csa-ccm 0.1.2 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.answers.yaml +1380 -0
- data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.control.yaml +2141 -0
- data/appveyor.yml +36 -0
- data/caiq-3.0.1.yaml +531 -419
- data/caiq.yaml +2141 -0
- data/lib/csa/ccm/answer.rb +6 -29
- data/lib/csa/ccm/cli/command.rb +67 -62
- data/lib/csa/ccm/cli/resource.rb +0 -9
- data/lib/csa/ccm/cli/version.rb +1 -1
- data/lib/csa/ccm/control.rb +3 -5
- data/lib/csa/ccm/control_domain.rb +2 -5
- data/lib/csa/ccm/matrix.rb +167 -46
- data/resources/csa-caiq-v3.0.1-12-05-2016.yaml +2141 -0
- data/samples/ccm-answers.schema.yaml +21 -0
- data/samples/ccm-answers.yaml +1 -1
- data/samples/ccm.schema.yaml +35 -0
- data/tmp/ccm-301-2.yaml +2141 -0
- data/tmp/ccm-301.yaml +531 -419
- data/tmp/test.answers.yaml +597 -0
- data/tmp/test.control.yaml +2141 -0
- metadata +13 -6
- data/3.0.1.yaml +0 -1517
- data/resources/~$csa-caiq-v3.0.1-09-01-2017.xlsx +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55180ab1c78b1b3dc93b2e5ecd0c76b04e9e4d12ed0126d5fe1d4006f5efe4c2
|
|
4
|
+
data.tar.gz: 00f7af48d6ddb79d9b1e760d434e40159cb1e7407c9d525fb66f088f54954850
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fa0d2d7322786ed652ee5d02718b488cb7e6e0edb5ddf43e2b22afb486384ef0f6c4c18814e8752733cc96d81ccd66a622588cb848ccda175b7f401b02f3de01
|
|
7
|
+
data.tar.gz: 58cbad62d040070721b5bf3aa8097534a61962e66900e8457139185bb797478817470f50f1f7407afe4f48b5f4c67d6c374e4ef7661b5e1e26d8d0b1a62a2406
|
|
@@ -0,0 +1,1380 @@
|
|
|
1
|
+
---
|
|
2
|
+
ccm:
|
|
3
|
+
metadata:
|
|
4
|
+
version: 3.0.1
|
|
5
|
+
title: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1
|
|
6
|
+
source_file: CAIQ_v3.0.1-09-01-2017_FINAL_filled.xlsx
|
|
7
|
+
answers:
|
|
8
|
+
- control_id: AIS-01
|
|
9
|
+
question_id: AIS-01.1
|
|
10
|
+
answer: 'yes'
|
|
11
|
+
comment: Ribose API design and implementation adheres to industry acceptance standards.
|
|
12
|
+
- control_id: AIS-01
|
|
13
|
+
question_id: AIS-01.2
|
|
14
|
+
answer: 'yes'
|
|
15
|
+
comment: In our implementation cycle, static code security analysis tools (e.g.
|
|
16
|
+
Brakeman) are automatically run for each commit ensuring the resulting code
|
|
17
|
+
does not contain any known vulnerabilities.
|
|
18
|
+
- control_id: AIS-01
|
|
19
|
+
question_id: AIS-01.3
|
|
20
|
+
answer: 'yes'
|
|
21
|
+
comment: For both design and implementation phases of our API, which constitutes
|
|
22
|
+
a "change" in our change management procedure, we perform requirement reviews
|
|
23
|
+
pre- and post-change implementation, including for legal, statutory, and compliance
|
|
24
|
+
obligations. This is performed during our weekly sprint cycles. All code is
|
|
25
|
+
peer reviewed.
|
|
26
|
+
- control_id: AIS-01
|
|
27
|
+
question_id: AIS-01.4
|
|
28
|
+
answer: NA
|
|
29
|
+
comment: Ribose does not rely on software suppliers. All software is developed
|
|
30
|
+
by Ribose.
|
|
31
|
+
- control_id: AIS-01
|
|
32
|
+
question_id: AIS-01.5
|
|
33
|
+
answer: 'yes'
|
|
34
|
+
comment: Ribose will test the applications piror to deployment to production.
|
|
35
|
+
- control_id: AIS-02
|
|
36
|
+
question_id: AIS-02.1
|
|
37
|
+
answer: 'yes'
|
|
38
|
+
comment: Customers are required to register with a password and have to agree
|
|
39
|
+
to our Terms of Service and Privacy Policy.
|
|
40
|
+
- control_id: AIS-02
|
|
41
|
+
question_id: AIS-02.2
|
|
42
|
+
answer: 'yes'
|
|
43
|
+
comment: Requirements and trust levels for customers's access are defined and
|
|
44
|
+
documented in Terms of Service and Privacy Policy.
|
|
45
|
+
- control_id: AIS-03
|
|
46
|
+
question_id: AIS-03.1
|
|
47
|
+
answer: 'yes'
|
|
48
|
+
comment: |-
|
|
49
|
+
Database import and export procedures contain a model verification procedure to prevent database integrity issues.
|
|
50
|
+
|
|
51
|
+
Application communication takes place over the secure HTTPS/TLS to make tampering of data impossible.
|
|
52
|
+
- control_id: AIS-04
|
|
53
|
+
question_id: AIS-04.1
|
|
54
|
+
answer: 'yes'
|
|
55
|
+
comment: Policies, procedures and technical measures have been implemented covering
|
|
56
|
+
this control. Sensitive user information is encrypted on the database and filesystem
|
|
57
|
+
levels. Monitoring solutions like NewRelic and CloudWatch are used to monitor
|
|
58
|
+
availibility of data. Ribose does not transfer any data to third-parties, and
|
|
59
|
+
is compliant with known legal and regulatory issues.
|
|
60
|
+
- control_id: AAC-01
|
|
61
|
+
question_id: AAC-01.1
|
|
62
|
+
answer: 'yes'
|
|
63
|
+
comment: |-
|
|
64
|
+
An audit program has been established and audit plans are prepared, discussed and approved by the integrated management committee (Crimson Committee).
|
|
65
|
+
Internal and external audits for ISO 27001 (ISM), ISO 22301 (BCM) are performed at least annually.
|
|
66
|
+
- control_id: AAC-02
|
|
67
|
+
question_id: AAC-02.1
|
|
68
|
+
answer: 'yes'
|
|
69
|
+
comment: Ribose allows tenants to view your SOC2/ISO 27001 or similar third-party
|
|
70
|
+
audit or certification reports.
|
|
71
|
+
- control_id: CO-02
|
|
72
|
+
question_id: AAC-02.2
|
|
73
|
+
answer: 'yes'
|
|
74
|
+
comment: Ribose conducts application and network penetration test annually.
|
|
75
|
+
- control_id: CO-02
|
|
76
|
+
question_id: AAC-02.3
|
|
77
|
+
answer: 'yes'
|
|
78
|
+
comment: Ribose conducts application and network penetration test annually.
|
|
79
|
+
- control_id: CO-02
|
|
80
|
+
question_id: AAC-02.4
|
|
81
|
+
answer: 'yes'
|
|
82
|
+
comment: Internal audits for ISO 27001 are performed by the BC manager and internal
|
|
83
|
+
audits for ISO 22301 are peformed by the IS manager to ensure segration of duty.
|
|
84
|
+
Audit results are reviewed by the integrated management committee (Crimson Committee).
|
|
85
|
+
- control_id: CO-02
|
|
86
|
+
question_id: AAC-02.5
|
|
87
|
+
answer: 'yes'
|
|
88
|
+
comment: External audits (e.g. ISO 27001, ISO 22301 , and etc.) are performed
|
|
89
|
+
regualrly by BSI.
|
|
90
|
+
- control_id: CO-02
|
|
91
|
+
question_id: AAC-02.6
|
|
92
|
+
answer: 'yes'
|
|
93
|
+
comment: The results of the penetration tests are available to tenants at their
|
|
94
|
+
request.
|
|
95
|
+
- control_id: CO-02
|
|
96
|
+
question_id: AAC-02.7
|
|
97
|
+
answer: 'yes'
|
|
98
|
+
comment: The results of internal and external audits are available to tenants
|
|
99
|
+
at their request.
|
|
100
|
+
- control_id: AAC-02
|
|
101
|
+
question_id: AAC-02.8
|
|
102
|
+
answer: 'yes'
|
|
103
|
+
comment: Our internal audit program allows for cross-functional audit of assessments.
|
|
104
|
+
- control_id: AAC-03
|
|
105
|
+
question_id: AAC-03.1
|
|
106
|
+
answer: 'yes'
|
|
107
|
+
comment: Each customer will have his own key to encrypt his data.
|
|
108
|
+
- control_id: CO-05
|
|
109
|
+
question_id: AAC-03.2
|
|
110
|
+
answer: 'yes'
|
|
111
|
+
comment: Ribose can restore the data to a independent infrastrucutre that allows
|
|
112
|
+
us to restore a specific customer in the case of a faulure or data loss.
|
|
113
|
+
- control_id: AAC-03
|
|
114
|
+
question_id: AAC-03.3
|
|
115
|
+
answer: 'yes'
|
|
116
|
+
comment: Ribose has implemented multi-region feature to allow customers to store
|
|
117
|
+
the data in a specific region.
|
|
118
|
+
- control_id: AAC-03
|
|
119
|
+
question_id: AAC-03.4
|
|
120
|
+
answer: 'yes'
|
|
121
|
+
comment: Risk and compliance policies and procedures have been implemented. An
|
|
122
|
+
inventory of legal and regulatory obligations are annually reviewed to adapt
|
|
123
|
+
to business needs.
|
|
124
|
+
- control_id: BCR-01
|
|
125
|
+
question_id: BCR-01.1
|
|
126
|
+
answer: 'yes'
|
|
127
|
+
comment: 'The production system of Ribose will hosts at least two geographically
|
|
128
|
+
seperated locations for resilience and failover.
|
|
129
|
+
|
|
130
|
+
'
|
|
131
|
+
- control_id: RS-03
|
|
132
|
+
question_id: BCR-01.2
|
|
133
|
+
answer: 'yes'
|
|
134
|
+
comment: The production system of Ribose will hosts at least two geographically
|
|
135
|
+
seperated locations for resilience and failover.
