Audit date: 06 October 2021

Category Activity Scope Status of the internal audit
Product Development Environment Product Team Workstations
  • Updated Virus Protection

  • Full Disk Encrytion

  • No unauthorized access

Product Team Workstations

We have validated the notebooks of all of our 15 product team members.

Source Code Management System
  • Login access is restricted only to authorized persons

  • Only minimal permissions are granted

  • No unauthorized access

Bitbucket Cloud - META-INF

Source code management and Build system to store and build the code of our applications.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.

  • Write : Can push and merge source code modifications and trigger manual build pipelines.

  • Read : Can pull source code, read build logs and pull requests.

Repository1

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    6 Software Developer ( 1 Contractor )
    1 Product Owner

Repository2

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    6 Software Developer ( 1 Contractor )
    1 Product Owner

Repository3

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    6 Software Developer ( 1 Contractor )
    1 Product Owner

Repository4

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    6 Software Developer ( 1 Contractor )
    1 Product Owner

Repository5

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    6 Software Developer ( 1 Contractor )
    1 Product Owner

Repository6

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    1 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner
    1 Technical Account

Repository7

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    1 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner

Repository8

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    1 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner

Repository9

  • Admin
    1 DevOps Engineer
    2 Product Owner
  • Write
    1 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner

Artifact Management System

  • Login access is restricted only to authorized persons

  • Only minimal permissions are granted

  • No unauthorized access

Jfrog Artifactory

Artifact management system to store the build logs and artifacts of your application.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.

  • Write : Can upload, delete, overwrite (in snapshot repositories) artifacts.

  • Read : Can list, download artifacts.

Repository1

  • Admin
    1 DevOps Engineer

  • Write
    1 Technical Account

  • Read
    2 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner

Repository2

  • Admin
    1 DevOps Engineer

  • Write
    1 Technical Account

  • Read
    2 DevOps Engineer
    6 Software Developer ( 1 Contractor )
    2 Test Engineer
    1 Product Owner

Staging Environment AWS Staging Environment
  • Cloud Console access is restricted only to authorized persons

  • SSH access is protected by keys and MFA

  • Database access is possible only from the internal network

  • Kubernetes access is possible only from the internal network

  • Only minimal permissions are granted

  • No unauthorized access

AWS Stage

Separated AWS Account for the Stage resources.

Permissions

  • Admin : Can list, create, delete, modify AWS resources.

  • Container Image Admin : Can list, create, delete, modify (in snapshot repositories) Docker images.

  • Container Image Read : Can list Docker images.

  • S3 Backup : Can list, create, delete, modify items in the Backup S3 Bucket.

  • Stage Deploy : Can list, create, delete, modify Kubernetes resources and list Docker images.

  • Admin
    1 DevOps Engineer
    3 Infrastructure Engineer ( 3 Contractor )
    1 Software Developer

  • Container Image Admin
    1 Technical Account

  • Container Image Read
    1 Technical Account

  • S3 Backup
    1 Technical Account

  • Stage Deploy
    2 Software Developer ( 1 Contractor )

AWS Stage Bastion

EC2 instance to access the Stage internal network and databases.

Permissions

  • Root : Can administer Linux OS.

  • User : Can log in and access the internal network of the Staging environment.

  • Root
    1 DevOps Engineer
    1 Infrastructure Engineer ( 1 Contractor )

  • User
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    3 Software Developer ( 1 Contractor )
    1 Test Engineer
    1 Technical Account

Production Environment

AWS Production Environment

  • Cloud Console access is restricted only to authorized persons

  • SSH access is protected by keys and MFA

  • Database access is possible only from the internal network

  • Kubernetes access is possible only from the internal network

  • Only minimal permissions are granted

  • No unauthorized access

AWS Prod

Separated AWS Account for the Prod resources.

Permissions

  • Admin : Can list, create, delete, modify AWS resources.

  • Container Image Admin : Can list, create, delete, modify (in snapshot repositories) Docker images.

  • Prod Deploy : Can list, create, delete, modify Kubernetes resources and list Docker images.

  • Admin
    1 DevOps Engineer
    1 Infrastructure Engineer ( 1 Contractor )
    1 Software Developer

  • Container Image Admin
    1 Technical Account

  • Prod Deploy
    2 Software Developer ( 1 Contractor )

AWS Prod Bastion

EC2 instance to access the Prod internal network and databases.

Permissions

  • Root : Can administer Linux OS.

  • User : Can log in and access the internal network of the Production environment.

  • Root
    1 DevOps Engineer
    1 Infrastructure Engineer ( 1 Contractor )

  • User
    3 Software Developer ( 1 Contractor )
    1 Technical Account

Log Analysis and Monitoring

Datadog Loggin and Monitoring System

  • Login access is restricted only to authorized persons

  • Only minimal permissions are granted

  • No unauthorized access

Datadog

Log management and monitoring tool for our staging and production applications.

Permissions

  • Admin : Can administer all resources. Can not delete logs.

  • Write : Can read, create, delete, modify monitors, dashboards. Can read logs.

  • Read : Can read monitors, dashboards, logs.

  • Admin
    1 DevOps Engineer
    1 Software Developer
    1 Technical Account

  • Write
    1 DevOps Engineer
    1 Software Developer ( 1 Contractor )

  • Read
    1 Infrastructure Engineer ( 1 Contractor )
    4 Software Developer
    2 Test Engineer
    3 Support Agent
    3 Product Owner