Wilson Mar bio photo

Wilson Mar

Hello!

Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

A single set of questions about security controls that all cloud vendors use to present a description of their controls to SOC2, ISO 27000, FedRamp auditors

US (English)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

One Q&A to Answer Them All

Cloud providers make use of the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) v4 which they make avaialable in CSA’s Registry.

The spreadsheet of answers from various cloud providers incorporate CSA’s Cloud Controls Matrix (CCM) of each control expressed as a task.

Answer spreadsheets from notable cloud providers:

  • PDF: ESRI’s answers references both SOC2, ISO 27001:2018, and FedRamp 880-53.
  • PDF: Amazon’s answers
  • https://cloudsecurityalliance.org/star/registry/microsoft/
  • https://www.oracle.com/a/ocom/docs/oci-corporate-caiq.pdf
  • https://services.google.com/fh/files/misc/sep_2021_caiq_self_assessment.pdf
  • https://cloudsecurityalliance.org/star/registry/atlassian/services/jira-and-confluence-cloud/

Why CAIQ for vendor analysis vs. other questionnaires? The CCM aligns itself with over 40 of the leading standards and regulations, it basically eliminates the need for any other questionnaire.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

Categories

There are both full and lite editions of CAIQ.

The full CAIQ v4.0.1 has 261 questions in 17 control categories:

  1. A%A = Audit Assurance & Compliance
  2. AIS = Application & Interface Security
  3. BCR = Business Continuing Management & Operational Resilience
  4. CCC = Change Control & Configuration Management
  5. CEK = Cryptography, Encryption, and Key Management
  6. DCS = Datacenter Security
  7. DSP = Data Security & Privacy Lifecycle Management
  8. GRC = Governance, Risk Management, and Compliance
  9. HRS = Human Resources
  10. IAM = Identity & Access Management
  11. IPY = Interoperability & Portability
  12. IVS = Infrastructure & Virtualization Security
  13. LOG = Logging and Monitoring
  14. SEF = Security Incident Management, E-Discovery, and Cloud Forensics
  15. STA = Supply Chain Management, Transparancy, and Accountability
  16. TVM = Threat and Vulnerability Management
  17. UEM = Universal Endpoint Management

Click any of the three-letter codes to go to the list of questions for it.


Control ID Groupings

Each question is associate with a title, which can be shared with other questions.

For example, “A&A-01.1” and “A&A-01.2” share the title “Audit and Assurance Policy and Procedures” and the Control ID “A&A-01”.

Each Control ID is associated with a title, CCM control, and a Metric.

Ref. to ISO & FedRamp

Each title/CCM control in PDF: ESRI’s answers references both ISO 27001:2018, and FedRamp 880-53.

Security Metrics

CSA has mapped to the CCM v4 PDF: 34 security metrics to support Continuous Audit. These metrics aim to support internal CSP governance, risk, and compliance (GRC) activities and provide a helpful baseline for service-level agreement transparency.

For example, Metric “UEM-09-M1” is associated with CCMv4 Control ID “UEM-09” with this Description:

    This metric measures the percentage of instances which are an running anti-malware/virus service.

Each metric can be related to several controls.
For example, “UEM-09-M1” is related to “TVM-02, DCS-05, DCS-06, DSP-01”. UEM-09-M1 depends on an asset database such as from DCS-06.


Titles Alphabetically

The program also generates this list of titles in alphabetical order:

