
D5.1 Pilot definition, set-up & validation plan

Author: Kagerer, Olivia
Publisher: Zenodo
DOI: 10.5281/zenodo.17198808
Source: https://zenodo.org/records/17198808/files/EMERALD_D5.1_Pilot-definitionset-upvalidation-plan_v1.0.pdf
Deliverable D5.1
Pilot definition, set-up & validation plan
Editor(s): Olivia Kagerer (FABA)
Responsible Partner: Fabasoft R&D GmbH
Status-Version: Final - 1.0
Date: 31.07.2024
Type: R
Distribution level (SEN, PU): PU
D5.1 – Pilot definition, set-up & validation plan Version 1.0 – Final. Date: 31.07.2024
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 94
www.EMERALD-he.eu
Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: D5.1 Pilot definition, set-up & validation plan
Due Date of Delivery to the EC: 31.07.2024
Workpackage responsible for the Deliverable: WP5 - EMERALD operational and financial Pilots
Editor(s): Fabasoft R&D GmbH
Contributor(s): Mika Leskinen (NIXU), Jordi Guijarro (ONS), Ramon Martín de Pozuelo (CXB), Natalia Sobieska (CF), Netsanet Haile Gebreyesus (IONOS), Lukas Ruckenstuhl (FABA)
Reviewer(s): Angela Fessl (KNOW), Cristina Martínez (TECNALIA)
SAB Reviewers: Samu Nisula (NIXU), Constantino Vázquez (ONS), Mario Maawad (CXB), Daniela Greb (FABA), Tomasz Aniszewski (CF), Ali Nikoukar (IONOS)
Approved by: All Partners
Recommended/mandatory readers: WP1, WP2, WP3, WP4
Abstract: Initial version of the report on Pilot set-up, validation plan of the user interaction concept, elicited requirements, and list of KPIs to measure the impact
Keyword List: Pilots, Validation Strategy, Requirements, KPIs, Impact Analysis
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description
Version | Date | Modifications Introduced: Modification Reason | Modifications Introduced: Modified by
0.1 | 08.02.2024 | First draft version ToC | FABA
0.2 | 02.05.2024 | Final version of ToC | FABA
0.3 | 16.05.2024 | Finalized validation plan | FABA, NIXU
0.4 | 03.07.2024 | Finalized contribution pilot 4 | FABA, ONS, CXB
0.5 | 03.07.2024 | Finalized contribution pilot 3 | FABA
0.6 | 05.07.2024 | Finalized contribution pilot 1 | IONOS
0.7 | 05.07.2024 | Finalized contribution pilot 2 | CF
0.8 | 12.07.2024 | QA and SAB review | KNOW
0.9 | 24.07.2024 | Address the comments from the QA and SAB review | IONOS, CF, FABA, CXB, ONS
1.0 | 31.07.2024 | Submitted to the European Commission | TECNALIA
Table of contents
Terms and abbreviations
Executive Summary
1 Introduction
  About this deliverable
  Document structure
2 Pilot Definition and Set-Up
  Pilot 1: IONOS
    2.1.1 Introduction and Motivation
    2.1.2 Pilot definition
    2.1.3 Integration Approach
  Pilot 2: CloudFerro
    2.2.1 Introduction and Motivation
    2.2.2 Pilot Definition
    2.2.3 Integration Approach
  Pilot 3: Fabasoft
    2.3.1 Introduction and Motivation
    2.3.2 Pilot definition
    2.3.3 Integration Approach
  Pilot 4: EMERALD and Hybrid Cloud-Edge environments
    2.4.1 Introduction and Motivation
    2.4.2 Pilot Definition
    2.4.3 Integration Approach
3 Validation Plan
  Stage-Gate-Process
    3.1.1 Stage 1: Planning
    3.1.2 Stage 2: EMERALD Setup
    3.1.3 Stage 3: Preparation for Audit
    3.1.4 Stage 4: Audit
    3.1.5 Stage 5: Certification
  Impact analysis
    3.2.1 Empirical questionnaire analysing the validity of the value statement
    3.2.2 Empirical questionnaires analysing customer satisfaction
    3.2.3 Impact KPI measurement
  Pilot KPI analysis
  Fulfilment tracking of business-driven requirements
  UX Validation
    3.5.1 Thinking Aloud
    3.5.2 System Usability Scale
    3.5.3 Interview
4 Conclusions
5 References
APPENDIX A: Business-driven requirements
APPENDIX B: KPIs and Impact KPIs
APPENDIX C: Impact KPI measurement example

List of tables
TABLE 1. BUSINESS-DRIVEN REQUIREMENTS FOR PILOT 1
TABLE 2. DESCRIPTION OF PILOT 2 ROLES
TABLE 3. BUSINESS-DRIVEN REQUIREMENTS FOR PILOT 2
TABLE 4. BUSINESS-DRIVEN REQUIREMENTS FOR PILOT 3
TABLE 5. BUSINESS-DRIVEN REQUIREMENTS FOR PILOT 4
List of figures
FIGURE 1. OPERATIONAL STRUCTURE OF PILOT 1
FIGURE 2. HIGH LEVEL ARCHITECTURE OF PILOT 1
FIGURE 3. INITIAL WORKFLOW DIAGRAM OF PILOT 1
FIGURE 4. PILOT 2 ROLES AND USE CASES
FIGURE 5. PILOT 2 HIGH LEVEL ARCHITECTURE
FIGURE 6. PILOT 2 WORKFLOW DIAGRAM
FIGURE 7. ONION DIAGRAM OF PILOT 3 STAKEHOLDERS
FIGURE 8. PILOT 3 WORKFLOW
FIGURE 9. DOCUMENT GATHERING FLOW
FIGURE 10. FABASOFT APP.TELEMETRY FLOW
FIGURE 11. OVERVIEW OF THE PILOT 4 INFRASTRUCTURE
FIGURE 12. PILOT 4 USE CASE DIAGRAM
FIGURE 13. PILOT 4 COMPONENT DIAGRAM
FIGURE 14. SEQUENCE DIAGRAM BETWEEN COMPONENTS OF THE PILOT 4
FIGURE 15. BLOCK DIAGRAM
FIGURE 16. COMMUNICATION BETWEEN ENTITIES (1)
FIGURE 17. COMMUNICATION BETWEEN ENTITIES (2)
FIGURE 18. PILOT 4 ARCHITECTURE DEFINING ALL THE INVOLVED COMPONENTS, INFRASTRUCTURE, THIRD-PARTY CLOUD SERVICES AND INFORMATION FLOW
FIGURE 19. VALIDATION TIME PLAN
FIGURE 20. STAGE-GATE-PROCESS
FIGURE 21. PILOT KPI ANALYSIS
FIGURE 22. TRANSLATION OF REQUIREMENTS FOR IMPLEMENTATION
FIGURE 23. FULFILMENT TRACKING OF BUSINESS-DRIVEN REQUIREMENTS
Terms and abbreviations
AAA: Authentication, Authorization, and Accounting
AI: Artificial Intelligence
AIC4: AI Cloud Service Compliance Criteria Catalogue
AMOE: Assessment and Management of Organizational Evidence
API: Application Programming Interface
AWS: Amazon Web Services
BDR: Business-Driven Requirements
BSI: Bundesamt für Sicherheit in der Informationstechnik
C5: Cloud Computing Compliance Criteria Catalogue
CaaS: Certification-as-a-Service
CF: CloudFerro
CI/CD: Continuous Integration / Continuous Delivery
CISO: Chief Information Security Officer
CSA or EU CSA: EU Cybersecurity Act
CSP: Cloud Service Provider
CSV: Comma-separated values
DLR: Data Retrieval Language
DoA: Description of Action
ECMWF: European Centre for Medium-Range Weather Forecasts
ESA: European Space Agency
EUCS: European Cybersecurity Certification Scheme for Cloud Services
EUMETSAT: European operational satellite agency for monitoring weather, climate and the environment
GA: General Assembly
IaaS: Infrastructure-as-a-Service
ISO: International Organization for Standardization
IT: Information Technologies
ITS: Information Technology Services
KPI: Key Performance Indicator
KR: Key Result
MARI: Mapping Assistant for Requirements with Intelligence
ML: Machine Learning
NPS: Net Promoter Score
OSCAL: Open Security Controls Assessment Language
PaaS: Platform-as-a-Service
PGC: Plan General de Contabilidad (chart of accounts)
PSD2: Payment Services Directive 2
RCM: Repository of Controls and Metrics
RFQ: Request For Quotation
SaaS: Software-as-a-Service
SIEM: Security Information and Event Management
SUS: System Usability Scale
TWS: Trustworthiness System
UI: User Interface
UNED: Universidad Nacional de Educación a Distancia (National University of Distance Education)
UVP: Unique Value Proposition
UX: User Experience
VM: Virtual Machine
WP: Work Package
Executive Summary
This deliverable D5.1 defines the EMERALD pilots as well as their set-up. Additionally, it introduces the validation plan for the EMERALD framework and its pilots.
Through the definition of the pilots, specifically their respective business-driven requirements and the Key Performance Indicators (KPIs), the deliverable aims to support the technical work packages (WP1-WP4) of EMERALD in gaining a deeper understanding of the pilot goals and requirements. This is intended to ease the communication within the EMERALD project, specifically between the technical and non-technical work packages.
It is intended that the validation plan will serve to generate iterative feedback for the technical work packages and the pilots themselves. Specifically with the Stage-Gate-Process, it will be ensured that the EMERALD framework can provide support for the automation of audits and that the pilots provide the necessary data and inputs to the EMERALD component owners.
As a result, the main sections of this deliverable are as follows:
• Pilot definition and set-up, which introduces each pilot and its respective goals. This includes a list of business-driven requirements and pilot KPIs for each EMERALD pilot.
• Validation plan, which supports the generation of iterative feedback for the implementation of the EMERALD framework, as part of Task 5.2 and Task 5.3. This includes the plan for the impact analysis, which details the approach for measuring and analysing the impact of the EMERALD project, which will be followed in Task 5.4.
The future deliverables of WP5 will be based on this deliverable D5.1, as the pilots will integrate the EMERALD framework and will supply feedback by following the validation plan. These results will be reported in D5.2 and D5.3 (Pilot Category I), as well as in D5.4 and D5.5 (Pilot Category II). In D5.6, the results of the impact analysis will be presented.
Implementation Phase
• Deployment: Implement the designed framework and tools within the IONOS cloud environment, ensuring all components are properly integrated and functional.
• Training: Train the personnel involved in the pilot, including auditors and technical staff, on the new tools and processes.
Testing and Validation Phase
• Pilot Testing: Run the pilot test cases to validate the functionality and effectiveness of the continuous certification process.
• Feedback Collection: Gather feedback from all stakeholders, including cloud customers and technology providers, to assess the pilot's performance.
• Adjustments and Optimization: Make necessary adjustments based on feedback and initial testing outcomes to optimize the certification process.
Review and Compliance Assurance Phase
• Compliance Checks: Perform thorough compliance checks to ensure that all certification requirements are met and maintained throughout the pilot.
• Documentation: Document all processes, findings, and compliance statuses in detailed reports for internal and external use.
• Pilot Evaluation: Evaluate the overall success of the pilot based on predefined KPIs and success criteria.
2.1.2.3 Technical perspective and system architecture
To enhance the reliability and performance of the EMERALD integration, several IONOS services will be utilized. IONOS Kubernetes and Container Registry will host a microservices architecture, ensuring scalable deployment of all EMERALD components. Kubernetes orchestration will facilitate seamless interactions between components, while the Container Registry will manage the storage and distribution of container images. IONOS Cloud Storage and Database Solutions will support the data storage needs of the RCM and TWS components, providing high-performance, scalable, and secure storage solutions necessary for managing large volumes of compliance data and evidence. IONOS Networking Solutions will ensure secure and reliable connectivity between the deployed components, safeguarding data in transit and ensuring compliance with data protection regulations. Figure 2 shows a high-level architecture of pilot 1.
The proposed integration strategy is designed to optimize the functionality of the EMERALD components within the IONOS cloud, ensuring that pilot 1 not only meets but exceeds its operational objectives, delivering efficient, secure, and compliant cloud services.

Figure 2. High level Architecture of pilot 1
2.1.2.4 Security controls and measures
Pilot 1 is set to create a segregated environment within the IONOS cloud infrastructure, specifically designed to house all EMERALD components—Clouditor, TWS, MARI, RCM, AMOE, Codyze, AI-SEC, and the EMERALD UI/UX—deployed as microservices. This isolation ensures that the operational integrity and compliance are maintained separate from regular business operations. To guarantee the security of this architecture, a comprehensive security penetration test will be executed to detect and mitigate any vulnerabilities, enhancing the security framework before the system goes live.
Key security measures include implementing advanced encryption and role-based access controls (RBAC) across all components. Access will be strictly managed to ensure that only authorized personnel, such as compliance managers, system administrators, developers, and auditors, can access specific functionalities based on their roles. Additionally, continuous monitoring will be employed using IONOS's own tools to oversee the performance and health of the components, allowing for proactive maintenance and updates to security and functionality as needed. This approach ensures a robust, secure, and compliant deployment of the EMERALD components in pilot 1.
2.1.2.5 Communication and workflow diagram
The sequence diagram below (Figure 3) illustrates the integration and workflow of the EMERALD framework within the IONOS cloud for Pilot 1, focusing on evidence extraction and storage processes. It begins with Clouditor initiating the evidence collection from source code repositories and organizational policy documents. The collected code and policy documents are then processed by Codyze for static code analysis and AMOE for policy compliance assessment, respectively. The results from these analyses are stored in the Trustworthiness System (TWS) for secure, long-term storage, while also updating the Repository of Controls and Metrics (RCM) with the latest compliance metrics and controls. Finally, Clouditor compiles all the results into comprehensive compliance reports for internal and external audits.
Figure 3. Initial workflow diagram of pilot 1
2.1.2.6 Business-driven Requirements
For IONOS, the primary goal of participating in pilot 1 of the EMERALD project is to establish a streamlined, effective, and continuously monitored cloud service certification process. This involvement will not only enhance security and compliance but also ensure greater customer satisfaction and trust in cloud services offered by IONOS.
Table 1 summarizes the business-driven requirements that describe the requirements of the pilot 1 towards the functionality of the EMERALD framework. The full information can be found in APPENDIX A: Business-driven requirements.
Table 1. Business-driven requirements for pilot 1
ID | Name | Description
BDRP1.01 | Automate and Streamline Certification Processes | As IONOS pilot 1, we want the certification process to be automated, so that the time spent on manual entries can be reduced and we focus more on strategic compliance planning.
BDRP1.02 | Secure and Reliable Long-term Evidence Storage | As IONOS pilot 1, we need a system that securely stores all compliance evidence long-term, so that we can retrieve it quickly and reliably for any audits or compliance checks without fearing data loss or corruption.
BDRP1.03 | Efficient Requirement and Compliance Mapping | As IONOS pilot 1, we want to use an AI-assisted mapping tool to quickly align our service offerings with multiple compliance frameworks, ensuring accuracy and saving time on cross-referencing standards manually.
BDRP1.04 | Central Management of Controls and Metrics | As IONOS pilot 1, we need a central repository to easily manage and update security controls and metrics to propagate changes accurately and timely across all compliance documentation and reports.
BDRP1.05 | Compliance Verification of Organizational Policies | As IONOS pilot 1, we want a tool that can automatically assess our organizational policies against compliance standards, so that we can easily identify and address gaps in our internal policies without manually reviewing each one.
BDRP1.06 | Ensure Software Compliance through Static Code Analysis | As IONOS pilot 1, we need a static code analysis tool that integrates into our CI/CD pipeline to verify compliance before deployment, ensuring that any compliance issues are caught and resolved early in the development process.
BDRP1.07 | Intuitive User Experience for Compliance Monitoring | As IONOS pilot 1, we want a user-friendly interface that allows us to monitor compliance status across various cloud services easily, so that we can make quick decisions based on real-time data and effectively communicate compliance status to stakeholders.
2.1.2.7 Pilot KPIs
The following are the KPIs defined to evaluate the success of pilot 1. They are essential for ensuring that the pilot aligns with the business objectives.

KPI: 1.1 – Reduction in Certification Time
Description: Measure the decrease in time required to achieve and renew certifications with the EMERALD framework compared to traditional methods
Goal: Reduce certification time
Priority: High
Benefit: Faster certification processes allow quicker market entry for new services and updates, improving business agility
Obstacle: Integrating automated processes with existing manual processes may require significant initial adjustments and training
Measurement:
  Measured by: Time taken from the start of the certification process to its completion
  Unit: Days
  Baseline value: Average days taken prior to the EMERALD implementation

KPI: 1.2 – Compliance Error Rate
Description: Track the rate of compliance errors or omissions identified during audits
Goal: Achieve a reduction of 40% in compliance errors
Priority: High
Benefit: Enhances the reliability and security of IONOS services, ensuring adherence to regulatory standards
Obstacle: Potential resistance to new automated tools and processes, which could initially lead to errors in handling or data entry
Measurement:
  Measured by: Compliance audit reports
  Unit: # of errors
  Baseline value: Average number of errors reported in audits prior to EMERALD

KPI: 1.3 – Audit Preparation Cost
Description: Assess the financial impact of EMERALD by measuring the reduction in costs associated with preparing for audits
Goal: Reduce audit preparation costs
Priority: High
Benefit: Lower costs lead to more resources available for other strategic initiatives and improvements
Obstacle: Initial investment in the EMERALD system and potential unforeseen costs during integration
Measurement:
  Measured by: Financial accounting and reporting systems
  Unit: Euro (€)
  Baseline value: Current average cost of audit preparation

KPI: 1.4 – User Satisfaction Score
Description: Evaluate the satisfaction of internal users (compliance managers, auditors) with the new EMERALD framework
Goal: Achieve higher user satisfaction score
Priority: High
Benefit: High user satisfaction indicates effective implementation and user-friendliness of the EMERALD framework, leading to better adoption
Obstacle: Resistance to change and the learning curve associated with new systems
Measurement:
  Measured by: Internal survey tools
  Unit: Percentage
  Baseline value: Satisfaction level prior to EMERALD, based on internal surveys

KPI: 1.5 – Interoperability Incident Rate
Description: Track the frequency of incidents related to interoperability issues with other systems and services post-EMERALD integration
Goal: Reduce interoperability incidents
Priority: High
Benefit: Smooth interoperability enhances service reliability and customer experience
Obstacle: Compatibility issues with existing IT infrastructure or third-party services
Measurement:
  Measured by: IT support incident logs
  Unit: # of Incidents
  Baseline value: Current rate of interoperability incidents before implementation

2.1.3 Integration Approach
This section outlines the strategic and technical processes through which the EMERALD components will be seamlessly incorporated within the IONOS cloud infrastructure for pilot 1.
2.1.3.1 Identification of Certification Targets
The following tables present certification targets which can be used by the EMERALD evidence collection tools as basis for the certification of pilot 1. These targets are tentatively proposed and subject to further validation and potential modification by the security team during the pilot implementation. Depending on the evolving needs and security assessments, additional certification targets may be included in pilot 1 to ensure a comprehensive and effective compliance framework.

Certification Target: Source Code Repositories
Type: Code
Description: Repositories containing all source code for cloud services
Availability for component owner(s): Available via secure API or direct repository access with proper authentication
Evidence Collection Tool: Codyze
Hosting: EMERALD
Evidence stored at: IONOS Cloud/EMERALD
Evidence processed at: IONOS Cloud
Processed results integrated in: EMERALD UI/UX

Certification Target: Organizational Policy Documents
Type: Document
Description: Documents outlining organizational security policies and procedures
Availability for component owner(s): Stored in a centralized document management system accessible to compliance managers
Evidence Collection Tool: AMOE
Hosting: EMERALD
Evidence stored at: IONOS Cloud/EMERALD
Evidence processed at: IONOS Cloud
Processed results integrated in: EMERALD UI/UX

2.1.3.2 Integration and Application of Components
The integration and application section details how specific EMERALD components like Clouditor, TWS, and MARI are deployed and utilized within pilot 1. It includes descriptions of component functionalities, integration strategies, and access controls to ensure effective and secure operations.
2.1.3.2.1 Clouditor/Orchestrator
• (How) will the component be used in the pilot?
  o Clouditor will be used as the orchestration hub and will act as the central command center for managing the compliance workflow.
• What are the expected benefits?
  o It will automate tasks such as initiating compliance checks, aggregating results from other components like Codyze for code analysis, and AMOE for policy assessment, and compiling these into compliance reports.
• What are the component-specific requirements?
  o A high-level requirement of this component at this point, is that it needs to integrate seamlessly with existing IaaS systems at IONOS and must support the automation of compliance checks for targeted certificates which are introduced above.
• Where will it be hosted (EMERALD/pilot-specific)?
  o The current plan is to host the component within the IONOS cloud infrastructure to ensure secure and reliable access during the pilot.
• Who should have access (roles/permissions) to which results of the component?
  o Compliance managers and cloud security managers at IONOS will have access to the orchestration results; IT security auditors will have read-only access for verification.
2.1.3.2.2 Trustworthiness System (TWS)
• (How) will the component be used in the pilot?
  o TWS will securely store all long-term compliance and audit-related evidence. It will be integrated to receive inputs from all components, ensuring that evidence collected during compliance checks is securely logged and retrievable for future audits.
• What are the expected benefits?
  o This will facilitate a comprehensive audit trail that supports compliance verification over time.
• What are the component-specific requirements?
  o Overall, the component is required to ensure high-security storage and quick data retrieval capabilities. Compliance with GDPR and other privacy standards is essential.
• Where will it be hosted (EMERALD/pilot-specific)?
  o In a secure segment of the IONOS data center allocated to compliance and security-sensitive operations.
• Who should have access (roles/permissions) to which results of the component?
  o IT security auditors and compliance officers of IONOS should have full access, with audit logs available to senior management for oversight.
2.1.3.2.3 Mapping Assistant for Requirements with Intelligence (MARI)
• (How) will the component be used in the pilot?
  o MARI will utilize artificial intelligence to efficiently map IONOS cloud service offerings against applicable compliance frameworks.
• What are the expected benefits?
  o This component will draw on data from the RCM to ensure accurate alignment of metrics with compliance controls, reducing manual mapping efforts.
• What are the component-specific requirements?
  o MARI requires up-to-date datasets of compliance frameworks and the ability to learn from adjustments made by compliance officers.
• Where will it be hosted (EMERALD/pilot-specific)?
  o It will be hosted where the pilot can leverage centralized AI learning and updates.
• Who should have access (roles/permissions) to which results of the component?
  o Compliance officers primarily, with oversight access for risk managers to review and confirm alignment.
2.1.3.2.4 Reposi o y o Con ols and Me ics (RCM)
• (How) will he componen be used in he pilo ?
o RCM will ac as a cen alized da abase o all con ols, equi emen s, and
me ics ela ed o cloud se ice ce i ica ions a IONOS.
• Wha a e he expec ed bene i s?
o I ensu es consis ency and eliabili y in compliance da a ac oss he o ganiza ion,
acili a ing quicke upda es and compliance checks.
• Wha a e he componen -speci ic equi emen s?
o This componen equi es o suppo eal- ime upda es and in eg a ion wi h
o he EMERALD componen s like Cloudi o and RMA.
• Whe e will i be hos ed (EMERALD/pilo -speci ic)?
o The hos ing en i onmen will be selec ed conside ing he need o ensu e
in eg a ion wi h o he componen s and cen alized managemen .
• Who should ha e access ( oles/pe missions) o which esul s o he componen ?
o Sys em adminis a o s and compliance manage s will ha e edi access; audi o s
and isk manage s will ha e ead-only access.
2.1.3.2.5 AMOE, Codyze, AI-SEC, and EMERALD UI/UX
• (How) will he componen be used in he pilo ?
o These componen s will handle speci ic asks like assessing o ganiza ional
policies (AMOE), conduc ing s a ic code analysis (Codyze), e alua ing AI model
secu i y (AI-SEC), and p o iding a use in e ace (EMERALD UI/UX).
• Wha a e he expec ed bene i s?
o They enhance speci ic a eas such as policy compliance, code secu i y, AI sa e y,
and use expe ience, espec i ely.
• Wha a e he componen -speci ic equi emen s?
o Each componen mus in eg a e wi h he IONOS in as uc u e and mee
speci ic ope a ional benchma ks like speed, accu acy, and use - iendliness.
• Whe e will i be hos ed (EMERALD/pilo -speci ic)?
o Each will be hos ed wi hin he IONOS in as uc u e o main ain secu i y and
in eg a ion ac oss he sys em.
• Who should have access (roles/permissions) to which results of the component?
o Different levels of access for different roles based on their needs: developers for Codyze, AI developers for AI-SEC, compliance officers for AMOE, and various users for EMERALD.
Pilot 2: CloudFerro
This section introduces pilot 2 which aims at demonstrating Certification as a Service with EMERALD on IaaS / PaaS. To achieve this goal, CloudFerro will set up test environments which will be used by the EMERALD components for evidence collection. Details are described in the following sections.
2.2.1 Introduction and Motivation
CloudFerro (CF) provides cloud computing services dedicated to specific industries. CF specializes in the storage and processing of large data sets, including Earth observation satellite data repositories. It is the largest company in the Polish space sector, a leader in the European Earth Observation sector and a prime contractor for institutions such as ESA, EUMETSAT, ECMWF and DLR. CloudFerro as a Cloud Service Provider (CSP) is one of the main EMERALD stakeholders and will validate project outcomes in pilot 2.
The main goal of all pilots is to validate project outcomes in real-life use cases. Pilot 2, as a part of Category I, is aimed at testing tools in an IaaS/PaaS environment on public cloud. Therefore, in order to be able to carry out a real-life use case, CF will provide resources on its public cloud and prepare IaaS and PaaS test environments, which will be used for evidence collection by EMERALD tools.
2.2.1.1 Current Practice and Problem Statement (before EMERALD)
CloudFerro has three security audits each year – ISO 27001, BSI 200-1, BSI C5. They are all time-consuming because they are comprehensive. An audit usually takes 2-4 days, but a lot of time is also needed for preparation. The main data for audits are the existing audit checklist, policies, procedures (not all must be documented), specifications, descriptions etc. Currently we do not use any tools, we do everything manually.
2.2.1.2 Expected Benefits (after EMERALD)
CloudFerro’s audits right now are based on documentation and demand manual work of many people for days. Because of that, our main goals to achieve by using EMERALD are:
• Automation of document verification process
• Reduction of audit cost - decrease of time or/and people needed for audit because of EMERALD tools
• Reusability of tools - faster and easier recertification (and audits)
2.2.2 Pilot Definition
This section provides details of pilot 2, such as architecture, roles, workflow etc.
2.2.2.1 Pilot Diagram
Figure 4 shows three main roles in pilot 2 which will use EMERALD and the use cases for each of them.
Measured by: Number of covered requirements/numbers all of requirements
Measurement interval: End of project
Unit: %
Baseline value: 0%

KPI: 2.8 – Time needed for document verification
Description: Time in hours needed for the document verification process
Goal: Decrease (shorter than manual)
Priority: 1 - must
Benefit: Achieving this goal shows that using EMERALD tools makes sense, because they help us automate our work
Obstacle: No obstacle identified
Measurement:
  Measured by: Estimation time
  Measurement interval: Begin & end of project
  Unit: h
  Baseline value: Not available

KPI: 2.9 – Possibility to use tools for different cloud service models
Description: Checking whether it is possible to meet the proper requirements for different cloud service models.
Goal: Ability to use EMERALD for IaaS and PaaS
Priority: 1 - must
Benefit: Achieving this goal is necessary to conduct the pilot according to its definition - IaaS/PaaS on public clouds.
Obstacle: No obstacle identified
Measurement:
  Measured by: Provided by the user after verifying whether it is possible to meet the requirements for IaaS and PaaS
  Measurement interval: End of project
  Unit: Boolean
  Baseline value: No
2.2.3 Integration Approach
This section describes how the pilot 2 will integrate EMERALD components into its systems.
2.2.3.1 Identification of Certification Targets
The following tables present which targets should be certified by EMERALD in pilot 2.

Certification Target: IaaS environment
Type: Service
Description: Test IaaS environment will be based on CF’s public cloud with resources like VMs, Storage etc.
Availability of component owner(s): CF employees will have access to the IaaS environment. The evidence gathered from the environment via API will be available in EMERALD.
Evidence Collection Tool: Clouditor
Hosting: EMERALD
Evidence stored at: Evidence gathered from the environment via API can be stored in EMERALD.
Evidence processed at: Evidence gathered from the environment via API can be processed in EMERALD.
Processed results integrated in: Results will be used in the TWS, EMERALD UI and in any other components if needed.

Certification Target: PaaS environment
Type: Service
Description: Test PaaS environment will be based on container orchestration solution.
Availability of component owner(s): CF employees will have access to the PaaS environment. The evidence gathered from the environment via API will be available in EMERALD.
Evidence Collection Tool: Clouditor
Hosting: EMERALD
Evidence stored at: Evidence gathered from the environment via API can be stored in EMERALD.
Evidence processed at: Evidence gathered from the environment via API can be processed in EMERALD.
Processed results integrated in: Results will be used in TWS, EMERALD UI and in any other components if needed.

Certification Target: Policy
Type: Document
Description: All anonymized documentation which is needed to gather evidence.
Availability of component owner(s): Documentation in anonymized version (without private company details) could be shared.
Evidence Collection Tool: AMOE
Hosting: EMERALD
Evidence stored at: Evidence gathered from the environment via API can be stored in EMERALD.
Evidence processed at: Evidence gathered from the environment via API can be processed in EMERALD.
Processed results integrated in: Results will be used in TWS, EMERALD UI and in any other components if needed.
2.2.3.2 Integration and Application of Components
CF plans to host all EMERALD components at the EMERALD infrastructure hosted by TECNALIA, and not at the pilot itself.
2.2.3.2.1 Clouditor/Orchestrator
• (How) will the component be used in the pilot?
o Clouditor will be used for cloud resources evidence collection.
• What are the expected benefits?
o Automatic compliance of technical requirements.
• What are the component-specific requirements?
o Clouditor must be able to gather evidence from cloud based on OpenStack (BDRP2.01).
• Who should have access (roles/permissions) to which results of the component?
o Control Owner – set-up, monitor and manage discovery process.
o Compliance Manager - set-up, monitor and manage discovery process.
o Auditor – monitor results.
2.2.3.2.2 Trustworthiness System (TWS)
• (How) will the component be used in the pilot?
o TWS will be used as storage of hashes of evidence and assessment results.
• What are the expected benefits?
o Increase of transparency.
• What are the component-specific requirements?
o There are no pilot specific requirements.
• Who should have access (roles/permissions) to which results of the component?
o Compliance Manager and Auditor should have access to evidence and assessment result.
2.2.3.2.3 Mapping Assistant for Requirements with Intelligence (MARI)
• (How) will the component be used in the pilot?
o MARI will be used to map metrics to controls/requirements.
• What are the expected benefits?
o Automatic mapping of metrics to controls/requirements.
• What are the component-specific requirements?
o There are no pilot specific requirements.
• Who should have access (roles/permissions) to which results of the component?
o Compliance Manager and Control Owner should have access to mapping results.
2.2.3.2.4 Repository of Controls and Metrics (RCM)
• (How) will the component be used in the pilot?
o RCM will be used as a storage of certification schemes and relevant controls.
• What are the expected benefits?
o Easy access to controls of a chosen certification scheme.
• What are the component-specific requirements?
o BSI-C5 available in RCM (BDRP2.05).
• Who should have access (roles/permissions) to which results of the component?
o Compliance Manager should have access to the list of all certification schemes, controls, etc.
o Control Owner should have access only to relevant controls.
2.2.3.2.5 AMOE
• (How) will the component be used in the pilot?
o AMOE will be used to get evidence collection from documentation like policies etc.
• What are the expected benefits?
o Automation of the document verification process.
• What are the component-specific requirements?
o There are no pilot specific requirements.
• Who should have access (roles/permissions) to which results of the component?
o Compliance Manager and Control Owner should have access to evidence results.
2.2.3.2.6 Codyze, eknows, AI-SEC
• (How) will the component be used in the pilot?
o Codyze, eknows and AI-SEC won’t be used in pilot 2.
2.2.3.2.7 EMERALD UI
• (How) will the component be used in the pilot?
o EMERALD UI will be used by users to interact with components.
• What are the expected benefits?
o Users can interact with components and have access only to those they should.
• What are the component-specific requirements?
o It should be intuitive and readable even to non-technical employees (BDRP2.04).
• Who should have access (roles/permissions) to which results of the component?
o All of users should have access to UI.
Pilot 3: Fabasoft
In the following section, pilot 3 is introduced, following the overall pilot structure. The pilot attempts to integrate all EMERALD tools. The goal is to achieve an assisted certification with the EUCS level high requirements and to evaluate the applicability of the pilot findings to a BSI C5 audit. For this, the Fabasoft pilot will set up a test environment which can be certified by EMERALD’s CaaS approach.
2.3.1 Introduction and Motivation
Fabasoft PROCECO[4] is a unique business ecosystem providing selected, powerful and seamlessly integrated solutions for document-intensive business processes. The technological basis of the ecosystem is the highly secure and certified Fabasoft Cloud[5]. Fabasoft strives to be at the forefront of data protection and information security, continuously strengthening the cyber-resiliency of its products and services and providing proof of this with internationally recognized certifications.
For pilot 3, Fabasoft’s traditional audits will be adapted to a continuous certification process. It is the Fabasoft pilot’s intention to have defined processes which allow a fully digitalized and automated audit. The audit transparency should be further increased so that customers can easily confirm its significance.
2.3.1.1 Current Practice and Problem Statement (before EMERALD)
While continuous certification currently imposes several challenges, evidence collection and evidence processing can be fully automated by utilizing existing tools. These can be reused as basis for the Fabasoft pilot, with the goal of eventually creating a fully automated audit process.
Additionally, the Fabasoft pilot is looking to reduce the overall effort required during the certification process. This is mostly based on time consuming repetitive tasks, which require the manual work of specially trained personnel and the management of all involved personnel. As a consequence, the Fabasoft pilot seeks for a reusable set of processes and certification objects (e.g., metrics, controls) and wishes to reuse existing tooling so that established processes can be integrated.
2.3.1.2 Expected Benefits (after EMERALD)
By utilizing EMERALD and therefore adopting continuous certification in Fabasoft’s audit lifecycle, the pilot seeks for higher transparency in the entire audit process, easy-to-use tooling to facilitate compliance managers’ needs, reduction of manual tasks to a minimum and the creation of a centralized, enterprise-wide view of the entirety of Fabasoft’s audits and its sub-processes.
2.3.2 Pilot definition
The Fabasoft pilot is set up to abstract the audit processes at Fabasoft which are relevant for the EMERALD project. Details regarding this are presented in this section.
2.3.2.1 Pilot Diagram
This stakeholder diagram (see Figure 7) lists all participants needed by pilot 3 and its validation phase. While stakeholders found in layer 2 will use EMERALD and its components directly, stakeholders from layer 3 and layer 4 will either benefit from the use of EMERALD or indirectly use EMERALD components. EMERALD components that are not specifically created by Fabasoft for this pilot are not listed as they are part of the “EMERALD pilot 3” layer.
[4] https://www.fabasoft.com/de/on-proceco
[5] https://en.wikipedia.org/wiki/Fabasoft_Folio_Cloud
Figure 7. Onion Diagram of pilot 3 Stakeholders
2.3.2.2 Pilot Workflow
Pilot 3 aims for EMERALD to support all internal audit processes and to increase transparency for cloud customers. Figure 8 describes how the pilot currently perceives the application of the EMERALD framework within the EMERALD project (left) and within the pilot itself (right). The roles within the pilot were generalized for easier communication and can be adapted to the UI/UX strategy of WP4.
Figure 8. Pilot 3 Workflow
2.3.2.3 Technical perspective and system architecture
The environment on which Fabasoft is going to operate and test pilot 3 is called the Fabasoft Research Platform. The pilot 3 evidence collectors will be deployed in a mix of the EMERALD environment hosted by TECNALIA and the Fabasoft Research Platform. The Fabasoft Research Platform consists of, among other system relevant applications (e.g., identity providers), a Kubernetes cluster setup where selected EMERALD services can be deployed and tested. Custom evidence collectors, such as described in 2.3.3 Integration Approach, can be hosted there. The services will be monitored and maintained by dedicated systems which are part of the Fabasoft Research Platform.
The Fabasoft Research Platform operates on a need-to-know principle. This means that application rights are assigned when requested and are regularly revoked. For this system, CIS benchmarking[6] is implemented and selected requirements will be mapped to controls and metrics, such that the system can be integrated into the EMERALD framework.
2.3.2.4 Security controls and measures
Fabasoft has created a dedicated environment for pilot 3 in which the EMERALD framework and its associated applications will be hosted. This testing environment is separated from any production environment and hosts neither security critical nor business critical applications. While the components used for this testing environment must address internal security and organizational policies, the pilot has decided not to perform any security related testing (e.g., Pen-testing) in this context. Access to and from this environment is heavily restricted and controlled by various rules and access control lists. Furthermore, it is also possible to restrict access rights to specific EMERALD project roles within the department, if deemed necessary.
2.3.2.5 Communication and workflow diagram
These diagrams (see Figure 9 and Figure 10) show the communication flow between the evidence collectors and the various components needed to put evidence into the evidence collectors.
The Cloud Evidence Collector takes a configuration, which lists all documents and properties that are needed for the evidence. After the evidence collector is configured properly, it will retrieve the data from the Fabasoft Cloud API and extract the necessary data. Once the extraction is successful, it will send the evidence to the Evidence Store, so that EMERALD can use them in the certification process.
[6] https://www.cisecurity.org/cis-benchmarks-overview
Figure 9. Document gathering flow
While the Fabasoft app.telemetry collector serves a similar purpose to the cloud collector, instead of using the Fabasoft Cloud API it uses the Fabasoft app.telemetry API to receive the necessary system and platform metrics configured by the Metric implementer. These metrics will then be sent as evidence to the EMERALD Evidence Store.
Other collectors (e.g., Codyze) and their workflows will work as defined by the responsible partner.
Figure 10. Fabasoft app.telemetry flow
[Sequence diagram. Participants: Metric Implementer, Fabasoft Cloud Evidence Collector, Fabasoft Cloud, Evidence Store. Messages in order: CONFIGURES collector; loop [nr. of documents]: GET document and properties, SEND document and properties, EXTRACT metrics from documents and properties, PUT evidence, SEND operation result.]
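The document gathering flow described above (configure, GET document and properties, EXTRACT, PUT evidence, operation result), sketched as an added example that is not EMERALD or Fabasoft code. The `FakeCloud` and `EvidenceStore` classes, the configuration keys and the evidence record layout are assumptions standing in for the Fabasoft Cloud API and the EMERALD Evidence Store; the SHA-256 digest illustrates the kind of evidence hash the TWS is described as storing.

```python
import hashlib
import json

# Constructed collector configuration (hypothetical keys): which documents to
# fetch and which properties each one must carry to count as full evidence.
CONFIG = {
    "documents": ["policy-access-control", "policy-backup", "policy-missing"],
    "required_properties": ["approved_by", "last_review", "signature_valid"],
}


class FakeCloud:
    """In-memory stand-in for the document API, holding constructed sample data."""

    def __init__(self):
        self._docs = {
            "policy-access-control": {
                "approved_by": "ciso",
                "last_review": "2024-05-02",
                "signature_valid": True,
            },
            # Constructed gap: this document has no signature property.
            "policy-backup": {"approved_by": "ciso", "last_review": "2023-01-10"},
        }

    def get_document(self, doc_id):
        # None models a document that cannot be retrieved.
        return self._docs.get(doc_id)


def evidence_digest(body):
    """SHA-256 over a canonical JSON encoding, so equal bodies hash equally."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class EvidenceStore:
    """Stand-in store that refuses records whose digest does not match the body."""

    def __init__(self):
        self.records = []

    def put(self, record):
        if evidence_digest(record["body"]) != record["sha256"]:
            return False
        self.records.append(record)
        return True


def extract(doc_id, props, required):
    """Keep only the configured properties and record which ones are absent."""
    found = {name: props[name] for name in required if name in props}
    missing = [name for name in required if name not in props]
    return {
        "document": doc_id,
        "properties": found,
        "missing": missing,
        "complete": not missing,
    }


def collect(config, cloud, store):
    """One collector run: returns (document, operation result) per document."""
    results = []
    for doc_id in config["documents"]:
        props = cloud.get_document(doc_id)
        if props is None:
            # A failed fetch is reported, not silently skipped.
            results.append((doc_id, "fetch_failed"))
            continue
        body = extract(doc_id, props, config["required_properties"])
        record = {"body": body, "sha256": evidence_digest(body)}
        stored = store.put(record)
        results.append((doc_id, "stored" if stored else "rejected"))
    return results


def verify(store):
    """Recompute digests; return documents whose stored evidence was altered."""
    return [
        record["body"]["document"]
        for record in store.records
        if evidence_digest(record["body"]) != record["sha256"]
    ]


if __name__ == "__main__":
    evidence_store = EvidenceStore()
    for doc, outcome in collect(CONFIG, FakeCloud(), evidence_store):
        print(doc, outcome)
    print("altered records:", verify(evidence_store))
```

Incomplete documents are still stored, flagged `complete: False`, so a later assessment can fail the metric on recorded evidence instead of on an absence of data.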
2.3.2.6 Business-driven Requirements
Table 4 summarizes the business-driven requirements that describe the requirements of the Fabasoft pilot towards the functionality of the EMERALD framework. The full information can be found in APPENDIX A: Business-driven requirements.
Table 4. Business-driven requirements of pilot 3
ID | Name | Description
BDRP3.01 | UI/UX Concept | As Fabasoft pilot 3, we want a well-crafted UI/UX concept, so that our users perceive EMERALD as an intuitive audit solution.
BDRP3.02 | AI Guideline | As Fabasoft pilot 3, we want to be educated on areas of application of AI in certification-as-a-service environments with the help of EMERALD’s well-structured AI guidelines, so that we can reproduce this in future use cases.
BDRP3.03 | Integration of Internal evidence collection tools | As Fabasoft pilot 3, we want to integrate our internal evidence collection tools (e.g., Fabasoft app.telemetry), so that we can use and reuse the extracted evidence in the CaaS and exploit the opportunity to have our tool as a valid evidence extractor.
BDRP3.04 | Reusable Metrics | As Fabasoft pilot 3, we want to use EMERALD’s reusable metrics, so that the audit process is simplified.
BDRP3.05 | Security Schemes pilot 3 | As Fabasoft pilot 3, we want to manage Fabasoft’s audit (BSI C5 (must), EUCS (must), AIC4 (must)) through the application of EMERALD, so that resource consumption is minimized.
BDRP3.06 | Custom set of requirements | As Fabasoft pilot 3, we want to manage an audit process based on an individual set of requirements – e.g., originating from a cloud customer as planned in pilot 4, so that Fabasoft is able to address specific cloud customer needs as seen in the financial sector.
BDRP3.07 | Enhance current audit process | As Fabasoft pilot 3, we want to understand how we could transfer our current audit process to EMERALD and enhance them by this change, so that we understand the benefits of EMERALD and estimate any efficiency increase.
BDRP3.08 | Audit Transparency | As Fabasoft pilot 3, we want to utilize EMERALD functionality, so that the audit transparency is increased.
BDRP3.09 | Manual Controls | As Fabasoft, we want EMERALD to have a strategy on how manual controls can be included in an automated audit (e.g., in the UI),
o A compliance manager and a CISO should have access (read/write/delete) to all information about the pilot from AMOE. An internal control owner and internal control implementer should have this access while a control is assigned to them. Only Compliance Managers and CISOs can delete documents.
2.3.3.2.6 Codyze & eknows
• How will the component be used in the pilot?
o Both Codyze and eknows will be used for source code analysis in pilot 3, to extract the required evidence for the respective metrics.
• What are the expected benefits?
o The evidence extraction tools are expected to support the identification of security issues in the source code and the identification of non-compliance.
• What are the component-specific requirements?
o Any identified issues should be supported by enough information to enable a quick reaction by the respective roles.
• Who should have access (roles/permissions) to which results of the component?
o The evidence should only be accessible to roles which need to see them for their tasks, e.g., an Auditor or a Compliance Manager who are aiming to reach certification of the respective Cloud Service, or a Control Owner working on the respective Metric.
2.3.3.2.7 AI-SEC
• How will the component be used in the pilot?
o AI-SEC will be used for evidence collection from AI models, specifically regarding robustness against attacks, explainability and fairness.
• What are the expected benefits?
o Pilot 3 additionally anticipates that the use of the newly developed AI-SEC will support the pilot in gaining a deeper understanding of the current research and novel techniques for the assessment and upcoming audits of AI Models.
• Who should have access (roles/permissions) to which results of the component?
o The evidence should only be accessible to roles which need to see them for their tasks, e.g., an Auditor or a Compliance Manager who are aiming to reach certification of the respective Cloud Service, or a Control Owner working on the respective Metric.
2.3.3.2.8 EMERALD UI
• How will the component be used in the pilot?
o The Fabasoft pilot 3 plans to use the EMERALD UI for the whole audit process of the pilot for the agreed upon security schemes. This includes automatic and continuous controls as well as manual controls which have to be audited following the traditional path.
• What are the expected benefits?
o The pilot expects that the EMERALD UI will allow a seamless interaction with all EMERALD components and their functionalities, and that the EMERALD UI will support the users of the pilot in their audit related processes.
• What are the component-specific requirements?
o This should help reduce the required resources for reaching certification, support audit related communication and decrease the risk of audit related errors.
• Who should have access (roles/permissions) to which results of the component?
o Every pilot related role as well as the auditors should be able to use the EMERALD UI. The permissions which were specified for each EMERALD component should be considered in the UI.
2.3.3.2.9 Additional Pilot-specific tool: Fabasoft app.telemetry
• How will the component be used in the pilot?
o The Fabasoft pilot 3 plans to implement additional evidence collecting tools to integrate pilot-specific applications and tooling into the EMERALD Framework, however this is highly optional.
• What are the expected benefits?
o As such, the Fabasoft app.telemetry evidence collector integrates the monitoring capabilities of Fabasoft app.telemetry. This integration allows Fabasoft app.telemetry users to use application specific events and data which is collected through Fabasoft’s tooling to fulfil requirements needed for certifications.
• Who should have access (roles/permissions) to which results of the component?
o For this purpose, the Fabasoft app.telemetry evidence collector needs access to the Evidence Store component to import information in a standardized manner. The Evidence Collector will be hosted on Fabasoft’s premises. As app.telemetry is not an interactive tool, the evidence which will be provided is the only part that shall be accessible to users – especially metric owners - of the EMERALD framework.
2.3.3.2.10 Additional Pilot-specific tool: Fabasoft Cloud document evidence collector
• How will the component be used in the pilot?
o The Fabasoft Cloud document evidence collector is an additional pilot specific tool which is used to access documents and meta data that is saved on Fabasoft Cloud.
• What are the expected benefits?
o This optional evidence collector allows manual controls, signatures and any other relevant meta data which is saved on the Fabasoft PROCECO Cloud to be used as evidence in the EMERALD framework. This is relevant for organizational requirements that focus on policy documents and manual tasks.
• Who should have access (roles/permissions) to which results of the component?
o For this purpose, the Fabasoft Cloud document evidence collector needs access to the Evidence Store component to import data in a standardized manner. The Evidence Collector will be hosted on Fabasoft’s premises. As the Fabasoft Cloud document evidence collector is not an interactive tool, the evidence which will be provided is the only part that shall be accessible to users – especially metrics owners - of the EMERALD framework.
Pilot 4: EMERALD and Hybrid Cloud-Edge environments
This section introduces pilot 4, which is a Category II pilot that aims at the certification of hybrid cloud-edge environments for the financial sector.
2.4.1 Introduction and Motivation
Pilot 4 aims at the certification of hybrid cloud-edge environments for the financial sector. The main driver for this category definition is CaixaBank (CXB), which currently holds a large number of on-premise services and is trying to expand this into the field of public clouds, i.e., using SaaS or IaaS providers. However, due to regulation, there is a need for continuous certification in the sector. The application of EMERALD would ensure the real-time assessment of several cloud services, validating that they are compliant with the controls defined in a specific security framework. Summarized, EMERALD addresses the main challenges of CXB as a customer of cloud and edge service providers. ONS, as a European specialist in managing hybrid cloud-edge environments, will lead this pilot.
Open Challenges:
• Security of cloud customer data, in the context of PSD2: Highly regulated industries need to be extra careful in selecting, integrating or on-boarding new cloud and edge services and in assessing them.
• Lack of standardization or interoperability of cybersecurity certification in multi-provider cloud-edge environments: European SaaS providers (e.g., FABA) are interested in providing specialized services, but face high entry barriers.
Application of EMERALD tool stack
This Category II pilot will target compliance to the level ‘high’ of continuous certification with the EUCS and will also make use of the EMERALD UI. The specific of Category II is that the EMERALD approach can provide a platform to exchange real-time information of certification states of services within the datacentre-cloud-edge continuum used in the financial sector. More specifically, it offers a secure-by-design application that monitors compliance of services with the same technology on-prem, on the cloud, or at the edge (public or private). This ensures the secure integration of third-party services, guaranteeing their validation of fit-for-purposes.
Pilot Roles:
• End-user – CaixaBank
• SaaS – Fabasoft
• IaaS / PaaS – IONOS, CloudFerro
• Cloud-Edge stack – OpenNebula
Expected general Pilot benefits
• Proposing a technical implementation that provides answers to the above-mentioned challenges.
• Elaborate on real-time hybrid cloud security, compliance assessment and certification across several cloud and edge infrastructure and service providers.
• Validation of the concepts of WP1 (CaaS framework) and WP4 (user interaction).
• Combined effort for statements on the EMERALD capabilities for hybrid cloud-edge environments.
2.4.1.1 Cu en P ac ice and P oblem S a emen (be o e EMERALD)
This subsec ion desc ibes he cu en si ua ion and he p oblem, which should be add essed in
EMERALD o each o he oles de ined in he pilo :
• End-use – CXB
• SaaS – Fabaso
• IaaS / PaaS – IONOS, CloudFe o
• Cloud-Edge s ack – OpenNebula
2.4.1.1.1 End-use s – CXB
CaixaBank is one o he leading inancial ins i u ions in Spain. Managing a wide a ay o hi d-
pa y cloud se ices ha need o be s ongly secu ed and audi ed o sa e-keeping and
esilience, necessi a ing s ingen con ols and con inuous o e sigh o mi iga e isks and
comply wi h egula o y s anda ds.
CXB's cu en audi p ocess o cloud sys ems begins wi h he Se ice Owne ini ia ing he
acquisi ion o hi d-pa y cloud se ices, de ailing he se ice and da a p ocessing loca ions. This
p ocess includes cha ac e iza ion by PGC, ga he ing isk in o ma ion om UNED, comple ing a
secu i y ques ionnai e, iden i ying applicable con ols and gene a ing he e idence ma ix,
pe o ming isk analysis and con ol e alua ion, and ongoing moni o ing and e-e alua ion o
ensu e con inued compliance and add ess changes as needed.
The EMERALD p ojec aims o au oma e e idence managemen , enhancing he usabili y o audi
ools, ensu ing comple e aceabili y o ce i ica es and audi s, and in eg a ing seamlessly wi h
exis ing in e nal ools. Addi ionally, EMERALD will suppo a ious ce i ica ion schemes,
allowing CXB o u ilize i s in e nal secu i y amewo k. These ini ia i es will s eamline he audi
p ocess, imp o e e iciency, and ensu e compliance wi h egula o y equi emen s, add essing
he scale, manual p ocesses, and con inuous moni o ing limi a ions cu en ly aced by CXB.
2.4.1.1.2 SaaS – Fabasoft
Fabasoft PROCECO is a unique business ecosystem providing selected, powerful and seamlessly integrated solutions for document-intensive business processes. While continuous certification currently imposes several challenges, evidence collection and evidence processing can be fully automated by utilizing existing tools. These can be reused as basis for the Fabasoft pilot 4 participation, with the goal of eventually creating a fully automated audit process and SaaS EMERALD integration.
The product used for this part will be Fabasoft DORA⁷. With Fabasoft DORA, it is possible to create necessary audit reports, such as the information register in accordance with ITS, at the touch of a button and submit them securely to the supervisory authorities. After a positive initial assessment, a standardized review process ensures full compliance with all regulatory requirements. Electronic workflow signatures document every incident in a verifiable manner. The integration of external partners also enables documents and certificates to be submitted without media discontinuity.
Fabasoft believes that this solution is the perfect fit to not only demonstrate the EMERALD capabilities in this pilot, but also showcase the functionalities of an integrated audit support for the financial sector according to the European Digital Operational Resilience Act (DORA).
⁷ https://www.fabasoft.com/en/on-proceco/contracts-contract-management/digital-operational-resilience-act
2.4.1.1.3 IaaS / PaaS – IONOS, CloudFerro
IONOS and CloudFerro are participating in pilot 4 of the EMERALD project to advance and integrate state-of-the-art cloud certification technologies tailored for sectors with stringent security demands, such as finance and healthcare. This initiative aims to solidify the IaaS and PaaS CSPs' position as leaders in secure cloud solutions, enhancing their offerings and demonstrating a commitment to innovation and security in a competitive market. The goal is to cater to the specific requirements of highly regulated industries, which will help attract new customers and retain existing ones.
The predominant challenges include the labour-intensive nature of compliance checks and the cumbersome integration of various systems. These methods not only strain resources but also lead to inefficiencies and a heightened risk of errors, potentially exposing CSPs to legal risks. Furthermore, the current systems do not support real-time compliance monitoring or provide comprehensive visibility across cloud services, which is crucial for swiftly adapting to new regulations. The absence of a unified platform for compliance management complicates transparent reporting and audit trails, which are vital for establishing trust with clients and regulatory authorities.
By addressing these challenges through pilot 4, IONOS and CloudFerro aim to enhance operational efficiency, compliance accuracy, and overall customer trust, aligning with the latest regulatory standards and technological advancements.
2.4.1.1.4 Cloud-Edge stack – OpenNebula
OpenNebula⁸ is a powerful European open-source platform to build and manage Enterprise Clouds, which provides unified management of IT infrastructure and applications, avoiding vendor lock-in and reducing complexity, resource consumption and operational costs. It combines virtualization and container technologies with multi-tenancy, automatic provision, and elasticity to offer on-demand applications and services. OpenNebula supports the deployment of hybrid and edge environments with infrastructure resources from different providers (e.g., AWS and Equinix Metal). Additional infrastructure providers can be integrated as long as Terraform⁹ Providers exist for them or are developed by the interested stakeholders. For this, a minimum set of functionalities will be defined, in order to guarantee correct interoperability with the rest of the EMERALD stack.
OpenNebula is widely used in enterprise datacentres, and also used by other companies to develop sector-specific, vertical products. All the modifications done in the context of the EMERALD project, therefore, would have an easy way into commercial products. Moreover, OpenNebula, as an open-source project, has a vast community of users that will also benefit from the outcomes of EMERALD. Through EMERALD, OpenNebula is going to incorporate new features into the OpenNebula platform to provide users and customers with innovative features for cybersecurity certification of multi-provider / hybrid cloud-edge environments.
2.4.1.2 Expected Benefits (after EMERALD)
The benefits expected from EMERALD are the following:
• Efficiency and availability to certify hybrid cloud-edge environments within the financial sector: As CXB advances into the integration of SaaS and IaaS with their current on-premise services, we look forward to ensuring an advanced and automated continuous compliance with the rigorous security frameworks required by financial regulations.
• Real-time Compliance Monitoring: We expect EMERALD to be capable of real-time compliance monitoring of the hybrid environments to meet high-level EUCS standards.
• Secure Integration of Services: With EMERALD, the integration of third-party cloud services can be more secure and agile than nowadays.
• Overcome Standardization Barriers: With EMERALD we expect to overcome the lack of standardization in cybersecurity certification across multi-provider environments, facilitating easier entry for specialized service providers.
• User-friendly UI: We expect that EMERALD’s UI/UX helps auditors and users that monitor the compliance levels and metrics, allowing a fluid understanding and tracking of the requirements and evidence as well as configurations and other relevant features.
⁸ https://opennebula.io/
⁹ https://developer.hashicorp.com/terraform/docs
2.4.2 Pilot Definition
This section covers the specifications (diagrams and summary) of the pilot definition.
2.4.2.1 General Pilot Diagram
Figure 11 represents the overall pilot 4 architecture, reflecting the involved EMERALD components, infrastructure, third-party cloud providers and the information flow. It will be analysed in Section 2.4.3 Integration Approach.
Figure 11. Overview of the pilot 4 infrastructure
2.4.2.2 Pilot Hybrid Cloud Deployment Workflow
For the pilot 4, OpenNebula will be used as a Cloud orchestrator, and the edge capabilities will be provided by the OneProvision module. Figure 12 shows some UML diagrams depicted in the documentation that are just a subset of OpenNebula capabilities relevant to the pilot 4 deployment. The module mainly permits the provision and management of remote edge nodes and clusters.

Figure 12. Pilot 4 use case diagram
The component diagram in Figure 13 is an overview of the OpenNebula modules involved in the pilot 4 and their interaction with the participating IaaS/PaaS CSPs.
Figure 13. Pilot 4 Component Diagram
The sequence diagram in Figure 14 shows the necessary steps to create a new CSP provision.
Figure 14. Sequence diagram between components of the pilot 4
OneProvision’s main role is the configuration of the external provider(s) that will be used in the pilot. At the moment of writing this report AWS and Equinix are the only supported providers. In this pilot IONOS and CloudFerro will be integrated as CSPs through new drivers over their current bare metal and networking services.
Once the provider has been created, a provision of an edge cluster will be instantiated. The parameters needed for an edge cluster provision will fix the amount of bare metal instances that will be created in the provider and the number of public IPs that will be used to access the remote edge clusters.
The provision of the Edge cluster is made using Terraform¹⁰ and Ansible¹¹ tools to create the edge cluster and configure it. Because of that, it will be added to the current OpenNebula managed pilot infrastructure.
After that, the following resources will be created locally to use in the edge cluster:
• System and Image datastores
• Virtual network template
• Pool of public cloud IPs
2.4.2.3 Hybrid Cloud Architecture Technical requirements
For the pilot 4, OpenNebula Community Edition frontend¹² will be deployed on an on-premise CaixaBank virtual server. There are some networking and security requirements around the multicloud planned environment. Figure 15 represents the main components involved in the deployment and the interaction with EMERALD components.
Figure 15. Block diagram
OpenNebula network requirements: a valid, authenticated endpoint to the Cloud Service Provider. This will enable the remote cluster deployment features that OpenNebula provides. Also, EMERALD Clouditor will need access to OpenNebula API in order to validate security policies. A valid AAA (Authentication, Authorization, and Accounting) policy will be defined in OpenNebula in order to provide the associated service providing the infrastructure required data.
¹⁰ https://developer.hashicorp.com/terraform/docs
¹¹ https://docs.ansible.com/
¹² https://docs.opennebula.io/6.8/intro_release_notes/release_notes_community/what_is.html
2.4.2.4 Security controls and measures
The approach for security controls and measures of pilot 4 is currently under development and will be presented in the following deliverables of WP5. The creation of the strategy has to consider the requirements and expectations of each pilot 4 partner.
2.4.2.5 Communication and workflow diagram
Figure 16 shows the communication diagram between the assets that OpenNebula provides. The CSP API to integrate the provision engine with IONOS and CloudFerro will be implemented during the project.
Figure 16. Communication between entities (1)
OpenNebula will, as well, implement the necessary API modification to provide Clouditor requirements for the validation of the required security policies, as shown in Figure 17.
Figure 17. Communication between entities (2)
2.4.2.6 Business-driven Requirements
Table 5 summarizes the business-driven requirements that describe the requirements of the pilot 4 towards the functionality of the EMERALD framework. The full information can be found in APPENDIX A: Business-driven requirements.
Table 5. Business-driven requirements of pilot 4
| ID | Name | Description |
|---|---|---|
| BDRP4.01 | Broad Usability & BYOCS (Bring Your Own Certification Scheme) | As CaixaBank, we want EMERALD to be able to analyse and check regulatory requirements from different security schemes, so that we can use our own security framework. |
| BDRP4.02 | Enhancing Efficiency and Functionality | As CaixaBank, we want EMERALD to pursue efficiency and functionality, so that the platform performs well and fluidly for the end-users. |
| BDRP4.03 | Ensuring Traceability of Certificates and Audits | As CaixaBank, we want EMERALD to ensure traceability for us as clients and users regarding our certificates and audits, so that we can fully understand and track every requirement and metric to its origin. |
| BDRP4.04 | User-Friendly Interface for All Employees | As CaixaBank, we want EMERALD to have an intuitive UI which is readable for everyone, so that all employees can use it and understand it without high-level skills on legal, compliance or cybersecurity. |
| BDRP4.05 | Integration with Internal Tools | As CaixaBank, we want EMERALD to be able to integrate with CXB internal evidence collector tools, so that we can reuse the components and infrastructure at place. |
| BDRP4.06 | Seamless Migration and Integration | As CaixaBank, we want EMERALD’s exploitation and migration to be as smooth as possible integrating all the current service audit/assessment functionalities and requirements, so that we can have an easy transition, increasing services audit/assessment efficiency, decreasing process time and automating initial reports. |
| BDRP4.07 | Documentation | As CaixaBank, we want EMERALD to have a full documentation about the components and the functionalities, so that we can fully understand the tool and components and ease the onboarding of new auditors and tool administrators. |
2.4.2.7 Pilot KPIs
The following KPIs describe the requirements of pilot 4 towards the functionality of the EMERALD framework.
    o Codyze and eknows will not be used to perform static code analysis to verify software compliance with security standards and certification schemes as it will be out of the pilot’s scope.
2.4.3.2.8 AI-SEC
• (How) will the component be used in the pilot?
    o AI-SEC will be used to analyse ML and AI models for robustness, explainability, and fairness.
• What are the expected benefits?
    o Holistic evidence collection for AI model evaluation.
    o Improved trust in AI models through comprehensive analysis.
    o Enhanced robustness and fairness of AI models.
• What are the component-specific requirements?
    o AI-SEC.01 - Selection of AI Criteria
    o AI-SEC.02 - Selection of AI model
    o AI-SEC.03 - Design the AI-SEC and test it with selected AI Model(s)
    o AI-SEC.04 - Analyse and define the evidence to be extracted
    o AI-SEC.05 - Decide and refine the approach to evidence extraction
• Where will it be hosted (EMERALD/pilot-specific)?
    o The component will be hosted on the EMERALD platform, deployed in CXB’s VM.
• Who should have access (roles/permissions) to which results of the component?
    o Auditor/CISO: Full access to all stored evidence and assessment results.
    o IT Team: Access to operational insights and compliance maintenance.
2.4.3.2.9 EMERALD UI
• (How) will the component be used in the pilot?
    o The EMERALD UI will be used to provide a reliable, explainable, and trustworthy interface for interacting with the EMERALD components.
• What are the expected benefits?
    o Improved user experience and usability.
    o Centralized access to all EMERALD tools and results.
    o Enhanced transparency and explainability for end-users.
• What are the component-specific requirements?
    o RCM.01 - Multi-schema support
    o RCM.02 - Accessible by the rest of components
    o AMOE.01 - Upload PDF document
    o AMOE.04 - Compare results from multiple documents
    o AMOE.05 - Select metrics per document
    o AMOE.06 - Classify document, select respective metrics (optional)
    o AMOE.07 - Metric states
    o TWS.01 - Provide integrity proof of evidence
    o TWS.02 - Provide integrity proof of assessment results
    o TWS.03 - Provide access through REST API or graphical interface
    o RCM.06 - Import/export of security schemes in CSV format
• Where will it be hosted (EMERALD/pilot-specific)?
    o The component will be hosted on the EMERALD platform, deployed in CXB’s VM.
• Who should have access (roles/permissions) to which results of the component?
    o Auditor/CISO: Full access to all stored evidence and assessment results.
    o IT Team: Access to operational insights and compliance maintenance.

2.4.3.2.10 Additional Pilot-specific tools
• (How) will the component be used in the Pilot?
    o Assessing the possibility to integrate existing evidence collector tools.
• What are the expected benefits?
    o Validate the interconnectivity of the EMERALD framework into CXB’s existing environment.
• What are the component-specific requirements?
    o TBD
• Where will it be hosted (EMERALD/pilot-specific)?
    o Pilot-specific infrastructure
• Who should have access (roles/permissions) to which results of the component?
    o TBD
3 Validation Plan
The validation plan is expected to cover several aspects of the EMERALD framework and of the individual pilots. Consequently, the plan is rather extensive. It will be executed by the pilots and supported by experts for the individual validation methodologies, as detailed in the specific sections below, and by the component owners of the EMERALD components.
To reduce the burden of validation activities in the pilots, a time plan was created, as shown in Figure 19. This plan can be adapted, considering that validation activities depend on the implementation of the EMERALD framework and different factors related to the pilot partners.
Figure 19. Validation time plan
The EMERALD framework has three releases (interim, intermediate, final) and respective deadlines for the validation plan, as documented by the milestones defined in the DoA [1]. These milestones will guide and structure the validation plan:
• MS3 (M18) First release of EMERALD integrated audit suite. First version of the EMERALD business models and plans, communication and dissemination report.
• MS4 (M20) Evaluation of the first release completed.
• MS6 (M30) Second release of EMERALD integrated audit suite
• MS7 (M32) Evaluation of the second release completed.
• MS8 (M34) Final release of EMERALD integrated audit suite.
• MS9 (M36) Evaluation of the final release completed.
To validate the EMERALD framework, the fulfilment of the business-driven requirements (BDR) of each pilot, as well as the EMERALD UI/UX have to be considered. Additionally, the pilot KPIs have to be tracked. To support and finalize the validation, the impact of the EMERALD framework on the different pilots will be monitored and analysed towards the end of the project. This includes forecasting the market impact of the solution through the Impact KPIs, assessing validity of the value statements, and measuring customer satisfaction. Through the Stage-Gate-Process, a “mini audit” will be conducted for each pilot to ensure that EMERALD facilitates the audit scenarios (KPI 8.1¹³).
The results of the validation activities need to be reported back to the technical partners to allow an iterative improvement of the framework. This can be achieved by presenting the results during the General Assemblies (GAs) and through structured documentation in the WP5 deliverables.
¹³ From DoA [1]: KPI 8.1 Facilitate at least two different audit scenarios, one for public clouds, one for private cloud installations
[Figure 19 chart: timeline from M9 to M36 (2024 to 2026) with rows for Milestones (R1, Val1, R2, Val2, R3, Val3), General Assemblies (GA), Deliverables (D5.1 to D5.6), Pilot Stage-Gate-Process (G1 to G6), Component Owner BDR tracking, Pilot User UX, Pilot Owner KPI analysis, Stakeholders value statement (UVP) and Stakeholders Net Promoter Score (NPS).]
In the following sections, the individual validation methodologies are described, including the goal of the validation approach, the expected timeline, the involved parties and the utilization and communication of the results.
Stage-Gate-Process
The progress of the pilots (Task 5.2 and Task 5.3) is driven by a Stage-Gate-Process¹⁴. The stage in a Stage-Gate process refers to a distinct phase within the project lifecycle in which specific tasks are performed and completed. The Stage-Gate process is divided into several stages, each ending with a "gate." At these gates, the progress of the project is reviewed, and relevant decisions are made to ensure its successful completion.
For EMERALD, the Stage-Gate-Process is defined below and shown in Figure 20. NIXU will be a gatekeeper for each of the gates and will provide the necessary support for the pilots to pass the gates. The use of the Stage-Gate-Process will demonstrate the validity of the developed tools and methodologies and provide valuable feedback to the component owners.
Figure 20. Stage-Gate-Process
3.1.1 Stage 1: Planning
Stage one of the Stage-Gate-Process ensures that the auditor and the CSP agree on a scope of the audit. The CSP selects a framework, controls, and representatives for the respective roles of the audit process. Additionally, the CSP and the auditor agree on a schedule for the audit.
• Compliance Manager tasks for the Planning Stage
    o The pilot nominates a Compliance Manager, who will be responsible for all further compliance tasks in the respective pilot of the Stage-Gate-Process.
    o The pilot defines a compliance framework that is to be pursued during the Stage-Gate-Process.
    o The pilot selects controls from the framework which should be considered for certification (scoping).
    o The pilot decides if continuous audit/certification is required or if the pilot prefers the audit to be a one-time-event.
    o The pilot prepares and presents a schedule for the audit.
    o The pilot performs an RFQ simulation. This means that the pilot will prepare a short request and the auditor will respond with a proposal.
    o The overall plan is approved by the pilots’ CISO.
• Auditor tasks for the Planning Stage
    o The auditor prepares a work effort estimation according to the defined scope.
• Gate
    o The plan for cloud compliance is ready (M10).
¹⁴ https://www.stage-gate.com/blog/the-stage-gate-model-an-overview/
3.1.2 Stage 2: EMERALD Setup
Stage two of the Stage-Gate-Process ensures that EMERALD is set up and ready for the audit of each pilot. The required metrics should be implemented at this point, and all necessary EMERALD evidence collection tools are operational.
• Compliance Manager tasks for the EMERALD Setup Stage
    o The cloud service is set up and running in a test environment.
    o The organizational and technical metrics are designed and implemented according to the planned scope.
    o The EMERALD tools are operational and collecting evidence according to the scope.
• Gate
    o The compliance monitoring is implemented (M25).
3.1.3 Stage 3: Preparation for Audit
Stage three of the Stage-Gate-Process ensures that both the CSP and the auditor are ready for the audit. To do so, the CSP has to review and communicate the scope of the audit, complete the self-assessment and share the documentation with the auditor. In the meantime, the auditor nominates a technical auditor and assesses the EMERALD tools and collected evidence.
• Compliance Manager tasks for the Preparation for Audit Stage
    o The scope of the audit is communicated to the auditor.
    o The self-assessment has been completed.
    o The organisational and process documentation is shared with the auditor.
• Auditor tasks for Preparation for Audit Stage
    o The lead auditor is nominated.
    o The technical auditor is nominated.
    o The validation of the EMERALD framework is performed. Before conducting the audit, an auditor assesses the EMERALD tools and evidence to be used for their trustworthiness and applicability.
• Gate
    o The audit preparations are ready (M26).
3.1.4 Stage 4: Audit
Stage four of the Stage-Gate-Process includes the organizational and technical audit, which requires the CSP to provide access to the monitoring tools to the auditors. The auditors review the evidence and refer to the CSP’s compliance manager for questions.
• Compliance Manager tasks for the Organizational Audit Stage
    o Access to the EMERALD compliance monitoring tools is given to the lead auditor.
    o The Compliance Manager is available for questions and has the necessary evidence available for the audit workshop.
• Auditor tasks for the Organizational Audit Stage
    o The documentation is reviewed.
    o Organizational controls are assessed according to the scope.
    o An audit workshop is completed with the Compliance Manager.
• Compliance Manager tasks for the Technical Audit Stage
    o Access to the EMERALD compliance monitoring is given to the technical auditor.
    o The Compliance Manager is available for questions and has the required evidence prepared for the audit workshop.
• Auditor tasks for the Technical Audit Stage
    o The implementation of the technical controls is assessed according to the scope.
    o The technical controls are evaluated for compliance.
• Gates
    o The organizational audit is completed. (M30)
    o The technical audit is completed. (M31)
3.1.5 Stage 5: Certification
Stage five of the Stage-Gate-Process concludes the audit by resulting in a certification. The auditors identify all non-compliances, communicate the findings and deliver an audit report to the Compliance Manager.
• Auditor tasks for the Certification Stage
    o The audit report is delivered to the Compliance Manager.
    o Non-compliant controls are identified.
    o All findings are communicated.
• Gate
    o The certification decision is done. (M34)
Impact analysis
The impact of the EMERALD framework will be assessed using two dimensions: the Unique Value Proposition (see Section 3.2.1), and the Net Promoter Score (see Section 3.2.2). Both dimensions will be measured using empirical questionnaires targeted to the pilots in M18, M30 and M34 (see Figure 19).
For the EMERALD project, scoring high in both dimensions will enhance the likelihood of achieving market impact in terms of customer engagements. In addition, the EMERALD Impact KPIs [1] (see APPENDIX B: KPIs and Impact KPIs) will first be measured with current tools to create baseline values (M14) and then re-measured using the EMERALD framework after each increment (M18, M30, M34). These KPI values can then be compared between the measurements. The expectation is that there will be an increase in efficiency that will contribute, for example, to cost savings.
The main stakeholders of the EMERALD project results are the auditors from the certification approval body, as well as Compliance Managers and CISOs of the pilot CSPs. The plan is to use the project members in respective roles to execute the validation plan.
3.2.1 Empirical questionnaire analysing the validity of the value statement
The value statement in a Lean Canvas, also known as the Unique Value Proposition (UVP), is a clear and concise statement that outlines the unique benefit or value that a product provides to its target customers. This statement differentiates the product from its competitors and explains why customers should choose it over other alternatives.
To create value statements for EMERALD, each component owner will be asked to create value statements for their own component. Some examples will be prepared to support the component owners. Subsequently, EMERALD stakeholders (see section 3.2) will be asked to evaluate if they agree with the statements on a 5-point LIKERT scale (Strongly disagree, Disagree, Neutral, Agree, Strongly agree).

The value statements of the individual components will be evaluated at each increment of the components (M18, M30, M34), to ensure timely feedback (see Figure 19). This allows the component owners to react immediately and work towards improving their score.
3.2.2 Empirical questionnaires analysing customer satisfaction
The Net Promoter Score (NPS)¹⁵ is a widely used market research metric that gauges customer loyalty and satisfaction. NPS serves as a concise measure of how likely customers are to recommend a company's products or services to others. NPS is based on the fundamental perspective that customers can be divided into three categories:
• Promoters: customers who are satisfied and will refer others (9-10)
• Passives: customers who are satisfied but are open to competitive offerings (7-8)
• Detractors: customers who are dissatisfied and generate negative word-of-mouth (0-6)
To assign a customer to a category, they are asked how likely they are to recommend the brand or product to a friend or colleague, on a scale from one to ten. Customers who have answered zero to six are considered Detractors, customers who have answered seven or eight are considered Passives and customers who have answered nine or ten are considered Promoters.
Each component owner is a subject of Net Promoter Score (NPS) measurement where stakeholders will answer how likely they will recommend the solution to a friend or colleague.
The NPS is calculated by subtracting the percentage of Detractors from the percentage of Promoters (% Promoters - % Detractors = NPS). The score is not expressed as a percentage but as an absolute number lying between -100 and +100. Customer satisfaction will be evaluated at each increment of the EMERALD framework (M18, M30, M34), as shown in Figure 19.
3.2.3 Impact KPI measurement
The expected impact will be measured using the impact KPIs (see APPENDIX B: KPIs and Impact KPIs), which were defined in the DoA [1]. Each pilot will perform a measurement of the impact KPI: a) with the currently used traditional/current methods/tools of reaching certification, and b) then again with EMERALD methods and tools at different points in time.
To guarantee a common approach towards the measurement of the impact KPIs, instructions for the measurement tasks, and tables for the tracking of values will be prepared. An example of this can be found in APPENDIX C: Impact KPI measurement example. It has to be considered that the example is still work in progress and prone to change. Each pilot owner will be asked to follow this measurement plan. It is foreseen that the instructions are aligned with the scenarios developed in WP4, to guarantee that they can be followed in the EMERALD UI for the measurement of the KPIs. Furthermore, the component owners will be required to support the pilot owners as needed if their component is directly or indirectly involved in the tasks.
Impact KPIs will be measured at each increment of the EMERALD development (M18, M30, M34), as well as in M14, to achieve a baseline value (see Figure 19). The KPIs in M14 are measured without using the EMERALD framework. As a result, the measurement of these KPIs should be adapted to the needs of each pilot, while still following the instructions of subsequent measurements as closely as possible.
¹⁵ https://www.netpromoter.com/know/
The pilots will then analyse the collected impact KPI measurements. If the impact KPI target could not be achieved for one or more pilot owners, the pilot owners will provide feedback to the component owners.
Pilot KPI analysis
Pilot KPIs were elicited by the individual pilots in Task 5.1. They are presented in the respective section “Pilot KPIs” of each pilot in Section 2. To track and analyse these KPIs, each pilot should measure the initial KPIs with current audit processes and methods at the beginning of the project. After every release of the EMERALD Framework (M18, M30, M34) the KPIs should be measured again, using the current version of the EMERALD tools. The initial measurement can then be compared to the final measurement in M34, while the measurements of M18 and M30 can be used to recognize and counteract any deviations (see Figure 21).
Figure 21. Pilot KPI analysis
As each pilot has different KPIs and even similar KPIs will be measured differently by the individual pilots, the purpose of these KPIs is to show how the individual pilots can benefit from the use of EMERALD, not to compare the different pilots. The KPIs will be measured by each pilot owner. The improvement between measurements can then be reported in absolute or relative numbers, depending on the pilots’ preferences and security guidelines.
To ensure that the component owners have all relevant information to consider the KPIs during component implementation, pilot owners will evaluate whether the KPIs are represented in the technical requirements or whether the pilot owners still need to create technical requirements in WP1.
Fulfilment tracking of business-driven requirements
The business-driven requirements were elicited by the individual pilots in Task 5.1. They are presented in the respective section “Business-driven requirements” of each pilot in Section 2. The business-driven requirements have to be implemented in the respective components. To ensure the technical feasibility of the implementation and to assign the correct component owners, the business-driven requirements were reviewed in collaboration with WP1 and then translated into or mapped to one or more technical requirements of each relevant component (see Figure 22). Each technical requirement has a field “validation criteria” which has to be reviewed by the pilot owners. This helps to ensure that the technical requirement fulfils the expectations of the pilots regarding the business-driven requirement.
Figure 22. Translation of requirements to implementation
To track the implementation of the respective technical requirements, business-driven
requirements will be reviewed at or around the time of a General Assembly (see Figure 19),
where each owner of a technical requirement related to a business-driven requirement will be
asked to give a short, written statement on the implementation, feasibility and any issues arising
in relation to the technical requirement. If necessary, the technical requirement may be changed
to guarantee a satisfactory implementation for the pilots (see Figure 23). This will be
documented and reported in each of the following WP5 deliverables.
Figure 23. Fulfilment tracking of business-driven requirements
UX Validation
The goal of the UX validation is to ensure an easy-to-use interface for the EMERALD users, which
supports transparency regarding the EMERALD algorithms, and to reinforce the user centric
approach. As a result, the main focus of the UX validation is to provide feedback on the concept
and implementation of the user interface (usability & transparency) and on the EMERALD
components (transparency & functionality).
This feedback has to be provided in time to allow for relevant changes in the user interface
concept and the components. To enable an iterative development of the user interface and its
concept, the UX validation has two iterations. The first iteration is planned for the beginning of
the second year of the project, and the second for the beginning of the third year. After each
iteration, how to improve the usability and transparency of the user interface should be
evaluated, based on the results, in a collaborative effort between WP4 and WP5. While the
second iteration will be conducted using the already implemented EMERALD user interface, the
first iteration will be based on the mock-ups created in WP4.
For the UX validation a mixed methods approach will be applied: Thinking Aloud [2], System
Usability Scale (SUS) [3], and a concluding interview. These methods are described below. For
each iteration, the pilot partners are asked to provide participants for the UX validation. These
participants should work as one of the EMERALD roles, so that input from relevant sources can
be collected.
An iteration of the UX validation is expected to take between one and two hours per participant,
depending on the extent of the to-be-developed user interface. It is envisaged that the UX
validation will be conducted through team calls. The meeting will start with a short introduction
briefing participants about EMERALD and the upcoming session. For this purpose, a participation
information sheet, a consent form and a data protection sheet will be prepared. This will be
followed by the think-aloud user test, followed by the SUS questionnaire. The UX validation will
conclude with a short interview, in which the participant will have the opportunity to share their
final thoughts on the UI and the EMERALD framework.
3.5.1 Thinking Aloud
Thinking aloud is a usability testing method where participants are asked to use the designed
system, while continuously voicing their thoughts on the experience. To ensure that all relevant
user interface features are tested and that the results are comparable, the tasks to be performed
during the test are prepared.
For the UX validation of EMERALD, participants will receive tasks based on the workflows
prepared by WP4. At this stage, the UI concept is under development, so it is not possible to
predict how the UI can be best used. The WP4 workflows will describe how a user should use
EMERALD and are therefore the optimal basis for these tasks. Participants will be asked to
perform the tasks and to continuously voice their thoughts. Meanwhile, EMERALD UX experts
will record the session and take additional notes. The experts will remind the participants to
continue their monologue, if necessary, but will not otherwise interfere during the session.
After the sessions, the recordings and notes will be reviewed, and the insights documented. The
summarized results will then be discussed with WP4 to provide feedback for the development
of the user interface. The evaluation will focus not only on the usability of the user interface, but
also on the transparency of the overall EMERALD framework, as perceived through the user
interface.
3.5.2 System Usability Scale
The System Usability Scale (SUS) [3] is a questionnaire consisting of 10 items that are rated on a
5-point Likert scale (from strongly disagree (1) to strongly agree (5)) to measure the subjective
experience of the usability of a system. It is used after participants have used the system but
before any discussion regarding the system has happened. The results of the SUS can then be
used to compare the usability of a system to similar systems and to compare different iterations
of the same UI. The SUS was translated to several languages. To guarantee consistent results,
the original version by John Brooke [3] in English will be used:
1. I think that I would like to use this system frequently
2. I found the system unnecessarily complex
3. I thought the system was easy to use
4. I think that I would need the support of a technical person to be able to use this system
5. I found the various functions in this system were well integrated
6. I thought there was too much inconsistency in this system
7. I would imagine that most people would learn to use this system very quickly
8. I found the system very cumbersome to use
Source: Pilots
Type: Pilots
Related KR: KR1_Extract
Related KPI: KPI 1.1
Validation acceptance criteria: Reduction in compliance gaps identified during audits compared to baseline

Requirement ID: BDRP1.06
Short title: Ensure Software Compliance through Static Code Analysis
Description: As IONOS pilot 1, we need a static code analysis tool that integrates into our CI/CD pipeline to verify compliance before deployment, ensuring that any compliance issues are caught and resolved early in the development process
Status: Proposal
Priority: Must
Components: CODYZE
Source: Pilots
Type: Pilots
Related KR: KR1_Extract
Related KPI: KPI 1.1
Validation acceptance criteria: Static code analysis detects more compliance issues pre-deployment than current tools.

Requirement ID: BDRP1.07
Short title: Intuitive User Experience for Compliance Monitoring
Description: As IONOS pilot 1, we want a user-friendly interface that allows to monitor compliance status across various cloud services easily, so that we can make quick decisions based on real-time data and effectively communicate compliance status to stakeholders.
Status: Proposal
Priority: Must
Components: EMERALD UI/UX
Source: Pilots
Type: Pilots
Related KR: KR6_EMERALD UI/UX
Related KPI: KPI 6.3, KPI 6.4
Validation acceptance criteria: User satisfaction with the new UI/UX is rated higher in user surveys
Requirement ID: BDRP2.01
Short title: OpenStack
Description: As CloudFerro, I want EMERALD to be able to gather evidence collection about resources from OpenStack (including Magnum for PaaS), so that we can use it.
Status: Proposed
Priority: Must
Components: See GitLab
Source: Pilots
Type: Pilots
Related KR: KR8
Related KPI: KPI 8.1
Validation acceptance criteria: EMERALD can be fully used with OpenStack.

Requirement ID: BDRP2.02
Short title: Reusable Metrics & Requirements
Description: As CloudFerro, I want that a requirement or metric which was already implemented can be reused, so that the audit time can be decreased.
Status: Proposed
Priority: Must
Components: EMERALD UI, RCM
Source: Pilots
Type: Pilots
Related KR: KR4
Related KPI: KPI 4.1
Validation acceptance criteria: After a user has set up a metric or requirement, this metric or requirement can be reused to measure the same thing in a different security certification scheme.

Requirement ID: BDRP2.03
Short title: Transparency increase
Description: As CloudFerro, I want that EMERALD increases transparency to our clients and users about our certificates and audits, so that we can ensure to our clients that our services are secured properly.
Status: Proposed
Priority: Should
Components: TWS, Clouditor-Orchestrator
Source: Pilots
Type: Pilots
Related KR: KR7
Related KPI: KPI 7.1
Validation acceptance criteria: It has to be easy to understand for users how and why the audit results were reached. It has to be easy to understand for users, which certificates are issued.

Requirement ID: BDRP2.04
Short title: Intuitive UI
Description: As CloudFerro, I want that EMERALD has an intuitive UI which is readable for everyone, so that even non-technical employees like compliance managers can use it without problem.
Status: Proposed
Priority: Should
Components: EMERALD UI
Source: Pilots
Type: Pilots
Related KR: KR6
Related KPI: KPI 6.2, KPI 6.3
Validation acceptance criteria: A non-technical employee, like a compliance manager, can successfully use the UI without technical support.

Requirement ID: BDRP2.05
Short title: Security Schemes
Description: As CloudFerro, I want EMERALD tools to certify BSI-C5 (must), ISO 27001 (could), BSI 200-1 (could), so that EMERALD can support us with certificates we already use.
Status: Proposed
Priority: Must
Components: RCM
Source: Pilots
Type: Pilots
Related KR: KR4, KR7
Related KPI: KPI 4.1
Validation acceptance criteria: -

Requirement ID: BDRP3.01
Short title: UI/UX Concept
Description: As Fabasoft pilot 3, we want a well-crafted UI/UX concept, so that our users perceive EMERALD as an intuitive audit solution.
Status: Proposed
Priority: Must
Components: EMERALDUI, Clouditor-Orchestrator
Source: Pilots
Type: Pilots
Related KR: KR6_EMERALD UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: A complete UI/UX concept is available which can be used to craft the User Interface of EMERALD. For better understanding, UI/UX concept is clearly explained and can be used without support.

Requirement ID: BDRP3.02
Short title: AI Guideline
Description: As Fabasoft pilot 3, we want to be educated on areas of application of AI in certification-as-a-service environments with the help of EMERALD’s well-structured AI guidelines, so that we can reproduce this in future use cases.
Status: Proposed
Priority: Must
Components: AI-SEC
Source: Pilots
Type: Pilots
Related KR: KR5_AIPOC
Related KPI: KPI 5.1, KPI 5.2
Validation acceptance criteria: A well-structured AI guideline is available which can also be used for future use cases. The guideline educates on areas of application of AI in certification-as-a-service environments.

Requirement ID: BDRP3.03
Short title: Integration of Internal evidence collection tools
Description: As Fabasoft pilot 3, we want to integrate our internal evidence collection tools (e.g., Fabasoft app.telemetry), so that we can use and reuse the extracted evidence in the CaaS and exploit the opportunity to have our tool as a valid evidence extractor.
Status: Proposed
Priority: Must
Components: Clouditor-EvidenceStore
Source: Pilots
Type: Pilots
Related KR: KR1_EXTRACT, KR2_CERTGRAPH
Related KPI: KPI 1.1, KPI 2.1
Validation acceptance criteria: It is possible to use internal evidence collection tools as valid evidence extractors. The collected evidence through the internal evidence collector can be used and reused in EMERALD.

Requirement ID: BDRP3.04
Short title: Reusable Metrics
Description: As Fabasoft pilot 3, we want to use EMERALD’s reusable metrics, so that the audit process is simplified.
Status: Proposed
Priority: Must
Components: RCM, EMERALDUI
Source: Pilots
Type: Pilots
Related KR: KR4_MULTICERT
Related KPI: KPI 4.1
Validation acceptance criteria: After a user has set up a metric, this metric can be reused to measure the same thing in a different security certification scheme. This metric is suggested to the user, when the second certification scheme is looked at, so that the user does not have to remember that this metric exists and measures the relevant information already.

Requirement ID: BDRP3.05
Short title: Security Schemes pilot 3
Description: As Fabasoft pilot 3, we want to manage Fabasoft’s audit (BSIC5 (must), EUCS (must), AIC4 (must)) through the application of EMERALD, so that resource consumption is minimized.
Status: Proposed
Priority: Must
Components: Clouditor-Assessment, EMERALDUI, RCM
Source: Pilots
Type: Pilots
Related KR: KR4_MULTICERT, KR7_INTEROP
Related KPI: KPI 4.1
Validation acceptance criteria: The BSI C5 audit is supported by EMERALD’s tools and processes.

Requirement ID: BDRP3.06
Short title: Custom set of requirements
Description: As Fabasoft pilot 3, we want to manage an audit process based on an individual set of requirements – e.g., originating from a cloud customer as planned in pilot 4,
so that Fabasoft is able to address specific cloud customer needs as seen in the financial sector.
Status: Proposed
Priority: Must
Components: EMERALDUI, RCM
Source: Pilots
Type: Pilots
Related KR: KR3_OPTIMA, KR4_MULTICERT, KR6_EMERALD UI/UX, KR7_INTEROP
Related KPI: KPI 3.2, KPI 3.3, KPI 4.1, KPI 6.2, KPI 7.1, KPI 7.2
Validation acceptance criteria: It is possible to create a custom set of requirements in a custom collection. It is possible to publish this collection. It is possible for other CSPs to assign this collection to them and to publish the results of the audit to the issuer of this collection (or to another party).

Requirement ID: BDRP3.07
Short title: Enhance current audit process
Description: As Fabasoft pilot 3, we want to understand how we could transfer our current audit process to EMERALD and enhance them by this change, so that we understand the benefits of EMERALD and estimate any efficiency increase.
Status: Proposed
Priority: Should
Components: EMERALDUI
Source: Pilots
Type: Pilots
Related KR: KR6_EMERALD UI/UX
Related KPI: KPI 6.1, KPI 6.2, KPI 6.3
Validation acceptance criteria: There is a workflow or similar which describes how the current audit process can be transferred to EMERALD. The UI supports the User through this workflow.

Requirement ID: BDRP3.08
Short title: Audit Transparency
Description: As Fabasoft pilot 3, we want to utilize EMERALD functionality, so that the audit transparency is increased.
Status: Proposed
Priority: Should
Components: Clouditor-Assessment, Clouditor-Orchestrator, TWS
Source: Pilots
Type: Pilots
Related KR: KR7_INTEROP
Related KPI: KPI 7.1
Validation acceptance criteria: It has to be easy to understand for users how and why the audit results were reached

Requirement ID: BDRP3.09
Short title: Manual Controls
Description: As Fabasoft pilot 3, we want EMERALD to have a strategy on how manual controls can be included in an automated audit (e.g., in the UI), so that a complete audit can be supported by EMERALD.
Status: Proposed
Priority: Should
Components: EMERALDUI, Clouditor-Assessment, Clouditor-EvidenceStore, Clouditor-Orchestrator
Source: Pilots
Type: Pilots
Related KR: KR8_PILOTS, KR2_CERTGRAPH, KR4_MULTICERT
Related KPI: KPI 8.1
Validation acceptance criteria: It is not necessary for CSPs to use multiple Systems for their audit processes. EMERALD supports the automated controls, but also allows the management of controls which have to be done manually (documentation, communication w. auditor, setting of appropriate status...).

Requirement ID: BDRP3.10
Short title: Safe security scheme updates
Description: As Fabasoft pilot 3, we want to be aware if there is a relevant update in a security scheme we use and we want to be able to safely transfer to the new version, so that we do not lose our certification or my data when we choose to update the scheme.
Status: Proposed
Priority: Should
Components: RCM, Clouditor-Orchestrator
Source: Pilots
Type: Pilots
Related KR: KR7_INTEROP
Related KPI: KPI 7.2
Validation acceptance criteria: User gets information when the security scheme needs to be updated. User can choose when to do it and user can do it in a way where they will not temporarily lose the certification

Requirement ID: BDRP3.11
Short title: Checks of policy documents
Description: As Fabasoft pilot 3, we would like to see if the policy document is containing the relevant information according to the requirements, so that we can be sure all organisational requirements are covered, and we do not have to search the document manually.
Status: Proposed
Priority: Must
Components: AMOE, EMERALDUI
Source: Pilots
Type: Pilots
Related KR: KR1_Extract, KR6_EMERALD UI/UX
Related KPI: KPI 1.1, KPI 6.3
Validation acceptance criteria: The user shall upload a document and is able to see how many requirements x/y are done. Also, the user shall be able to view which parts are ok / not ok. The user shall see if a document is providing relevant evidence when looking at a certain metric.

Requirement ID: BDRP3.12
Short title: Use of standard for export/import
Description: As Fabasoft pilot 3, we want to be able to use a known standard for the export and import of information from and to the EMERALD framework, so that this is easily possible where needed.
Status: Proposed
Priority: Should
Components: RCM, EMERALDUI
Source: Pilots
Type: Pilots
Related KR: KR7_INTEROP
Related KPI: KPI 7.1
Validation acceptance criteria: Information can be imported and exported from EMERALD using a known standard.

Requirement ID: BDRP4.01
Short title: Capacity to be able to identify any type of certification schema within the scope of the project
Description: As CaixaBank, we want EMERALD to be able to analyse and check regulatory requirements from different security schemes, so that we can use our own security framework.
Status: Proposed
Priority: Must
Components: AMOE; RCM
Source: Pilots
Type: Pilots
Related KR: KR4_MULTICERT; KR7_INTEROP
Related KPI: KPI 4.1, KPI 4.2, KPI 7.1, KPI 7.2
Validation acceptance criteria: In order to validate this requirement, EMERALD must be able to identify and analyse any certification schema within the project's scope, allowing CaixaBank to use its own security framework. Testing EMERALD’s components to ensure they can accurately interpret and check regulatory requirements from various security schemes, meeting all defined acceptance criteria.

Requirement ID: BDRP4.02
Short title: Ensure EMERALD platform delivers high efficiency and smooth functionality for optimal end-user performance.
Description: As CaixaBank, we want that EMERALD pursues efficiency and functionality, so that the platform performs well and fluidly for the end-users.
Status: Proposed
Priority: Must
Components: AI-SEC; AMOE; Clouditor-Orchestrator; Codyze; eknows; EMERALDUI; Clouditor-EvidenceStore; RCM; RMA; TWS
Source: Pilots
Type: Pilots
Related KR: KR6_EMERALD UI/UX; KR7_INTEROP; KR8_PILOTS
Related KPI: KPI 6.1, KPI 6.2, KPI 6.3, KPI 7.1, KPI 7.2, KPI 8.2
Validation acceptance criteria: To validate this requirement the platform must respond to user actions within few seconds for all interactions. The initial load time of the platform should not exceed normal timing on a standard broadband connection. Finally, the platform should maintain performance benchmarks under peak load conditions.

Requirement ID: BDRP4.03
Short title: Ensure EMERALD provides complete traceability of certificates and audits, enabling full tracking of requirements and metrics to their origin.
Description: As CaixaBank, we want that EMERALD ensures traceability to us as clients and users regarding our certificates and audits, so that we can fully understand and track every requirement and metric to its origin.
Status: Proposed
Priority: Must
Components: Clouditor-Orchestrator; Clouditor-Assessment; TWS
Source: Pilots
Type: Pilots
Related KR: KR7_INTEROP; KR8_PILOTS
Related KPI: KPI 7.1, KPI 7.2, KPI 8.2
Validation acceptance criteria: EMERALD must provide complete traceability of certificates and audits, enabling users to understand the automated decisions and rules used by the AI models. Users should be able to replicate all the steps taken by the EMERALD tool. The validation could include testing Clouditor-Orchestrator, Clouditor-Assessment, and TWS components to ensure that every requirement and metric can be tracked to its origin, and all decision-making processes are transparent and reproducible, with documented results meeting the acceptance criteria.

Requirement ID: BDRP4.04
Short title: Enable EMERALD with a user-friendly interface, ensuring all employees can navigate and comprehend it without highly-specialized knowledge.
Description: As CaixaBank, we want that EMERALD has an intuitive UI which is readable for everyone, so that all employees can use it and understand it without high-level skills on legal, compliance or cybersecurity.
Status: Proposed
Priority: Should
Components: EMERALD-UI
Source: Pilots
Type: Pilots
Related KR: KR6_EMERALD UI/UX
Related KPI: KPI 6.2, KPI 6.3
Validation acceptance criteria: To validate this requirement, we propose that employees can navigate and understand without specialized knowledge in legal, compliance, or cybersecurity. Validation includes usability testing with a diverse group of employees, ensuring the UI is intuitive and accessible, with positive feedback on ease of use and comprehension, meeting all defined acceptance criteria and documenting the results.

Requirement ID: BDRP4.05
Short title: Ensure that EMERALD's components are able to integrate with CXB's internal evidence collector tools, allowing reuse of existing components and infrastructure such as endpoint agents.
Description: As CaixaBank, we want EMERALD to be able to integrate with CXB internal evidence collector tools, so that we can reuse the components and infrastructure at place.
Status: Proposed
Priority: Must
Components: Clouditor-Evidence Store; Clouditor-Orchestrator
Source: Pilots
Type: Pilots
Related KR: KR1_EXTRACT