5.2.2 Implemented controls to adequately address each of the defined security risks
The repository shall have implemented controls to adequately address each of the defined security risks.
This is necessary in order to ensure that controls are in place to meet the security needs of the repository.
Repository employs the codes of practice found in the ISO 27000 series of standards; system control list; risk, threat, or control analyses; and addition of controls based on ongoing risk detection and assessment. Repository maintains ISO 17799 certification.
The repository should show how it has dealt with its security requirements. If some types of material are more likely to be attacked, the repository will need to provide more protection, for instance. Repositories that have experienced incidents could record such instances, including the times when systems or content were affected and describe procedures that have been put in place to prevent similar occurrences in the future. Repositories may also conduct a variety of disaster drills that may involve their parent organization or the community at large. Contingency plans are especially important and need to be tested, updated, and revised on a regular basis.
AWS Shared Responsibility Model discussion.
AWS meets ISO 27001 standards. ISO certificate: AWS
Wasabi meets ISO 27001 standards.
“Wasabi is deployed in top tier data centers certified for SOC 2, ISO 27001 and PCI-DSS. Copies of SOC 2 or ISO 27001 reports for data centers can be obtained by requesting them here.”
Threat model and mitigations are documented here: Risk Management, Threats, and Mitigations
Updates to the Risk Management files are underway. IAM roles define specific authority and assignments. New risk management documentation is being created; reference it as it is generated.