CSA Consensus Assessments Initiative Questionnaire (CAIQ)
February 2020

Notices
Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents
Introduction ........................................................ 1
CSA Consensus Assessments Initiative Questionnaire ................... 1
Further Reading .................................................... 169
Document Revisions ................................................. 170

Abstract
The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of purposes, including cloud provider selection and security evaluation. AWS has completed this questionnaire with the answers below. The questionnaire has been completed using the current CSA CAIQ standard, v3.1.1 (11-15-19 Update).

Amazon Web Services
CSA Consensus Assessments Initiative Questionnaire (CAIQ)

Introduction
The Cloud Security Alliance (CSA) is a "not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing." For more information, see https://cloudsecurityalliance.org/about/. A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission.

CSA Consensus Assessments Initiative Questionnaire
Each entry below gives the CSA question ID, the Consensus Assessment question, the AWS answer (Yes / No / N/A), the AWS response, and the control ownership (AWS, Customer, Shared or N/A).

AIS-01.1
Question: Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: Yes
AWS response: The AWS system development lifecycle incorporates industry best practices which include formal design reviews by the AWS Security Team, threat modeling and completion of a risk assessment.
Control ownership: AWS

Page 1

AIS-01.2
Question: Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: Yes
AWS response: Automated code analysis tools are run as a part of the AWS Software Development Lifecycle, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations. Refer to the AWS Overview of Security Processes for further details. That whitepaper is located at /AWS Security Whitepaper.pdf
Control ownership: AWS

AIS-01.3
Question: Do you use manual source code analysis to detect security defects in code prior to production?
Answer: No
AWS response: Manual source-code analysis is not employed. Automated code analysis tools are run as a part of the AWS Software Development Lifecycle.
Control ownership: N/A

AIS-01.4
Question: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: Yes
AWS response: AWS implements open source software or custom code within its services. All open source software, including binary or machine-executable code from third parties, is reviewed and approved by the Open Source Group prior to implementation, and has source code that is publicly accessible. AWS service teams are prohibited from implementing code from third parties unless it has been approved through the open source review. All code developed by AWS is available for review by the applicable service team, as well as AWS Security. By its nature, open source code is available for review by the Open Source Group prior to granting authorization for use within Amazon.
Control ownership: AWS

AIS-01.5
Question: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: Yes
AWS response: Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations. Refer to the AWS Overview of Security Processes for further details. That whitepaper is located at curity/AWS Security Whitepaper.pdf
Customers are responsible for performing vulnerability scanning of their workloads based on their internal scanning requirements.

AIS-02.1
Question: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: Yes
AWS response: AWS and customers agree to a service agreement outlining the terms of service and responsibilities of both parties prior to service delivery.
Control ownership: Shared

AIS-02.2
Question: Are all requirements and trust levels for customers' access defined and documented?
Answer: Yes
AWS response: AWS and customers agree to a service agreement outlining the terms of service and responsibilities of both parties prior to service delivery.
Control ownership: Shared

AIS-03.1
Question: Does your data management policies and procedures require audits to verify data input and output integrity routines?
Answer: Yes
AWS response: AWS data integrity controls, as described in the AWS SOC reports for S3, illustrate the data integrity controls maintained through all phases including transmission, storage and processing. Customers are responsible for control implementation related to application interfaces and databases utilized within the AWS environment.
Control ownership: Shared

AIS-03.2
Question: Are data input and output integrity routines (i.e. MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: Yes
AWS response: AWS data integrity controls, as described in the AWS SOC reports for S3, illustrate the data integrity controls maintained through all phases including transmission, storage and processing. Customers are responsible for control implementation related to application interfaces and databases utilized within the AWS environment.
Control ownership: Shared

AIS-04.1
Question: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: Yes
AWS response: AWS has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers' systems and content. AWS maintains a broad range of industry and geography specific compliance programs and is continually assessed by external certifying bodies and independent auditors to provide assurance that the policies, processes, and controls established and operated by AWS are in alignment with these program standards and the highest industry standards. Refer

AAC-01.1
Question: Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?
Answer: Yes
AWS response: AWS has established a formal, periodic audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
Control ownership: AWS

AAC-01.2
Question: Does your audit program take into account effectiveness of implementation of security operations?
Answer: Yes
AWS response: Internal and external audits are planned and performed according to the documented audit schedule to review the continued performance of AWS against standards-based criteria and to identify general improvement opportunities. Standards-based criteria include but are not limited to ISO/IEC 27001, the Federal Risk and Authorization Management Program (FedRAMP), the American Institute of Certified Public Accountants (AICPA) AT 801 (formerly Statement on Standards for Attestation Engagements [SSAE] 16), and the International Standard on Assurance Engagements No. 3402 (ISAE 3402) professional standards.
Control ownership: AWS

AAC-02.1
Question: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
Answer: Yes
AWS response: AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to our customers under NDA.
Control ownership: AWS