  1. Acceptable Use of Technology Policy and Procedures HRS-02.1
  2. Access Control Logs LOG-12.1
  3. Anti-Malware Detection and Prevention UEM-09.1
  4. Application & Interface Security (CATEGORY) AIS
  5. Application and Interface Security Policy and Procedures AIS-01.1
  6. Application and Service Approval UEM-02.1
  7. Application Interface Availability IPY-02.1
  8. Application Security Baseline Requirements AIS-02.1
  9. Application Security Metrics AIS-03.1
  10. Application Vulnerability Remediation AIS-07.1
  11. Asset returns HRS-05.1
  12. Assets Cataloguing and Tracking DCS-06.1
  13. Assets Classification DCS-05.1
  14. Audit Assurance & Compliance (CATEGORY) A%A
  15. Audit and Assurance Policy and Procedures A&A-01.1
  16. Audit Logs Access and Accountability LOG-04.1
  17. Audit Logs Monitoring and Response LOG-05.1
  18. Audit Logs Protection LOG-02.1
  19. Audit Management Process A&A-05.1
  20. Authorization Mechanisms IAM-16.1
  21. Automated Application Security Testing AIS-05.1
  22. Automated Secure Application Deployment AIS-06.1
  23. Automatic Lock Screen UEM-06.1
  24. Background Screening Policy and Procedures HRS-01.1
  25. Backup BCR-08.1
  26. Business Continuity Exercises BCR-06.1
  27. Business Continuing Management & Operational Resilience (CATEGORY) BCR
  28. Business Continuity Management Policy and Procedures BCR-01.1
  29. Business Continuity Planning BCR-04.1
  30. Business Continuity Strategy BCR-03.1
  31. Cabling Security DCS-12.1
  32. Capacity and Resource Planning IVS-02.1
  33. CEK Roles and Responsibilities CEK-02.1
  34. Change Agreements CCC-05.1
  35. Change Management Baseline CCC-06.1
  36. Change Control & Configuration Management (CATEGORY) CCC
  37. Change Management Policy and Procedures CCC-01.1
  38. Change Management Technology CCC-03.1
  39. Change Restoration CCC-09.1
  40. Clean Desk Policy and Procedures HRS-03.1
  41. Clock Synchronization LOG-06.1
  42. Communication BCR-07.1
  43. Compatibility UEM-03.1
  44. Compliance User Responsibility HRS-13.1
  45. Controlled Access Points DCS-07.1
  46. Cryptography, Encryption, and Key Management (CATEGORY) CEK
  47. CSC Key Management Capability CEK-08.1
  48. CSCs Approval for Agreed Privileged Access Roles IAM-11.1
  49. Data Classification DSP-04.1
  50. Data Encryption CEK-03.1
  51. Data Flow Documentation DSP-05.1
  52. Data Inventory DSP-03.1
  53. Data Location DSP-19.1
  54. Data Loss Prevention UEM-11.1
  55. Data Ownership and Stewardship DSP-06.1
  56. Data Portability Contractual Obligations IPY-04.1
  57. Data Privacy by Design and Default DSP-08.1
  58. Data Protection by Design and Default DSP-07.1
  59. Data Protection Impact Assessment DSP-09.1
  60. Data Retention and Deletion DSP-16.1
  61. Data Security & Privacy Lifecycle Management (CATEGORY) DSP
  62. Datacenter Security (CATEGORY) DCS
  63. Detection of Baseline Deviation CCC-07.1
  64. Detection Updates TVM-04.1
  65. Disaster Response Plan BCR-09.1
  66. Disclosure Notification DSP-18.1
  67. Disclosure of Data Sub-processors DSP-14.1
  68. Documentation BCR-05.1
  69. Employment Agreement Content HRS-08.1
  70. Employment Agreement Process HRS-07.1
  71. Employment Termination HRS-06.1
  72. Encryption Algorithm CEK-04.1
  73. Encryption and Key Management Audit CEK-09.1
  74. Encryption and Key Management Policy and Procedures CEK-01.1
  75. Encryption Change Cost Benefit Analysis CEK-06.1
  76. Encryption Change Management CEK-05.1
  77. Encryption Monitoring and Reporting LOG-10.1
  78. Encryption Risk Management CEK-07.1
  79. Endpoint Devices Policy and Procedures UEM-01.1
  80. Endpoint Inventory UEM-04.1
  81. Endpoint Management UEM-05.1
  82. Environmental Systems DCS-13.1
  83. Equipment Identification DCS-08.1
  84. Equipment Location DCS-15.1
  85. Equipment Redundancy BCR-11.1
  86. Event Triage Processes SEF-06.1
  87. Exception Management CCC-08.1
  88. External Library Vulnerabilities TVM-05.1
  89. Failures and Anomalies Reporting LOG-13.1
  90. Governance, Risk Management, and Compliance (CATEGORY) GRC
  91. Governance Program Policy and Procedures GRC-01.1
  92. Governance Responsibility Model GRC-06.1
  93. Human Resources (CATEGORY) HRS
  94. Identity & Access Management (CATEGORY) IAM
  95. Identity and Access Management Policy and Procedures IAM-01.1
  96. Identity Inventory IAM-03.1
  97. Incident Response Metrics SEF-05.1
  98. Incident Response Plans SEF-03.1
  99. Incident Response Testing SEF-04.1
  100. Independent Assessments A&A-02.1
  101. Information Security Program GRC-05.1
  102. Information System Regulatory Mapping GRC-07.1
  103. Infrastructure & Virtualization Security (CATEGORY) IVS
  104. Infrastructure and Virtualization Security Policy and Procedures IVS-01.1
  105. Internal Compliance Testing STA-11.1
  106. Interoperability & Portability (CATEGORY) IPY
  107. Interoperability and Portability Policy and Procedures IPY-01.1
  108. Key Activation CEK-15.1
  109. Key Archival CEK-18.1
  110. Key Compromise CEK-19.1
  111. Key Deactivation CEK-17.1
  112. Key Destruction CEK-14.1
  113. Key Generation CEK-10.1
  114. Key Inventory Management CEK-21.1
  115. Key Purpose CEK-11.1
  116. Key Recovery CEK-20.1
  117. Key Revocation CEK-13.1
  118. Key Rotation CEK-12.1
  119. Key Suspension CEK-16.1
  120. Least Privilege IAM-05.1
  121. Limitation of Production Data Use DSP-15.1
  122. Limitation of Purpose in Personal Data Processing DSP-12.1
  123. Log Protection LOG-09.1
  124. Log Records LOG-08.1
  125. Logging and Monitoring (CATEGORY) LOG
  126. Logging and Monitoring Policy and Procedures LOG-01.1
  127. Logging Scope LOG-07.1
  128. Malware Protection Policy and Procedures TVM-02.1
  129. Management of Privileged Access Roles IAM-10.1
  130. Migration to Cloud Environments IVS-07.1
  131. Network Architecture Documentation IVS-08.1
  132. Network Defense IVS-09.1
  133. Network Security IVS-03.1
  134. Non-Disclosure Agreements HRS-10.1
  135. Off-Site Equipment Disposal Policy and Procedures DCS-01.1
  136. Off-Site Transfer Authorization Policy and Procedures DCS-02.1
  137. Operating Systems UEM-07.1
  138. Organizational Policy Reviews GRC-03.1
  139. OS Hardening and Base Controls IVS-04.1
  140. Passwords Management IAM-15.1
  141. Penetration Testing TVM-06.1
  142. Personal and Sensitive Data Awareness and Training HRS-12.1
  143. Personal Data Access, Reversal, Rectification and Deletion DSP-11.1
  144. Personal Data Sub-processing DSP-13.1
  145. Personnel Roles and Responsibilities HRS-09.1
  146. Points of Contact Maintenance SEF-08.1
  147. Policy Exception Process GRC-04.1
  148. Primary Service and Contractual Agreement STA-09.1
  149. Production and Non-Production Environments IVS-05.1
  150. Quality Testing CCC-02.1
  151. Remediation A&A-06.1
  152. Remote and Home Working Policy and Procedures HRS-04.1
  153. Remote Locate UEM-12.1
  154. Remote Wipe UEM-13.1
  155. Requirements Compliance A&A-04.1
  156. Response Plan Exercise BCR-10.1
  157. Risk Assessment and Impact Analysis BCR-02.1
  158. Risk Based Planning Assessment A&A-03.1
  159. Risk Management Program GRC-02.1
  160. Safeguard Logs Integrity IAM-12.1
  161. Secure Application Design and Development AIS-04.1
  162. Secure Area Authorization DCS-09.1
  163. Secure Area Policy and Procedures DCS-03.1
  164. Secure Disposal DSP-02.1
  165. Secure Interoperability and Portability Management IPY-03.1
  166. Secure Media Transportation Policy and Procedures DCS-04.1
  167. Secure Utilities DCS-14.1
  168. Security and Privacy Policy and Procedures DSP-01.1
  169. Security Awareness Training HRS-11.1
  170. Security Breach Notification SEF-07.1
  171. Security Incident Management, E-Discovery, and Cloud Forensics (CATEGORY) SEF
  172. Security Incident Management Policy and Procedures SEF-01.1
  173. Security Monitoring and Alerting LOG-03.1
  174. Segmentation and Segregation IVS-06.1
  175. Segregation of Privileged Access Roles IAM-09.1
  176. Sensitive Data Protection DSP-17.1
  177. Sensitive Data Transfer DSP-10.1
  178. Separation of Duties IAM-04.1
  179. Service Management Policy and Procedures SEF-02.1
  180. Software Firewall UEM-10.1
  181. Special Interest Groups GRC-08.1
  182. SSRM Control Implementation STA-06.1
  183. SSRM Control Ownership STA-04.1
  184. SSRM Documentation Review STA-05.1
  185. SSRM Guidance STA-03.1
  186. SSRM Policy and Procedures STA-01.1
  187. SSRM Supply Chain STA-02.1
  188. Storage Encryption UEM-08.1
  189. Strong Authentication IAM-14.1
  190. Strong Password Policy and Procedures IAM-02.1
  191. Supply Chain Agreement Review STA-10.1
  192. Supply Chain Data Security Assessment STA-14.1
  193. Supply Chain Governance Review STA-13.1
  194. Supply Chain Inventory STA-07.1
  195. Supply Chain Management, Transparancy, and Accountability (CATEGORY) STA
  196. Supply Chain Risk Management STA-08.1
  197. Supply Chain Service Agreement Compliance STA-12.1
  198. Surveillance System DCS-10.1
  199. Third-Party Endpoint Security Posture UEM-14.1
  200. Threat and Vulnerability Management (CATEGORY) TVM
  201. Threat and Vulnerability Management Policy and Procedures TVM-01.1
  202. Transaction/Activity Logging LOG-11.1
  203. Unauthorized Access Response Training DCS-11.1
  204. Unauthorized Change Protection CCC-04.1
  205. Universal Endpoint Management (CATEGORY) UEM
  206. Uniquely Identifiable Users IAM-13.1
  207. User Access Changes and Revocation IAM-07.1
  208. User Access Provisioning IAM-06.1
  209. User Access Review IAM-08.1
  210. Vulnerability Identification TVM-07.1
  211. Vulnerability Management Metrics TVM-10.1
  212. Vulnerability Management Reporting TVM-09.1
  213. Vulnerability Prioritization TVM-08.1
  214. Vulnerability Remediation Schedule TVM-03.1

