Differences

This shows you the differences between two versions of the page.

pub:trust_center:controls [15.06.2025 22:05] – [Table] Predrag Tasevski
pub:trust_center:controls [15.06.2025 22:09] (current) – [Table] Predrag Tasevski
Line 18: Line 18:
 | Business Controls  | Data handling                   | End-of-life handling logged in OpenProject. Data deletion procedures follow checklist in **Unicis Cybersecurity Controls**.                     | | Business Controls  | Data handling                   | End-of-life handling logged in OpenProject. Data deletion procedures follow checklist in **Unicis Cybersecurity Controls**.                     |
  
-| Application Design Controls | Single Sign-On (SSO) | SSO (e.g., Keycloak) enforced across platform. Self-hosted clients can connect to external IdP. | +| Application Design Controls  | Single Sign-On (SSO)               | SSO enforced across platform. Self-hosted clients can connect to external IdP.                             
-| Application Design Controls | Multi-Factor Authentication (MFA) | MFA required for all critical systems using TOTP or YubiKey. Enforced at SSO level. | +| Application Design Controls  | Multi-Factor Authentication (MFA)  | MFA required for all critical systems using TOTP or YubiKey. Enforced at SSO level.                        
-| Application Design Controls | HTTPS-only | HTTPS enforced sitewide with HSTS; Let’s Encrypt certs auto-renewed. | +| Application Design Controls  | HTTPS-only                         | HTTPS enforced sitewide with HSTS; Let’s Encrypt certs auto-renewed.                                       
-| Application Design Controls | Security Headers | CSP, X-Frame, HSTS, etc. enforced by server and app; tested on CI/CD deploys. | +| Application Design Controls  | Security Headers                   | CSP, X-Frame, HSTS, etc. enforced by server and app; tested on CI/CD deploys.                              
-| Application Design Controls | Password policy | SSO enforces 12+ character passwords; passphrases supported; Zxcvbn used. No passwords stored locally. | +| Application Design Controls  | Password policy                    | SSO enforces 12+ character passwords; passphrases supported; Bitwarden used. No passwords stored locally.  
-| Application Design Controls | Security libraries | Shared internal security modules reviewed periodically. | +| Application Design Controls  | Security libraries                 | Shared internal security modules reviewed periodically.                                                    
-| Application Design Controls | Dependency patching | Monitored via Dependabot/Renovate. Wazuh flags CVEs. Fix SLA: <72h for critical. | +| Application Design Controls  | Dependency patching                | Monitored via Dependabot/Renovate. Wazuh flags CVEs. Fix SLA: <72h for critical.                           
-| Application Design Controls | Logging | Wazuh collects auth and admin logs. Logs retained ≥180 days. Alerts forwarded to IRIS. | +| Application Design Controls  | Logging                            | Wazuh collects auth and admin logs. Logs retained ≥180 days. Alerts forwarded to IRIS.                     
-| Application Design Controls | Encryption | AES-256 at rest, TLS 1.3 in transit. Secrets handled securely; API keys scoped and rotated. |+| Application Design Controls  | Encryption                         | AES-256 at rest, TLS 1.3 in transit. Secrets handled securely; API keys scoped and rotated.                |
  
 | Application Implementation Controls | List of data | Data types (PII, etc.) documented in EspoCRM. Models versioned in Git and listed in Nextcloud. | | Application Implementation Controls | List of data | Data types (PII, etc.) documented in EspoCRM. Models versioned in Git and listed in Nextcloud. |
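Review bot: In the Password policy row, replacing "Zxcvbn used" with "Bitwarden used" changes what the control claims: zxcvbn is a password-strength estimator that the SSO can enforce at password creation, while Bitwarden is a password manager for storing credentials, so after this edit the row no longer says how strength beyond the 12-character minimum is checked. If both are in place, keep them as separate statements, for example "SSO enforces 12+ character passwords; passphrases supported; zxcvbn strength check at SSO. Bitwarden used for credential storage. No passwords stored locally." Two smaller points in the same hunk: the SSO row drops "(e.g., Keycloak)", which was the only named identity provider on the page and gave the "can connect to external IdP" sentence its context, so consider keeping the example; and as rendered here the right-hand rows from Single Sign-On through Logging end without a closing pipe character (|) while the left-hand rows have one, and DokuWiki table rows are expected to start and end with a delimiter, so confirm the page source before saving.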
Line 34: Line 34:
 | Application Implementation Controls | Build process | CI/CD pipelines enforce clean builds, no hardcoded secrets. Provenance signed and tracked. | | Application Implementation Controls | Build process | CI/CD pipelines enforce clean builds, no hardcoded secrets. Provenance signed and tracked. |
  
-| Operational Controls | Physical access | Data centers via Hetzner/Scaleway (ISO 27001). On-prem setups provided with compliance templates. | +| Operational Controls  | Physical access             | Data centers via Hetzner/Scaleway (ISO 27001). On-prem setups provided with compliance templates.                                   
-| Operational Controls | Logical access | RBAC + SSO + MFA enforced. Access reviews quarterly using **Unicis Cybersecurity Controls**. Inactive accounts deactivated by n8n. | +| Operational Controls  | Logical access              | RBAC + SSO + MFA enforced. Access reviews quarterly using **Unicis Cybersecurity Controls**. Inactive accounts deactivated by n8n.  
-| Operational Controls | Sub-processors | Public DPA maintained. Sub-processors reviewed annually and stored in Nextcloud. Linked to **Unicis Cybersecurity Controls**. | +| Operational Controls  | Sub-processors              | Public DPA maintained. Sub-processors reviewed annually and stored in Nextcloud. Linked to **Unicis Cybersecurity Controls**.       
-| Operational Controls | Backup & Disaster Recovery | Daily encrypted backups, restore tests monthly. Logged in OpenProject, tracked in audit module. |+| Operational Controls  | Backup & Disaster Recovery  Weekly encrypted backups, restore tests annually. Logged in OpenProject, tracked in audit module.                                   |
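Review bot: The new Backup & Disaster Recovery row is missing the pipe character (|) between "Backup & Disaster Recovery" and "Weekly encrypted backups", so the control name and its description merge into one cell and the row has one column fewer than every other row in the table; it should read "| Operational Controls | Backup & Disaster Recovery | Weekly encrypted backups, restore tests annually. Logged in OpenProject, tracked in audit module. |". Separately, the same line relaxes the stated commitment from daily backups with monthly restore tests to weekly backups with annual restore tests, which widens the maximum data loss window from about one day to about one week and cuts restore verification from twelve checks a year to one. On a customer-facing trust-center page that is a material change, and the revision summary shown above says only "[Table]"; if the new values reflect the real schedule, say so in the summary and check that any DPA or customer commitments that cite the old frequencies are updated, and if they were typed by mistake, restore the previous values.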