AAC-02.2
Question: Do you conduct network penetration tests of your cloud service infrastructure at least annually?
Answer: Yes
AWS response: Although AWS Security regularly engages carefully selected industry experts and independent security firms to perform recurring penetration testing, we do not share the results directly with customers. Instead, the results are reviewed and validated by our auditors.
Customers can request permission to conduct penetration testing to or originating from any AWS resources as long as they are limited to the customer's instances and do not violate the AWS Acceptable Use Policy. Penetration tests should include customer IP addresses and not AWS endpoints. AWS endpoints are tested as part of AWS compliance vulnerability scans. Advance approval for these types of scans can be initiated by submitting a request using the AWS Vulnerability / Penetration Testing Request Form found here: /
Control ownership: AWS

AAC-02.3
Question: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: Yes
AWS response: Although AWS Security regularly engages carefully selected industry experts and independent security firms to perform recurring penetration testing, we do not share the results directly with customers. Instead, the results are reviewed and validated by our auditors.
Customers can request permission to conduct penetration testing to or originating from any AWS resources as long as they are limited to the customer's instances and do not violate the AWS Acceptable Use Policy. Penetration tests should include customer IP addresses and not AWS endpoints. AWS endpoints are tested as part of AWS compliance vulnerability scans. Advance approval for these types of scans can be initiated by submitting a request using the AWS Vulnerability / Penetration Testing Request Form found here: /
Control ownership: AWS

AAC-02.4
Question: Do you conduct internal audits at least annually?
Answer: Yes
AWS response: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment. Internal audits are performed on a regular basis to cover different AWS products and services using a standards-based approach. The internal audit function operates independently of AWS teams and establishes a risk-based approach to reviewing compliance to standards at AWS.
Control ownership: AWS

AAC-02.5
Question: Do you conduct independent audits at least annually?
Answer: Yes
AWS response: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
Control ownership: AWS

AAC-02.6
Question: Are the results of the penetration tests available to tenants at their request?
Answer: No
AWS response: Although AWS Security regularly engages carefully selected industry experts and independent security firms to perform recurring penetration testing, we do not share the results directly with customers. Instead, the results are reviewed and validated by our auditors.
Control ownership: N/A

AAC-02.7
Question: Are the results of internal and external audits available to tenants at their request?
Answer: Yes
AWS response: AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to our customers under NDA. AWS shares the results of internal audit with our external auditors but not directly with customers.
Control ownership: AWS

AAC-03.1
Question: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: Yes
AWS response: AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS has documented plans in place to implement that directive within designated timeframes.
Control ownership: AWS

BCR-01.1
Question: Does your organization have a plan or framework for business continuity management or disaster recovery management?
Answer: Yes
AWS response: The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
- Activation and Notification Phase
- Recovery Phase
- Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
Control ownership: AWS

BCR-01.2
Question: Do you have more than one provider for each service you depend on?
Answer: Yes
AWS response: Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is "cold." In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Control ownership: AWS

BCR-01.3
Question: Do you provide a disaster recovery capability?
Answer: Yes
AWS response: AWS provides customers the flexibility to place instances and store data within multiple geographic regions as well as across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. In case of failure, automated processes move customer data traffic away from the affected area. AWS SOC reports provide further details. ISO 27001 standard Annex A, domain 15 provides additional details. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification.
Control ownership: Customer

BCR-01.4
Question: Do you monitor service continuity with upstream providers in the event of provider failure?
Answer: X (Yes/No column not legible)
AWS response: AWS maintains a ubiquitous security control environment across all regions. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an N+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if all other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. All data centers are online and serving traffic; no data center is "cold." In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Control ownership: AWS

BCR-01.5
Question: Do you provide access to operational redundancy reports, including the services you rely on?
Answer: X (Yes/No column not legible)
AWS response: The information is shared with independent third-party auditors and the results of those audit engagements are shared with customers.
Control ownership: N/A

BCR-01.6
Question: Do you provide a tenant-triggered failover option?
Answer: X (Yes/No column not legible)
AWS response: AWS provides publicly available mechanisms for customers to report security and/or privacy events, including disasters.
Control ownership: Customer

BCR-01.7
Question: Do you share your business continuity and redundancy plans with your tenants?
Answer: X (Yes/No column not legible)
AWS response: The information is shared with independent third-party auditors and the results of those audit engagements are shared with customers.
Control ownership: N/A

BCR-02.1
Question: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: Yes
AWS response: AWS Business Continuity Policies and Plans have been developed and tested in alignment with ISO 27001 standards. Refer to ISO 27001 standard, Annex A domain 17 for further details on AWS and business continuity.
Control ownership: AWS

BCR-03.1
Question: Does your organization adhere to any international or industry standards when it comes to securing, monitoring, maintaining and testing of datacenter utilities services and environmental conditions?
Answer: Yes
AWS response: AWS data centers incorporate physical protection against environmental risks. AWS's physical protection against environmental risks has been validated by an independent auditor and has been certified as being in alignment with ISO 27002 best practices. Refer to ISO 27001 standard, Annex A domain 11 and the link below for data center controls: ter/controls/
Control ownership: AWS

BCR-03.2
Question: Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?
Answer: Yes
AWS response: AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard. AWS SOC reports provide additional details on controls in place to minimize