Individual Items by Category (with metrics by Group)

        A&A = Audit Assurance & Compliance

  1. A&A-01.1 - Audit and Assurance Policy and Procedures

    Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?

  2. A&A-01.2 - Audit and Assurance Policy and Procedures

    Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?

  3. A&A-02.1 - Independent Assessments

    Are independent audit and assurance assessments conducted according to relevant standards at least annually?

  4. A&A-03.1 - Risk Based Planning Assessment

    Are independent audit and assurance assessments performed according to risk-based plans and policies?

  5. A&A-04.1 - Requirements Compliance

    Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit?

  6. A&A-05.1 - Audit Management Process

    Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence?

  7. A&A-06.1 - Remediation

    Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained?

  8. A&A-06.2 - Remediation

    Is the remediation status of audit findings reviewed and reported to relevant stakeholders?

AIS = Application & Interface Security

  1. AIS-01.1 - Application and Interface Security Policy and Procedures

    Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization’s application security capabilities?

  2. AIS-01.2 - Application and Interface Security Policy and Procedures

    Are application security policies and procedures reviewed and updated at least annually?

  3. AIS-02.1 - Application Security Baseline Requirements

    Are baseline requirements to secure different applications established, documented, and maintained?

  4. AIS-03.1 - Application Security Metrics

    Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations?

  5. AIS-04.1 - Secure Application Design and Development

    Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements?

  6. AIS-05.1 - Automated Application Security Testing

    Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals?

  7. AIS-05.2 - Automated Application Security Testing

    Is testing automated when applicable and possible?

    AIS-06-M1 CCM METRIC SLO: 95% Test Coverage = percent of running production code can be directly traced back to automated security and quality tests that verify the compliance of each build.
  8. AIS-06.1 - Automated Secure Application Deployment

    Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner?

  9. AIS-06.2 - Automated Secure Application Deployment

    Is the deployment and integration of application code automated where possible?

    AIS-07-M3 CCM METRIC SLO: zero Safe Apps = percent problematic (criticical or high vulnerabilities) not fixed or marked as accepted within the time specified by policy.
    AIS-07-M6 CCM METRIC SLO: 90% Problematic Vulnerabilities Unfixed = percent of critical or high vulnerabilities fixed or marked as accepted within the time specified by policy (have an age greater than the policy defined maximum age).
  10. AIS-07.1 - Application Vulnerability Remediation

    Are application security vulnerabilities remediated following defined processes?

  11. AIS-07.2 - Application Vulnerability Remediation

    Is the remediation of application security vulnerabilities automated when possible?

    BCR = Business Continuing Management & Operational Resilience

  12. BCR-01.1 - Business Continuity Management Policy and Procedures

    Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?

  13. BCR-01.2 - Business Continuity Management Policy and Procedures

    Are the policies and procedures reviewed and updated at least annually?

  14. BCR-02.1 - Risk Assessment and Impact Analysis

    Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts?

  15. BCR-03.1 - Business Continuity Strategy

    Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite?

  16. BCR-04.1 - Business Continuity Planning

    Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan?

  17. BCR-05.1 - Documentation

    Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans?

  18. BCR-05.2 - Documentation

    Is business continuity and operational resilience documentation available to authorized stakeholders?

  19. BCR-05.3 - Documentation

    Is business continuity and operational resilience documentation reviewed periodically?

    BCR-06-M1 CCM METRIC SLO: 80% Critical Systems BCR assured = percent of critical systems that passed Business Continuity Management and Operational Resilience (CCMv4 domain BCR) (Chaos) tests.
  20. BCR-06.1 - Business Continuity Exercises

    Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur?

  21. BCR-07.1 - Communication

    Do business continuity and resilience procedures establish communication with stakeholders and participants?

  22. BCR-08.1 - Backup

    Is cloud data periodically backed up?

  23. BCR-08.2 - Backup

    Is the confidentiality, integrity, and availability of backup data ensured?

  24. BCR-08.3 - Backup

    Can backups be restored appropriately for resiliency?

  25. BCR-09.1 - Disaster Response Plan

    Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters?

  26. BCR-09.2 - Disaster Response Plan

    Is the disaster response plan updated at least annually, and when significant changes occur?

  27. BCR-10.1 - Response Plan Exercise

    Is the disaster response plan exercised annually or when significant changes occur?

  28. BCR-10.2 - Response Plan Exercise

    Are local emergency authorities included, if possible, in the exercise?

  29. BCR-11.1 - Equipment Redundancy

    Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards?

    CCC = Change Control & Configuration Management

  30. CCC-01.1 - Change Management Policy and Procedures

    Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)?

  31. CCC-01.2 - Change Management Policy and Procedures

    Are the policies and procedures reviewed and updated at least annually?

  32. CCC-02.1 - Quality Testing

    Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed?

    CCC-03-M1 CCM METRIC SLO: 80% Assets under Change Mgmt = percent of all assets have change management technology integrated.
  33. CCC-03.1 - Change Management Technology

    Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)?

  34. CCC-04.1 - Unauthorized Change Protection

    Is the unauthorized addition, removal, update, and management of organization assets restricted?

  35. CCC-05.1 - Change Agreements

    Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs?

  36. CCC-06.1 - Change Management Baseline

    Are change management baselines established for all relevant authorized changes on organizational assets?

    CCC-07-M1 CCM METRIC SLO: 95% Config Items assured = percent of positive test results from all configuration tests performed.
  37. CCC-07.1 - Detection of Baseline Deviation

    Are detection measures implemented with proactive notification if changes deviate from established baselines?

  38. CCC-08.1 - Exception Management

    Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process?

  39. CCC-08.2 - Exception Management

    Is the procedure aligned with the requirements of the GRC-04: Policy Exception Process?’

  40. CCC-09.1 - Change Restoration

    Is a process to proactively roll back changes to a previously known “good state” defined and implemented in case of errors or security concerns?

