Closed Bug 1917046 Opened 1 year ago Closed 10 months ago

NETLOCK: Findings in 2024 Audit

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nagy.nikolett, Assigned: nagy.nikolett)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Initial Audit Incident Report

We are filing an initial report for the findings of the 2024 Webroot audit of NETLOCK. We will post the full report in the next two weeks.

For all non-conformities, remediation has been scheduled within three months (28/11/2024) after the onsite audit at latest and will be covered by a corresponding audit.

Finding #1

7.3.2 Assets inventory and classification The TSP’s asset inventory (Adapto) contains the personal information assets; however, it needs to contain the other information assets of the company. [REQ7.3.2.01X] The TSP maintains its asset inventory in Adapto (information assets) and SnipeIT (physical assets: HSM, PC, mobile devices, etc.); however, the inventories do not contain the following information about the assets: e) the asset type (e.g. software, hardware, services, facilities, HVAC systems, personnel, physical records); g) the date and version of the asset's last update or patch; h) the classification level of the asset; i) the asset's end of life. They are also not fully consistent with each other. [REQ-7.3.2.02X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #2

7.11.2 Backup The TSP regularly does backup restore tests with a documented procedure; however, the test report does not contain the following information: OID of the applicable policy for the restore test, the restored file ID, time. [REQ-7.11.2-04X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #3

7.11.3 Crisis management The TSP has a process for crisis management, which has been reviewed recently; it needs to be updated and the update has to be reflected in the documentation. [REQ-7.11.3.-01X] The crisis management plan has not been tested yet. [REQ-7.11.3-03X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28

Finding #4

7.14 Supply chain The TSP’s evaluation process is the owner group companies' evaluation process, which does not contain an evaluation of the cybersecurity requirements. The TSP shall make a supply chain evaluation process of its own which contains the evaluation of the suppliers' cybersecurity conformity. [REQ-7.14.1-01X]

Root Cause Analysis

Action Items

Action Item | Kind | Due Date
Example | Prevent | 2024-11-28
Assignee: nobody → nagy.nikolett
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Incident Report

We are filing a full report for the findings of the 2024 Webroot audit of NETLOCK.

Summary

NETLOCK had its Webroot audit period from 14/06/2024 to 26/07/2024 (remote) and from 13/08/2024 to 15/08/2024 (on site).
For all non-conformities, remediation has been scheduled within three months (28/11/2024) after the onsite audit at latest, and the solutions will be covered by a corresponding audit.

Finding #1

7.3.2 Assets inventory and classification - The TSP’s asset inventory (Adapto) contains the personal information assets; however, it needs to contain the other information assets of the company. [REQ7.3.2.01X] The TSP maintains its asset inventory in Adapto (information assets) and SnipeIT (physical assets: HSM, PC, mobile devices, etc.); however, the inventories do not contain the following information about the assets: e) the asset type (e.g. software, hardware, services, facilities, HVAC systems, personnel, physical records); g) the date and version of the asset's last update or patch; h) the classification level of the asset; i) the asset's end of life. They are also not fully consistent with each other. [REQ-7.3.2.02X]

Root Cause Analysis

NETLOCK conducted an audit process, including the review of changes to the Standards requirements.
The risk management system needs to be expanded to include all relevant asset characteristics data in one IT system. The practice beforehand for the TSP was to store information in several systems.

Action Items

Action Item | Kind | Due Date
Adapto risk management system update with the type of devices | Mitigate | 2024-09-30
Adapto risk management system update with the date and version number of the last update of the devices | Mitigate | 2024-10-31
Adapto risk management system update with the corresponding level of qualification | Mitigate | 2024-10-20
Adapto risk management system update with the end of life of the asset | Mitigate | 2024-11-10
Adapto risk management system check for the changes made | Prevent | 2024-11-15

Finding #2

7.11.2 Backup - The TSP regularly does backup restore tests with the documented procedure; however, the test report does not contain the following information: OID of the applicable policy for the restore test, the restored file ID, time. [REQ-7.11.2-04X]

Root Cause Analysis

Documentation is needed for the backup restore test used by the TSP in order to achieve an accurate identification and change management process, because until now the document had not been created in accordance with the established policy development process.

Action Items

Action Item | Kind | Due Date
The backup restore test document will be modified and updated with the restored file ID | Mitigate | 2024-09-30

Finding #3

7.11.3 Crisis management - The TSP has a process for crisis management, which has been reviewed recently; it needs to be updated and the update has to be reflected in the documentation. [REQ-7.11.3.-01X] The crisis management plan has not been tested yet. [REQ-7.11.3-03X]

Root Cause Analysis

The incident management and crisis management processes have not been clearly separated by the TSP up to this date, because the processes have been managed together. In order to ensure a more effective incident and crisis management procedure in the future, and to comply with the WebPKI and our trust service obligations, the TSP is revisiting the entire process and clarifying the existing documentation.

Action Items

Action Item | Kind | Due Date
Clarification and supplementation of the existing documentation | Mitigate | 2024-10-20
Crisis management test | Prevent | 2024-11-10

Finding #4

7.14 Supply chain - The TSP’s evaluation process is the owner group companies' evaluation process, which does not contain an evaluation of the cybersecurity requirements. The TSP shall make a supply chain evaluation process of its own which contains the evaluation of the suppliers' cybersecurity conformity. [REQ-7.14.1-01X]

Root Cause Analysis

Due to the rapidly changing European legislation, the TSP needs to carry out an extended cybersecurity assessment to be able to address the issues more extensively and safely, and to conduct its future investigations with the appropriate level of effectiveness.

