.http.tls=true
-      --entrypoints.websecure.http.tls.certresolver=leresolver
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}=true
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.address=:80
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.http.redirections.entrypoint.to=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.http.redirections.entrypoint.scheme=https
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}=true
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.address=:${HTTPS_PORT:?err}
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls=true
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls.certresolver=leresolver
       --certificatesresolvers.leresolver.acme.tlsChallenge=true
       --certificatesresolvers.leresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
-      --certificatesresolvers.leresolver.acme.email=${PROJECT_NAME}@esilab.org
+      --certificatesresolvers.leresolver.acme.email=${PROJECT_NAME?err}@esilab.org
       --certificatesresolvers.leresolver.acme.storage=/etc/traefik/acme/acme.json
-      # --entrypoints.websecure.http.tls.domains[0].main=${SERVER_HOST}
-      # --entrypoints.websecure.http.tls.domains[0].sans=${SANS}
+      # --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls.domains[0].main=${SERVER_HOST}
+      # --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls.domains[0].sans=${SANS}
       # --log.level=DEBUG
       # --log=true
       # --providers.docker.endpoint=unix:///var/run/docker.sock
     volumes:
-      - traefik_data:/etc/traefik/acme
+      - ./${TRAEFIK_CONFIG_PATH}data/traefik/acme:/data
       - /var/run/docker.sock:/var/run/docker.sock
+      - traefik_data:/etc/traefik/acme
     networks:
       traefik_network:
         aliases:
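Review bot: `${PROJECT_NAME?err}` in the ACME e-mail flag uses `?` where every other guard in the hunk uses `:?`, so an empty `PROJECT_NAME` passes and the account is registered as `@esilab.org`; `--certificatesresolvers.leresolver.acme.email=${PROJECT_NAME:?err}@esilab.org` would reject it. The new bind mount `./${TRAEFIK_CONFIG_PATH}data/traefik/acme:/data` has no guard at all, and the file provider added above it reads `/data/dynamic/`, so a missing variable or directory changes which dynamic configuration Traefik loads. As far as the hunk shows, nothing writes under `/data` (ACME storage is on `traefik_data`), so appending `:ro` to that mount is cheap hardening. The same applies to the `/data` mounts in `docker-compose-ca.yaml` and `docker-compose-certs.yaml`. The `command:` list starts above the hunk.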
@@ -43,5 +45,5 @@ volumes:
 
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: false
diff --git a/git/traefik/docker-compose-ca.yaml b/git/traefik/docker-compose-ca.yaml
index 5bdc8455fee2205e7749924f6ed64438be9c31c7..132612dd84a6b85af90b8252d5473621fa946c16 100755
--- a/git/traefik/docker-compose-ca.yaml
+++ b/git/traefik/docker-compose-ca.yaml
@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:v2.5.2
+    image: traefik:v2.9.9
     restart: always
     command:
       --api=true
@@ -8,33 +8,34 @@ services:
       --api.dashboard=true
       --serverstransport.insecureskipverify=true
       --ping=true
+      --providers.file.directory=/data/dynamic/
       --providers.docker=true
       --providers.docker.constraints="${TRAEFIK_CONSTRAINTS}"
       --providers.docker.exposedbydefault=false
       --providers.docker.network=traefik-net
       --accesslog=false
-      --log=true
-      --log.level=DEBUG
-      --entrypoints.web=true
-      --entrypoints.web.address=:80
-      --entrypoints.web.http.redirections.entrypoint.to=websecure
-      --entrypoints.web.http.redirections.entrypoint.scheme=https
-      --entrypoints.websecure=true
-      --entrypoints.websecure.address=:${HTTPS_PORT:?err}
-      --entrypoints.websecure.http.tls=true
-      --entrypoints.websecure.http.tls.certresolver=myresolver
-      --certificatesResolvers.myresolver.acme.tlsChallenge=true
-      --certificatesResolvers.myresolver.acme.email=admin
-      --certificatesResolvers.myresolver.acme.storage=/etc/acme/acme.json
-      --certificatesresolvers.myresolver.acme.caserver=https://acme.${SERVER_HOST:?err}:9000/acme/acme/directory
-      --certificatesResolvers.myresolver.acme.tlsChallenge=true
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}=true
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.address=:80
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.http.redirections.entrypoint.to=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.http.redirections.entrypoint.scheme=https
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}=true
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.address=:${HTTPS_PORT:?err}
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls=true
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls.certresolver=myresolver
+      --certificatesresolvers.myresolver.acme.tlsChallenge=true
+      --certificatesresolvers.myresolver.acme.email=admin
+      --certificatesresolvers.myresolver.acme.storage=/etc/acme/acme.json
+      --certificatesresolvers.myresolver.acme.caserver=https://step-ca:9000/acme/acme/directory
+      --certificatesresolvers.myresolver.acme.certificatesduration=24
+      --log.level=${TRAEFIK_LOG_LEVEL:-INFO}
+      --log=${TRAEFIK_LOG:-false}
     volumes:
+      - ./${TRAEFIK_CONFIG_PATH}data/traefik/ca:/data
       - /var/run/docker.sock:/var/run/docker.sock
       - traefik_data:/etc/acme
-      - ./${TRAEFIK_CONFIG_PATH}data/traefik:/data
     environment:
       LEGO_CA_CERTIFICATES: "/data/ca/root_ca.crt"
-      LEGO_CA_SERVER_NAME: "acme.${SERVER_HOST:?err}"
+      LEGO_CA_SERVER_NAME: "step-ca"
     networks:
       traefik_network:
         aliases:
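Review bot: `--providers.docker.network=traefik-net` stays hard-coded while this commit makes the network name `${TRAEFIK_NETWORK_NAME:?err}` (set to `traefik_network` in the env files), so the Docker provider's default network presumably names a network that does not exist. `--providers.docker.network=${TRAEFIK_NETWORK_NAME:?err}` would keep them aligned. The new `--certificatesresolvers.myresolver.acme.certificatesduration=24` is expressed in hours, which deserves a line in the project documentation because it makes Traefik depend on `step-ca` being reachable every day for renewal. The `command:` list starts above the hunk.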
@@ -45,5 +46,5 @@ volumes:
   
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: false
diff --git a/git/traefik/docker-compose-certs.yaml b/git/traefik/docker-compose-certs.yaml
index 917ef479ca8f7ea0b22515b5e93158a33de32a56..a77dcd1dfbec80ac50045f4caf32450112e6ae64 100755
--- a/git/traefik/docker-compose-certs.yaml
+++ b/git/traefik/docker-compose-certs.yaml
@@ -1,7 +1,7 @@
 services:
   ## Common structure
   traefik:
-    image: traefik:v2.5.2
+    image: traefik:v2.6.0
     restart: always
     hostname: ${SERVER_HOST}
     command: 
@@ -13,12 +13,12 @@ services:
       --providers.docker=true
       --providers.docker.constraints="${TRAEFIK_CONSTRAINTS}"
       --providers.docker.exposedbydefault=false
-      --entrypoints.web.address=:80
-      --entrypoints.websecure.address=:${HTTPS_PORT:?err}
-      --entrypoints.websecure.http.tls=true
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.address=:80
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.address=:${HTTPS_PORT:?err}
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls=true
       # --log.level=DEBUG
     volumes:
-      - ./${TRAEFIK_BASE_PATH}data/traefik:/data
+      - ./${TRAEFIK_CONFIG_PATH}data/traefik/certs:/data
       - /var/run/docker.sock:/var/run/docker.sock
     networks:
       traefik_network:
@@ -27,5 +27,5 @@ services:
 
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: false
diff --git a/git/traefik/docker-compose-dev-auth.yaml b/git/traefik/docker-compose-dev-auth.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1dbc4458b3fdd4012a44e424e4d755dd3c26f69b
--- /dev/null
+++ b/git/traefik/docker-compose-dev-auth.yaml
@@ -0,0 +1,6 @@
+services:
+  ## Common structure
+  traefik:
+    labels:
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-dashboard-api.middlewares=${COMPOSE_PROJECT_NAME:?err}-dashboard-api-auth"
+      - "traefik.http.middlewares.${COMPOSE_PROJECT_NAME:?err}-dashboard-api-auth.basicauth.users=${ADMIN_USER_PASSWORD_HASH:?err}"
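Review bot: The basic-auth entry is passed through a container label, so the `user:hash` value of `ADMIN_USER_PASSWORD_HASH` is readable by anyone who can inspect the container through the Docker API. `basicauth.usersfile` pointing at a read-only mounted file would keep it out of the labels. If the label stays, a header comment should say the variable must hold an htpasswd-style `user:hash` entry and that `$` characters in the hash can be mangled by interpolation unless quoted or escaped. None of the `.env` files visible in this diff define the variable, so `:?err` will stop any stack that includes this file until it is set.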
diff --git a/git/traefik/docker-compose-dev.yaml b/git/traefik/docker-compose-dev.yaml
index 4a405b888fba5b29fa249c01bb6d9194d159f4a1..2be03a434861e52735bda13ab5a742928e3a8f2a 100755
--- a/git/traefik/docker-compose-dev.yaml
+++ b/git/traefik/docker-compose-dev.yaml
@@ -1,17 +1,15 @@
 services:
   ## Common structure
   traefik:
-    environment:
-      - ENABLE_LOG=true
     networks:
       traefik_network:
         aliases:
           - traefik.${SERVER_HOST}
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=traefik_network"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
       # this enables access to the API and the dashboard
-      - "traefik.http.services.frontend.loadbalancer.server.port=8080"
-      - "traefik.http.routers.dashboard-catchall.rule=Host(`traefik.${SERVER_HOST:?err}`)"
-      - "traefik.http.routers.dashboard-catchall.entrypoints=websecure"
-      - "traefik.http.routers.dashboard-catchall.service=api@internal"
+      # - "traefik.http.services.${COMPOSE_PROJECT_NAME:?err}-frontend.loadbalancer.server.port=8080"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-dashboard-api.rule=Host(`traefik.${SERVER_HOST:?err}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-dashboard-api.entrypoints=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-dashboard-api.service=api@internal"
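Review bot: The `${COMPOSE_PROJECT_NAME}-dashboard-api` router publishes `api@internal` on `traefik.${SERVER_HOST}` with no middleware in this file; authentication is attached only when `docker-compose-dev-auth.yaml` is also listed in `COMPOSE_FILE`. The `COMPOSE_FILE` line visible just before `.env.selfsigned` in this diff lists `docker-compose-dev.yaml` without it, which would leave the dashboard and API reachable without credentials. I would move the two auth labels into this file, or at least add a comment above the router labels such as `# requires docker-compose-dev-auth.yaml; without it the dashboard is unauthenticated`.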
diff --git a/git/traefik/docker-compose-redirect-ca.yaml b/git/traefik/docker-compose-redirect-ca.yaml
index 063a66e9780ea2f970141120abdb0d651e3ca1e7..0c71fa0453df6ab52fdf089e46473d149ceb0c1a 100755
--- a/git/traefik/docker-compose-redirect-ca.yaml
+++ b/git/traefik/docker-compose-redirect-ca.yaml
@@ -2,12 +2,11 @@ services:
   traefik:
     labels:
       - "traefik.enable=true"
-      - "traefik.docker.network=traefik_network"
-      - "traefik.http.routers.ca-catchall.rule=Host(`traefik.${SERVER_HOST:?err}`) && (PathPrefix(`/ca`))"
-      - "traefik.http.routers.ca-catchall.entryPoints=websecure"
-      - "traefik.http.routers.ca-catchall.service=ca-gitlab"
-      - "traefik.http.routers.ca-catchall.tls=true"
-      - "traefik.http.routers.ca-catchall.middlewares=ca-redirectregex"
-      - "traefik.http.middlewares.ca-redirectregex.redirectRegex.regex=^(.*)/ca$$"
-      - "traefik.http.middlewares.ca-redirectregex.redirectRegex.replacement=https://git.code.tecnalia.com/smartdatalab/ca"
-      - "traefik.http.services.ca-gitlab.loadbalancer.server.url=https://git.code.tecnalia.com/"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-ca-redirect.rule=Host(`ca.${SERVER_HOST:?err}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-ca-redirect.entryPoints=${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-ca-redirect.service=${COMPOSE_PROJECT_NAME:?err}-ca-gitlab"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME:?err}-ca-redirect.middlewares=${COMPOSE_PROJECT_NAME:?err}-ca-redirectregex"
+      - "traefik.http.middlewares.${COMPOSE_PROJECT_NAME:?err}-ca-redirectregex.redirectRegex.regex=^(.*)$$"
+      - "traefik.http.middlewares.${COMPOSE_PROJECT_NAME:?err}-ca-redirectregex.redirectRegex.replacement=https://git.code.tecnalia.com/smartdatalab/public/ca"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME:?err}-ca-gitlab.loadbalancer.server.url=https://git.code.tecnalia.com/"
diff --git a/git/traefik/docker-compose-redirect-http.yaml b/git/traefik/docker-compose-redirect-http.yaml
index ec0a3405061850f1d2145965c9897e2cf6dc75f6..d54e3ea85fa204fec29d91c6b30b23930b8d1acd 100755
--- a/git/traefik/docker-compose-redirect-http.yaml
+++ b/git/traefik/docker-compose-redirect-http.yaml
@@ -8,6 +8,6 @@ services:
       - "traefik.http.routers.http-catchall.service=api@internal"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
       - "traefik.http.middlewares.redirect-to-https.redirectscheme.port=${HTTPS_PORT:?err}"
-      - "traefik.docker.network=traefik_network"
+      - "traefik.docker.network=${TRAEFIK_NETWORK_NAME:?err}"
     ports:
       - 80:80
diff --git a/git/traefik/docker-compose-selfsigned.yaml b/git/traefik/docker-compose-selfsigned.yaml
index 2f72d0dc361dde9363e8f8a23468d71e87ade2ee..76da7ecbc792365db034f2feb2fd14877fb3bb0f 100755
--- a/git/traefik/docker-compose-selfsigned.yaml
+++ b/git/traefik/docker-compose-selfsigned.yaml
@@ -1,7 +1,7 @@
 services:
   ## Common structure
   traefik:
-    image: traefik:v2.5.2
+    image: traefik:v2.6.0
     restart: always
     hostname: ${SERVER_HOST}
     command: 
@@ -12,9 +12,9 @@ services:
       --providers.docker=true
       --providers.docker.constraints="${TRAEFIK_CONSTRAINTS}"
       --providers.docker.exposedbydefault=false
-      --entrypoints.web.address=:80
-      --entrypoints.websecure.address=:${HTTPS_PORT:?err}
-      --entrypoints.websecure.http.tls=true
+      --entrypoints.${TRAEFIK_HTTP_ENTRYPOINT_NAME:?err}.address=:80
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.address=:${HTTPS_PORT:?err}
+      --entrypoints.${TRAEFIK_HTTPS_ENTRYPOINT_NAME:?err}.http.tls=true
       # --log.level=DEBUG
     volumes:
     - /var/run/docker.sock:/var/run/docker.sock
@@ -25,5 +25,5 @@ services:
 
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: false
diff --git a/git/traefik/docker-compose-tecnalia-selfsigned.yaml b/git/traefik/docker-compose-tecnalia-selfsigned.yaml
index d0c3d7c8d173d56ccf5100c82d1b26915ca95649..142e55bb02fa5e64d952daa639bbe974e25088e9 100755
--- a/git/traefik/docker-compose-tecnalia-selfsigned.yaml
+++ b/git/traefik/docker-compose-tecnalia-selfsigned.yaml
@@ -25,5 +25,5 @@ services:
 
 networks:
   traefik_network:
-    name: traefik_network
+    name: ${TRAEFIK_NETWORK_NAME:?err}
     external: false