    CEK = Cryptography, Encryption, and Key Management

  41. CEK-01.1 - Encryption and Key Management Policy and Procedures

    Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?

  42. CEK-01.2 - Encryption and Key Management Policy and Procedures

    Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually?

  43. CEK-02.1 - CEK Roles and Responsibilities

    Are cryptography, encryption, and key management roles and responsibilities defined and implemented?

    CEK-03-M2 CCM METRIC SLO: 85% Cryto Assets assured = percent of cryptographic modules continue to be up to approved standards.
  44. CEK-03.1 - Data Encryption

    Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards?

    CEK-04-M1 CCM METRIC SLO: 90% Crypto Functions meeting req. = percent of assets with cryptographic functions meet the organization's defined cryptographic requirements.
  45. CEK-04.1 - Encryption Algorithm

    Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability?

  46. CEK-05.1 - Encryption Change Management

    Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources?

  47. CEK-06.1 - Encryption Change Cost Benefit Analysis

    Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures, managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis?

  48. CEK-07.1 - Encryption Risk Management

    Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions?

  49. CEK-08.1 - CSC Key Management Capability

    Are CSPs providing CSCs with the capacity to manage their own data encryption keys?

  50. CEK-09.1 - Encryption and Key Management Audit

    Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system’s risk exposure, and after any security event?

  51. CEK-09.2 - Encryption and Key Management Audit

    Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)?

  52. CEK-10.1 - Key Generation

    Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications?

  53. CEK-11.1 - Key Purpose

    Are private keys provisioned for a unique purpose managed, and is cryptography secret?

  54. CEK-12.1 - Key Rotation

    Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements?

  55. CEK-13.1 - Key Revocation

    Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions?

  56. CEK-14.1 - Key Destruction

    Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments, revocation of keys stored in hardware security modules (HSMs), and include applicable legal and regulatory requirement provisions?

  57. CEK-15.1 - Key Activation

    Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  58. CEK-16.1 - Key Suspension

    Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  59. CEK-17.1 - Key Deactivation

    Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  60. CEK-18.1 - Key Archival

    Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  61. CEK-19.1 - Key Compromise

    Are processes, procedures, and technical measures to encrypt information in specific scenarios (e.g., only in controlled circumstances and thereafter only for data decryption and never for encryption) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  62. CEK-20.1 - Key Recovery

    Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?

  63. CEK-21.1 - Key Inventory Management

    Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirements provisions?

    DCS = Datacenter Security

  64. DCS-01.1 - Off-Site Equipment Disposal Policy and Procedures

    Are policies and procedures for the secure disposal of equipment used outside the organization’s premises established, documented, approved, communicated, enforced, and maintained?

  65. DCS-01.2 - Off-Site Equipment Disposal Policy and Procedures

    Is a data destruction procedure applied that renders information recovery information impossible if equipment is not physically destroyed?

  66. DCS-01.3 - Off-Site Equipment Disposal Policy and Procedures

    Are policies and procedures for the secure disposal of equipment used outside the organization’s premises reviewed and updated at least annually?

  67. DCS-02.1 - Off-Site Transfer Authorization Policy and Procedures

    Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, maintained?

  68. DCS-02.2 - Off-Site Transfer Authorization Policy and Procedures

    Does a relocation or transfer request require written or cryptographically verifiable authorization?

  69. DCS-02.3 - Off-Site Transfer Authorization Policy and Procedures

    Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually?

  70. DCS-03.1 - Secure Area Policy and Procedures

    Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained?

  71. DCS-03.2 - Secure Area Policy and Procedures

    Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually?

  72. DCS-04.1 - Secure Media Transportation Policy and Procedures

    Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained?

  73. DCS-04.2 - Secure Media Transportation Policy and Procedures

    Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually?

  74. DCS-05.1 - Assets Classification

    Is the classification and documentation of physical and logical assets based on the organizational business risk?

    DCS-06-M1 CCM METRIC SLO: 95% Audit Log Items tracked = percent of managed assets are cataloged and tracked to detected assets.
  75. DCS-06.1 - Assets Cataloguing and Tracking

    Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system?

  76. DCS-07.1 - Controlled Access Points

    Are physical security perimeters implemented to safeguard personnel, data, and information systems?

  77. DCS-07.2 - Controlled Access Points

    Are physical security perimeters established between administrative and business areas, data storage, and processing facilities?

  78. DCS-08.1 - Equipment Identification

    Is equipment identification used as a method for connection authentication?

  79. DCS-09.1 - Secure Area Authorization

    Are solely authorized personnel able to access secure areas, with all ingress and egress areas restricted, documented, and monitored by physical access control mechanisms?

  80. DCS-09.2 - Secure Area Authorization

    Are access control records retained periodically, as deemed appropriate by the organization?

  81. DCS-10.1 - Surveillance System

    Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated?

  82. DCS-11.1 - Unauthorized Access Response Training

    Are datacenter personnel trained to respond to unauthorized access or egress attempts?

  83. DCS-12.1 - Cabling Security

    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms?

  84. DCS-13.1 - Environmental Systems

    Are data center environmental control systems designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards effectively implemented and maintained?

  85. DCS-14.1 - Secure Utilities

    Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness?

  86. DCS-15.1 - Equipment Location

    Is business-critical equipment segregated from locations subject to a high probability of environmental risk events?

    DSP = Data Security & Privacy Lifecycle Management

  87. DSP-01.1 - Security and Privacy Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level?

  88. DSP-01.2 - Security and Privacy Policy and Procedures

    Are data security and privacy policies and procedures reviewed and updated at least annually?

  89. DSP-02.1 - Secure Disposal

    Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means?

  90. DSP-03.1 - Data Inventory

    Is a data inventory created and maintained for sensitive and personal information (at a minimum)?

    DSP-04-M2 CCM METRIC SLO: 99% Data records classified = percent of data assets classified according to the data classification policies specific to the organization.
    DSP-04-M3 CCM METRIC SLO: 99% Assets classified = percent (ratio) of assets in the asset catalog classified according to the data classification policies specific to each organization.
  91. DSP-04.1 - Data Classification

    Is data classified according to type and sensitivity levels?

    DSP-05-M1 CCM METRIC SLO: 80% Data records documented = percent of records from the data inventory required by control DSP-03 included in data flow documentation.
    DSP-05-M2 CCM METRIC SLO: 80% Data streams documented = percent of data streams from the data inventory required by control DSP-03 are included in the data flow documentation.
  92. DSP-05.1 - Data Flow Documentation

    Is data flow documentation created to identify what data is processed and where it is stored and transmitted?

  93. DSP-05.2 - Data Flow Documentation

    Is data flow documentation reviewed at defined intervals, at least annually, and after any change?

  94. DSP-06.1 - Data Ownership and Stewardship

    Is the ownership and stewardship of all relevant personal and sensitive data documented?

  95. DSP-06.2 - Data Ownership and Stewardship

    Is data ownership and stewardship documentation reviewed at least annually?

