| CAIQ Item & Title | Question | Imp? | Answer |
|---|
| AIS = Application & Interface Security |
| 1. AIS-06.2 - Automated Secure Application Deployment | Is the deployment and integration of application code automated where possible?
| Y | We installed Consul using automated CI/CD for repeatability.
|
| BCR = Business Continuing Management & Operational Resilience |
| 2. BCR-08.1 - Backup | Is cloud data periodically backed up?
| Y | A Consul Enterprise feature is used to automatically back up snapshots of data in Consul, even what's in memory.
|
| 3. BCR-08.2 - Backup | Is the confidentiality, integrity, and availability of backup data ensured?
| Y | Snapshots of Consul data are encrypted and transferred to a separate cloud account which the account used for write cannot delete.
|
| 4. BCR-08.3 - Backup | Can backups be restored appropriately for resiliency?
| Y | Restore of Consul snapshots from backup is tested during the implementation.
|
| 5. BCR-11.1 - Equipment Redundancy | Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards?
| Y | We configure each Consul datacenter to use 5 nodes over 3 AZs so that Consul's Gossip protocol can automatically recognize and reallocate work if up to two nodes fail.
|
| CCC = Change Control & Configuration Management |
| 6. CCC-03.1 - Change Management Technology | Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)?
| Y | The publisher of Consul, HashiCorp, publishes its CAIQ and SOC2 attestations at ____
|
| CEK = Cryptography, Encryption, and Key Management |
| 7. CEK-12.1 - Key Rotation | Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements?
| Y | ACL Tokens used in Consul are rotated using HashiCorp Enterprise Vault. See https://learn.hashicorp.com/tutorials/consul/vault-consul-secrets
|
| 8. CEK-13.1 - Key Revocation | Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions?
| Y | The CRL to our implementation of Consul is managed by HashiCorp Vault.
|
| 9. CEK-21.1 - Key Inventory Management | Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirements provisions?
| Y | We use Consul to maintain a Service Registry which tracks each service and other services it can communicate with (as Intentions) and what permissions (as ACLs).
|
| DCS = Datacenter Security |
| 10. DCS-15.1 - Equipment Location | Is business-critical equipment segregated from locations subject to a high probability of environmental risk events?
| Y | We installed Enterprise Consul in the cloud region appropriate to the data laws of each country. For example, sensitive data of German citizens are stored in servers in a region in Germany.
|
| DSP = Data Security & Privacy Lifecycle Management |
| 11. DSP-01.1 - Security and Privacy Policy and Procedures | Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level?
| Y | For Consul, see the Implementation Guide and Impact Assessment
|
| 12. DSP-08.2 - Data Privacy by Design and Default | Are systems' privacy settings configured by default and according to all applicable laws and regulations?
| Y | Consul works with internal services info, not customer data.
|
| GRC = Governance, Risk Management, and Compliance |
| 13. GRC-06.1 - Governance Responsibility Model | Are roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs defined and documented?
| Y | The initial assessment of Consul includes identification of persona and stakeholders.
|
| HRS = Human Resources |
| 14. HRS-02.2 - Acceptable Use of Technology Policy and Procedures | Are the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets reviewed and updated at least annually?
| Y |
|
| 15. HRS-03.2 - Clean Desk Policy and Procedures | Are policies and procedures requiring unattended workspaces to conceal confidential data reviewed and updated at least annually?
| Y |
|
| 16. HRS-04.2 - Remote and Home Working Policy and Procedures | Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations reviewed and updated at least annually?
| Y |
|
| IAM = Identity & Access Management |
| 17. IAM-06.1 - User Access Provisioning | Is a user access provisioning process defined and implemented which authorizes, records, and communicates data and assets access changes?
| Y | Because Consul is configured to continuously use Health Checks, Consul is able to only route traffic to healthy app services.
|
| 18. IAM-12.1 - Safeguard Logs Integrity | Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated?
| Y | Yes
|
| 19. IAM-13.1 - Uniquely Identifiable Users | Are processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) defined, implemented, and evaluated?
| Y | We use Consul to control routing of traffic among apps based on Intentions and ACL (Access Control List) in the Consul KV (Key Value) store. Intentions determine the identities which an app may communicate with. ACLs determine whether specific permissions (such a Read, Write) are allowed or denied.
|
| IPY = Interoperability & Portability |
| 20. IPY-01.1 - Interoperability and Portability Policy and Procedures | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs)?
| Y | The Consul Global Service Mesh enables communication among services from inside Kubernetes out to Databases, VM instances, Serverless, etc.
|
| 21. IPY-01.3 - Interoperability and Portability Policy and Procedures | Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for application development portability?
| Y | Consul is designed to operate using legacy and modern operating systems on mult-platforms within multiple regions on multiple clouds.
|
| 22. IPY-02.1 - Application Interface Availability | Are CSCs able to programmatically retrieve their data via an application interface(s) to enable interoperability and portability?
| Y | Consul agents provide a clicable user interface as well as CLI and API.
|
| IVS = Infrastructure & Virtualization Security |
| 23. IVS-02.1 - Capacity and Resource Planning | Is resource availability, quality, and capacity planned and monitored in a way that delivers required system performance, as determined by the business?