|
|
136
|
+
- control_id: BCR-02
|
|
137
|
+
question_id: BCR-02.1
|
|
138
|
+
answer: 'yes'
|
|
139
|
+
comment: |-
|
|
140
|
+
Ribose has a tested framework for business continuity planning, rehearsed periodically to ensure smooth execution.
|
|
141
|
+
Security incident response testing is planned for and is aligned with NIST Special Publication 800-84 (definition of tabletop exercises).
|
|
142
|
+
- control_id: BCR-03
|
|
143
|
+
question_id: BCR-03.1
|
|
144
|
+
answer: NA
|
|
145
|
+
comment: 'Ribose is a SaaS, and our IaaS provider AWS satisies the datacenter
|
|
146
|
+
requirements. Amazon states in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
|
|
147
|
+
on page 6 the following: "Business Continuity Management Amazon’s infrastructure
|
|
148
|
+
has a high level of availability and provides customers the features to deploy
|
|
149
|
+
a resilient IT architecture. AWS has designed its systems to tolerate system
|
|
150
|
+
or hardware failures with minimal customer impact. Data center Business Continuity
|
|
151
|
+
Management at AWS is under the direction of the Amazon Infrastructure Group.
|
|
152
|
+
Availability Data centers are built in clusters in various global regions. All
|
|
153
|
+
data centers are online and serving customers; no data center is “cold.” In
|
|
154
|
+
case of failure, automated processes move customer data traffic away from the
|
|
155
|
+
affected area. Core applications are deployed in an N+1 configuration, so that
|
|
156
|
+
in the event of a data center failure, there is sufficient capacity to enable
|
|
157
|
+
traffic to be load‐balanced to the remaining sites."'
|
|
158
|
+
- control_id: RS-08
|
|
159
|
+
question_id: BCR-03.2
|
|
160
|
+
answer: 'no'
|
|
161
|
+
comment: Customers can define the zone or region that data is available, but they
|
|
162
|
+
may not define if it is transported through a given legal jurisdiction.
|
|
163
|
+
- control_id: BCR-04
|
|
164
|
+
question_id: BCR-04.1
|
|
165
|
+
answer: 'yes'
|
|
166
|
+
comment: Ribose provides operational guides as well as an Information Security
|
|
167
|
+
Policy for authorized personnel only to ensure operational resilience.
|
|
168
|
+
- control_id: BCR-05
|
|
169
|
+
question_id: BCR-05.1
|
|
170
|
+
answer: 'yes'
|
|
171
|
+
comment: Ribose has a business continuity plan with countermeasures that covers
|
|
172
|
+
these areas.
|
|
173
|
+
- control_id: BCR-06
|
|
174
|
+
question_id: BCR-06.1
|
|
175
|
+
answer: 'no'
|
|
176
|
+
comment: Ribose uses the geographical resilience of the IaaS provider to ensure
|
|
177
|
+
that even running equipment have been disabled due to location, our backup systems
|
|
178
|
+
can be resumed in a short period of time.
|
|
179
|
+
- control_id: BCR-07
|
|
180
|
+
question_id: BCR-07.1
|
|
181
|
+
answer: 'yes'
|
|
182
|
+
comment: Ribose applications run on AWS and AWS has included independent hardware
|
|
183
|
+
restore and recovery capabilities.
|
|
184
|
+
- control_id: OP-04
|
|
185
|
+
question_id: BCR-07.2
|
|
186
|
+
answer: 'yes'
|
|
187
|
+
comment: Ribose applications are built on docker images with tags. Ribose restore
|
|
188
|
+
the applications by using an older images.
|
|
189
|
+
- control_id: OP-04
|
|
190
|
+
question_id: BCR-07.3
|
|
191
|
+
answer: 'yes'
|
|
192
|
+
comment: Ribose builds our images by using docker, which can be deployed into
|
|
193
|
+
other cloud providers.
|
|
194
|
+
- control_id: OP-04
|
|
195
|
+
question_id: BCR-07.4
|
|
196
|
+
answer: NA
|
|
197
|
+
comment: Ribose owns the images in a private repo which will not shared with customers.
|
|
198
|
+
- control_id: OP-04
|
|
199
|
+
question_id: BCR-07.5
|
|
200
|
+
answer: 'yes'
|
|
201
|
+
comment: Ribose implements different restore/recovery for differenet scenarios.
|
|
202
|
+
- control_id: BCR-08
|
|
203
|
+
question_id: BCR-08.1
|
|
204
|
+
answer: 'yes'
|
|
205
|
+
comment: Ribose has developed business continuity plans for natural, man-made
|
|
206
|
+
and geographically-specific risks. Examples of these risks are office physical
|
|
207
|
+
temporary unavailability in case of demonstrations or typhoons which are typical
|
|
208
|
+
for Hong Kong and happen frequently.
|
|
209
|
+
- control_id: BCR-09
|
|
210
|
+
question_id: BCR-09.1
|
|
211
|
+
answer: 'yes'
|
|
212
|
+
comment: Ribose maintains OLA which is available for all staffs.
|
|
213
|
+
- control_id: RS-02
|
|
214
|
+
question_id: BCR-09.2
|
|
215
|
+
answer: 'yes'
|
|
216
|
+
comment: The security metrics are defined in OLA.
|
|
217
|
+
- control_id: RS-02
|
|
218
|
+
question_id: BCR-09.3
|
|
219
|
+
answer: 'yes'
|
|
220
|
+
comment: Ribose maintains OLA which is available for all staffs.
|
|
221
|
+
- control_id: BCR-10
|
|
222
|
+
question_id: BCR-10.1
|
|
223
|
+
answer: 'yes'
|
|
224
|
+
comment: Ribose operational staff are trained in standards (ISO 27001, ISO 20000-1,
|
|
225
|
+
ISO 22301) and the company's change management policy and procedures provides
|
|
226
|
+
adequate definitions of roles and responsibilities. Ribose uses the task sheet
|
|
227
|
+
as a operational management system.
|
|
228
|
+
- control_id: BCR-11
|
|
229
|
+
question_id: BCR-11.1
|
|
230
|
+
answer: 'yes'
|
|
231
|
+
comment: Retention periods have been defined for all critical assets such as backup,
|
|
232
|
+
documentation and log files.
|
|
233
|
+
- control_id: DG-04
|
|
234
|
+
question_id: BCR-11.2
|
|
235
|
+
answer: 'yes'
|
|
236
|
+
comment: Retention procedures are documented in Crimson.
|
|
237
|
+
- control_id: BCR-11
|
|
238
|
+
question_id: BCR-11.4
|
|
239
|
+
answer: 'yes'
|
|
240
|
+
comment: Ribose has implemented backup mechanisms to ensure compliance with regulatory,
|
|
241
|
+
statutory, contractual or business requirements.
|
|
242
|
+
- control_id: BCR-11
|
|
243
|
+
question_id: BCR-11.5
|
|
244
|
+
answer: 'yes'
|
|
245
|
+
comment: Backup data will be tested in staging servers daily.
|
|
246
|
+
- control_id: CCC-01
|
|
247
|
+
question_id: CCC-01.1
|
|
248
|
+
answer: 'yes'
|
|
249
|
+
comment: Crimson
|
|
250
|
+
- control_id: CCC-01
|
|
251
|
+
question_id: CCC-01.2
|
|
252
|
+
answer: 'yes'
|
|
253
|
+
comment: Crimson
|
|
254
|
+
- control_id: CCC-02
|
|
255
|
+
question_id: CCC-02.1
|
|
256
|
+
answer: 'yes'
|
|
257
|
+
comment: change management procedure
|
|
258
|
+
- control_id: RM-04
|
|
259
|
+
question_id: CCC-02.2
|
|
260
|
+
answer: NA
|
|
261
|
+
comment: no outsouce development
|
|
262
|
+
- control_id: CCC-03
|
|
263
|
+
question_id: CCC-03.1
|
|
264
|
+
answer: 'yes'
|
|
265
|
+
comment: change management procedure and deployment procedure
|
|
266
|
+
- control_id: CCC-03
|
|
267
|
+
question_id: CCC-03.2
|
|
268
|
+
answer: 'yes'
|
|
269
|
+
comment: Crimson
|
|
270
|
+
- control_id: CCC-03
|
|
271
|
+
question_id: CCC-03.3
|
|
272
|
+
answer: 'yes'
|
|
273
|
+
comment: customer feedback and change management procedure
|
|
274
|
+
- control_id: CCC-03
|
|
275
|
+
question_id: CCC-03.4
|
|
276
|
+
answer: 'yes'
|
|
277
|
+
comment: code review
|
|
278
|
+
- control_id: CCC-04
|
|
279
|
+
question_id: CCC-04.1
|
|
280
|
+
answer: 'yes'
|
|
281
|
+
comment: Approved software list
|
|
282
|
+
- control_id: CCC-05
|
|
283
|
+
question_id: CCC-05.1
|
|
284
|
+
answer: 'yes'
|
|
285
|
+
comment: Crimson
|
|
286
|
+
- control_id: DSI-01
|
|
287
|
+
question_id: DSI-01.1
|
|
288
|
+
answer: 'yes'
|
|
289
|
+
comment: metadata in AWS console
|
|
290
|
+
- control_id: DG-02
|
|
291
|
+
question_id: DSI-01.2
|
|
292
|
+
answer: 'yes'
|
|
293
|
+
comment: instance type
|
|
294
|
+
- control_id: DG-02
|
|
295
|
+
question_id: DSI-01.3
|
|
296
|
+
answer: 'yes'
|
|
297
|
+
comment: IP
|
|
298
|
+
- control_id: DG-02
|
|
299
|
+
question_id: DSI-01.4
|
|
300
|
+
answer: 'yes'
|
|
301
|
+
comment: multi-region
|
|
302
|
+
- control_id: DG-02
|
|
303
|
+
question_id: DSI-01.5
|
|
304
|
+
answer: 'yes'
|
|
305
|
+
comment: multi-region
|
|
306
|
+
- control_id: DSI-01
|
|
307
|
+
question_id: DSI-01.6
|
|
308
|
+
answer: 'yes'
|
|
309
|
+
comment: data labeling policy
|
|
310
|
+
- control_id: DSI-01
|
|
311
|
+
question_id: DSI-01.7
|
|
312
|
+
answer: 'yes'
|
|
313
|
+
comment: multi-region
|
|
314
|
+
- control_id: DSI-02
|
|
315
|
+
question_id: DSI-02.1
|
|
316
|
+
answer: 'yes'
|
|
317
|
+
comment: inventory list
|
|
318
|
+
- control_id: DSI-02
|
|
319
|
+
question_id: DSI-02.2
|
|
320
|
+
answer: 'yes'
|
|
321
|
+
comment: multi-region
|
|
322
|
+
- control_id: DSI-03
|
|
323
|
+
question_id: DSI-03.1
|
|
324
|
+
answer: 'yes'
|
|
325
|
+
comment: AES encryption
|
|
326
|
+
- control_id: IS-28
|
|
327
|
+
question_id: DSI-03.2
|
|
328
|
+
answer: 'yes'
|
|
329
|
+
comment: OpenSSL
|
|
330
|
+
- control_id: DSI-04
|
|
331
|
+
question_id: DSI-04.1
|
|
332
|
+
answer: 'yes'
|
|
333
|
+
comment: Crimson
|
|
334
|
+
- control_id: DG-03
|
|
335
|
+
question_id: DSI-04.2
|
|
336
|
+
answer: 'yes'
|
|
337
|
+
comment: Space privacy and git security settings facilitate security inheritance.