  96. DSP-07.1 - Data Protection by Design and Default

    Are systems, products, and business practices based on security principles by design and per industry best practices?

  97. DSP-08.1 - Data Privacy by Design and Default

    Are systems, products, and business practices based on privacy principles by design and according to industry best practices?

  98. DSP-08.2 - Data Privacy by Design and Default

    Are systems’ privacy settings configured by default and according to all applicable laws and regulations?

  99. DSP-09.1 - Data Protection Impact Assessment

    Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices?

  100. DSP-10.1 - Sensitive Data Transfer

    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)?

  101. DSP-11.1 - Personal Data Access, Reversal, Rectification and Deletion

    Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)?

  102. DSP-12.1 - Limitation of Purpose in Personal Data Processing

    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)?

  103. DSP-13.1 - Personal Data Sub-processing

    Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)?

  104. DSP-14.1 - Disclosure of Data Sub-processors

    Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation?

  105. DSP-15.1 - Limitation of Production Data Use

    Is authorization from data owners obtained, and the associated risk managed, before replicating or using production data in non-production environments?

  106. DSP-16.1 - Data Retention and Deletion

    Do data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations?

  107. DSP-17.1 - Sensitive Data Protection

    Are processes, procedures, and technical measures defined and implemented to protect sensitive data throughout its lifecycle?

  108. DSP-18.1 - Disclosure Notification

    Does the CSP have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations?

  109. DSP-18.2 - Disclosure Notification

    Does the CSP give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation?

  110. DSP-19.1 - Data Location

    Are processes, procedures, and technical measures defined and implemented to specify and document physical data locations, including locales where data is processed or backed up?

    GRC = Governance, Risk Management, and Compliance

  111. GRC-01.1 - Governance Program Policy and Procedures

    Are information governance program policies and procedures sponsored by organizational leadership established, documented, approved, communicated, applied, evaluated, and maintained?

  112. GRC-01.2 - Governance Program Policy and Procedures

    Are the policies and procedures reviewed and updated at least annually?

  113. GRC-02.1 - Risk Management Program

    Is there an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks?

  114. GRC-03.1 - Organizational Policy Reviews

    Are all relevant organizational policies and associated procedures reviewed at least annually, or when a substantial organizational change occurs?

    GRC-04-M1 CCM METRIC SLO: 90% Policy exceptions resolution timeliness = percent active policy exceptions where the time to resolution is within the documented timeline for resolution. (the effectiveness of governance exception handling processes).
  115. GRC-04.1 - Policy Exception Process

    Is an approved exception process mandated by the governance program established and followed whenever a deviation from an established policy occurs?

  116. GRC-05.1 - Information Security Program

    Has an information security program (including programs of all relevant CCM domains) been developed and implemented?

  117. GRC-06.1 - Governance Responsibility Model

    Are roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs defined and documented?

  118. GRC-07.1 - Information System Regulatory Mapping

    Are all relevant standards, regulations, legal/contractual, and statutory requirements applicable to your organization identified and documented?

  119. GRC-08.1 - Special Interest Groups

    Is contact established and maintained with cloud-related special interest groups and other relevant entities?

    HRS = Human Resources

  120. HRS-01.1 - Background Screening Policy and Procedures

    Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained?

  121. HRS-01.2 - Background Screening Policy and Procedures

    Are background verification policies and procedures designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk?

  122. HRS-01.3 - Background Screening Policy and Procedures

    Are background verification policies and procedures reviewed and updated at least annually?

  123. HRS-02.1 - Acceptable Use of Technology Policy and Procedures

    Are policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets established, documented, approved, communicated, applied, evaluated, and maintained?

  124. HRS-02.2 - Acceptable Use of Technology Policy and Procedures

    Are the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets reviewed and updated at least annually?

    ANSWER : Review of HRS policies and procedures for ___ organizationally-owned assets is in the team’s calendar. :

  125. HRS-03.1 - Clean Desk Policy and Procedures

    Are policies and procedures requiring unattended workspaces to conceal confidential data established, documented, approved, communicated, applied, evaluated, and maintained?

  126. HRS-03.2 - Clean Desk Policy and Procedures

    Are policies and procedures requiring unattended workspaces to conceal confidential data reviewed and updated at least annually?

    ANSWER : Review of HRC policies and procedures for concealing ___ data is in the team’s calendar. :

  127. HRS-04.1 - Remote and Home Working Policy and Procedures

    Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations established, documented, approved, communicated, applied, evaluated, and maintained?

  128. HRS-04.2 - Remote and Home Working Policy and Procedures

    Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations reviewed and updated at least annually?

    ANSWER : Review of HRC policies and procedures for remote ___ data is in the team’s calendar. :

  129. HRS-05.1 - Asset returns

    Are return procedures of organizationally-owned assets by terminated employees established and documented?

  130. HRS-06.1 - Employment Termination

    Are procedures outlining the roles and responsibilities concerning changes in employment established, documented, and communicated to all personnel?

  131. HRS-07.1 - Employment Agreement Process

    Are employees required to sign an employment agreement before gaining access to organizational information systems, resources, and assets?

  132. HRS-08.1 - Employment Agreement Content

    Are provisions and/or terms for adherence to established information governance and security policies included within employment agreements?

  133. HRS-09.1 - Personnel Roles and Responsibilities

    Are employee roles and responsibilities relating to information assets and security documented and communicated?

  134. HRS-10.1 - Non-Disclosure Agreements

    Are requirements for non-disclosure/confidentiality agreements reflecting organizational data protection needs and operational details identified, documented, and reviewed at planned intervals?

  135. HRS-11.1 - Security Awareness Training

    Is a security awareness training program for all employees of the organization established, documented, approved, communicated, applied, evaluated and maintained?

  136. HRS-11.2 - Security Awareness Training

    Are regular security awareness training updates provided?

  137. HRS-12.1 - Personal and Sensitive Data Awareness and Training

    Are all employees granted access to sensitive organizational and personal data provided with appropriate security awareness training?

  138. HRS-12.2 - Personal and Sensitive Data Awareness and Training

    Are all employees granted access to sensitive organizational and personal data provided with regular updates in procedures, processes, and policies relating to their professional function?

  139. HRS-13.1 - Compliance User Responsibility

    Are employees notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations?

    IAM = Identity & Access Management

  140. IAM-01.1 - Identity and Access Management Policy and Procedures

    Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?

  141. IAM-01.2 - Identity and Access Management Policy and Procedures

    Are identity and access management policies and procedures reviewed and updated at least annually?

  142. IAM-02.1 - Strong Password Policy and Procedures

    Are strong password policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?

  143. IAM-02.2 - Strong Password Policy and Procedures

    Are strong password policies and procedures reviewed and updated at least annually?

  144. IAM-03.1 - Identity Inventory

    Is system identity information and levels of access managed, stored, and reviewed?

