Gradient

Platinum Label Requirements

ID
Question
1.1

Please describe your rules and regulations (e.g. information security guidelines, policies, etc.) and the extent to which they address the security objectives of your network and information systems (including implementation measures), are known to all employees, and have been formally approved by top management.

1.2

Please describe your roles and responsibilities for information security and whether a person is directly responsible to the top management with regards to network and information systems security.

2.1

Please describe your information security risk management system and the extent to which it is integrated into the overall risk management of the organisation and identifies, assesses and appropriately addresses all information security risks relevant to the organisation.

2.2

Please describe whether and how you regularly review compliance with your information security concepts, policies and guidelines and whether you report the results to your top management. 

2.3

Please describe whether and how you regularly arrange for independent reviews of your approach to managing the security of network and information systems and its implementation, and report the results to your top management.

3.1

Please describe your concept or process for recognising, analysing and managing security incidents, the associated responsibilities, and how you test and update this at regular intervals.

3.2

Please describe what logging measures are in place in your systems, what events they cover, and whether and how you monitor them on an ongoing basis. Please also provide information on the retention period of the logs.

3.3

Please describe the mechanism by which suspicious events can be reported to you and to what extent providers and customers are informed about this reporting mechanism.

3.4

Please describe your mechanism for evaluating and classifying events.

3.5

Please describe how you respond to security incidents in a timely manner, document your response and follow your own security incident procedures as described in 3.1.

3.6

Please describe whether and how you conduct a review after security incidents, analysing the causes of the incident and the appropriateness of your response and, if necessary, deriving improvements for the future.

4.1

Please describe your business continuity and disaster recovery plan and how it is based on a scenario analysis and a business impact analysis (BIA) and is regularly tested and updated.

4.2

Please describe your backup and redundancy concept that enables you to achieve the recovery times required according to the risk analysis and how you test its effectiveness.

4.3

Please describe your crisis management, including appropriate roles and responsibilities and means of communication, and the extent to which this is regularly tested and updated.

5.1

Please describe your supply chain security policy or process and the extent to which it checks the quality and resilience of ICT products and services in the area of cyber security at your direct suppliers on the basis of a risk assessment and also contractually requires this.

5.2

Please describe your register of providers and service providers and to what extent this includes all ICT products, services and processes.

6.1

Please describe your procedure for ensuring appropriate security measures when purchasing ICT services or ICT products, including defined security requirements.

6.2

Please describe your requirements and associated process for secure software development, and how this covers all phases of development, including specification, design, development, implementation and testing.

6.3

Please describe your configuration management and the extent to which it defines, documents, implements and monitors security configurations of hardware, software, services and networks.

6.4

Please describe your change management and the extent to which it checks planned and unplanned changes (emergency changes) to the network and information systems for risks before they are implemented.

6.5

Please describe your specifications and procedures for security testing, to what extent these are based on a risk assessment (in accordance with 2.1) and whether, if applicable, risk minimisation measures are applied.

6.6

Please describe your security patch management and the extent to which it ensures the application of security patches within a reasonable period of time.

6.7

Please describe your network security measures and the extent to which they limit communication within your network and access from outside to the necessary minimum and also ensure integrity and confidentiality at network level.

6.8

Please describe how you have implemented network segmentation and the extent to which this appropriately separates systems with different security requirements.

6.9a

Please describe how you use software to detect and prevent malware.

6.9b

Please describe how you use software to detect and prevent unauthorised software.

6.10

Please describe your procedures for detecting, assessing and addressing vulnerabilities.

7.1

Please describe your procedures for assessing the effectiveness of risk management measures in the area of cyber security.

8.1

Please describe your awareness-raising measures and how they ensure that your employees, including members of top management, are aware of cybersecurity risks and apply basic cyber hygiene procedures.

8.2

Please describe whether and to what extent you provide role-specific security training that covers all security-related skills and expertise required for the respective role.

9.1

Please describe your concepts and procedures in relation to cryptography and how these define the type, strength and quality of cryptographic measures and key management.

10.1

Please describe how you ensure that your employees and, where applicable, your direct suppliers and service providers understand and fulfil their responsibilities according to their roles in the area of security.

10.2

Please describe if and how you conduct background checks on your employees if this is necessary for their role.

10.3

Please describe your contractual arrangements with your employees regarding security and confidentiality and whether these remain valid after termination of employment or contract.

10.4

Please describe if and what procedures you have in place for dealing with breaches of network and information system security concepts.

11.1

Please describe your concept for the logical and physical control of access to your network and information systems for all persons and how it provides for appropriate authentication.

11.2

Please describe whether and to what extent you have a documented and logged management of access rights, which only grants and withdraws rights according to "need-to-know" and "need-to-use".

11.3

Please describe your concept for the management of privileged accounts and system administration accounts, which defines and restricts system administration rights as far as possible on an individual basis and provides for strong authentication procedures (e.g. multi-factor authentication).

11.4

Please describe whether you use system administration systems exclusively for the purposes of system administration and how you protect access to them through authentication and encryption.

11.5

Please describe whether and to what extent you manage identities throughout their lifecycle and ensure that each identifier is always linked to a unique user or, in the case of (absolutely necessary) shared identifiers, that authorisation and traceability of use is guaranteed.

11.6

Please describe which secure authentication methods you use and to what extent these authentication methods are appropriate to the criticality of the accessed assets.

11.7

Please describe whether and to what extent you use multi-factor authentication, if appropriate to the criticality of the assets accessed.

12.1

Please describe how you perform an ongoing asset classification that specifies the protection required for all assets based on confidentiality, integrity, authenticity and availability requirements according to their criticality and risk.

12.2

Please describe your approach to the proper treatment of assets (including information) throughout their lifecycle (including acquisition, use, storage, transport and disposal), based on the classification of assets.

12.3

Please describe your concept for the management of removable media with regard to security.

12.4

Please describe how you maintain a complete, accurate, up-to-date and coherent inventory of your assets.

12.5

Please describe how you ensure the handover, return or deletion of assets upon termination of employment in a documented manner.

13.1

Please describe your concept and measures to prevent interruptions to your operations due to the failure or disruption of supporting utility services such as electricity and telecommunications and the extent to which you regularly test them.

13.2

Please describe your concept for protection against physical and environmental threats and the extent to which you regularly test it.

13.3

Please describe whether and to what extent you protect your perimeter and take suitable measures to prevent unauthorised physical access to, damage to and interference with your network and information systems and to what extent you regularly test these protective measures.