|
|
338
|
+
Objects within a space or in a git repository cannot have different security
|
|
339
|
+
settings than the parent.
|
|
340
|
+
- control_id: DSI-05
|
|
341
|
+
question_id: DSI-05.1
|
|
342
|
+
answer: 'yes'
|
|
343
|
+
comment: data masking
|
|
344
|
+
- control_id: DSI-06
|
|
345
|
+
question_id: DSI-06.1
|
|
346
|
+
answer: 'yes'
|
|
347
|
+
comment: We have established information labeling procedures that cover this control.
|
|
348
|
+
- control_id: DSI-07
|
|
349
|
+
question_id: DSI-07.1
|
|
350
|
+
answer: 'yes'
|
|
351
|
+
comment: A data masking procedure has been established and is enforced.
|
|
352
|
+
- control_id: DG-05
|
|
353
|
+
question_id: DSI-07.2
|
|
354
|
+
answer: 'yes'
|
|
355
|
+
comment: It is company policy to prohibit the copying of production customer data
|
|
356
|
+
to testing environments or other locations such as an office network
|
|
357
|
+
- control_id: DCS-01
|
|
358
|
+
question_id: DCS-01.1
|
|
359
|
+
answer: 'yes'
|
|
360
|
+
comment: inventory list
|
|
361
|
+
- control_id: FS-08
|
|
362
|
+
question_id: DCS-01.2
|
|
363
|
+
answer: 'yes'
|
|
364
|
+
comment: CMDB
|
|
365
|
+
- control_id: DCS-02
|
|
366
|
+
question_id: DCS-02.1
|
|
367
|
+
answer: 'yes'
|
|
368
|
+
comment: "Ribose utilizes a CCTV camera system and biometric + proximity card
|
|
369
|
+
based access control to secure the office location.\nThe Ribose office is located
|
|
370
|
+
in a building which has 24/7 security sentries.\n\nAmazon have stringent physical
|
|
371
|
+
security measures that deal with unauthorised access to their data center, as
|
|
372
|
+
described in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
|
|
373
|
+
page 4.\n\n\"Physical and Environmental Security \n\nAWS’s data centers are
|
|
374
|
+
state of the art, utilizing innovative architectural and engineering approaches.
|
|
375
|
+
Amazon has many \nyears of experience in designing, constructing, and operating
|
|
376
|
+
large‐scale data centers. This experience has been applied \nto the AWS platform
|
|
377
|
+
and infrastructure. AWS data centers are housed in nondescript facilities. Physical
|
|
378
|
+
access is strictly \ncontrolled both at the perimeter and at building ingress
|
|
379
|
+
points by professional security staff utilizing video surveillance, \nintrusion
|
|
380
|
+
detection systems, and other electronic means. Authorized staff must pass two‐factor
|
|
381
|
+
authentication a \nminimum of two times to access data center floors. All visitors
|
|
382
|
+
and contractors are required to present identification and \nare signed in and
|
|
383
|
+
continually escorted by authorized staff. \nAWS only provides data center access
|
|
384
|
+
and information to employees and contractors who have a legitimate business
|
|
385
|
+
\nneed for such privileges. When an employee no longer has a business need for
|
|
386
|
+
these privileges, his or her access is \nimmediately revoked, even if they continue
|
|
387
|
+
to be an employee of Amazon or Amazon Web Services. All physical access \nto
|
|
388
|
+
data centers by AWS employees is logged and audited routinely.\""
|
|
389
|
+
- control_id: DCS-03
|
|
390
|
+
question_id: DCS-03.1
|
|
391
|
+
answer: 'yes'
|
|
392
|
+
comment: Ribose uses Amazon security groups. Server instances defined by environment
|
|
393
|
+
type (MY, QA) are automatically placed in the right security group according
|
|
394
|
+
to their label. It is not possible for a newly deployed server to contact other
|
|
395
|
+
instances outside it's security group unless specifically specified. No IP configuration
|
|
396
|
+
is required to setup this connection authentication.
|
|
397
|
+
- control_id: DCS-04
|
|
398
|
+
question_id: DCS-04.1
|
|
399
|
+
answer: 'yes'
|
|
400
|
+
comment: Ribose is a SaaS and uses IaaS provider's datacenters. Ribose staff adheres
|
|
401
|
+
to a Property Removal and Offsite Security Procedure to relocate or transfer
|
|
402
|
+
company assets.
|
|
403
|
+
- control_id: DCS-05
|
|
404
|
+
question_id: DCS-05.1
|
|
405
|
+
answer: 'yes'
|
|
406
|
+
comment: "1 i) Ribose has implemented and enforced a secure disposal procedure.\n1
|
|
407
|
+
ii) Ribose' IaaS provider Amazon states the following:\n\n\"Storage Device Decommissioning
|
|
408
|
+
\n \nWhen a storage device has reached the end of its useful life, AWS procedures
|
|
409
|
+
include a decommissioning process that is \ndesigned to prevent customer data
|
|
410
|
+
from being exposed to unauthorized individuals. AWS uses the techniques detailed
|
|
411
|
+
\nin DoD 5220.22‐M (“National Industrial Security Program Operating Manual “)
|
|
412
|
+
or NIST 800‐88 (“Guidelines for Media \nSanitization”) to destroy data as part
|
|
413
|
+
of the decommissioning process. All decommissioned magnetic storage devices
|
|
414
|
+
are \ndegaussed and physically destroyed in accordance with industry‐standard
|
|
415
|
+
practices.\"\n\nAs stated in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
|
|
416
|
+
page 6."
|
|
417
|
+
- control_id: DCS-06
|
|
418
|
+
question_id: DCS-06.1
|
|
419
|
+
answer: 'yes'
|
|
420
|
+
comment: |-
|
|
421
|
+
1) Emergency exit and fire extinguisher procedures have been established and published in the Ribose security space.
|
|
422
|
+
2) A clean desk policy has been established as stated in our security policy.
|
|
423
|
+
3) Regular access audits are performed.
|
|
424
|
+
- control_id: DCS-06
|
|
425
|
+
question_id: DCS-06.2
|
|
426
|
+
answer: 'yes'
|
|
427
|
+
comment: security awareness training
|
|
428
|
+
- control_id: DCS-07
|
|
429
|
+
question_id: DCS-07.1
|
|
430
|
+
answer: 'yes'
|
|
431
|
+
comment: multi-region
|
|
432
|
+
- control_id: DCS-08
|
|
433
|
+
question_id: DCS-08.1
|
|
434
|
+
answer: 'yes'
|
|
435
|
+
comment: cctv
|
|
436
|
+
- control_id: DCS-09
|
|
437
|
+
question_id: DCS-09.1
|
|
438
|
+
answer: 'yes'
|
|
439
|
+
comment: |-
|
|
440
|
+
Secure physical access to the Ribose office is ensured by utilising biometric scanners using a system that is reviewed on a quarterly basis.
|
|
441
|
+
Ribose also maintains a list of approved users that can access the office computer room. This list is reviewed on a quarterly basis.
|
|
442
|
+
- control_id: EKM-01
|
|
443
|
+
question_id: EKM-01.1
|
|
444
|
+
answer: 'yes'
|
|
445
|
+
comment: Cryptographic Key management policies
|
|
446
|
+
- control_id: EKM-02
|
|
447
|
+
question_id: EKM-02.1
|
|
448
|
+
answer: 'yes'
|
|
449
|
+
comment: 'A separate encryption key management system and process is used for
|
|
450
|
+
Ribose customers for security of their data. '
|
|
451
|
+
- control_id: IS-19
|
|
452
|
+
question_id: EKM-02.2
|
|
453
|
+
answer: 'yes'
|
|
454
|
+
comment: |2-
|
|
455
|
+
|
|
456
|
+
Ribose customers do not have access to keys or key management because it is not used by them directly. Customers have no responsibility of this control.
|
|
457
|
+
- control_id: IS-19
|
|
458
|
+
question_id: EKM-02.3
|
|
459
|
+
answer: 'yes'
|
|
460
|
+
comment: Crimson
|
|
461
|
+
- control_id: IS-19
|
|
462
|
+
question_id: EKM-02.4
|
|
463
|
+
answer: 'yes'
|
|
464
|
+
comment: Crimson
|
|
465
|
+
- control_id: EKM-02
|
|
466
|
+
question_id: EKM-02.5
|
|
467
|
+
answer: 'no'
|
|
468
|
+
comment: Ribose uses a combination of open source and proprietary code to develop
|
|
469
|
+
its encryption solutions
|
|
470
|
+
- control_id: EKM-03
|
|
471
|
+
question_id: EKM-03.1
|
|
472
|
+
answer: 'yes'
|
|
473
|
+
comment: database and S3 are encrypted
|
|
474
|
+
- control_id: IS-18
|
|
475
|
+
question_id: EKM-03.2
|
|
476
|
+
answer: 'yes'
|
|
477
|
+
comment: AWS can transfer the container images to and from Amazon ECR via HTTPS.