  145. IAM-04.1 - Separation of Duties

    Is the separation of duties principle employed when implementing information system access?

  146. IAM-05.1 - Least Privilege

    Is the least privilege principle employed when implementing information system access?

  147. IAM-06.1 - User Access Provisioning

    Is a user access provisioning process defined and implemented which authorizes, records, and communicates data and assets access changes?

    IAM-07-M1 CCM METRIC SLO: 99% User terminations timeliness = percent of users leaving the organization are deprovisioned from the identity management system in compliance with identity and access management policies.
  148. IAM-07.1 - User Access Changes and Revocation

    Is a process in place to de-provision or modify the access, in a timely manner, of movers / leavers or system identity changes, to effectively adopt and communicate identity and access management policies?

    IAM-08-M2 CCM METRIC SLO: 95% Account access correct = percent of time elapsed since the last recertification for all types of privileges (including user roles, group memberships, read/write/ execute permissions to files/databases/scripts/jobs, etc).
  149. IAM-08.1 - User Access Review

    Are reviews and revalidation of user access for least privilege and separation of duties completed with a frequency commensurate with organizational risk tolerance?

    IAM-09-M1 CCM METRIC SLO: 99% Privileged users as admin = percent of users with production access have admin access (duties segregated).
  150. IAM-09.1 - Segregation of Privileged Access Roles

    Are processes, procedures, and technical measures for the segregation of privileged access roles defined, implemented, and evaluated such that administrative data access, encryption, key management capabilities, and logging capabilities are distinct and separate?

  151. IAM-10.1 - Management of Privileged Access Roles

    Is an access process defined and implemented to ensure privileged access roles and rights are granted for a limited period?

  152. IAM-10.2 - Management of Privileged Access Roles

    Are procedures implemented to prevent the culmination of segregated privileged access?

  153. IAM-11.1 - CSCs Approval for Agreed Privileged Access Roles

    Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high risk as (defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated?

  154. IAM-12.1 - Safeguard Logs Integrity

    Are processes, procedures, and technical measures to ensure the logging infrastructure is “read-only” for all with write access (including privileged access roles) defined, implemented, and evaluated?

  155. IAM-12.2 - Safeguard Logs Integrity

    Is the ability to disable the “read-only” configuration of logging infrastructure controlled through a procedure that ensures the segregation of duties and break glass procedures?

  156. IAM-13.1 - Uniquely Identifiable Users

    Are processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) defined, implemented, and evaluated?

  157. IAM-14.1 - Strong Authentication

    Are processes, procedures, and technical measures for authenticating access to systems, application, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated?

  158. IAM-14.2 - Strong Authentication

    Are digital certificates or alternatives that achieve an equivalent security level for system identities adopted?

  159. IAM-15.1 - Passwords Management

    Are processes, procedures, and technical measures for the secure management of passwords defined, implemented, and evaluated?

  160. IAM-16.1 - Authorization Mechanisms

    Are processes, procedures, and technical measures to verify access to data and system functions authorized, defined, implemented, and evaluated?

    IPY = Interoperability & Portability

  161. IPY-01.1 - Interoperability and Portability Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs)?

  162. IPY-01.2 - Interoperability and Portability Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information processing interoperability?

  163. IPY-01.3 - Interoperability and Portability Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for application development portability?

  164. IPY-01.4 - Interoperability and Portability Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information/data exchange, usage, portability, integrity, and persistence?

  165. IPY-01.5 - Interoperability and Portability Policy and Procedures

    Are interoperability and portability policies and procedures reviewed and updated at least annually?

  166. IPY-02.1 - Application Interface Availability

    Are CSCs able to programmatically retrieve their data via an application interface(s) to enable interoperability and portability?

    IPY-03-M2 CCM METRIC SLO: 99.99% Data flows cryptographic = percent of data flows use an approved, standardized cryptographic security function for interoperable transmissions of data.
  167. IPY-03.1 - Secure Interoperability and Portability Management

    Are cryptographically secure and standardized network protocols implemented for the management, import, and export of data?

  168. IPY-04.1 - Data Portability Contractual Obligations

    Do agreements include provisions specifying CSC data access upon contract termination, and have the following? a. Data format b. Duration data will be stored c. Scope of the data retained and made available to the CSCs d. Data deletion policy

    IVS = Infrastructure & Virtualization Security

  169. IVS-01.1 - Infrastructure and Virtualization Security Policy and Procedures

    Are infrastructure and virtualization security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?

  170. IVS-01.2 - Infrastructure and Virtualization Security Policy and Procedures

    Are infrastructure and virtualization security policies and procedures reviewed and updated at least annually?

  171. IVS-02.1 - Capacity and Resource Planning

    Is resource availability, quality, and capacity planned and monitored in a way that delivers required system performance, as determined by the business?

  172. IVS-03.1 - Network Security

    Are communications between environments monitored?

  173. IVS-03.2 - Network Security

    Are communications between environments encrypted?

  174. IVS-03.3 - Network Security

    Are communications between environments restricted to only authenticated and authorized connections, as justified by the business?

  175. IVS-03.4 - Network Security

    Are network configurations reviewed at least annually?

  176. IVS-03.5 - Network Security

    Are network configurations supported by the documented justification of all allowed services, protocols, ports, and compensating controls?

    IVS-04-M1 CCM METRIC SLO: 99.99% Assets hardened = percent of assets in compliance with the providerÕs configuration security policy and hardening baselines derived from accepted industry sources (e.g., NIST, vendor recommendations, Center for Internet Security Benchmarks, etc.).
  177. IVS-04.1 - OS Hardening and Base Controls

    Is every host and guest OS, hypervisor, or infrastructure control plane hardened (according to their respective best practices) and supported by technical controls as part of a security baseline?

  178. IVS-05.1 - Production and Non-Production Environments

    Are production and non-production environments separated?

  179. IVS-06.1 - Segmentation and Segregation

    Are applications and infrastructures designed, developed, deployed, and configured such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented, segregated, monitored, and restricted from other tenants?

  180. IVS-07.1 - Migration to Cloud Environments

    Are secure and encrypted communication channels including only up-to-date and approved protocols used when migrating servers, services, applications, or data to cloud environments?

  181. IVS-08.1 - Network Architecture Documentation

    Are high-risk environments identified and documented?

  182. IVS-09.1 - Network Defense

    Are processes, procedures, and defense-in-depth techniques defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks?

    LOG = Logging and Monitoring

  183. LOG-01.1 - Logging and Monitoring Policy and Procedures

    Are logging and monitoring policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?

  184. LOG-01.2 - Logging and Monitoring Policy and Procedures

    Are policies and procedures reviewed and updated at least annually?

  185. LOG-02.1 - Audit Logs Protection

    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure audit log security and retention?

    LOG-03-M1 CCM METRIC SLO: 95% Log sources with sec. alerts = percent of logs configured to generate security alerts for anomalous activity across control domains.
  186. LOG-03.1 - Security Monitoring and Alerting

    Are security-related events identified and monitored within applications and the underlying infrastructure?

