CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.1

Columns of the original questionnaire: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / Not Applicable) | Notes. Below, "[X]" after a question reproduces the answer mark recorded for it; which of the Yes, No or Not Applicable columns the mark was placed in is not preserved in this copy.

Control Domain: Application & Interface Security
Control: Application Security (AIS-01)
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
AIS-01.1  Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?  [X]
AIS-01.2  Do you use an automated source code analysis tool to detect security defects in code prior to production?  [X]
AIS-01.3  Do you use manual source code analysis to detect security defects in code prior to production?  [X]
AIS-01.4  Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?  [X]
AIS-01.5  (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?  [X]

Control Domain: Application & Interface Security
Control: Customer Access Requirements (AIS-02)
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
AIS-02.1  Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?  [X]
AIS-02.2  Are all requirements and trust levels for customers' access defined and documented?  [X]

Control Domain: Application & Interface Security
Control: Data Integrity (AIS-03)
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
AIS-03.1  Are data input and output integrity routines (i.e. MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?  [X]
AIS-03.2  Do your data management policies and procedures require audits to verify data input and output integrity routines?

Control Domain: Application & Interface Security
Control: Data Security / Integrity (AIS-04)
Control Specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
AIS-04.1  Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?

Control Domain: Audit Assurance & Compliance
Control: Audit Planning (AAC-01)
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
AAC-01.1  Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?  [X]
AAC-01.2  Does your audit program take into account effectiveness of implementation of security operations?  [X]

Control Domain: Audit Assurance & Compliance
Control: Independent Audits (AAC-02)
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
AAC-02.1  Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?  [X]
AAC-02.2  Do you conduct network penetration tests of your cloud service infrastructure at least annually?  [X]
AAC-02.3  Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?  [X]

AAC-02.4  Do you conduct internal audits at least annually?  [X]
AAC-02.5  Do you conduct independent audits at least annually?
AAC-02.6  Are the results of the penetration tests available to tenants at their request?  [X]
AAC-02.7  Are the results of internal and external audits available to tenants at their request?  [X]

Control Domain: Audit Assurance & Compliance
Control: Information System Regulatory Mapping (AAC-03)
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
AAC-03.1  Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

Control Domain: Business Continuity Management & Operational Resilience
Control: Business Continuity Planning (BCR-01)
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
  - Defined purpose and scope, aligned with relevant dependencies
  - Accessible to and understood by those who will use them
  - Owned by a named person(s) who is responsible for their review, update, and approval
  - Defined lines of communication, roles, and responsibilities
  - Detailed recovery procedures, manual work-around, and reference information
  - Method for plan invocation
BCR-01.1  Does your organization have a plan or framework for business continuity management or disaster recovery management?  [X]
BCR-01.2  Do you have more than one provider for each service you depend on?  [X]
BCR-01.3  Do you provide a disaster recovery capability?  [X]
BCR-01.4  Do you monitor service continuity with upstream providers in the event of provider failure?  [X]
BCR-01.5  Do you provide access to operational redundancy reports, including the services you rely on?  [X]
BCR-01.6  Do you provide a tenant triggered failover option?  [X]
BCR-01.7  Do you share your business continuity and redundancy plans with your tenants?  [X]

Control Domain: Business Continuity Management & Operational Resilience
Control: Business Continuity Testing (BCR-02)
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
BCR-02.1  Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?

Control Domain: Business Continuity Management & Operational Resilience
Control: Power / Telecommunications (BCR-03)
Control Specification: Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
BCR-03.1  Does your organization adhere to any international or industry standards when it comes to securing, monitoring, maintaining and testing of datacenter utilities services and environmental conditions?  [X]
BCR-03.2  Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?  [X]

Control Domain: Business Continuity Management & Operational Resilience
Control: Documentation (BCR-04)
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
  - Configuring, installing, and operating the information system
  - Effectively using the system's security features
BCR-04.1  Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?  [X]
          Notes: Our Cloud Service Provider does it.

Control Domain: Business Continuity Management & Operational Resilience
Control: Environmental Risks (BCR-05)
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
BCR-05.1  Is physical damage anticipated and are countermeasures included in the design of physical protections?  [X]
          Notes: Our Cloud Service Provider does it.

Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Location (BCR-06)
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
BCR-06.1  Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?  [X]
          Notes: Our Cloud Service Provider does it.

Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Maintenance (BCR-07)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
BCR-07.1  Do you have documented policies, procedures and supporting business processes for equipment and datacenter maintenance?  [X]
          Notes: Our Cloud Service Provider does it.
BCR-07.2  Do you have an equipment and datacenter maintenance routine or plan?  [X]
          Notes: Our Cloud Service Provider does it.

Control Domain: Business Continuity Management & Operational Resilience
Control: Equipment Power Failures (BCR-08)
Control Specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
BCR-08.1  Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?  [X]
          Notes: Our Cloud Service Provider does it.

Control Domain: Business Continuity Management & Operational Resilience
Control: Impact Analysis (BCR-09)
Control Specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
  - Identify critical products and services
  - Identify all dependencies, including processes, applications, business partners, and third party service providers
  - Understand threats to critical products and services
  - Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  - Establish the maximum tolerable period for disruption
  - Establish priorities for recovery
  - Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
  - Estimate the resources required for resumption
BCR-09.1  Do you use industry standards and frameworks to determine the impact of any disruption to your organization (i.e. criticality of services and recovery priorities, disruption tolerance, RPO and RTO etc)?  [X]
BCR-09.2  Does your organization conduct impact analysis pertaining to possible disruptions to the cloud service?  [X]

Control Domain: Business Continuity Management & Operational Resilience
Control: Policy (BCR-10)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
BCR-10.1  Are policies and procedures established and made available for all personnel to adequately support services operations' roles?  [X]

Control Domain: Business Continuity Management & Operational Resilience
Control: Retention Policy (BCR-11)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
BCR-11.1  Do you have technical capabilities to enforce tenant data retention policies?  [X]
BCR-11.2  Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?  [X]

Control: Retention Policy (BCR-11), continued
BCR-11.3  Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?  [X]
BCR-11.4  If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?  [X]
BCR-11.5  If using virtual infrastructure, do you provide tenants with a capability to restore a virtual machine to a previous configuration?  [X]
BCR-11.6  Does your cloud solution include software/provider independent restore and recovery capabilities?  [X]
BCR-11.7  Do you test your backup or redundancy mechanisms at least annually?  [X]

Control Domain: Change Control & Configuration Management
Control: New Development / Acquisition (CCC-01)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
CCC-01.1  Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?  [X]
          Notes: Cloud provider does it.

Control Domain: Change Control & Configuration Management
Control: Outsourced Development (CCC-02)
Control Specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
CCC-02.1  Are policies and procedures for change management, release, and testing adequately communicated to external business partners?  [X]
CCC-02.2  Are policies and procedures adequately enforced to ensure external business partners comply with change management requirements?  [X]

Control Domain: Change Control & Configuration Management
Control: Quality Testing (CCC-03)
Control Specification: Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.
CCC-03.1  Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?  [X]
CCC-03.2  Is documentation describing known issues with certain products/services available?  [X]
CCC-03.3  Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?  [X]
CCC-03.4  Do you have controls in place to ensure that standards of quality are being met for all software development?  [X]
CCC-03.5  Do you have controls in place to detect source code security defects for any outsourced software development activities?  [X]
CCC-03.6  Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?  [X]

Control Domain: Change Control & Configuration Management
Control: Unauthorized Software Installations (CCC-04)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
CCC-04.1  Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?  [X]

Control Domain: Change Control & Configuration Management
Control: Production Changes (CCC-05)
Control Specification: Policies and procedures shall be established for managing the risks associated with applying changes to:
  - Business-critical or customer (tenant) impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
  - Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
CCC-05.1  Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?  [X]

Control: Production Changes (CCC-05), continued
CCC-05.2  Do you have policies and procedures established for managing risks with respect to change management in production environments?  [X]
CCC-05.3  Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?  [X]

Control Domain: Data Security & Information Lifecycle Management
Control: Classification (DSI-01)
Control Specification: Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
DSI-01.1  Do you provide a capability to identify data and virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?  [X]
DSI-01.2  Do you provide a capability to identify data and hardware via policy tags/metadata/

Control Domain: Data Security & Information Lifecycle Management
Control: Data Inventory / Flows (DSI-02)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Question IDs: DSI-02.1, DSI-02.2

Control Domain: Data Security & Information Lifecycle Management
Control: E-commerce Transactions (DSI-03)
Control Specification: Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Question IDs: DSI-03.1