|
|
478
|
+
AWS images are also automatically encrypted at rest using Amazon S3 server-side
|
|
479
|
+
encryption.
|
|
480
|
+
- control_id: EKM-03
|
|
481
|
+
question_id: EKM-03.3
|
|
482
|
+
answer: 'yes'
|
|
483
|
+
comment: Each customer will have his own key to encrypt his data.
|
|
484
|
+
- control_id: EKM-03
|
|
485
|
+
question_id: EKM-03.4
|
|
486
|
+
answer: 'yes'
|
|
487
|
+
comment: Crimson
|
|
488
|
+
- control_id: EKM-04
|
|
489
|
+
question_id: EKM-04.1
|
|
490
|
+
answer: 'yes'
|
|
491
|
+
comment: Our key management system uses industry-best filesystem encryption and
|
|
492
|
+
is maintained by ourselves.
|
|
493
|
+
- control_id: EKM-04
|
|
494
|
+
question_id: EKM-04.2
|
|
495
|
+
answer: 'yes'
|
|
496
|
+
comment: Ribose maintains its own encryption keys.
|
|
497
|
+
- control_id: EKM-04
|
|
498
|
+
question_id: EKM-04.3
|
|
499
|
+
answer: 'yes'
|
|
500
|
+
comment: database and environment vairable
|
|
501
|
+
- control_id: EKM-04
|
|
502
|
+
question_id: EKM-04.4
|
|
503
|
+
answer: 'yes'
|
|
504
|
+
comment: Ribose's key management operates as a service for development teams to
|
|
505
|
+
use in their application code.
|
|
506
|
+
- control_id: GRM-01
|
|
507
|
+
question_id: GRM-01.1
|
|
508
|
+
answer: 'yes'
|
|
509
|
+
comment: The document "Technical Baseline Guidance" specifies baselines for UNIX
|
|
510
|
+
systems, Windows systems, OSX systems, Juniper and Cisco systems. In ISP it
|
|
511
|
+
is stated that this document is reviewed annually for changes or updates and
|
|
512
|
+
baseline deviations must be approved through change management procedures.
|
|
513
|
+
- control_id: IS-04
|
|
514
|
+
question_id: GRM-01.2
|
|
515
|
+
answer: 'yes'
|
|
516
|
+
comment: review annually
|
|
517
|
+
- control_id: IS-04
|
|
518
|
+
question_id: GRM-01.3
|
|
519
|
+
answer: NA
|
|
520
|
+
comment: Ribose is SAAS, but not PAAS or IAAS
|
|
521
|
+
- control_id: GRM-02
|
|
522
|
+
question_id: GRM-02.1
|
|
523
|
+
answer: 'yes'
|
|
524
|
+
comment: brakeman
|
|
525
|
+
- control_id: GRM-02
|
|
526
|
+
question_id: GRM-02.2
|
|
527
|
+
answer: 'yes'
|
|
528
|
+
comment: Data classification, location and retention period is defined.
|
|
529
|
+
- control_id: GRM-03
|
|
530
|
+
question_id: GRM-03.1
|
|
531
|
+
answer: 'yes'
|
|
532
|
+
comment: Security awareness sessions are mandatory and employees are required
|
|
533
|
+
to sign an attendance list or finish an exam.
|
|
534
|
+
- control_id: GRM-04
|
|
535
|
+
question_id: GRM-04.1
|
|
536
|
+
answer: 'yes'
|
|
537
|
+
comment: Ribose is ISO/IEC 27001:2013 certified and the ISMP is similar to the
|
|
538
|
+
operation of an ISMS.
|
|
539
|
+
- control_id: GRM-04
|
|
540
|
+
question_id: GRM-04.2
|
|
541
|
+
answer: 'yes'
|
|
542
|
+
comment: internal and external audits
|
|
543
|
+
- control_id: GRM-05
|
|
544
|
+
question_id: GRM-05.1
|
|
545
|
+
answer: 'yes'
|
|
546
|
+
comment: supplier evaluations
|
|
547
|
+
- control_id: GRM-06
|
|
548
|
+
question_id: GRM-06.1
|
|
549
|
+
answer: 'yes'
|
|
550
|
+
comment: ISO 27001, ISO 22301, ISO 20000-1
|
|
551
|
+
- control_id: GRM-06
|
|
552
|
+
question_id: GRM-06.2
|
|
553
|
+
answer: 'yes'
|
|
554
|
+
comment: Tos and privacy policy
|
|
555
|
+
- control_id: GRM-06
|
|
556
|
+
question_id: GRM-06.3
|
|
557
|
+
answer: 'yes'
|
|
558
|
+
comment: Crimson
|
|
559
|
+
- control_id: GRM-06
|
|
560
|
+
question_id: GRM-06.4
|
|
561
|
+
answer: 'yes'
|
|
562
|
+
comment: announced in commitments
|
|
563
|
+
- control_id: GRM-07
|
|
564
|
+
question_id: GRM-07.1
|
|
565
|
+
answer: 'yes'
|
|
566
|
+
comment: |-
|
|
567
|
+
Chapter 21 in the Information Security Policy covers the control specification:
|
|
568
|
+
"Staff of Ribose has the responsibility to enforce compliance with this policy. Violations of security policy are subject to disciplinary action.
|
|
569
|
+
Team leads shall require employees, contractors and third party users to follow the principles and standard as described in this policy.
|
|
570
|
+
Information Security Officer has the responsibility to enforce compliance with this policy, and ensure that internal audit mechanisms exist to monitor and mea- sure compliance with this policy."
|
|
571
|
+
|
|
572
|
+
Ribose staff is required to sign the "appropriate usage of company resources and facilities" document:
|
|
573
|
+
"I agree to adhere to the guidelines stated in the Company’s policies and procedures as may be amended from time to time.
|
|
574
|
+
|
|
575
|
+
I agree to:
|
|
576
|
+
|
|
577
|
+
1. Conform to the Company’s obligations pertaining to the use of software.
|
|
578
|
+
2. Install and use only that software which is relevant for my work in the Company.
|
|
579
|
+
3. Not use any software downloaded from the Internet without proper authorization.
|
|
580
|
+
4. Not use any software beyond the period for which its use is authorized or legally permitted.
|
|
581
|
+
5. Abide by Company’s policy in respect of password control.
|
|
582
|
+
6. Access only those web sites, which are relevant to my work at hand.
|
|
583
|
+
7. Not indulge in "Hacking"
|
|
584
|
+
8. Not circulate or distribute offensive/ pornographic material through e-mail or in any other manner.
|
|
585
|
+
|
|
586
|
+
I am aware that relevant process documents are available on the LAN and shall refer to them in case of doubt.
|
|
587
|
+
|
|
588
|
+
I am fully aware that violation of the above undertaking in any manner will lead to disciplinary action, including termination of my employment (or secondment)."
|
|
589
|
+
- control_id: IS-06
|
|
590
|
+
question_id: GRM-07.2
|
|
591
|
+
answer: 'yes'
|
|
592
|
+
comment: security awareness training
|
|
593
|
+
- control_id: GRM-08
|
|
594
|
+
question_id: GRM-08.1
|
|
595
|
+
answer: 'yes'
|
|
596
|
+
comment: During the annual review of risk assessments any policies that require
|
|
597
|
+
modification will be updated following the document control procedure.
|
|
598
|
+
- control_id: GRM-09
|
|
599
|
+
question_id: GRM-09.1
|
|
600
|
+
answer: 'yes'
|
|
601
|
+
comment: ISC consists of management and all team leads. This can be proven with
|
|
602
|
+
the ISC meeting minute notes as verified during internal and external audits.
|
|
603
|
+
- control_id: GRM-09
|
|
604
|
+
question_id: GRM-09.2
|
|
605
|
+
answer: 'yes'
|
|
606
|
+
comment: internal and external audits
|
|
607
|
+
- control_id: GRM-10
|
|
608
|
+
question_id: GRM-10.1
|
|
609
|
+
answer: 'yes'
|
|
610
|
+
comment: Risk assessments have been performed and have been audited during internal
|
|
611
|
+
and external audits. Every risk assessment will be reviewed annually.
|
|
612
|
+
- control_id: RI-02
|
|
613
|
+
question_id: GRM-10.2
|
|
614
|
+
answer: 'yes'
|
|
615
|
+
comment: Outputs from audit results, threat and vulnerability analysis, and regulatory
|
|
616
|
+
compliance are reviewed in Crimson Committee Meetings and tasks are created
|
|
617
|
+
in task list for continuous imrpovement .
|
|
618
|
+
- control_id: GRM-11
|
|
619
|
+
question_id: GRM-11.1
|
|
620
|
+
answer: 'yes'
|
|
621
|
+
comment: Crimson
|
|
622
|
+
- control_id: RI-01
|
|
623
|
+
question_id: GRM-11.2
|
|
624
|
+
answer: 'yes'
|
|
625
|
+
comment: Published in ribose.com
|
|
626
|
+
- control_id: HRS-01
|
|
627
|
+
question_id: HRS-01.1
|
|
628
|
+
answer: 'yes'
|
|
629
|
+
comment: papertrails and datadog
|
|
630
|
+
- control_id: IS-27
|
|
631
|
+
question_id: HRS-01.2
|
|
632
|
+
answer: 'yes'
|
|
633
|
+
comment: ISO 27001
|
|
634
|
+
- control_id: HRS-02
|
|
635
|
+
question_id: HRS-02.1
|
|
636
|
+
answer: 'yes'
|
|
637
|
+
comment: Stringent background checks are performed as pre-employment checks. Contractors
|
|
638
|
+
and third-parties are subject to background checks depending on business requirements
|
|
639
|
+
and risks. See Ribose HR space.
|
|
640
|
+
- control_id: HRS-03
|
|
641
|
+
question_id: HRS-03.1
|
|
642
|
+
answer: 'yes'
|
|
643
|
+
comment: security awareness training
|
|
644
|
+
- control_id: HR-02
|
|
645
|
+
question_id: HRS-03.2
|
|
646
|
+
answer: 'yes'
|
|
647
|
+
comment: attendance list
|
|
648
|
+
- control_id: HRS-03
|
|
649
|
+
question_id: HRS-03.3
|
|
650
|
+
answer: 'yes'
|
|
651
|
+
comment: All staff are required to sign NDA and the Ribose Confidential Information
|
|
652
|
+
Agreement
|
|
653
|
+
- control_id: HRS-03
|
|
654
|
+
question_id: HRS-03.4
|
|
655
|
+
answer: 'yes'
|
|
656
|
+
comment: security awareness training
|
|
657
|
+
- control_id: HRS-03
|
|
658
|
+
question_id: HRS-03.5
|
|
659
|
+
answer: 'yes'
|
|
660
|
+
comment: security awareness training
|
|
661
|
+
- control_id: HRS-04
|
|
662
|
+
question_id: HRS-04.1
|
|
663
|
+
answer: 'yes'
|
|
664
|
+
comment: Employment procedures are documented in the Ribose HR space. Our HR process
|
|
665
|
+
is outsourced.
|
|
666
|
+
- control_id: HRS-04
|
|
667
|
+
question_id: HRS-04.2
|
|
668
|
+
answer: 'yes'
|
|
669
|
+
comment: exit procedures
|
|
670
|
+
- control_id: HRS-05
|
|
671
|
+
question_id: HRS-05.1
|
|
672
|
+
answer: 'yes'
|
|
673
|
+
comment: Mobile device policies are covered in the ISP and regularly reviewed
|
|
674
|
+
by the ISC to adjust for business risks.
|
|
675
|
+
- control_id: HRS-06
|
|
676
|
+
question_id: HRS-06.1
|
|
677
|
+
answer: 'yes'
|
|
678
|
+
comment: Our employee agreements and confidential agreements are reviewed on every
|
|
679
|
+
usage.
|
|
680
|
+
- control_id: HRS-07
|
|
681
|
+
question_id: HRS-07.1
|
|
682
|
+
answer: 'yes'
|
|
683
|
+
comment: We have a company organogram describing the roles of all staff.
|
|
684
|
+
- control_id: HRS-08
|
|
685
|
+
question_id: HRS-08.1
|
|
686
|
+
answer: 'yes'
|
|
687
|
+
comment: Covered by ISP Mobile Devices chapter.
|
|
688
|
+
- control_id: IS-26
|
|
689
|
+
question_id: HRS-08.2
|
|
690
|
+
answer: 'yes'
|
|
691
|
+
comment: privacy policy
|
|
692
|
+
- control_id: IS-26
|
|
693
|
+
question_id: HRS-08.3
|
|
694
|
+
answer: 'yes'
|
|
695
|
+
comment: Agreed privacy policy before use
|
|
696
|
+
- control_id: HRS-09
|
|
697
|
+
question_id: HRS-09.1
|
|
698
|
+
answer: 'yes'
|
|
699
|
+
comment: All staff are required to participate in the CFISA security awareness
|
|
700
|
+
training and mobile device security training.
|
|
701
|
+
- control_id: IS-11
|
|
702
|
+
question_id: HRS-09.2
|
|
703
|
+
answer: 'yes'
|
|
704
|
+
comment: All staff are required to participate in the CFISA security awareness
|
|
705
|
+
training and mobile device security training.
|
|
706
|
+
- control_id: HRS-10
|
|
707
|
+
question_id: HRS-10.1
|
|
708
|
+
answer: 'yes'
|
|
709
|
+
comment: All staff are required to participate in the CFISA security awareness
|
|
710
|
+
training and mobile device security training.
|
|
711
|
+
- control_id: IS-16
|
|
712
|
+
question_id: HRS-10.2
|
|
713
|
+
answer: 'yes'
|
|
714
|
+
comment: All staff are required to participate in the CFISA security awareness
|
|
715
|
+
training and mobile device security training.
|
|
716
|
+
- control_id: IS-16
|
|
717
|
+
question_id: HRS-10.3
|
|
718
|
+
answer: 'yes'
|
|
719
|
+
comment: All staff are required to participate in the CFISA security awareness
|
|
720
|
+
training and mobile device security training.
|
|
721
|
+
- control_id: HRS-11
|
|
722
|
+
question_id: HRS-11.1
|
|
723
|
+
answer: 'yes'
|
|
724
|
+
comment: Roles and responsbilities
|
|
725
|
+
- control_id: IS-16
|
|
726
|
+
question_id: HRS-11.2
|
|
727
|
+
answer: 'yes'
|
|
728
|
+
comment: papertrails
|
|
729
|
+
- control_id: IS-16
|
|
730
|
+
question_id: HRS-11.3
|
|
731
|
+
answer: 'yes'
|
|
732
|
+
comment: Images are managed by git and only authorized users can make changes
|
|
733
|
+
- control_id: IAM-01
|
|
734
|
+
question_id: IAM-01.1
|
|
735
|
+
answer: 'yes'
|
|
736
|
+
comment: |-
|
|
737
|
+
Ribose uses S3 storage to place log archives. Ribose also uses a remote syslog service.
|
|
738
|
+
S3 and the remote syslog have strong authentication mechanisms. papertrails and datadog
|
|
739
|
+
- control_id: IAM-01
|
|
740
|
+
question_id: IAM-01.2
|
|
741
|
+
answer: 'yes'
|
|
742
|
+
comment: papertrails and datadog
|
|
743
|
+
- control_id: IAM-02
|
|
744
|
+
question_id: IAM-02.1
|
|
745
|
+
answer: 'yes'
|
|
746
|
+
comment: Ribose has defined a data governance procedure that covers the account
|
|
747
|
+
life cycle (removal) of Ribose users.
|
|
748
|
+
- control_id: IS-07
|
|
749
|
+
question_id: IAM-02.2
|
|
750
|
+
answer: 'yes'
|
|
751
|
+
comment: Crimson
|
|
752
|
+
- control_id: IAM-03
|
|
753
|
+
question_id: IAM-03.1
|
|
754
|
+
answer: 'yes'
|
|
755
|
+
comment: VPC
|
|
756
|
+
- control_id: IAM-04
|
|
757
|
+
question_id: IAM-04.1
|
|
758
|
+
answer: 'yes'
|
|
759
|
+
comment: All user accounts are centrally egistered in the Access Rights spreadsheet.
|
|
760
|
+
Network, system and document access is based on least priviledge.
|
|
761
|
+
- control_id: IAM-04
|
|
762
|
+
question_id: IAM-04.2
|
|
763
|
+
answer: 'yes'
|
|
764
|
+
comment: All user accounts are centrally egistered in the Access Rights spreadsheet.
|
|
765
|
+
Network, system and document access is based on least priviledge.
|
|
766
|
+
- control_id: IAM-05
|
|
767
|
+
question_id: IAM-05.1
|
|
768
|
+
answer: 'yes'
|
|
769
|
+
comment: An Access Control Policy has been defined in the Information Security
|
|
770
|
+
Policy.
|
|
771
|
+
- control_id: IAM-06
|
|
772
|
+
question_id: IAM-06.1
|
|
773
|
+
answer: 'yes'
|
|
774
|
+
comment: Access control to the Ribose version control system (git) is enforced
|
|
775
|
+
by change management requiring senior management approval.
|
|
776
|
+
- control_id: IS-33
|
|
777
|
+
question_id: IAM-06.2
|
|
778
|
+
answer: 'yes'
|
|
779
|
+
comment: Access control to the Ribose version control system (git) is enforced
|
|
780
|
+
by change management requiring senior management approval.
|
|
781
|
+
- control_id: IAM-07
|
|
782
|
+
question_id: IAM-07.1
|
|
783
|
+
answer: 'yes'
|
|
784
|
+
comment: BCP and risk management procedure
|
|
785
|
+
- control_id: RI-05
|
|
786
|
+
question_id: IAM-07.2
|
|
787
|
+
answer: 'yes'
|
|
788
|
+
comment: datadog
|
|
789
|
+
- control_id: RI-05
|
|
790
|
+
question_id: IAM-07.3
|
|
791
|
+
answer: 'yes'
|
|
792
|
+
comment: Mainly AWS, can be switched to Rackspace or Azure
|
|
793
|
+
- control_id: RI-05
|
|
794
|
+
question_id: IAM-07.4
|
|
795
|
+
answer: 'yes'
|
|
796
|
+
comment: network diagram
|
|
797
|
+
- control_id: RI-05
|
|
798
|
+
question_id: IAM-07.5
|
|
799
|
+
answer: 'yes'
|
|
800
|
+
comment: customer feedback
|
|
801
|
+
- control_id: RI-05
|
|
802
|
+
question_id: IAM-07.6
|
|
803
|
+
answer: NA
|
|
804
|
+
comment: SaaS, not Iaas. failover will be performed automatically
|
|
805
|
+
- control_id: RI-05
|
|
806
|
+
question_id: IAM-07.7
|
|
807
|
+
answer: 'yes'
|
|
808
|
+
comment: on request
|
|
809
|
+
- control_id: IAM-08
|
|
810
|
+
question_id: IAM-08.1
|
|
811
|
+
answer: 'yes'
|
|
812
|
+
comment: |-
|
|
813
|
+
Chapter 11, Access Control Policy of the ISP covers this control:
|
|
814
|
+
Principles
|
|
815
|
+
- Access to network, systems, applications and information are granted to users on a need-to-know basis, taking into considerations of the business need versus security implications, separation of duties within business pro- cesses, and classification of information.
|
|
816
|
+
- For network connectivity or services, the security principle “Everything is generally forbidden unless expressly permitted” shall also be considered when granting accesses.
|
|
817
|
+
- control_id: IS-08
|
|
818
|
+
question_id: IAM-08.2
|
|
819
|
+
answer: 'yes'
|
|
820
|
+
comment: Data classification is defined.
