Bug 1917046 (Open): opened 18 days ago, updated 4 days ago

NETLOCK: Findings in 2024 Audit - initial report

Category: CA Program :: CA Certificate Compliance (task)
Tracking: Not tracked
Status: ASSIGNED
Reporter: nagy.nikolett; Assigned: nagy.nikolett
Whiteboard: [ca-compliance] [audit-finding]

Initial Audit Incident Report

We are filing an initial report for the findings of the 2024 Webroot audit of NETLOCK. We will post the full report in the next two weeks.

For all non-conformities, remediation has been scheduled within three months (28/11/2024) after the onsite audit at the latest and will be covered by a corresponding audit.

Finding #1

7.3.2 Assets inventory and classification: The TSP's asset inventory (Adapto) contains the personal information assets; however, it needs to contain the other information assets of the company. [REQ7.3.2.01X] The TSP maintains its asset inventory in Adapto (information assets) and SnipeIT (physical assets: HSM, PC, mobile devices, etc.); however, the inventories do not contain the following information about the assets: e) the asset type (e.g. software, hardware, services, facilities, HVAC systems, personnel, physical records); g) the date and version of the asset's last update or patch; h) the classification level of the asset; i) the asset's end of life; and they are not fully consistent with each other. [REQ-7.3.2.02X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #2

7.11.2 Backup: The TSP regularly does backup restore tests with a documented procedure; however, the test report does not contain the following information: OID of the applicable policy for the restore test, the restored file ID, time. [REQ-7.11.2-04X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #3

7.11.3 Crisis management: The TSP has a process for crisis management, which has been reviewed recently; it needs to be updated, and the documentation has to be updated accordingly. [REQ-7.11.3.-01X] The crisis management plan has not been tested yet. [REQ-7.11.3-03X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #4

7.14 Supply chain: The TSP's evaluation process is the evaluation process of the owner group's companies, which does not contain an evaluation of the cybersecurity requirements. The TSP shall make a supply chain evaluation process of its own which contains the evaluation of the suppliers' cybersecurity conformity. [REQ-7.14.1-01X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28
Assignee: nobody → nagy.nikolett
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Incident Report

We are filing a full report for the findings of the 2024 Webroot audit of NETLOCK.

Summary

NETLOCK had its Webroot audit period from 14/06/2024 to 26/07/2024 (remote) and from 13/08/2024 to 15/08/2024 (on site).
For all non-conformities, remediation has been scheduled within three months (28/11/2024) after the onsite audit at the latest, and the solutions will be covered by a corresponding audit.

Finding #1

7.3.2 Assets inventory and classification - The TSP's asset inventory (Adapto) contains the personal information assets; however, it needs to contain the other information assets of the company. [REQ7.3.2.01X] The TSP maintains its asset inventory in Adapto (information assets) and SnipeIT (physical assets: HSM, PC, mobile devices, etc.); however, the inventories do not contain the following information about the assets: e) the asset type (e.g. software, hardware, services, facilities, HVAC systems, personnel, physical records); g) the date and version of the asset's last update or patch; h) the classification level of the asset; i) the asset's end of life; and they are not fully consistent with each other. [REQ-7.3.2.02X]

Root Cause Analysis

NETLOCK conducted an audit process, including the review of changes to the Standards requirements.
The risk management system needs to be expanded to include all relevant asset characteristics data in one IT system. The practice beforehand for the TSP was to store information in several systems.

Action Items

Action Item | Kind | Due Date
Adapto risk management system update with the type of devices | Mitigate | 2024-09-30
Adapto risk management system update with the date and version number of the last update of the devices | Mitigate | 2024-10-31
Adapto risk management system update with the corresponding level of qualification | Mitigate | 2024-10-20
Adapto risk management system update with the end of life of the asset | Mitigate | 2024-11-10
Adapto risk management system check for the changes made | Prevent | 2024-11-15

Finding #2

7.11.2 Backup - The TSP regularly does backup restore tests with the documented procedure; however, the test report does not contain the following information: OID of the applicable policy for the restore test, the restored file ID, time. [REQ-7.11.2-04X]

Root Cause Analysis

Documentation is needed for the backup restore test used by the TSP in order to achieve an accurate identification and change management process, because until now the document has not been created in accordance with the established policy development process.

Action Items

Action Item | Kind | Due Date
The backup restore test document will be modified and updated with the restored file ID | Mitigate | 2024-09-30

Finding #3

7.11.3 Crisis management - The TSP has a process for crisis management, which has been reviewed recently; it needs to be updated, and the documentation has to be updated accordingly. [REQ-7.11.3.-01X] The crisis management plan has not been tested yet. [REQ-7.11.3-03X]

Root Cause Analysis

The incident management and crisis management processes have not been clearly separated by the TSP up to this date, because the processes have been managed together. In order to ensure a more effective incident and crisis management procedure in the future, and to comply with WebPKI and our trust service obligations, the TSP is revisiting the entire process and clarifying the existing documentation.

Action Items

Action Item | Kind | Due Date
Clarification and supplementation of the existing documentation | Mitigate | 2024-10-20
Crisis management test | Prevent | 2024-11-10

Finding #4

7.14 Supply chain - The TSP's evaluation process is the evaluation process of the owner group's companies, which does not contain an evaluation of the cybersecurity requirements. The TSP shall make a supply chain evaluation process of its own which contains the evaluation of the suppliers' cybersecurity conformity. [REQ-7.14.1-01X]

Root Cause Analysis

Due to the rapidly changing European legislation, the TSP needs to carry out an extended cybersecurity assessment to be able to address the issues more extensively and safely, and to conduct its future investigations with the appropriate level of effectiveness.

Action Items

Action Item | Kind | Due Date
Including the cybersecurity requirements into the TSP's evaluation process | Mitigate | 2024-10-31
Creation and documentation of the evaluation process | Mitigate | 2024-11-15
Self-assessment audit | Prevent | 2024-11-20
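Finding #1 turns on two checks an auditor can actually run against inventory exports: does every record carry the attributes the requirement lists (asset type, date and version of the last patch, classification level, end of life), and do the two inventories agree where they overlap? The following script is an added example, not NETLOCK's or the auditor's code, and it assumes nothing about Adapto or SnipeIT beyond that each can be exported as a list of records keyed by a shared asset id. The field names, the sample records and the reference date are all constructed for illustration.

```python
"""Asset inventory completeness and cross-consistency check (added example)."""
from datetime import date

# Attributes the finding lists as missing (items e, g, h, i). Field names are
# assumptions for this example; map them to the real export columns.
REQUIRED_FIELDS = ("asset_type", "last_patch_date", "last_patch_version",
                   "classification", "end_of_life")

# Asset types from the requirement's own list (item e), normalised to one word.
ALLOWED_TYPES = {"software", "hardware", "service", "facility", "hvac",
                 "personnel", "physical_record"}

# Constructed reference date for the end-of-life check.
TODAY = date(2024, 9, 5)

# Constructed sample exports: one information-asset inventory, one physical-asset
# inventory. Ids and values are made up; "HSM-01" deliberately disagrees on the
# patch version, "MOB-07" is past end of life and missing from the first export.
ADAPTO = [
    {"asset_id": "HSM-01", "asset_type": "hardware", "last_patch_date": "2024-05-02",
     "last_patch_version": "7.2.1", "classification": "confidential", "end_of_life": "2027-12-31"},
    {"asset_id": "WS-014", "asset_type": "hardware", "last_patch_date": "",
     "last_patch_version": "", "classification": "internal", "end_of_life": "2026-06-30"},
    {"asset_id": "SVC-CRL", "asset_type": "service", "last_patch_date": "2024-08-10",
     "last_patch_version": "3.4", "classification": "", "end_of_life": "2029-01-01"},
]
SNIPEIT = [
    {"asset_id": "HSM-01", "asset_type": "hardware", "last_patch_date": "2024-05-02",
     "last_patch_version": "7.2.0", "classification": "confidential", "end_of_life": "2027-12-31"},
    {"asset_id": "WS-014", "asset_type": "hardware", "last_patch_date": "",
     "last_patch_version": "", "classification": "internal", "end_of_life": "2026-06-30"},
    {"asset_id": "MOB-07", "asset_type": "hardware", "last_patch_date": "2023-11-20",
     "last_patch_version": "17.1", "classification": "internal", "end_of_life": "2024-01-31"},
]


def check_record(record, today):
    """Return the list of problems for one record; an empty list means it passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            problems.append(f"missing {field}")
    asset_type = record.get("asset_type")
    if asset_type and asset_type not in ALLOWED_TYPES:
        problems.append(f"unknown asset_type {asset_type!r}")
    eol = record.get("end_of_life")
    if eol and date.fromisoformat(eol) < today:
        # An asset still in the inventory after its end of life needs a decision
        # (replace, extend, or retire), so it is flagged rather than ignored.
        problems.append(f"past end_of_life ({eol})")
    return problems


def check_inventory(records, today):
    """Map asset_id -> problems, listing only the records that have any."""
    findings = {}
    for record in records:
        problems = check_record(record, today)
        if problems:
            findings[record["asset_id"]] = problems
    return findings


def cross_check(inv_a, inv_b):
    """Compare two exports: ids present in only one, and field-level disagreements."""
    by_a = {r["asset_id"]: r for r in inv_a}
    by_b = {r["asset_id"]: r for r in inv_b}
    mismatches = []
    for asset_id in sorted(set(by_a) & set(by_b)):
        for field in REQUIRED_FIELDS:
            value_a = by_a[asset_id].get(field, "")
            value_b = by_b[asset_id].get(field, "")
            if value_a != value_b:
                mismatches.append((asset_id, field, value_a, value_b))
    return {
        "only_in_a": sorted(set(by_a) - set(by_b)),
        "only_in_b": sorted(set(by_b) - set(by_a)),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    for name, inventory in (("Adapto", ADAPTO), ("SnipeIT", SNIPEIT)):
        for asset_id, problems in check_inventory(inventory, TODAY).items():
            print(f"{name}: {asset_id}: {'; '.join(problems)}")
    result = cross_check(ADAPTO, SNIPEIT)
    print("only in Adapto:", result["only_in_a"])
    print("only in SnipeIT:", result["only_in_b"])
    for asset_id, field, value_a, value_b in result["mismatches"]:
        print(f"mismatch {asset_id}.{field}: Adapto={value_a!r} SnipeIT={value_b!r}")
```

Run as-is it reports the two incomplete records, the expired mobile device, the service asset that exists only on the information-asset side, and the HSM whose patch version differs between the two systems. Whether an id appearing in only one export is a defect depends on the inventories' intended scope (SnipeIT holds physical assets only), so the script reports both directions and leaves that judgement to the reviewer; the field-level mismatch list is the part that speaks directly to "not fully consistent with each other".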