| Y | Performance evaluation is part of the Reliability Plan of the Consul Aceleration Program.
|
| 24. IVS-03.1 - Network Security | Are communications between environments monitored?
| Y | We configure Consul to emit a logs of each communication.
|
| 25. IVS-03.2 - Network Security | Are communications between environments encrypted?
| Y | We installed Enterprise Consul to use a Consul Network Mesh to provide mTLS (Mutual TLS) communicatons between app services and also with services (through a Gateway) on a wide variety of services
|
| 26. IVS-03.3 - Network Security | Are communications between environments restricted to only authenticated and authorized connections, as justified by the business?
| Y | We installed Enterprise Consul to ensure that communicatons between app services are authenticated based on the cryptographic identity of sender and receiver.
|
| 27. IVS-04.1 - OS Hardening and Base Controls | Is every host and guest OS, hypervisor, or infrastructure control plane hardened (according to their respective best practices) and supported by technical controls as part of a security baseline?
| Y | We configure each service to route traffic through the Consul agent so only authorized ports are used with the authorization.
|
| 28. IVS-07.1 - Migration to Cloud Environments | Are secure and encrypted communication channels including only up-to-date and approved protocols used when migrating servers, services, applications, or data to cloud environments?
| Y | Yes
|
| 29. IVS-08.1 - Network Architecture Documentation | Are high-risk environments identified and documented?
| Y | This is identified during part of the Consul Acellerator Program.
|
| 30. IVS-09.1 - Network Defense | Are processes, procedures, and defense-in-depth techniques defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks?
| Y | We configure Consul to use the "consul-terraform-sync" (CTS) module broadcast changes recognized which can be used to update Terraform code dynamically for automatic resources reconfiguration -- This decreases the possibility of human error in manually editing configuration files and decreases time to propagate configuration changes to networks.
|
| LOG = Logging and Monitoring |
| 31. LOG-02.1 - Audit Logs Protection | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure audit log security and retention?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 32. LOG-03.1 - Security Monitoring and Alerting | Are security-related events identified and monitored within applications and the underlying infrastructure?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 33. LOG-03.2 - Security Monitoring and Alerting | Is a system defined and implemented to generate alerts to responsible stakeholders based on security events and their corresponding metrics?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 34. LOG-04.1 - Audit Logs Access and Accountability | Is access to audit logs restricted to authorized personnel, and are records maintained to provide unique access accountability?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 35. LOG-05.1 - Audit Logs Monitoring and Response | Are security audit logs monitored to detect activity outside of typical or expected patterns?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 36. LOG-05.2 - Audit Logs Monitoring and Response | Is a process established and followed to review and take appropriate and timely actions on detected anomalies?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 37. LOG-06.1 - Clock Synchronization | Is a reliable time source being used across all relevant information processing systems?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 38. LOG-07.1 - Logging Scope | Are logging requirements for information meta/data system events established, documented, and implemented?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 39. LOG-07.2 - Logging Scope | Is the scope reviewed and updated at least annually, or whenever there is a change in the threat environment?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 40. LOG-08.1 - Log Records | Are audit records generated, and do they contain relevant security information?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 41. LOG-09.1 - Log Protection | Does the information system protect audit records from unauthorized access, modification, and deletion?
| Y | Snapshots of Consul data are encrypted and transferred to a separate cloud account which the account used for write cannot delete.
|
| 42. LOG-10.1 - Encryption Monitoring and Reporting | Are monitoring and internal reporting capabilities established to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 43. LOG-11.1 - Transaction/Activity Logging | Are key lifecycle management events logged and monitored to enable auditing and reporting on cryptographic keys' usage?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 44. LOG-13.2 - Failures and Anomalies Reporting | Are accountable parties immediately notified about anomalies and failures?
| Y | QUESTION: When ACL is turned off, the SOC is notified
|
| SEF = Security Incident Management, E-Discovery, and Cloud Forensics |
| 45. SEF-01.1 - Security Incident Management Policy and Procedures | Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 46. SEF-01.2 - Security Incident Management Policy and Procedures | Are policies and procedures reviewed and updated annually?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 47. SEF-02.1 - Service Management Policy and Procedures | Are policies and procedures for timely management of security incidents established, documented, approved, communicated, applied, evaluated, and maintained?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 48. SEF-02.2 - Service Management Policy and Procedures | Are policies and procedures for timely management of security incidents reviewed and updated at least annually?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| 49. SEF-03.1 - Incident Response Plans | Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained?
| Y | This is conducted while following the Adoption Plan defined during the Consul Accelerator Program.
|
| UEM = Universal Endpoint Management |
| 50. UEM-04.1 - Endpoint Inventory | Is an inventory of all endpoints used and maintained to store and access company data?
| Y | We installed Consul to maintain a Service Catalog which associates identities with each IP address used.
|
| 51. UEM-07.1 - Operating Systems | Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process?
| Y | We installed Consul Enterprise to automatically upgrade agent versions at the same time (by creating new instances and switching en masse), to avoid issues of partial implementations.
|
<– 262 rows read, 14 categories, 51 rows printed. –>