|
|
821
|
+
- control_id: IAM-09
|
|
822
|
+
question_id: IAM-09.1
|
|
823
|
+
answer: 'yes'
|
|
824
|
+
comment: |-
|
|
825
|
+
An Access Control Policy has been defined in the Information Security Policy.
|
|
826
|
+
|
|
827
|
+
Ribose users have fine grained access control over the spaces that they administer.
|
|
828
|
+
- control_id: IAM-09
|
|
829
|
+
question_id: IAM-09.2
|
|
830
|
+
answer: NA
|
|
831
|
+
comment: Ribose users have fine grained access control over the spaces that they
|
|
832
|
+
administer.
|
|
833
|
+
- control_id: IAM-10
|
|
834
|
+
question_id: IAM-10.1
|
|
835
|
+
answer: 'yes'
|
|
836
|
+
comment: An Access Control Policy has been defined in the Information Security
|
|
837
|
+
Policy.
|
|
838
|
+
- control_id: IS-10
|
|
839
|
+
question_id: IAM-10.2
|
|
840
|
+
answer: 'yes'
|
|
841
|
+
comment: log changes in auditing and papertrails
|
|
842
|
+
- control_id: IS-10
|
|
843
|
+
question_id: IAM-10.3
|
|
844
|
+
answer: NA
|
|
845
|
+
comment: Ribose will notice customers for security incidents
|
|
846
|
+
- control_id: IAM-11
|
|
847
|
+
question_id: IAM-11.1
|
|
848
|
+
answer: 'yes'
|
|
849
|
+
comment: |-
|
|
850
|
+
Entry and Exit Procedures are described in the Ribose Operations wiki
|
|
851
|
+
1. Entry Procedures
|
|
852
|
+
2. Exit Procedures
|
|
853
|
+
- control_id: IS-09
|
|
854
|
+
question_id: IAM-11.2
|
|
855
|
+
answer: 'yes'
|
|
856
|
+
comment: exit procedures
|
|
857
|
+
- control_id: IAM-12
|
|
858
|
+
question_id: IAM-12.1
|
|
859
|
+
answer: 'yes'
|
|
860
|
+
comment: Users can access all applications in Ribose after sign on.
|
|
861
|
+
- control_id: SA-02
|
|
862
|
+
question_id: IAM-12.2
|
|
863
|
+
answer: 'yes'
|
|
864
|
+
comment: devise
|
|
865
|
+
- control_id: SA-02
|
|
866
|
+
question_id: IAM-12.3
|
|
867
|
+
answer: 'yes'
|
|
868
|
+
comment: devise
|
|
869
|
+
- control_id: SA-02
|
|
870
|
+
question_id: IAM-12.4
|
|
871
|
+
answer: 'yes'
|
|
872
|
+
comment: User Access Management policy
|
|
873
|
+
- control_id: SA-02
|
|
874
|
+
question_id: IAM-12.5
|
|
875
|
+
answer: 'yes'
|
|
876
|
+
comment: role-based
|
|
877
|
+
- control_id: SA-02
|
|
878
|
+
question_id: IAM-12.6
|
|
879
|
+
answer: 'yes'
|
|
880
|
+
comment: 2 factor authentication enabled for AWS console
|
|
881
|
+
- control_id: SA-02
|
|
882
|
+
question_id: IAM-12.7
|
|
883
|
+
answer: 'yes'
|
|
884
|
+
comment: AWS supports integration with third-party identity assurance services.
|
|
885
|
+
- control_id: IAM-12
|
|
886
|
+
question_id: IAM-12.8
|
|
887
|
+
answer: 'yes'
|
|
888
|
+
comment: Password Management Policy
|
|
889
|
+
- control_id: IAM-12
|
|
890
|
+
question_id: IAM-12.9
|
|
891
|
+
answer: 'no'
|
|
892
|
+
comment: Ribose enforces the password policy
|
|
893
|
+
- control_id: IAM-12
|
|
894
|
+
question_id: IAM-12.10
|
|
895
|
+
answer: 'yes'
|
|
896
|
+
comment: Users need to enter the password himself when first logon.
|
|
897
|
+
- control_id: IAM-12
|
|
898
|
+
question_id: IAM-12.11
|
|
899
|
+
answer: NA
|
|
900
|
+
comment: account locking is disabled to prevent hackers to lock someone's account.
|
|
901
|
+
- control_id: IAM-13
|
|
902
|
+
question_id: IAM-13.1
|
|
903
|
+
answer: 'yes'
|
|
904
|
+
comment: administrators
|
|
905
|
+
- control_id: IS-34
|
|
906
|
+
question_id: IAM-13.2
|
|
907
|
+
answer: 'no'
|
|
908
|
+
comment: detections by Amazon
|
|
909
|
+
- control_id: IS-34
|
|
910
|
+
question_id: IAM-13.3
|
|
911
|
+
answer: 'yes'
|
|
912
|
+
comment: BCP and risk management procedure
|
|
913
|
+
- control_id: IVS-01
|
|
914
|
+
question_id: IVS-01.1
|
|
915
|
+
answer: 'yes'
|
|
916
|
+
comment: AIDE installed
|
|
917
|
+
- control_id: SA-14
|
|
918
|
+
question_id: IVS-01.2
|
|
919
|
+
answer: 'yes'
|
|
920
|
+
comment: audit and logging are enabled
|
|
921
|
+
- control_id: SA-14
|
|
922
|
+
question_id: IVS-01.3
|
|
923
|
+
answer: 'yes'
|
|
924
|
+
comment: Legal and Regulatory Compliance Procedure
|
|
925
|
+
- control_id: IVS-01
|
|
926
|
+
question_id: IVS-01.4
|
|
927
|
+
answer: 'yes'
|
|
928
|
+
comment: papertrails and S3
|
|
929
|
+
- control_id: IVS-01
|
|
930
|
+
question_id: IVS-01.5
|
|
931
|
+
answer: 'yes'
|
|
932
|
+
comment: papertrails
|
|
933
|
+
- control_id: IVS-02
|
|
934
|
+
question_id: IVS-02.1
|
|
935
|
+
answer: 'yes'
|
|
936
|
+
comment: changes are restrcited by git and user permission
|
|
937
|
+
- control_id: IVS-02
|
|
938
|
+
question_id: IVS-02.2
|
|
939
|
+
answer: 'yes'
|
|
940
|
+
comment: changes are restrcited by git and user permission
|
|
941
|
+
- control_id: IVS-03
|
|
942
|
+
question_id: IVS-03.1
|
|
943
|
+
answer: 'yes'
|
|
944
|
+
comment: NTP
|
|
945
|
+
- control_id: IVS-04
|
|
946
|
+
question_id: IVS-04.1
|
|
947
|
+
answer: 'yes'
|
|
948
|
+
comment: Crimson and git repo ribose-infrastructure
|
|
949
|
+
- control_id: OP-03
|
|
950
|
+
question_id: IVS-04.2
|
|
951
|
+
answer: 'yes'
|
|
952
|
+
comment: ribose-infrastructure
|
|
953
|
+
- control_id: IVS-04
|
|
954
|
+
question_id: IVS-04.3
|
|
955
|
+
answer: 'yes'
|
|
956
|
+
comment: capacity plan and auto scaling
|
|
957
|
+
- control_id: IVS-04
|
|
958
|
+
question_id: IVS-04.4
|
|
959
|
+
answer: 'yes'
|
|
960
|
+
comment: AWS metrics and datadog
|
|
961
|
+
- control_id: IVS-05
|
|
962
|
+
question_id: IVS-05.1
|
|
963
|
+
answer: 'yes'
|
|
964
|
+
comment: penetration test and vulnerability scanning
|
|
965
|
+
- control_id: IVS-06
|
|
966
|
+
question_id: IVS-06.1
|
|
967
|
+
answer: NA
|
|
968
|
+
comment: SaaS
|
|
969
|
+
- control_id: IVS-06
|
|
970
|
+
question_id: IVS-06.2
|
|
971
|
+
answer: 'yes'
|
|
972
|
+
comment: network diagram
|
|
973
|
+
- control_id: IVS-06
|
|
974
|
+
question_id: IVS-06.3
|
|
975
|
+
answer: 'yes'
|
|
976
|
+
comment: change management procedure
|
|
977
|
+
- control_id: IVS-06
|
|
978
|
+
question_id: IVS-06.4
|
|
979
|
+
answer: 'yes'
|
|
980
|
+
comment: ribose-infrastructure
|
|
981
|
+
- control_id: IVS-07
|
|
982
|
+
question_id: IVS-07.1
|
|
983
|
+
answer: 'yes'
|
|
984
|
+
comment: ribose-infrastructure
|
|
985
|
+
- control_id: IVS-08
|
|
986
|
+
question_id: IVS-08.1
|
|
987
|
+
answer: 'yes'
|
|
988
|
+
comment: prodcution environment for customers and staging environment for internal
|
|
989
|
+
developers
|
|
990
|
+
- control_id: SA-06
|
|
991
|
+
question_id: IVS-08.2
|
|
992
|
+
answer: NA
|
|
993
|
+
comment: SaaS
|
|
994
|
+
- control_id: IVS-08
|
|
995
|
+
question_id: IVS-08.3
|
|
996
|
+
answer: 'yes'
|
|
997
|
+
comment: different VPC
|
|
998
|
+
- control_id: IVS-09
|
|
999
|
+
question_id: IVS-09.1
|
|
1000
|
+
answer: 'yes'
|
|
1001
|
+
comment: VPC and security groups
|
|
1002
|
+
- control_id: SA-09
|
|
1003
|
+
question_id: IVS-09.2
|
|
1004
|
+
answer: 'yes'
|
|
1005
|
+
comment: VPC and security groups
|
|
1006
|
+
- control_id: SA-09
|
|
1007
|
+
question_id: IVS-09.3
|
|
1008
|
+
answer: 'yes'
|
|
1009
|
+
comment: different VPC
|
|
1010
|
+
- control_id: SA-09
|
|
1011
|
+
question_id: IVS-09.4
|
|
1012
|
+
answer: 'yes'
|
|
1013
|
+
comment: VPC and security groups
|
|
1014
|
+
- control_id: IVS-10
|
|
1015
|
+
question_id: IVS-10.1
|
|
1016
|
+
answer: 'yes'
|
|
1017
|
+
comment: SSH and SSL
|
|
1018
|
+
- control_id: IVS-10
|
|
1019
|
+
question_id: IVS-10.2
|
|
1020
|
+
answer: 'yes'
|
|
1021
|
+
comment: VPC
|
|
1022
|
+
- control_id: IVS-11
|
|
1023
|
+
question_id: IVS-11.1
|
|
1024
|
+
answer: 'yes'
|
|
1025
|
+
comment: administrators
|
|
1026
|
+
- control_id: IVS-12
|
|
1027
|
+
question_id: IVS-12.1
|
|
1028
|
+
answer: 'yes'
|
|
1029
|
+
comment: Wireless Communication Policy
|
|
1030
|
+
- control_id: SA-10
|
|
1031
|
+
question_id: IVS-12.2
|
|
1032
|
+
answer: 'yes'
|
|
1033
|
+
comment: Wireless Communication Policy
|
|
1034
|
+
- control_id: SA-10
|
|
1035
|
+
question_id: IVS-12.3
|
|
1036
|
+
answer: 'yes'
|
|
1037
|
+
comment: whitelist of company-owned/managed MAC addresses used to reject any rogue
|
|
1038
|
+
wireless network devices.
|
|
1039
|
+
- control_id: IVS-13
|
|
1040
|
+
question_id: IVS-13.1
|
|
1041
|
+
answer: 'yes'
|
|
1042
|
+
comment: Crimson states which legal and privacy regulations affect the data handling
|
|
1043
|
+
and location
|
|
1044
|
+
- control_id: IVS-13
|
|
1045
|
+
question_id: IVS-13.2
|
|
1046
|
+
answer: 'yes'
|
|
1047
|
+
comment: Ribose IaaS provider Amazon has various levels of protection
|
|
1048
|
+
- control_id: IPY-01
|
|
1049
|
+
question_id: IPY-01.1
|
|
1050
|
+
answer: 'yes'
|
|
1051
|
+
comment: Ribose-api in github
|
|
1052
|
+
- control_id: IPY-02
|
|
1053
|
+
question_id: IPY-02.1
|
|
1054
|
+
answer: 'yes'
|
|
1055
|
+
comment: json
|
|
1056
|
+
- control_id: IPY-03
|
|
1057
|
+
question_id: IPY-03.1
|
|
1058
|
+
answer: 'yes'
|
|
1059
|
+
comment: same as service
|
|
1060
|
+
- control_id: IPY-03
|
|
1061
|
+
question_id: IPY-03.2
|
|
1062
|
+
answer: 'yes'
|
|
1063
|
+
comment: same as service
|
|
1064
|
+
- control_id: IPY-04
|
|
1065
|
+
question_id: IPY-04.1
|
|
1066
|
+
answer: 'yes'
|
|
1067
|
+
comment: ssl
|
|
1068
|
+
- control_id: IPY-04
|
|
1069
|
+
question_id: IPY-04.2
|
|
1070
|
+
answer: NA
|
|
1071
|
+
comment: https is a common protocol
|
|
1072
|
+
- control_id: IPY-05
|
|
1073
|
+
question_id: IPY-05.1
|
|
1074
|
+
answer: 'yes'
|
|
1075
|
+
comment: Xen
|
|
1076
|
+
- control_id: IPY-05
|
|
1077
|
+
question_id: IPY-05.2
|
|
1078
|
+
answer: 'yes'
|
|
1079
|
+
comment: Refer to the AWS Cloud Security Whitepaper for additional details - available
|
|
1080
|
+
at http://aws.amazon.com/security."
|
|
1081
|
+
- control_id: MOS-01
|
|
1082
|
+
question_id: MOS-01.1
|
|
1083
|
+
answer: 'yes'
|
|
1084
|
+
comment: Training is included and performed. This is incorporated in our Information
|
|
1085
|
+
Security Policy, chapter "Mobile Device Policy"
|
|
1086
|
+
- control_id: MOS-02
|
|
1087
|
+
question_id: MOS-02.1
|
|
1088
|
+
answer: 'yes'
|
|
1089
|
+
comment: Approved software list
|
|
1090
|
+
- control_id: MOS-03
|
|
1091
|
+
question_id: MOS-03.1
|
|
1092
|
+
answer: 'yes'
|
|
1093
|
+
- control_id: MOS-04
|
|
1094
|
+
question_id: MOS-04.1
|
|
1095
|
+
answer: NA
|
|
1096
|
+
comment: Ribose does not allow BYOD.
|
|
1097
|
+
- control_id: MOS-05
|
|
1098
|
+
question_id: MOS-05.1
|
|
1099
|
+
answer: 'yes'
|
|
1100
|
+
comment: This is incorporated in our Information Security Policy, chapter "Mobile
|
|
1101
|
+
Device Policy"
|
|
1102
|
+
- control_id: MOS-06
|
|
1103
|
+
question_id: MOS-06.1
|
|
1104
|
+
answer: 'yes'
|
|
1105
|
+
comment: This is incorporated in our Information Security Policy, chapter "Mobile
|
|
1106
|
+
Device Policy"
|
|
1107
|
+
- control_id: MOS-07
|
|
1108
|
+
question_id: MOS-07.1
|
|
1109
|
+
answer: 'yes'
|
|
1110
|
+
comment: Ribose has a documented application validation process in the Ribose
|
|
1111
|
+
development space wiki named "Application Validation Process"
|
|
1112
|
+
- control_id: MOS-08
|
|
1113
|
+
question_id: MOS-08.1
|
|
1114
|
+
answer: NA
|
|
1115
|
+
comment: Ribose does not allow BYOD.
|
|
1116
|
+
- control_id: MOS-09
|
|
1117
|
+
question_id: MOS-09.1
|
|
1118
|
+
answer: NA
|
|
1119
|
+
comment: Ribose does not allow BYOD.
|
|
1120
|
+
- control_id: MOS-10
|
|
1121
|
+
question_id: MOS-10.1
|
|
1122
|
+
answer: 'yes'
|
|
1123
|
+
comment: meraki
|
|
1124
|
+
- control_id: MOS-11
|
|
1125
|
+
question_id: MOS-11.1
|
|
1126
|
+
answer: 'yes'
|
|
1127
|
+
comment: 'Mobile device policy requires use of entire disk encryption. '
|
|
1128
|
+
- control_id: MOS-12
|
|
1129
|
+
question_id: MOS-12.1
|
|
1130
|
+
answer: 'yes'
|
|
1131
|
+
comment: This is incorporated in our Information Security Policy, chapter "Mobile
|
|
1132
|
+
Device Policy"
|
|
1133
|
+
- control_id: MOS-12
|
|
1134
|
+
question_id: MOS-12.2
|
|
1135
|
+
answer: 'yes'
|
|
1136
|
+
comment: This is incorporated in our Information Security Policy, chapter "Mobile
|
|
1137
|
+
Device Policy"
|
|
1138
|
+
- control_id: MOS-13
|
|
1139
|
+
question_id: MOS-13.1
|
|
1140
|
+
answer: NA
|
|
1141
|
+
comment: Ribose does not allow BYOD.
|
|
1142
|
+
- control_id: MOS-13
|
|
1143
|
+
question_id: MOS-13.2
|
|
1144
|
+
answer: NA
|
|
1145
|
+
comment: Ribose does not allow BYOD.
|
|
1146
|
+
- control_id: MOS-14
|
|
1147
|
+
question_id: MOS-14.1
|
|
1148
|
+
answer: 'yes'
|
|
1149
|
+
comment: Screensaver functionality has been enabled.
|
|
1150
|
+
- control_id: MOS-15
|
|
1151
|
+
question_id: MOS-15.1
|
|
1152
|
+
answer: 'yes'
|
|
1153
|
+
comment: meraki
|
|
1154
|
+
- control_id: MOS-16
|
|
1155
|
+
question_id: MOS-16.1
|
|
1156
|
+
answer: 'yes'
|
|
1157
|
+
comment: password policy
|
|
1158
|
+
- control_id: MOS-16
|
|
1159
|
+
question_id: MOS-16.2
|
|
1160
|
+
answer: 'yes'
|
|
1161
|
+
comment: Password policy has been enforced.
|
|
1162
|
+
- control_id: MOS-16
|
|
1163
|
+
question_id: MOS-16.3
|
|
1164
|
+
answer: 'yes'
|
|
1165
|
+
comment: Password policy has been enforced.
|
|
1166
|
+
- control_id: MOS-17
|
|
1167
|
+
question_id: MOS-17.1
|
|
1168
|
+
answer: NA
|
|
1169
|
+
comment: Ribose does not allow BYOD.
|
|
1170
|
+
- control_id: MOS-17
|
|
1171
|
+
question_id: MOS-17.2
|
|
1172
|
+
answer: NA
|
|
1173
|
+
comment: Ribose does not allow BYOD.
|
|
1174
|
+
- control_id: MOS-17
|
|
1175
|
+
question_id: MOS-17.3
|
|
1176
|
+
answer: NA
|
|
1177
|
+
comment: Ribose does not allow BYOD.
|
|
1178
|
+
- control_id: MOS-18
|
|
1179
|
+
question_id: MOS-18.1
|
|
1180
|
+
answer: NA
|
|
1181
|
+
comment: Ribose does not allow BYOD.
|
|
1182
|
+
- control_id: MOS-18
|
|
1183
|
+
question_id: MOS-18.2
|
|
1184
|
+
answer: 'yes'
|
|
1185
|
+
comment: meraki
|
|
1186
|
+
- control_id: MOS-19
|
|
1187
|
+
question_id: MOS-19.1
|
|
1188
|
+
answer: 'yes'
|
|
1189
|
+
comment: meraki
|
|
1190
|
+
- control_id: MOS-19
|
|
1191
|
+
question_id: MOS-19.2
|
|
1192
|
+
answer: 'yes'
|
|
1193
|
+
comment: meraki
|
|
1194
|
+
- control_id: MOS-20
|
|
1195
|
+
question_id: MOS-20.1
|
|
1196
|
+
answer: NA
|
|
1197
|
+
comment: Ribose does not allow BYOD.
|
|
1198
|
+
- control_id: MOS-20
|
|
1199
|
+
question_id: MOS-20.2
|
|
1200
|
+
answer: NA
|
|
1201
|
+
comment: Ribose does not allow BYOD.
|
|
1202
|
+
- control_id: SEF-01
|
|
1203
|
+
question_id: SEF-01.1
|
|
1204
|
+
answer: 'yes'
|
|
1205
|
+
comment: A contact law enforcement policy has been established with details of
|
|
1206
|
+
the Hong Kong Police Force Technology Crime Division(TCD).
|
|
1207
|
+
- control_id: SEF-02
|
|
1208
|
+
question_id: SEF-02.1
|
|
1209
|
+
answer: 'yes'
|
|
1210
|
+
comment: A security incident procedure has been established.
|
|
1211
|
+
- control_id: IS-22
|
|
1212
|
+
question_id: SEF-02.2
|
|
1213
|
+
answer: 'yes'
|
|
1214
|
+
comment: A security incident procedure has been established.
|
|
1215
|
+
- control_id: IS-22
|
|
1216
|
+
question_id: SEF-02.3
|
|
1217
|
+
answer: 'yes'
|
|
1218
|
+
comment: Terms of Use
|
|
1219
|
+
- control_id: SEF-02
|
|
1220
|
+
question_id: SEF-02.4
|
|
1221
|
+
answer: 'yes'
|
|
1222
|
+
comment: BCP
|
|
1223
|
+
- control_id: SEF-03
|
|
1224
|
+
question_id: SEF-03.1
|
|
1225
|
+
answer: 'yes'
|
|
1226
|
+
comment: A security incident procedure has been established.
|
|
1227
|
+
- control_id: IS-23
|
|
1228
|
+
question_id: SEF-03.2
|
|
1229
|
+
answer: NA
|
|
1230
|
+
comment: SaaS
|
|
1231
|
+
- control_id: SEF-04
|
|
1232
|
+
question_id: SEF-04.1
|
|
1233
|
+
answer: 'yes'
|
|
1234
|
+
comment: ISO 27001
|
|
1235
|
+
- control_id: IS-24
|
|
1236
|
+
question_id: SEF-04.2
|
|
1237
|
+
answer: 'yes'
|
|
1238
|
+
comment: Ribose has established a forensics evidence procedure.
|
|
1239
|
+
- control_id: IS-24
|
|
1240
|
+
question_id: SEF-04.3
|
|
1241
|
+
answer: 'yes'
|
|
1242
|
+
comment: account can be disabled
|
|
1243
|
+
- control_id: IS-24
|
|
1244
|
+
question_id: SEF-04.4
|
|
1245
|
+
answer: NA
|
|
1246
|
+
comment: SaaS
|
|
1247
|
+
- control_id: SEF-05
|
|
1248
|
+
question_id: SEF-05.1
|
|
1249
|
+
answer: 'yes'
|
|
1250
|
+
comment: papertrails
|
|
1251
|
+
- control_id: IS-25
|
|
1252
|
+
question_id: SEF-05.2
|
|
1253
|
+
answer: NA
|
|
1254
|
+
comment: SaaS
|
|
1255
|
+
- control_id: STA-01
|
|
1256
|
+
question_id: STA-01.1
|
|
1257
|
+
answer: 'yes'
|
|
1258
|
+
comment: This control has been incorporated in the External Service Provider Audit
|
|
1259
|
+
Checklist which has been used for key vendors. These checklists are subject
|
|
1260
|
+
to annual review.
|
|
1261
|
+
- control_id: STA-01
|
|
1262
|
+
question_id: STA-01.2
|
|
1263
|
+
answer: 'yes'
|
|
1264
|
+
comment: This control has been incorporated in the External Service Provider Audit
|
|
1265
|
+
Checklist which has been used for key vendors. These checklists are subject
|
|
1266
|
+
to annual review.
|
|
1267
|
+
- control_id: STA-02
|
|
1268
|
+
question_id: STA-02.1
|
|
1269
|
+
answer: 'yes'
|
|
1270
|
+
comment: All users will be notified of security incidents through the Ribose blog.
|
|
1271
|
+
This is listed in the communications procedure.
|
|
1272
|
+
- control_id: STA-03
|
|
1273
|
+
question_id: STA-03.1
|
|
1274
|
+
answer: 'yes'
|
|
1275
|
+
comment: capacity plan and auto scaling
|
|
1276
|
+
- control_id: IS-31
|
|
1277
|
+
question_id: STA-03.2
|
|
1278
|
+
answer: NA
|
|
1279
|
+
comment: SaaS
|
|
1280
|
+
- control_id: STA-04
|
|
1281
|
+
question_id: STA-04.1
|
|
1282
|
+
answer: 'yes'
|
|
1283
|
+
comment: internal and external audits
|
|
1284
|
+
- control_id: STA-05
|
|
1285
|
+
question_id: STA-05.1
|
|
1286
|
+
answer: 'yes'
|
|
1287
|
+
comment: supplier evaluations
|
|
1288
|
+
- control_id: LG-02
|
|
1289
|
+
question_id: STA-05.2
|
|
1290
|
+
answer: 'yes'
|
|
1291
|
+
comment: supplier evaluations
|
|
1292
|
+
- control_id: LG-02
|
|
1293
|
+
question_id: STA-05.3
|
|
1294
|
+
answer: 'yes'
|
|
1295
|
+
comment: supplier evaluations
|
|
1296
|
+
- control_id: STA-05
|
|
1297
|
+
question_id: STA-05.4
|
|
1298
|
+
answer: 'yes'
|
|
1299
|
+
comment: supplier evaluations
|
|
1300
|
+
- control_id: STA-05
|
|
1301
|
+
question_id: STA-05.5
|
|
1302
|
+
answer: 'yes'
|
|
1303
|
+
comment: supplier evaluations
|
|
1304
|
+
- control_id: STA-06
|
|
1305
|
+
question_id: STA-06.1
|
|
1306
|
+
answer: 'yes'
|
|
1307
|
+
comment: Annual review during of the risk assessment and External Service Provider
|
|
1308
|
+
Audit Checklist is performed.
|
|
1309
|
+
- control_id: STA-07
|
|
1310
|
+
question_id: STA-07.1
|
|
1311
|
+
answer: 'yes'
|
|
1312
|
+
comment: OLA and datadog
|
|
1313
|
+
- control_id: STA-07
|
|
1314
|
+
question_id: STA-07.2
|
|
1315
|
+
answer: 'yes'
|
|
1316
|
+
comment: Ribose performs annual reviews of supplier evalutations
|
|
1317
|
+
- control_id: STA-07
|
|
1318
|
+
question_id: STA-07.3
|
|
1319
|
+
answer: 'yes'
|
|
1320
|
+
comment: Ribose defined OLA/SLA with the alignment of suppliers
|
|
1321
|
+
- control_id: STA-07
|
|
1322
|
+
question_id: STA-07.4
|
|
1323
|
+
answer: 'yes'
|
|
1324
|
+
comment: Ribose performs annual reviews of supplier evalutations
|
|
1325
|
+
- control_id: STA-08
|
|
1326
|
+
question_id: STA-08.1
|
|
1327
|
+
answer: 'yes'
|
|
1328
|
+
comment: Ribose performs annual reviews of supplier evalutations
|
|
1329
|
+
- control_id: STA-08
|
|
1330
|
+
question_id: STA-08.2
|
|
1331
|
+
answer: 'yes'
|
|
1332
|
+
comment: Ribose performs annual reviews of supplier evalutations
|
|
1333
|
+
- control_id: STA-09
|
|
1334
|
+
question_id: STA-09.1
|
|
1335
|
+
answer: 'yes'
|
|
1336
|
+
comment: Ribose performs annual reviews of supplier evalutations
|
|
1337
|
+
- control_id: STA-09
|
|
1338
|
+
question_id: STA-09.2
|
|
1339
|
+
answer: 'yes'
|
|
1340
|
+
comment: vulnerability scans and penetration tests are performed annually.
|
|
1341
|
+
- control_id: TVM-01
|
|
1342
|
+
question_id: TVM-01.1
|
|
1343
|
+
answer: 'yes'
|
|
1344
|
+
comment: Relevant policies and procedures are defined in the ISMS
|
|
1345
|
+
- control_id: IS-21
|
|
1346
|
+
question_id: TVM-01.2
|
|
1347
|
+
answer: 'yes'
|
|
1348
|
+
comment: meraki
|
|
1349
|
+
- control_id: TVM-02
|
|
1350
|
+
question_id: TVM-02.1
|
|
1351
|
+
answer: 'yes'
|
|
1352
|
+
comment: suricata
|
|
1353
|
+
- control_id: IS-20
|
|
1354
|
+
question_id: TVM-02.2
|
|
1355
|
+
answer: 'yes'
|
|
1356
|
+
comment: vuls openscap
|
|
1357
|
+
- control_id: IS-20
|
|
1358
|
+
question_id: TVM-02.3
|
|
1359
|
+
answer: 'yes'
|
|
1360
|
+
comment: Ossec
|
|
1361
|
+
- control_id: IS-20
|
|
1362
|
+
question_id: TVM-02.4
|
|
1363
|
+
answer: NA
|
|
1364
|
+
comment: SaaS
|
|
1365
|
+
- control_id: IS-20
|
|
1366
|
+
question_id: TVM-02.5
|
|
1367
|
+
answer: 'yes'
|
|
1368
|
+
comment: packer
|
|
1369
|
+
- control_id: IS-20
|
|
1370
|
+
question_id: TVM-02.6
|
|
1371
|
+
answer: 'yes'
|
|
1372
|
+
comment: maintenance page (statuspage)
|
|
1373
|
+
- control_id: TVM-03
|
|
1374
|
+
question_id: TVM-03.1
|
|
1375
|
+
answer: 'yes'
|
|
1376
|
+
comment: antivirus installed
|
|
1377
|
+
- control_id: SA-15
|
|
1378
|
+
question_id: TVM-03.2
|
|
1379
|
+
answer: 'yes'
|
|
1380
|
+
comment: antivirus installed
|