  187. LOG-03.2 - Security Monitoring and Alerting

    Is a system defined and implemented to generate alerts to responsible stakeholders based on security events and their corresponding metrics?

  188. LOG-04.1 - Audit Logs Access and Accountability

    Is access to audit logs restricted to authorized personnel, and are records maintained to provide unique access accountability?

    LOG-05-M1 CCM METRIC SLO: 95% Anomalies review timeliness = percent of discovered anomalies resolved within required timelines (effective log monitoring and response process).
  189. LOG-05.1 - Audit Logs Monitoring and Response

    Are security audit logs monitored to detect activity outside of typical or expected patterns?

  190. LOG-05.2 - Audit Logs Monitoring and Response

    Is a process established and followed to review and take appropriate and timely actions on detected anomalies?

  191. LOG-06.1 - Clock Synchronization

    Is a reliable time source being used across all relevant information processing systems?

  192. LOG-07.1 - Logging Scope

    Are logging requirements for information meta/data system events established, documented, and implemented?

  193. LOG-07.2 - Logging Scope

    Is the scope reviewed and updated at least annually, or whenever there is a change in the threat environment?

  194. LOG-08.1 - Log Records

    Are audit records generated, and do they contain relevant security information?

  195. LOG-09.1 - Log Protection

    Does the information system protect audit records from unauthorized access, modification, and deletion?

    LOG-10-M1 CCM METRIC SLO: 80% CEK Controls with metrics = percent of CEK (cryptography, encryption, and key management) controls have defined metrics.
  196. LOG-10.1 - Encryption Monitoring and Reporting

    Are monitoring and internal reporting capabilities established to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls?

  197. LOG-11.1 - Transaction/Activity Logging

    Are key lifecycle management events logged and monitored to enable auditing and reporting on cryptographic keys’ usage?

  198. LOG-12.1 - Access Control Logs

    Is physical access logged and monitored using an auditable access control system?

    LOG-13-M2 CCM METRIC SLO: 99% Monitoring uptime = percent uptime minutes of the monitoring system during the sampling period.
  199. LOG-13.1 - Failures and Anomalies Reporting

    Are processes and technical measures for reporting monitoring system anomalies and failures defined, implemented, and evaluated?

  200. LOG-13.2 - Failures and Anomalies Reporting

    Are accountable parties immediately notified about anomalies and failures?

    SEF = Security Incident Management, E-Discovery, and Cloud Forensics

  201. SEF-01.1 - Security Incident Management Policy and Procedures

    Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained?

  202. SEF-01.2 - Security Incident Management Policy and Procedures

    Are policies and procedures reviewed and updated annually?

  203. SEF-02.1 - Service Management Policy and Procedures

    Are policies and procedures for timely management of security incidents established, documented, approved, communicated, applied, evaluated, and maintained?

  204. SEF-02.2 - Service Management Policy and Procedures

    Are policies and procedures for timely management of security incidents reviewed and updated at least annually?

  205. SEF-03.1 - Incident Response Plans

    Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained?

  206. SEF-04.1 - Incident Response Testing

    Is the security incident response plan tested and updated for effectiveness, as necessary, at planned intervals or upon significant organizational or environmental changes?

    SEF-05-M1 CCM METRIC SLO: 90% Security Events automated = percent of security events sourced from automated systems.
  207. SEF-05.1 - Incident Response Metrics

    Are information security incident metrics established and monitored?

    SEF-06-M1 CCM METRIC SLO: 99% Security Events triage timeliness = percent of security events triaged within policy timeframe targets.
    SEF-06-M2 CCM METRIC SLO: 0.5+? Event triage timeliness trend = SLOPE (Y) of a linear regression of the triage times over time is > 0 (improving), not <0 (worsening).
  208. SEF-06.1 - Event Triage Processes

    Are processes, procedures, and technical measures supporting business processes to triage security-related events defined, implemented, and evaluated?

  209. SEF-07.1 - Security Breach Notification

    Are processes, procedures, and technical measures for security breach notifications defined and implemented?

  210. SEF-07.2 - Security Breach Notification

    Are security breaches and assumed security breaches reported (including any relevant supply chain breaches) as per applicable SLAs, laws, and regulations?

  211. SEF-08.1 - Points of Contact Maintenance

    Are points of contact maintained for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities?

    STA = Supply Chain Management, Transparancy, and Accountability

  212. STA-01.1 - SSRM Policy and Procedures

    Are policies and procedures implementing the shared security responsibility model (SSRM) within the organization established, documented, approved, communicated, applied, evaluated, and maintained?

  213. STA-01.2 - SSRM Policy and Procedures

    Are the policies and procedures that apply the SSRM reviewed and updated annually?

  214. STA-02.1 - SSRM Supply Chain

    Is the SSRM applied, documented, implemented, and managed throughout the supply chain for the cloud service offering?

  215. STA-03.1 - SSRM Guidance

    Is the CSC given SSRM guidance detailing information about SSRM applicability throughout the supply chain?

  216. STA-04.1 - SSRM Control Ownership

    Is the shared ownership and applicability of all CSA CCM controls delineated according to the SSRM for the cloud service offering?

  217. STA-05.1 - SSRM Documentation Review

    Is SSRM documentation for all cloud services the organization uses reviewed and validated?

  218. STA-06.1 - SSRM Control Implementation

    Are the portions of the SSRM the organization is responsible for implemented, operated, audited, or assessed?

    STA-07-M3 CCM METRIC SLO: 99.90% 3rd party components authorized = percent of third-party software components seen in [production assets] are sourced from an approved supplier in the software inventory.
    STA-07-M5 CCM METRIC SLO: 99% Providers connected = percent of approved supply chain upstream cloud services relationships recorded in logged data connections.
  219. STA-07.1 - Supply Chain Inventory

    Is an inventory of all supply chain relationships developed and maintained?

  220. STA-08.1 - Supply Chain Risk Management

    Are risk factors associated with all organizations within the supply chain periodically reviewed by CSPs?

  221. STA-09.1 - Primary Service and Contractual Agreement

    Do service agreements between CSPs and CSCs (tenants) incorporate at least the following mutually agreed upon provisions and/or terms? • Scope, characteristics, and location of business relationship and services offered • Information security requirements (including SSRM) • Change management process • Logging and monitoring capability • Incident management and communication procedures • Right to audit and third-party assessment • Service termination • Interoperability and portability requirements • Data privacy

  222. STA-10.1 - Supply Chain Agreement Review

    Are supply chain agreements between CSPs and CSCs reviewed at least annually?

  223. STA-11.1 - Internal Compliance Testing

    Is there a process for conducting internal assessments at least annually to confirm the conformance and effectiveness of standards, policies, procedures, and SLA activities?