Action Items

Action Item | Kind | Due Date
Including the cybersecurity requirements into TSP’s evaluation process | Mitigate | 2024-10-31
Creation and documentation of the evaluation process | Mitigate | 2024-11-15
Self Assessment audit | Prevent | 2024-11-20
Summary: NETLOCK: Findings in 2024 Audit - initial report → NETLOCK: Findings in 2024 Audit

Please provide updates for this bug.

Flags: needinfo?(nagy.nikolett)

Hello Everyone, we are sorry for the delay.
Here are our updated action items:

Action Items

Action Item | Kind | Due Date | Status
Adapto risk management system update with the type of devices | Mitigate | 2024-09-30 | Done
Adapto risk management system update with the date and version number of the last update of the devices | Mitigate | 2024-10-31 | Done
Adapto risk management system update with the corresponding level of qualification | Mitigate | 2024-10-20 | Done
Adapto risk management system update with the end of life of the asset | Mitigate | 2024-11-10 | Done
Adapto risk management system check for the changes made | Prevent | 2024-11-15 | Done

In addition to regular risk management training, our colleagues have also received Adapto-specific training on how to use the software.

Action Item | Kind | Due Date | Status
The backup restore test document will be modified and updated with the restored file ID | Mitigate | 2024-09-30 | Done

We updated the document details with the right Organisation ID number.

Action Item | Kind | Due Date | Status
Clarification and supplementation of the existing documentation | Mitigate | 2024-10-20 | Done
Crisis management test | Prevent | 2024-11-10 | Done

The documentation has been updated, and the crisis management test has been performed successfully.

Action Item | Kind | Due Date | Status
Including the cybersecurity requirements into TSP’s evaluation process | Mitigate | 2024-10-31 | Done
Creation and documentation of the evaluation process | Mitigate | 2024-11-15 | Done
Self Assessment audit | Prevent | 2024-11-20 | Done

We would like to ask for the ticket to be closed.
If we need to upload the self-assessment audit document, please let us know and we will be uploading it to this ticket.

Flags: needinfo?(nagy.nikolett)

Please provide a Closure Summary.

A Closure Summary should briefly:

  • describe the incident, its root cause(s), and remediation;
  • summarize any ongoing commitments made in response to the incident; and
  • attest that all Action Items have been completed.

Here is a markdown template if needed:

Incident Report Closure Summary

  • Incident Description: [Two or three sentences summarizing the incident.]
  • Incident Root Cause(s): [Two or three sentences summarizing the root cause(s).]
  • Remediation Description: [Two or three sentences summarizing the incident's remediation.]
  • Commitment Summary: [A few sentences summarizing ongoing commitments made in response to this incident.]

"All Action Items disclosed in this Incident Report have been completed as described, and we request its closure."

Flags: needinfo?(nagy.nikolett)

There's an expectation of weekly status updates to all non-closed incidents.
There have not been recent updates to Bug #1904041, Bug #1905509, Bug #1947691, Bug #1917046.
In similar cases, the lack of updates is itself cause to file a separate incident report.

Bug #1957474 has been opened.

Dear Members,

Thank you very much for the patience and for the new bug :)
You can read our closing summary below.

Incident description:
During the 2024 Webroot Audit, the auditor identified 4 types of findings, which concerned Asset Inventory, Backup, Crisis Management and Supply chain evaluation. For asset inventory, the software used for documentation did not include: the asset type; the date and version of the asset's last update or patch; the classification level of the asset; the asset's end of life. In relation to the back-up, it was found that the test report does not contain the following information: OID of the applicable policy for the restore test, the restored file ID, time. On crisis management, it was identified that the process for crisis management needs to be updated, the documentation has to be updated accordingly, and the crisis management plan has not been tested yet. It was found that the supply chain evaluation process does not contain cybersecurity requirements.

The root cause(s) of the incident:
Not enough attention has been paid to the full extension of the risk management system and the full use of the existing possibilities.
We did not pay sufficient attention to ensuring that the backup restore test report contained all the data required by the standard; the tests were performed, but the documentation was not complete.
We have prepared our crisis management plan and renewed our intervals, but no real testing has taken place.
Our vendors were tested to the owner's expectations, but cybersecurity conformity was not addressed in the documentation as expected by the industry standard.

Commitment Summary:
The speed of technological development means that standard requirements are changing rapidly. TSPs need to adapt quickly to the changing environment. The TSP has committed itself to placing greater emphasis on proper documentation to demonstrate its commitment to compliance and to taking more seriously the testing of its plans in a realistic environment to demonstrate the timeliness of its measures.
All action items in this report have been completed as described and we are requesting closure of this report.

Thank you

(In reply to Dorottya from comment #7)
Hi Ben,
we have uploaded the Closure Summary you requested. We would like to ask for the ticket to be closed.

Flags: needinfo?(nagy.nikolett)

Thanks.
I will close this on or about Friday, 18-April-2025, unless additional discussion is needed.
Ben

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED