2021 Q3

Audit date: 06 October 2021

Category	Activity	Scope	Status of the internal audit
Product Development Environment	Product Team Workstations	Updated Virus Protection Full Disk Encrytion No unauthorized access	Product Team Workstations We have validated the notebooks of all of our 15 product team members.
Source Code Management System	Login access is restricted only to authorized persons Only minimal permissions are granted No unauthorized access	Bitbucket Cloud - META-INF Source code management and Build system to store and build the code of our applications. Permissions Admin : Can create, delete repositories and modify repository settings. Write : Can push and merge source code modifications and trigger manual build pipelines. Read : Can pull source code, read build logs and pull requests. Repository1 Admin 1 DevOps Engineer 2 Product Owner Write 6 Software Developer ( 1 Contractor ) 1 Product Owner Repository2 Admin 1 DevOps Engineer 2 Product Owner Write 6 Software Developer ( 1 Contractor ) 1 Product Owner Repository3 Admin 1 DevOps Engineer 2 Product Owner Write 6 Software Developer ( 1 Contractor ) 1 Product Owner Repository4 Admin 1 DevOps Engineer 2 Product Owner Write 6 Software Developer ( 1 Contractor ) 1 Product Owner Repository5 Admin 1 DevOps Engineer 2 Product Owner Write 6 Software Developer ( 1 Contractor ) 1 Product Owner Repository6 Admin 1 DevOps Engineer 2 Product Owner Write 1 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner 1 Technical Account Repository7 Admin 1 DevOps Engineer 2 Product Owner Write 1 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner Repository8 Admin 1 DevOps Engineer 2 Product Owner Write 1 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner Repository9 Admin 1 DevOps Engineer 2 Product Owner Write 1 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner
Artifact Management System	Login access is restricted only to authorized persons Only minimal permissions are granted No unauthorized access	Jfrog Artifactory Artifact management system to store the build logs and artifacts of your application. Permissions Admin : Can create, delete repositories and modify repository settings. Write : Can upload, delete, overwrite (in snapshot repositories) artifacts. Read : Can list, download artifacts. Repository1 Admin 1 DevOps Engineer Write 1 Technical Account Read 2 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner Repository2 Admin 1 DevOps Engineer Write 1 Technical Account Read 2 DevOps Engineer 6 Software Developer ( 1 Contractor ) 2 Test Engineer 1 Product Owner
Staging Environment	AWS Staging Environment	Cloud Console access is restricted only to authorized persons SSH access is protected by keys and MFA Database access is possible only from the internal network Kubernetes access is possible only from the internal network Only minimal permissions are granted No unauthorized access	AWS Stage Separated AWS Account for the Stage resources. Permissions Admin : Can list, create, delete, modify AWS resources. Container Image Admin : Can list, create, delete, modify (in snapshot repositories) Docker images. Container Image Read : Can list Docker images. S3 Backup : Can list, create, delete, modify items in the Backup S3 Bucket. Stage Deploy : Can list, create, delete, modify Kubernetes resources and list Docker images. Admin 1 DevOps Engineer 3 Infrastructure Engineer ( 3 Contractor ) 1 Software Developer Container Image Admin 1 Technical Account Container Image Read 1 Technical Account S3 Backup 1 Technical Account Stage Deploy 2 Software Developer ( 1 Contractor ) AWS Stage Bastion EC2 instance to access the Stage internal network and databases. Permissions Root : Can administer Linux OS. User : Can log in and access the internal network of the Staging environment. Root 1 DevOps Engineer 1 Infrastructure Engineer ( 1 Contractor ) User 1 DevOps Engineer 2 Infrastructure Engineer ( 2 Contractor ) 3 Software Developer ( 1 Contractor ) 1 Test Engineer 1 Technical Account

Production Environment

AWS Production Environment

Cloud Console access is restricted only to authorized persons
SSH access is protected by keys and MFA
Database access is possible only from the internal network
Kubernetes access is possible only from the internal network
Only minimal permissions are granted
No unauthorized access

AWS Prod

Separated AWS Account for the Prod resources.

Permissions

Admin : Can list, create, delete, modify AWS resources.
Container Image Admin : Can list, create, delete, modify (in snapshot repositories) Docker images.
Prod Deploy : Can list, create, delete, modify Kubernetes resources and list Docker images.
Admin
1 DevOps Engineer
1 Infrastructure Engineer ( 1 Contractor )
1 Software Developer
Container Image Admin
1 Technical Account
Prod Deploy
2 Software Developer ( 1 Contractor )

AWS Prod Bastion

EC2 instance to access the Prod internal network and databases.

Permissions

Root : Can administer Linux OS.
User : Can log in and access the internal network of the Production environment.
Root
1 DevOps Engineer
1 Infrastructure Engineer ( 1 Contractor )
User
3 Software Developer ( 1 Contractor )
1 Technical Account

Log Analysis and Monitoring

Datadog Loggin and Monitoring System

Login access is restricted only to authorized persons
Only minimal permissions are granted
No unauthorized access

Datadog

Log management and monitoring tool for our staging and production applications.

Permissions

Admin : Can administer all resources. Can not delete logs.
Write : Can read, create, delete, modify monitors, dashboards. Can read logs.
Read : Can read monitors, dashboards, logs.
Admin
1 DevOps Engineer
1 Software Developer
1 Technical Account
Write
1 DevOps Engineer
1 Software Developer ( 1 Contractor )
Read
1 Infrastructure Engineer ( 1 Contractor )
4 Software Developer
2 Test Engineer
3 Support Agent
3 Product Owner