  224. STA-12.1 - Supply Chain Service Agreement Compliance

    Are policies that require all supply chain CSPs to comply with information security, confidentiality, access control, privacy, audit, personnel policy, and service level requirements and standards implemented?

  225. STA-13.1 - Supply Chain Governance Review

    Are supply chain partner IT governance policies and procedures reviewed periodically?

  226. STA-14.1 - Supply Chain Data Security Assessment

    Is a process to conduct periodic security assessments for all supply chain organizations defined and implemented?

    TVM = Threat and Vulnerability Management

  227. TVM-01.1 - Threat and Vulnerability Management Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation?

  228. TVM-01.2 - Threat and Vulnerability Management Policy and Procedures

    Are threat and vulnerability management policies and procedures reviewed and updated at least annually?

  229. TVM-02.1 - Malware Protection Policy and Procedures

    Are policies and procedures to protect against malware on managed assets established, documented, approved, communicated, applied, evaluated, and maintained?

  230. TVM-02.2 - Malware Protection Policy and Procedures

    Are asset management and malware protection policies and procedures reviewed and updated at least annually?

    TVM-03-M1 CCM METRIC SLO: 99% Vulnerability remediation timeliness = percent of high and critical vulnerabilities remediated within the organizationÕs policy timeframes. This reflects the time between when a vulnerability is identified on an organizationÕs assets and when remediation is complete.
  231. TVM-03.1 - Vulnerability Remediation Schedule

    Are processes, procedures, and technical measures defined, implemented, and evaluated to enable scheduled and emergency responses to vulnerability identifications (based on the identified risk)?

  232. TVM-04.1 - Detection Updates

    Are processes, procedures, and technical measures defined, implemented, and evaluated to update detection tools, threat signatures, and compromise indicators weekly (or more frequent) basis?

  233. TVM-05.1 - External Library Vulnerabilities

    Are processes, procedures, and technical measures defined, implemented, and evaluated to identify updates for applications that use third-party or open-source libraries (according to the organization’s vulnerability management policy)?

  234. TVM-06.1 - Penetration Testing

    Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing?

    TVM-07-M1 CCM METRIC SLO: 99% Assets scanned = percent of managed assets scanned monthly.
  235. TVM-07.1 - Vulnerability Identification

    Are processes, procedures, and technical measures defined, implemented, and evaluated for vulnerability detection on organizationally managed assets at least monthly?

  236. TVM-08.1 - Vulnerability Prioritization

    Is vulnerability remediation prioritized using a risk-based model from an industry-recognized framework?

  237. TVM-09.1 - Vulnerability Management Reporting

    Is a process defined and implemented to track and report vulnerability identification and remediation activities that include stakeholder notification?

    TVM-10-M1 CCM METRIC SLO: 99%? Public Vulnerability remediation timeliness = percent of publicly known vulnerabilities are identified for an organizationÕs assets within the organizationÕs required timeframes.
  238. TVM-10.1 - Vulnerability Management Metrics

    Are metrics for vulnerability identification and remediation established, monitored, and reported at defined intervals?

    UEM = Universal Endpoint Management

  239. UEM-01.1 - Endpoint Devices Policy and Procedures

    Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints?

  240. UEM-01.2 - Endpoint Devices Policy and Procedures

    Are universal endpoint management policies and procedures reviewed and updated at least annually?

  241. UEM-02.1 - Application and Service Approval

    Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data?

  242. UEM-03.1 - Compatibility

    Is a process defined and implemented to validate endpoint device compatibility with operating systems and applications?

    UEM-04-M1 CCM METRIC SLO: 95% Endpoints logged = percent of endpoints actively maintained in the asset inventory (appearing in security audit logs).
  243. UEM-04.1 - Endpoint Inventory

    Is an inventory of all endpoints used and maintained to store and access company data?

    UEM-05-M1 CCM METRIC SLO: 99% Endpoints in compliance = percent of unique endpoints with suitable policy enforcement tools have reported compliance state within the sampling period (ability of an organization to control the configuration and behavior of assets which directly create, read, write, or delete organizational data).
  244. UEM-05.1 - Endpoint Management

    Are processes, procedures, and technical measures defined, implemented and evaluated, to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data?

  245. UEM-06.1 - Automatic Lock Screen

    Are all relevant interactive-use endpoints configured to require an automatic lock screen?

  246. UEM-07.1 - Operating Systems

    Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process?

  247. UEM-08.1 - Storage Encryption

    Is information protected from unauthorized disclosure on managed endpoints with storage encryption?

    UEM-09-M1 CCM METRIC SLO: 99% Active endpoints being scanned = percent of instances run anti-malware/virus services.
  248. UEM-09.1 - Anti-Malware Detection and Prevention

    Are anti-malware detection and prevention technology services configured on managed endpoints?

  249. UEM-10.1 - Software Firewall

    Are software firewalls configured on managed endpoints?

  250. UEM-11.1 - Data Loss Prevention

    Are managed endpoints configured with data loss prevention (DLP) technologies and rules per a risk assessment?

  251. UEM-12.1 - Remote Locate

    Are remote geolocation capabilities enabled for all managed mobile endpoints?

  252. UEM-13.1 - Remote Wipe

    Are processes, procedures, and technical measures defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices?

  253. UEM-14.1 - Third-Party Endpoint Security Posture

    Are processes, procedures, and technical and/or contractual measures defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets?

<– 262 CAIQ rows in, 17 categories, 26 CCM metrics. 261 questions+answers printed. –>


Tools

The above are generated by my Python program caiq-html-gen.py. Alternately, excel-to-gm.py uses library openpyxl (xlrd) which enables reading of a comma-delimited file CAIQ4.0.1.csv (for CAIQ v4.0.1). It’s based on a spreadsheet after manual removal of extraneous text wrap, cell merges, and line breaks in text. A feature flag in the program can filter output to only questions which contain an answer.

The program creates a heading line when the first 3 characters of the Question ID changes</a>

https://github.com/metanorma/csa-ccm-tools


Professional Certifications

CSA CCSK: Certificate of Cloud Security Knowledge by CSA tests the knowledge and competency of a person in the field of primary cloud security issues. Recommended for IT auditors. US $495

CCAK: Certificate of Cloud Auditing Knowledge

CSA CCSP Certified Cloud Security Professional is a global credential representing the highest standard for expertise in cloud security. It was created by two organizations: Cloud Security Alliance and International Standardization Council. Recommended for the IT and ICT professionals who are working for IT architecture, web and cloud engineering, information security, governance, risk and compliance and IT auditing.


More about Security

This is one of a series about cyber security:

  1. SOC2
  2. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  3. Git Signing
  4. Hashicorp Vault

  5. WebGoat known insecure PHP app and vulnerability scanners
  6. Test for OWASP using ZAP on the Broken Web App

  7. Encrypt all the things

  8. AWS Security (certification exam)
  9. AWS IAM (Identity and Access Management)

  10. Cyber Security
  11. Security certifications