csa-ccm 0.1.2 → 0.1.3
- checksums.yaml +4 -4
- data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.answers.yaml +1380 -0
- data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.control.yaml +2141 -0
- data/appveyor.yml +36 -0
- data/caiq-3.0.1.yaml +531 -419
- data/caiq.yaml +2141 -0
- data/lib/csa/ccm/answer.rb +6 -29
- data/lib/csa/ccm/cli/command.rb +67 -62
- data/lib/csa/ccm/cli/resource.rb +0 -9
- data/lib/csa/ccm/cli/version.rb +1 -1
- data/lib/csa/ccm/control.rb +3 -5
- data/lib/csa/ccm/control_domain.rb +2 -5
- data/lib/csa/ccm/matrix.rb +167 -46
- data/resources/csa-caiq-v3.0.1-12-05-2016.yaml +2141 -0
- data/samples/ccm-answers.schema.yaml +21 -0
- data/samples/ccm-answers.yaml +1 -1
- data/samples/ccm.schema.yaml +35 -0
- data/tmp/ccm-301-2.yaml +2141 -0
- data/tmp/ccm-301.yaml +531 -419
- data/tmp/test.answers.yaml +597 -0
- data/tmp/test.control.yaml +2141 -0
- metadata +13 -6
- data/3.0.1.yaml +0 -1517
- data/resources/~$csa-caiq-v3.0.1-09-01-2017.xlsx +0 -0
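Review bot: the four scratch files under `tmp/` (`data/tmp/ccm-301.yaml`, `data/tmp/ccm-301-2.yaml`, `data/tmp/test.answers.yaml`, `data/tmp/test.control.yaml`, over five thousand added lines between them) are packaged into the gem next to the real data files `data/caiq.yaml` and `data/resources/csa-caiq-v3.0.1-12-05-2016.yaml`; they duplicate that content and should be excluded from the gemspec's file list, as should `data/appveyor.yml`. Removing the Excel lock file `~$csa-caiq-v3.0.1-09-01-2017.xlsx` is the right call. The new `data/samples/ccm.schema.yaml` and `data/samples/ccm-answers.schema.yaml` are welcome, but nothing in this diff shows them being run against `caiq.yaml`; a spec that validates the shipped YAML against those schemas would catch malformed ids and untitled domains before release.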
data/tmp/ccm-301.yaml
CHANGED
@@ -6,10 +6,10 @@ ccm:
|
|
6
6
|
source_file: csa-caiq-v3.0.1-12-05-2016.xlsx
|
7
7
|
control_domains:
|
8
8
|
- id: AIS
|
9
|
-
|
9
|
+
title: Application & Interface Security
|
10
10
|
controls:
|
11
11
|
- id: AIS-01
|
12
|
-
|
12
|
+
title: Application Security
|
13
13
|
specification: Applications and programming interfaces (APIs) shall be designed,
|
14
14
|
developed, deployed, and tested in accordance with leading industry standards
|
15
15
|
(e.g., OWASP for web applications) and adhere to applicable legal, statutory,
|
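Review bot: renaming the domain and control key to `title:` (the removed text is not rendered in this hunk, but the AAC-03 hunk below shows `- name: Information System Regulatory Mapping` becoming `+ title: Information System Regulatory Mapping`) is a breaking change for anything that reads `data/caiq.yaml` directly, yet it ships as a patch bump (0.1.2 → 0.1.3) and the diff carries no changelog entry. Call the rename out in the release notes and have the new `ccm.schema.yaml` require `title` so a stale `name:` cannot slip back in on the next spreadsheet conversion.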
@@ -33,7 +33,7 @@ ccm:
|
|
33
33
|
content: "(SaaS only) Do you review your applications for security vulnerabilities
|
34
34
|
and address any issues prior to deployment to production?"
|
35
35
|
- id: AIS-02
|
36
|
-
|
36
|
+
title: Customer Access Requirements
|
37
37
|
specification: 'Prior to granting customers access to data, assets, and information
|
38
38
|
systems, identified security, contractual, and regulatory requirements for
|
39
39
|
customer access shall be addressed. '
|
@@ -42,13 +42,11 @@ ccm:
|
|
42
42
|
content: Are all identified security, contractual, and regulatory requirements
|
43
43
|
for customer access contractually addressed and remediated prior to granting
|
44
44
|
customers access to data, assets, and information systems?
|
45
|
-
|
46
|
-
questions:
|
47
|
-
- id: AIS- 02.2
|
45
|
+
- id: AIS-02.2
|
48
46
|
content: Are all requirements and trust levels for customers’ access defined
|
49
47
|
and documented?
|
50
48
|
- id: AIS-03
|
51
|
-
|
49
|
+
title: Data Integrity
|
52
50
|
specification: Data input and output integrity routines (i.e., reconciliation
|
53
51
|
and edit checks) shall be implemented for application interfaces and databases
|
54
52
|
to prevent manual or systematic processing errors, corruption of data, or
|
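Review bot: the three removed lines at old 45 to 47 (a blank line, a second `questions:` key, and `- id: AIS- 02.2`) fix two real defects in the old AIS-02 entry: a duplicate `questions:` mapping key, which YAML loaders such as Psych resolve silently by letting the later value win, so AIS-02.1 was being dropped on load; and an id with an embedded space, which breaks any lookup by id. The fix is right; add a check in the new schema (or a spec) that rejects duplicate keys and enforces the `XXX-NN.N` id pattern, because both errors come straight from the spreadsheet and will recur on the next conversion.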
@@ -59,7 +57,7 @@ ccm:
|
|
59
57
|
and edit checks) implemented for application interfaces and databases to
|
60
58
|
prevent manual or systematic processing errors or corruption of data?
|
61
59
|
- id: AIS-04
|
62
|
-
|
60
|
+
title: Data Security / Integrity
|
63
61
|
specification: Policies and procedures shall be established and maintained in
|
64
62
|
support of data security to include (confidentiality, integrity, and availability)
|
65
63
|
across multiple system interfaces, jurisdictions, and business functions to
|
@@ -70,10 +68,10 @@ ccm:
|
|
70
68
|
(e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP,
|
71
69
|
CAESARS)?
|
72
70
|
- id: AAC
|
73
|
-
|
71
|
+
title: Audit Assurance & Compliance
|
74
72
|
controls:
|
75
73
|
- id: AAC-01
|
76
|
-
|
74
|
+
title: Audit Planning
|
77
75
|
specification: Audit plans shall be developed and maintained to address business
|
78
76
|
process disruptions. Auditing plans shall focus on reviewing the effectiveness
|
79
77
|
of the implementation of security operations. All audit activities must be
|
@@ -84,7 +82,7 @@ ccm:
|
|
84
82
|
format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML,
|
85
83
|
ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
|
86
84
|
- id: AAC-02
|
87
|
-
|
85
|
+
title: Independent Audits
|
88
86
|
specification: Independent reviews and assessments shall be performed at least
|
89
87
|
annually to ensure that the organization addresses nonconformities of established
|
90
88
|
policies, standards, procedures, and compliance obligations.
|
@@ -92,6 +90,32 @@ ccm:
|
|
92
90
|
- id: AAC-02.1
|
93
91
|
content: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party
|
94
92
|
audit or certification reports?
|
93
|
+
- id: AAC-02.8
|
94
|
+
content: Do you have an internal audit program that allows for cross-functional
|
95
|
+
audit of assessments?
|
96
|
+
- id: AAC-03
|
97
|
+
title: Information System Regulatory Mapping
|
98
|
+
specification: Organizations shall create and maintain a control framework which
|
99
|
+
captures standards, regulatory, legal, and statutory requirements relevant
|
100
|
+
for their business needs. The control framework shall be reviewed at least
|
101
|
+
annually to ensure changes that could affect the business processes are reflected.
|
102
|
+
questions:
|
103
|
+
- id: AAC-03.1
|
104
|
+
content: Do you have the ability to logically segment or encrypt customer
|
105
|
+
data such that data may be produced for a single tenant only, without inadvertently
|
106
|
+
accessing another tenant's data?
|
107
|
+
- id: AAC-03.3
|
108
|
+
content: Do you have the capability to restrict the storage of customer data
|
109
|
+
to specific countries or geographic locations?
|
110
|
+
- id: AAC-03.4
|
111
|
+
content: Do you have a program in place that includes the ability to monitor
|
112
|
+
changes to the regulatory requirements in relevant jurisdictions, adjust
|
113
|
+
your security program for changes to legal requirements, and ensure compliance
|
114
|
+
with relevant regulatory requirements?
|
115
|
+
- id: CO
|
116
|
+
controls:
|
117
|
+
- id: CO-02
|
118
|
+
questions:
|
95
119
|
- id: AAC-02.2
|
96
120
|
content: Do you conduct network penetration tests of your cloud service infrastructure
|
97
121
|
regularly as prescribed by industry best practices and guidance?
|
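Review bot: the block inserted at new lines 115 to 118 (`- id: CO`, `controls:`, `- id: CO-02`, `questions:`) moves AAC-02.2 (network penetration tests) and the questions that follow it out of AAC-02 into a new domain `CO` that has no `title:` and a control `CO-02` that has no `title:` or `specification:`, and whose id does not match the `AAC-` prefix of the question it holds. A consumer listing the questions of AAC-02 will now see 02.1 and 02.8 but not 02.2 (nor 02.7, per the next hunk), and the untitled `CO` entry will render as an empty domain. The additions of AAC-02.8 and of AAC-03 with 03.1, 03.3 and 03.4 are fine; check which spreadsheet column the conversion in `matrix.rb` (the largest code change in this release) groups on, and make the schema require `title` on every domain and control and a matching prefix between a question id and its control id.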
@@ -110,36 +134,16 @@ ccm:
|
|
110
134
|
- id: AAC-02.7
|
111
135
|
content: Are the results of internal and external audits available to tenants
|
112
136
|
at their request?
|
113
|
-
|
114
|
-
content: Do you have an internal audit program that allows for cross-functional
|
115
|
-
audit of assessments?
|
116
|
-
- id: AAC-03
|
117
|
-
name: Information System Regulatory Mapping
|
118
|
-
specification: Organizations shall create and maintain a control framework which
|
119
|
-
captures standards, regulatory, legal, and statutory requirements relevant
|
120
|
-
for their business needs. The control framework shall be reviewed at least
|
121
|
-
annually to ensure changes that could affect the business processes are reflected.
|
137
|
+
- id: CO-05
|
122
138
|
questions:
|
123
|
-
- id: AAC-03.1
|
124
|
-
content: Do you have the ability to logically segment or encrypt customer
|
125
|
-
data such that data may be produced for a single tenant only, without inadvertently
|
126
|
-
accessing another tenant's data?
|
127
139
|
- id: AAC-03.2
|
128
140
|
content: Do you have the capability to recover data for a specific customer
|
129
141
|
in the case of a failure or data loss?
|
130
|
-
- id: AAC-03.3
|
131
|
-
content: Do you have the capability to restrict the storage of customer data
|
132
|
-
to specific countries or geographic locations?
|
133
|
-
- id: AAC-03.4
|
134
|
-
content: Do you have a program in place that includes the ability to monitor
|
135
|
-
changes to the regulatory requirements in relevant jurisdictions, adjust
|
136
|
-
your security program for changes to legal requirements, and ensure compliance
|
137
|
-
with relevant regulatory requirements?
|
138
142
|
- id: BCR
|
139
|
-
|
143
|
+
title: Business Continuity Management & Operational Resilience
|
140
144
|
controls:
|
141
145
|
- id: BCR-01
|
142
|
-
|
146
|
+
title: Business Continuity Planning
|
143
147
|
specification: |-
|
144
148
|
A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
|
145
149
|
• Defined purpose and scope, aligned with relevant dependencies
|
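Review bot: besides `- name:` becoming `+ title:` for AAC-03, this hunk removes an orphaned `content:` at old lines 113 to 115 (`content: Do you have an internal audit program that allows for cross-functional` with no `- id:` line above it), which appears to have sat at the same indent as the `content:` of AAC-02.7 and so formed a duplicate key that a last-wins loader would resolve by overwriting AAC-02.7's text; the proper `- id: AAC-02.8` entry added in the previous hunk fixes that. What is not right is `+ - id: CO-05` / `questions:` wrapped around `- id: AAC-03.2`: AAC-03.2 (recover data for a specific customer) is now the only question under an untitled control `CO-05`, while 03.1, 03.3 and 03.4 live under AAC-03, so the questions of one control are split across two domains.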
@@ -151,11 +155,8 @@ ccm:
|
|
151
155
|
questions:
|
152
156
|
- id: BCR-01.1
|
153
157
|
content: Do you provide tenants with geographically resilient hosting options?
|
154
|
-
- id: BCR-01.2
|
155
|
-
content: Do you provide tenants with infrastructure service failover capability
|
156
|
-
to other providers?
|
157
158
|
- id: BCR-02
|
158
|
-
|
159
|
+
title: Business Continuity Testing
|
159
160
|
specification: Business continuity and security incident response plans shall
|
160
161
|
be subject to testing at planned intervals or upon significant organizational
|
161
162
|
or environmental changes. Incident response plans shall involve impacted customers
|
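Review bot: `- id: BCR-01.2` and its content (infrastructure failover to other providers) are deleted from BCR-01 here and reappear later in this file under `- id: RS` / `- id: RS-03`, an untitled domain and control whose ids do not match the `BCR-` prefix. The same pattern repeats in the hunks below for BCR-03.2, BCR-07.2 to 07.5, BCR-09.2 and 09.3, BCR-11.2, CCC-02.2, DSI-01.2 to 01.5, DSI-03.2 and DSI-04.2. No question text is lost, but `questions` under a control is no longer the complete set for that control, which is what any lookup by control id will expect; if a second grouping is wanted, keep each question under the control its id names and record the alternate id as an extra attribute rather than relocating the node.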
@@ -167,7 +168,7 @@ ccm:
|
|
167
168
|
or upon significant organizational or environmental changes to ensure continuing
|
168
169
|
effectiveness?
|
169
170
|
- id: BCR-03
|
170
|
-
|
171
|
+
title: Power / Telecommunications
|
171
172
|
specification: Data center utilities services and environmental conditions (e.g.,
|
172
173
|
water, power, temperature and humidity controls, telecommunications, and internet
|
173
174
|
connectivity) shall be secured, monitored, maintained, and tested for continual
|
@@ -178,11 +179,8 @@ ccm:
|
|
178
179
|
- id: BCR-03.1
|
179
180
|
content: Do you provide tenants with documentation showing the transport route
|
180
181
|
of their data between your systems?
|
181
|
-
- id: BCR-03.2
|
182
|
-
content: Can tenants define how their data is transported and through which
|
183
|
-
legal jurisdictions?
|
184
182
|
- id: BCR-04
|
185
|
-
|
183
|
+
title: Documentation
|
186
184
|
specification: |-
|
187
185
|
Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
|
188
186
|
• Configuring, installing, and operating the information system
|
@@ -193,7 +191,7 @@ ccm:
|
|
193
191
|
architecture diagrams, etc.) made available to authorized personnel to ensure
|
194
192
|
configuration, installation and operation of the information system?
|
195
193
|
- id: BCR-05
|
196
|
-
|
194
|
+
title: Environmental Risks
|
197
195
|
specification: Physical protection against damage from natural causes and disasters,
|
198
196
|
as well as deliberate attacks, including fire, flood, atmospheric electrical
|
199
197
|
discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion,
|
@@ -206,7 +204,7 @@ ccm:
|
|
206
204
|
disasters, deliberate attacks) anticipated and designed with countermeasures
|
207
205
|
applied?
|
208
206
|
- id: BCR-06
|
209
|
-
|
207
|
+
title: Equipment Location
|
210
208
|
specification: To reduce the risks from environmental threats, hazards, and
|
211
209
|
opportunities for unauthorized access, equipment shall be kept away from locations
|
212
210
|
subject to high probability environmental risks and supplemented by redundant
|
@@ -217,7 +215,7 @@ ccm:
|
|
217
215
|
of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes,
|
218
216
|
etc.)?
|
219
217
|
- id: BCR-07
|
220
|
-
|
218
|
+
title: Equipment Maintenance
|
221
219
|
specification: Policies and procedures shall be established, and supporting
|
222
220
|
business processes and technical measures implemented, for equipment maintenance
|
223
221
|
ensuring continuity and availability of operations and support personnel.
|
@@ -225,21 +223,8 @@ ccm:
|
|
225
223
|
- id: BCR-07.1
|
226
224
|
content: If using virtual infrastructure, does your cloud solution include
|
227
225
|
independent hardware restore and recovery capabilities?
|
228
|
-
- id: BCR-07.2
|
229
|
-
content: If using virtual infrastructure, do you provide tenants with a capability
|
230
|
-
to restore a Virtual Machine to a previous state in time?
|
231
|
-
- id: BCR-07.3
|
232
|
-
content: If using virtual infrastructure, do you allow virtual machine images
|
233
|
-
to be downloaded and ported to a new cloud provider?
|
234
|
-
- id: BCR-07.4
|
235
|
-
content: If using virtual infrastructure, are machine images made available
|
236
|
-
to the customer in a way that would allow the customer to replicate those
|
237
|
-
images in their own off-site storage location?
|
238
|
-
- id: BCR-07.5
|
239
|
-
content: Does your cloud solution include software/provider independent restore
|
240
|
-
and recovery capabilities?
|
241
226
|
- id: BCR-08
|
242
|
-
|
227
|
+
title: Equipment Power Failures
|
243
228
|
specification: Protection measures shall be put into place to react to natural
|
244
229
|
and man-made threats based upon a geographically-specific business impact
|
245
230
|
assessment.
|
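Review bot: after this hunk BCR-07 (Equipment Maintenance) keeps only BCR-07.1; 07.2 to 07.5 (VM restore to a previous state, image download and porting, image replication to off-site storage, provider-independent restore) are dropped here and re-added further down under `- id: OP` / `- id: OP-04`, which carry no `title:` or `specification:`. Four of five questions leaving their control is the clearest sign that the column the converter groups on is not the v3.0.1 control id; confirm this is intended before release.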
@@ -249,7 +234,7 @@ ccm:
|
|
249
234
|
from utility service outages (e.g., power failures, network disruptions,
|
250
235
|
etc.)?
|
251
236
|
- id: BCR-09
|
252
|
-
|
237
|
+
title: Impact Analysis
|
253
238
|
specification: |-
|
254
239
|
There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
|
255
240
|
• Identify critical products and services
|
@@ -264,14 +249,8 @@ ccm:
|
|
264
249
|
- id: BCR-09.1
|
265
250
|
content: Do you provide tenants with ongoing visibility and reporting of your
|
266
251
|
operational Service Level Agreement (SLA) performance?
|
267
|
-
- id: BCR-09.2
|
268
|
-
content: Do you make standards-based information security metrics (CSA, CAMM,
|
269
|
-
etc.) available to your tenants?
|
270
|
-
- id: BCR-09.3
|
271
|
-
content: Do you provide customers with ongoing visibility and reporting of
|
272
|
-
your SLA performance?
|
273
252
|
- id: BCR-10
|
274
|
-
|
253
|
+
title: Policy
|
275
254
|
specification: Policies and procedures shall be established, and supporting
|
276
255
|
business processes and technical measures implemented, for appropriate IT
|
277
256
|
governance and service management to ensure appropriate planning, delivery
|
@@ -284,7 +263,7 @@ ccm:
|
|
284
263
|
content: Are policies and procedures established and made available for all
|
285
264
|
personnel to adequately support services operations’ roles?
|
286
265
|
- id: BCR-11
|
287
|
-
|
266
|
+
title: Retention Policy
|
288
267
|
specification: Policies and procedures shall be established, and supporting
|
289
268
|
business processes and technical measures implemented, for defining and adhering
|
290
269
|
to the retention period of any critical asset as per established policies
|
@@ -295,19 +274,90 @@ ccm:
|
|
295
274
|
- id: BCR-11.1
|
296
275
|
content: Do you have technical control capabilities to enforce tenant data
|
297
276
|
retention policies?
|
298
|
-
- id: BCR-11.2
|
299
|
-
content: Do you have a documented procedure for responding to requests for
|
300
|
-
tenant data from governments or third parties?
|
301
277
|
- id: BCR-11.4
|
302
278
|
content: Have you implemented backup or redundancy mechanisms to ensure compliance
|
303
279
|
with regulatory, statutory, contractual or business requirements?
|
304
280
|
- id: BCR-11.5
|
305
281
|
content: Do you test your backup or redundancy mechanisms at least annually?
|
282
|
+
- id: RS
|
283
|
+
controls:
|
284
|
+
- id: RS-03
|
285
|
+
questions:
|
286
|
+
- id: BCR-01.2
|
287
|
+
content: Do you provide tenants with infrastructure service failover capability
|
288
|
+
to other providers?
|
289
|
+
- id: RS-08
|
290
|
+
questions:
|
291
|
+
- id: BCR-03.2
|
292
|
+
content: Can tenants define how their data is transported and through which
|
293
|
+
legal jurisdictions?
|
294
|
+
- id: RS-02
|
295
|
+
questions:
|
296
|
+
- id: BCR-09.2
|
297
|
+
content: Do you make standards-based information security metrics (CSA, CAMM,
|
298
|
+
etc.) available to your tenants?
|
299
|
+
- id: BCR-09.3
|
300
|
+
content: Do you provide customers with ongoing visibility and reporting of
|
301
|
+
your SLA performance?
|
302
|
+
- id: OP
|
303
|
+
controls:
|
304
|
+
- id: OP-04
|
305
|
+
questions:
|
306
|
+
- id: BCR-07.2
|
307
|
+
content: If using virtual infrastructure, do you provide tenants with a capability
|
308
|
+
to restore a Virtual Machine to a previous state in time?
|
309
|
+
- id: BCR-07.3
|
310
|
+
content: If using virtual infrastructure, do you allow virtual machine images
|
311
|
+
to be downloaded and ported to a new cloud provider?
|
312
|
+
- id: BCR-07.4
|
313
|
+
content: If using virtual infrastructure, are machine images made available
|
314
|
+
to the customer in a way that would allow the customer to replicate those
|
315
|
+
images in their own off-site storage location?
|
316
|
+
- id: BCR-07.5
|
317
|
+
content: Does your cloud solution include software/provider independent restore
|
318
|
+
and recovery capabilities?
|
319
|
+
- id: OP-03
|
320
|
+
questions:
|
321
|
+
- id: IVS-04.2
|
322
|
+
content: Do you restrict use of the memory oversubscription capabilities present
|
323
|
+
in the hypervisor?
|
324
|
+
- id: DG
|
325
|
+
controls:
|
326
|
+
- id: DG-04
|
327
|
+
questions:
|
328
|
+
- id: BCR-11.2
|
329
|
+
content: Do you have a documented procedure for responding to requests for
|
330
|
+
tenant data from governments or third parties?
|
331
|
+
- id: DG-02
|
332
|
+
questions:
|
333
|
+
- id: DSI-01.2
|
334
|
+
content: Do you provide a capability to identify hardware via policy tags/metadata/hardware
|
335
|
+
tags (e.g., TXT/TPM, VN-Tag, etc.)?
|
336
|
+
- id: DSI-01.3
|
337
|
+
content: Do you have a capability to use system geographic location as an
|
338
|
+
authentication factor?
|
339
|
+
- id: DSI-01.4
|
340
|
+
content: Can you provide the physical location/geography of storage of a tenant’s
|
341
|
+
data upon request?
|
342
|
+
- id: DSI-01.5
|
343
|
+
content: Can you provide the physical location/geography of storage of a tenant's
|
344
|
+
data in advance?
|
345
|
+
- id: DG-03
|
346
|
+
questions:
|
347
|
+
- id: DSI-04.2
|
348
|
+
content: Are mechanisms for label inheritance implemented for objects that
|
349
|
+
act as aggregate containers for data?
|
350
|
+
- id: DG-05
|
351
|
+
questions:
|
352
|
+
- id: DSI-07.2
|
353
|
+
content: Can you provide a published procedure for exiting the service arrangement,
|
354
|
+
including assurance to sanitize all computing resources of tenant data once
|
355
|
+
a customer has exited your environment or has vacated a resource?
|
306
356
|
- id: CCC
|
307
|
-
|
357
|
+
title: Change Control & Configuration Management
|
308
358
|
controls:
|
309
359
|
- id: CCC-01
|
310
|
-
|
360
|
+
title: New Development / Acquisition
|
311
361
|
specification: Policies and procedures shall be established, and supporting
|
312
362
|
business processes and technical measures implemented, to ensure the development
|
313
363
|
and/or acquisition of new data, physical or virtual applications, infrastructure
|
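Review bot: the inserted block at new lines 282 to 355 creates three domains (`RS`, `OP`, `DG`) with no `title:`, nine controls with no `title:` or `specification:`, and question ids (`BCR-`, `IVS-`, `DSI-`) that never match their enclosing control id; the controls are also emitted out of order (`RS-03`, `RS-08`, `RS-02`; `OP-04`, `OP-03`; `DG-04`, `DG-02`, `DG-03`, `DG-05`), which suggests spreadsheet row order rather than a sort on id. Beyond the removal of BCR-11.2 from BCR-11 (it lands under `DG-04`), IVS-04.2 and the DSI-01.x, DSI-04.2 and DSI-07.2 questions appear here under `OP-03` and `DG-*`. Sorting controls by id and requiring `title` on every domain and control in `ccm.schema.yaml` would make this shape fail validation instead of shipping.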
@@ -323,7 +373,7 @@ ccm:
|
|
323
373
|
content: Is documentation available that describes the installation, configuration,
|
324
374
|
and use of products/services/features?
|
325
375
|
- id: CCC-02
|
326
|
-
|
376
|
+
title: Outsourced Development
|
327
377
|
specification: External business partners shall adhere to the same policies
|
328
378
|
and procedures for change management, release, and testing as internal developers
|
329
379
|
within the organization (e.g., ITIL service management processes).
|
@@ -331,11 +381,8 @@ ccm:
|
|
331
381
|
- id: CCC-02.1
|
332
382
|
content: Do you have controls in place to ensure that standards of quality
|
333
383
|
are being met for all software development?
|
334
|
-
- id: CCC-02.2
|
335
|
-
content: Do you have controls in place to detect source code security defects
|
336
|
-
for any outsourced software development activities?
|
337
384
|
- id: CCC-03
|
338
|
-
|
385
|
+
title: Quality Testing
|
339
386
|
specification: Organizations shall follow a defined quality change control and
|
340
387
|
testing process (e.g., ITIL Service Management) with established baselines,
|
341
388
|
testing, and release standards which focus on system availability, confidentiality,
|
@@ -354,7 +401,7 @@ ccm:
|
|
354
401
|
content: Are mechanisms in place to ensure that all debugging and test code
|
355
402
|
elements are removed from released software versions?
|
356
403
|
- id: CCC-04
|
357
|
-
|
404
|
+
title: Unauthorized Software Installations
|
358
405
|
specification: Policies and procedures shall be established, and supporting
|
359
406
|
business processes and technical measures implemented, to restrict the installation
|
360
407
|
of unauthorized software on organizationally-owned or managed user end-point
|
@@ -365,7 +412,7 @@ ccm:
|
|
365
412
|
content: Do you have controls in place to restrict and monitor the installation
|
366
413
|
of unauthorized software onto your systems?
|
367
414
|
- id: CCC-05
|
368
|
-
|
415
|
+
title: Production Changes
|
369
416
|
specification: |-
|
370
417
|
Policies and procedures shall be established for managing the risks associated with applying changes to:
|
371
418
|
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
|
@@ -376,11 +423,18 @@ ccm:
|
|
376
423
|
content: Do you provide tenants with documentation that describes your production
|
377
424
|
change management procedures and their roles/rights/responsibilities within
|
378
425
|
it?
|
426
|
+
- id: RM
|
427
|
+
controls:
|
428
|
+
- id: RM-04
|
429
|
+
questions:
|
430
|
+
- id: CCC-02.2
|
431
|
+
content: Do you have controls in place to detect source code security defects
|
432
|
+
for any outsourced software development activities?
|
379
433
|
- id: DSI
|
380
|
-
|
434
|
+
title: Data Security & Information Lifecycle Management
|
381
435
|
controls:
|
382
436
|
- id: DSI-01
|
383
|
-
|
437
|
+
title: Classification
|
384
438
|
specification: Data and objects containing data shall be assigned a classification
|
385
439
|
by the data owner based on data type, value, sensitivity, and criticality
|
386
440
|
to the organization.
|
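Review bot: `- id: RM` / `- id: RM-04` is inserted between the last CCC-05 question and the `DSI` domain, holding only CCC-02.2 (detection of source-code security defects in outsourced development), which an earlier hunk removed from CCC-02; as with `CO`, `RS`, `OP` and `DG`, the new domain and control have no `title:` and will render as blank headings. The `title:` additions for DSI and DSI-01 in the same hunk are fine.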
@@ -389,18 +443,6 @@ ccm:
|
|
389
443
|
content: Do you provide a capability to identify virtual machines via policy
|
390
444
|
tags/metadata (e.g., tags can be used to limit guest operating systems from
|
391
445
|
booting/instantiating/transporting data in the wrong country)?
|
392
|
-
- id: DSI-01.2
|
393
|
-
content: Do you provide a capability to identify hardware via policy tags/metadata/hardware
|
394
|
-
tags (e.g., TXT/TPM, VN-Tag, etc.)?
|
395
|
-
- id: DSI-01.3
|
396
|
-
content: Do you have a capability to use system geographic location as an
|
397
|
-
authentication factor?
|
398
|
-
- id: DSI-01.4
|
399
|
-
content: Can you provide the physical location/geography of storage of a tenant’s
|
400
|
-
data upon request?
|
401
|
-
- id: DSI-01.5
|
402
|
-
content: Can you provide the physical location/geography of storage of a tenant's
|
403
|
-
data in advance?
|
404
446
|
- id: DSI-01.6
|
405
447
|
content: Do you follow a structured data-labeling standard (e.g., ISO 15489,
|
406
448
|
Oasis XML Catalog Specification, CSA data type guidance)?
|
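Review bot: DSI-01 (Classification) loses 01.2 to 01.5 here (hardware identification via TXT/TPM or VN-Tag, geographic location as an authentication factor, storage location on request and in advance), keeping only 01.1 and 01.6; the four questions were added earlier in this diff under `DG-02`, so `questions` on DSI-01 no longer lists what the CAIQ asks about classification and any answer file keyed on DSI-01 will be incomplete.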
@@ -408,7 +450,7 @@ ccm:
|
|
408
450
|
content: Do you allow tenants to define acceptable geographical locations
|
409
451
|
for data routing or resource instantiation?
|
410
452
|
- id: DSI-02
|
411
|
-
|
453
|
+
title: Data Inventory / Flows
|
412
454
|
specification: Policies and procedures shall be established, and supporting
|
413
455
|
business processes and technical measures implemented, to inventory, document,
|
414
456
|
and maintain data flows for data that is resident (permanently or temporarily)
|
@@ -427,7 +469,7 @@ ccm:
|
|
427
469
|
content: Can you ensure that data does not migrate beyond a defined geographical
|
428
470
|
residency?
|
429
471
|
- id: DSI-03
|
430
|
-
|
472
|
+
title: E-commerce Transactions
|
431
473
|
specification: Data related to electronic commerce (e-commerce) that traverses
|
432
474
|
public networks shall be appropriately classified and protected from fraudulent
|
433
475
|
activity, unauthorized disclosure, or modification in such a manner to prevent
|
@@ -437,12 +479,8 @@ ccm:
|
|
437
479
|
content: Do you provide open encryption methodologies (3.4ES, AES, etc.) to
|
438
480
|
tenants in order for them to protect their data if it is required to move
|
439
481
|
through public networks (e.g., the Internet)?
|
440
|
-
- id: DSI-03.2
|
441
|
-
content: Do you utilize open encryption methodologies any time your infrastructure
|
442
|
-
components need to communicate with each other via public networks (e.g.,
|
443
|
-
Internet-based replication of data from one environment to another)?
|
444
482
|
- id: DSI-04
|
445
|
-
|
483
|
+
title: Handling / Labeling / Security Policy
|
446
484
|
specification: Policies and procedures shall be established for labeling, handling,
|
447
485
|
and the security of data and objects which contain data. Mechanisms for label
|
448
486
|
inheritance shall be implemented for objects that act as aggregate containers
|
@@ -451,11 +489,8 @@ ccm:
|
|
451
489
|
- id: DSI-04.1
|
452
490
|
content: Are policies and procedures established for labeling, handling and
|
453
491
|
the security of data and objects that contain data?
|
454
|
-
- id: DSI-04.2
|
455
|
-
content: Are mechanisms for label inheritance implemented for objects that
|
456
|
-
act as aggregate containers for data?
|
457
492
|
- id: DSI-05
|
458
|
-
|
493
|
+
title: Nonproduction Data
|
459
494
|
specification: Production data shall not be replicated or used in non-production
|
460
495
|
environments. Any use of customer data in non-production environments requires
|
461
496
|
explicit, documented approval from all customers whose data is affected, and
|
@@ -466,7 +501,7 @@ ccm:
|
|
466
501
|
content: Do you have procedures in place to ensure production data shall not
|
467
502
|
be replicated or used in non-production environments?
|
468
503
|
- id: DSI-06
|
469
|
-
|
504
|
+
title: Ownership / Stewardship
|
470
505
|
specification: All data shall be designated with stewardship, with assigned
|
471
506
|
responsibilities defined, documented, and communicated.
|
472
507
|
questions:
|
@@ -474,7 +509,7 @@ ccm:
|
|
474
509
|
content: Are the responsibilities regarding data stewardship defined, assigned,
|
475
510
|
documented, and communicated?
|
476
511
|
- id: DSI-07
|
477
|
-
|
512
|
+
title: Secure Disposal
|
478
513
|
specification: Policies and procedures shall be established with supporting
|
479
514
|
business processes and technical measures implemented for the secure disposal
|
480
515
|
and complete removal of data from all storage media, ensuring data is not
|
@@ -483,15 +518,174 @@ ccm:
|
|
483
518
|
- id: DSI-07.1
|
484
519
|
content: Do you support secure deletion (e.g., degaussing/cryptographic wiping)
|
485
520
|
of archived and backed-up data as determined by the tenant?
|
486
|
-
|
487
|
-
|
488
|
-
|
489
|
-
|
521
|
+
- id: IS
|
522
|
+
controls:
|
523
|
+
- id: IS-28
|
524
|
+
questions:
|
525
|
+
- id: DSI-03.2
|
526
|
+
content: Do you utilize open encryption methodologies any time your infrastructure
|
527
|
+
components need to communicate with each other via public networks (e.g.,
|
528
|
+
Internet-based replication of data from one environment to another)?
|
529
|
+
- id: IS-19
|
530
|
+
questions:
|
531
|
+
- id: EKM-02.2
|
532
|
+
content: Do you have a capability to manage encryption keys on behalf of tenants?
|
533
|
+
- id: EKM-02.3
|
534
|
+
content: Do you maintain key management procedures?
|
535
|
+
- id: EKM-02.4
|
536
|
+
content: Do you have documented ownership for each stage of the lifecycle
|
537
|
+
of encryption keys?
|
538
|
+
- id: IS-18
|
539
|
+
questions:
|
540
|
+
- id: EKM-03.2
|
541
|
+
content: Do you leverage encryption to protect data and virtual machine images
|
542
|
+
during transport across and between networks and hypervisor instances?
|
543
|
+
- id: IS-04
|
544
|
+
questions:
|
545
|
+
- id: GRM-01.2
|
546
|
+
content: Do you have the capability to continuously monitor and report the
|
547
|
+
compliance of your infrastructure against your information security baselines?
|
548
|
+
- id: GRM-01.3
|
549
|
+
content: Do you allow your clients to provide their own trusted virtual machine
|
550
|
+
image to ensure conformance to their own internal standards?
|
551
|
+
- id: IS-06
|
552
|
+
questions:
|
553
|
+
- id: GRM-07.2
|
554
|
+
content: Are employees made aware of what actions could be taken in the event
|
555
|
+
of a violation via their policies and procedures?
|
556
|
+
- id: IS-27
|
557
|
+
questions:
|
558
|
+
- id: HRS-01.2
|
559
|
+
content: Is your Privacy Policy aligned with industry standards?
|
560
|
+
- id: IS-26
|
561
|
+
questions:
|
562
|
+
- id: HRS-08.2
|
563
|
+
content: Do you collect or create metadata about tenant data usage through
|
564
|
+
inspection technologies (e.g., search engines, etc.)?
|
565
|
+
- id: HRS-08.3
|
566
|
+
content: Do you allow tenants to opt out of having their data/metadata accessed
|
567
|
+
via inspection technologies?
|
568
|
+
- id: IS-11
|
569
|
+
questions:
|
570
|
+
- id: HRS-09.2
|
571
|
+
content: Are administrators and data stewards properly educated on their legal
|
572
|
+
responsibilities with regard to security and data integrity?
|
573
|
+
- id: IS-16
|
574
|
+
questions:
|
575
|
+
- id: HRS-10.2
|
576
|
+
content: Are users made aware of their responsibilities for maintaining a
|
577
|
+
safe and secure working environment?
|
578
|
+
- id: HRS-10.3
|
579
|
+
content: Are users made aware of their responsibilities for leaving unattended
|
580
|
+
equipment in a secure manner?
|
581
|
+
- id: HRS-11.2
|
582
|
+
content: Do your data management policies and procedures include a tamper
|
583
|
+
audit or software integrity function for unauthorized access to tenant data?
|
584
|
+
- id: HRS-11.3
|
585
|
+
content: Does the virtual machine management infrastructure include a tamper
|
586
|
+
audit or software integrity function to detect changes to the build/configuration
|
587
|
+
of the virtual machine?
|
588
|
+
- id: IS-07
|
589
|
+
questions:
|
590
|
+
- id: IAM-02.2
|
591
|
+
content: Do you provide metrics to track the speed with which you are able
|
592
|
+
to remove systems access that is no longer required for business purposes?
|
593
|
+
- id: IS-33
|
594
|
+
questions:
|
595
|
+
- id: IAM-06.2
|
596
|
+
content: Are controls in place to prevent unauthorized access to tenant application,
|
597
|
+
program, or object source code, and assure it is restricted to authorized
|
598
|
+
personnel only?
|
599
|
+
- id: IS-08
|
600
|
+
questions:
|
601
|
+
- id: IAM-08.2
|
602
|
+
content: Do you have a method of aligning provider and tenant data classification
|
603
|
+
methodologies for access control purposes?
|
604
|
+
- id: IS-10
|
605
|
+
questions:
|
606
|
+
- id: IAM-10.2
|
607
|
+
content: If users are found to have inappropriate entitlements, are all remediation
|
608
|
+
and certification actions recorded?
|
609
|
+
- id: IAM-10.3
|
610
|
+
content: Will you share user entitlement remediation and certification reports
|
611
|
+
with your tenants, if inappropriate access may have been allowed to tenant
|
612
|
+
data?
|
613
|
+
- id: IS-09
|
614
|
+
questions:
|
615
|
+
- id: IAM-11.2
|
616
|
+
content: Is any change in user access status intended to include termination
|
617
|
+
of employment, contract or agreement, change of employment or transfer within
|
618
|
+
the organization?
|
619
|
+
- id: IS-34
|
620
|
+
questions:
|
621
|
+
- id: IAM-13.2
|
622
|
+
content: Do you have the capability to detect attacks that target the virtual
|
623
|
+
infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping, etc.)?
|
624
|
+
- id: IAM-13.3
|
625
|
+
content: Are attacks that target the virtual infrastructure prevented with
|
626
|
+
technical controls?
|
627
|
+
- id: IS-22
|
628
|
+
questions:
|
629
|
+
- id: SEF-02.2
|
630
|
+
content: Do you integrate customized tenant requirements into your security
|
631
|
+
incident response plans?
|
632
|
+
- id: SEF-02.3
|
633
|
+
content: Do you publish a roles and responsibilities document specifying what
|
634
|
+
you vs. your tenants are responsible for during security incidents?
|
635
|
+
- id: IS-23
|
636
|
+
questions:
|
637
|
+
- id: SEF-03.2
|
638
|
+
content: Does your logging and monitoring framework allow isolation of an
|
639
|
+
incident to specific tenants?
|
640
|
+
- id: IS-24
|
641
|
+
questions:
|
642
|
+
- id: SEF-04.2
|
643
|
+
content: Does your incident response capability include the use of legally
|
644
|
+
admissible forensic data collection and analysis techniques?
|
645
|
+
- id: SEF-04.3
|
646
|
+
content: Are you capable of supporting litigation holds (freeze of data from
|
647
|
+
a specific point in time) for a specific tenant without freezing other tenant
|
648
|
+
data?
|
649
|
+
- id: SEF-04.4
|
650
|
+
content: Do you enforce and attest to tenant data separation when producing
|
651
|
+
data in response to legal subpoenas?
|
652
|
+
- id: IS-25
|
653
|
+
questions:
|
654
|
+
- id: SEF-05.2
|
655
|
+
content: Will you share statistical information for security incident data
|
656
|
+
with your tenants upon request?
|
657
|
+
- id: IS-31
|
658
|
+
questions:
|
659
|
+
- id: STA-03.2
|
660
|
+
content: Do you provide tenants with capacity planning and use reports?
|
661
|
+
- id: IS-21
|
662
|
+
questions:
|
663
|
+
- id: TVM-01.2
|
664
|
+
content: Do you ensure that security threat detection systems using signatures,
|
665
|
+
lists, or behavioral patterns are updated across all infrastructure components
|
666
|
+
within industry accepted time frames?
|
667
|
+
- id: IS-20
|
668
|
+
questions:
|
669
|
+
- id: TVM-02.2
|
670
|
+
content: Do you conduct application-layer vulnerability scans regularly as
|
671
|
+
prescribed by industry best practices?
|
672
|
+
- id: TVM-02.3
|
673
|
+
content: Do you conduct local operating system-layer vulnerability scans regularly
|
674
|
+
as prescribed by industry best practices?
|
675
|
+
- id: TVM-02.4
|
676
|
+
content: Will you make the results of vulnerability scans available to tenants
|
677
|
+
at their request?
|
678
|
+
- id: TVM-02.5
|
679
|
+
content: Do you have a capability to rapidly patch vulnerabilities across
|
680
|
+
all of your computing devices, applications, and systems?
|
681
|
+
- id: TVM-02.6
|
682
|
+
content: Will you provide your risk-based systems patching time frames to
|
683
|
+
your tenants upon request?
|
490
684
|
- id: DCS
|
491
|
-
|
685
|
+
title: Datacenter Security
|
492
686
|
controls:
|
493
687
|
- id: DCS-01
|
494
|
-
|
688
|
+
title: Asset Management
|
495
689
|
specification: Assets must be classified in terms of business criticality, service-level
|
496
690
|
expectations, and operational continuity requirements. A complete inventory
|
497
691
|
of business-critical assets located at all sites and/or geographical locations
|
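Review bot: the `+` block that closes this hunk (IS-07, IS-33, IS-08, IS-10, IS-09, IS-34, IS-22, IS-23, IS-24, IS-25, IS-31, IS-21, IS-20, ending at TVM-02.6) adds controls that carry no `title` or `specification`, whereas every other control in this diff (DCS-01 onward) has both; each of them holds questions whose ids belong to a different domain (IAM-02.2, IAM-06.2, SEF-02.2, TVM-02.2 and so on), and the IS ids are not in order. If these entries are a mapping of questions onto another control-id scheme rather than real controls, keep each question under the control whose specification it tests and record the mapping in a separate field; if they are real controls, give each one a `title:` and `specification:` so the block has the same shape as the rest of the file. Note also that the `-` lines of the `title:` renames (`491 -` before `685 + title: Datacenter Security`, `494 -` before `688 + title: Asset Management`) render empty in this view, so the key being replaced cannot be checked here.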
@@ -501,11 +695,8 @@ ccm:
|
|
501
695
|
- id: DCS-01.1
|
502
696
|
content: Do you maintain a complete inventory of all of your critical assets
|
503
697
|
that includes ownership of the asset?
|
504
|
-
- id: DCS-01.2
|
505
|
-
content: Do you maintain a complete inventory of all of your critical supplier
|
506
|
-
relationships?
|
507
698
|
- id: DCS-02
|
508
|
-
|
699
|
+
title: Controlled Access Points
|
509
700
|
specification: Physical security perimeters (e.g., fences, walls, barriers,
|
510
701
|
guards, gates, electronic surveillance, physical authentication mechanisms,
|
511
702
|
reception desks, and security patrols) shall be implemented to safeguard sensitive
|
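Review bot: DCS-01.2 (`Do you maintain a complete inventory of all of your critical supplier relationships?`) is removed from DCS-01, whose Asset Management specification is exactly about maintaining a complete inventory; it reappears later in this diff under a new `FS-08` control that has no specification. Unless the supplier-inventory question is meant to be detached from Asset Management, keep it here so the question stays next to the clause it tests.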
@@ -516,7 +707,7 @@ ccm:
|
|
516
707
|
guards, gates, electronic surveillance, physical authentication mechanisms,
|
517
708
|
reception desks, and security patrols) implemented?
|
518
709
|
- id: DCS-03
|
519
|
-
|
710
|
+
title: Equipment Identification
|
520
711
|
specification: Automated equipment identification shall be used as a method
|
521
712
|
of connection authentication. Location-aware technologies may be used to validate
|
522
713
|
connection authentication integrity based on known equipment location.
|
@@ -525,7 +716,7 @@ ccm:
|
|
525
716
|
content: Is automated equipment identification used as a method to validate
|
526
717
|
connection authentication integrity based on known equipment location?
|
527
718
|
- id: DCS-04
|
528
|
-
|
719
|
+
title: Offsite Authorization
|
529
720
|
specification: Authorization must be obtained prior to relocation or transfer
|
530
721
|
of hardware, software, or data to an offsite premises.
|
531
722
|
questions:
|
@@ -534,7 +725,7 @@ ccm:
|
|
534
725
|
in which data may be moved from one physical location to another (e.g.,
|
535
726
|
offsite backups, business continuity failovers, replication)?
|
536
727
|
- id: DCS-05
|
537
|
-
|
728
|
+
title: Offsite Equipment
|
538
729
|
specification: Policies and procedures shall be established for the secure disposal
|
539
730
|
of equipment (by asset type) used outside the organization's premise. This
|
540
731
|
shall include a wiping solution or destruction process that renders recovery
|
@@ -546,7 +737,7 @@ ccm:
|
|
546
737
|
content: Can you provide tenants with evidence documenting your policies and
|
547
738
|
procedures governing asset management and repurposing of equipment?
|
548
739
|
- id: DCS-06
|
549
|
-
|
740
|
+
title: Policy
|
550
741
|
specification: Policies and procedures shall be established, and supporting
|
551
742
|
business processes implemented, for maintaining a safe and secure working
|
552
743
|
environment in offices, rooms, facilities, and secure areas storing sensitive
|
@@ -560,7 +751,7 @@ ccm:
|
|
560
751
|
content: Can you provide evidence that your personnel and involved third parties
|
561
752
|
have been trained regarding your documented policies, standards, and procedures?
|
562
753
|
- id: DCS-07
|
563
|
-
|
754
|
+
title: Secure Area Authorization
|
564
755
|
specification: Ingress and egress to secure areas shall be constrained and monitored
|
565
756
|
by physical access control mechanisms to ensure that only authorized personnel
|
566
757
|
are allowed access.
|
@@ -570,7 +761,7 @@ ccm:
|
|
570
761
|
their data is allowed to move into/out of (to address legal jurisdictional
|
571
762
|
considerations based on where data is stored vs. accessed)?
|
572
763
|
- id: DCS-08
|
573
|
-
|
764
|
+
title: Unauthorized Persons Entry
|
574
765
|
specification: Ingress and egress points such as service areas and other points
|
575
766
|
where unauthorized personnel may enter the premises shall be monitored, controlled
|
576
767
|
and, if possible, isolated from data storage and processing facilities to
|
@@ -581,18 +772,25 @@ ccm:
|
|
581
772
|
where unauthorized personnel may enter the premises, monitored, controlled
|
582
773
|
and isolated from data storage and process?
|
583
774
|
- id: DCS-09
|
584
|
-
|
775
|
+
title: User Access
|
585
776
|
specification: Physical access to information assets and functions by users
|
586
777
|
and support personnel shall be restricted.
|
587
778
|
questions:
|
588
779
|
- id: DCS-09.1
|
589
780
|
content: Do you restrict physical access to information assets and functions
|
590
781
|
by users and support personnel?
|
782
|
+
- id: FS
|
783
|
+
controls:
|
784
|
+
- id: FS-08
|
785
|
+
questions:
|
786
|
+
- id: DCS-01.2
|
787
|
+
content: Do you maintain a complete inventory of all of your critical supplier
|
788
|
+
relationships?
|
591
789
|
- id: EKM
|
592
|
-
|
790
|
+
title: Encryption & Key Management
|
593
791
|
controls:
|
594
792
|
- id: EKM-01
|
595
|
-
|
793
|
+
title: Entitlement
|
596
794
|
specification: Keys must have identifiable owners (binding keys to identities)
|
597
795
|
and there shall be key management policies.
|
598
796
|
questions:
|
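Review bot: the new `FS` domain inserted between DCS and EKM has no `title`, and its only control `FS-08` has neither `title` nor `specification`; it holds one question, DCS-01.2, whose id says it belongs to DCS-01. A domain with a single bare control wrapping a foreign question is hard to distinguish from a data error, so either add the missing `title:`/`specification:` fields or leave DCS-01.2 under DCS-01.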
@@ -600,7 +798,7 @@ ccm:
|
|
600
798
|
content: Do you have key management policies binding keys to identifiable
|
601
799
|
owners?
|
602
800
|
- id: EKM-02
|
603
|
-
|
801
|
+
title: Key Generation
|
604
802
|
specification: Policies and procedures shall be established for the management
|
605
803
|
of cryptographic keys in the service's cryptosystem (e.g., lifecycle management
|
606
804
|
from key generation to revocation and replacement, public key infrastructure,
|
@@ -614,18 +812,11 @@ ccm:
|
|
614
812
|
- id: EKM-02.1
|
615
813
|
content: Do you have a capability to allow creation of unique encryption keys
|
616
814
|
per tenant?
|
617
|
-
- id: EKM-02.2
|
618
|
-
content: Do you have a capability to manage encryption keys on behalf of tenants?
|
619
|
-
- id: EKM-02.3
|
620
|
-
content: Do you maintain key management procedures?
|
621
|
-
- id: EKM-02.4
|
622
|
-
content: Do you have documented ownership for each stage of the lifecycle
|
623
|
-
of encryption keys?
|
624
815
|
- id: EKM-02.5
|
625
816
|
content: Do you utilize any third party/open source/proprietary frameworks
|
626
817
|
to manage encryption keys?
|
627
818
|
- id: EKM-03
|
628
|
-
|
819
|
+
title: Encryption
|
629
820
|
specification: Policies and procedures shall be established, and supporting
|
630
821
|
business processes and technical measures implemented, for the use of encryption
|
631
822
|
protocols for protection of sensitive data in storage (e.g., file servers,
|
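Review bot: EKM-02.2, EKM-02.3 and EKM-02.4 (managing keys on behalf of tenants, maintaining key management procedures, documented ownership for each lifecycle stage) are deleted and, unlike DCS-01.2 or GRM-10.2, are not re-added anywhere in this diff, while EKM-02.5 stays and leaves a gap in the numbering. The Key Generation specification still calls for lifecycle management from generation to revocation, so the questions that exercise it should either stay here or have a visible destination; please confirm where they went.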
@@ -636,9 +827,6 @@ ccm:
|
|
636
827
|
- id: EKM-03.1
|
637
828
|
content: Do you encrypt tenant data at rest (on disk/storage) within your
|
638
829
|
environment?
|
639
|
-
- id: EKM-03.2
|
640
|
-
content: Do you leverage encryption to protect data and virtual machine images
|
641
|
-
during transport across and between networks and hypervisor instances?
|
642
830
|
- id: EKM-03.3
|
643
831
|
content: Do you support tenant-generated encryption keys or permit tenants
|
644
832
|
to encrypt data to an identity without access to a public key certificate
|
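Review bot: EKM-03.2 (`Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?`) is removed with no replacement in this diff, leaving EKM-03.1 (at rest) and EKM-03.3 (tenant-generated keys) as the only Encryption questions; the in-transit case is no longer asked at all. Restore it or show the hunk it moved to.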
@@ -647,7 +835,7 @@ ccm:
|
|
647
835
|
content: Do you have documentation establishing and defining your encryption
|
648
836
|
management policies, procedures, and guidelines?
|
649
837
|
- id: EKM-04
|
650
|
-
|
838
|
+
title: Storage and Access
|
651
839
|
specification: Platform and data appropriate encryption (e.g., AES-256) in open/validated
|
652
840
|
formats and standard algorithms shall be required. Keys shall not be stored
|
653
841
|
in the cloud (i.e. at the cloud provider in question), but maintained by the
|
@@ -665,10 +853,10 @@ ccm:
|
|
665
853
|
- id: EKM-04.4
|
666
854
|
content: Do you have separate key management and key usage duties?
|
667
855
|
- id: GRM
|
668
|
-
|
856
|
+
title: Governance and Risk Management
|
669
857
|
controls:
|
670
858
|
- id: GRM-01
|
671
|
-
|
859
|
+
title: Baseline Requirements
|
672
860
|
specification: Baseline security requirements shall be established for developed
|
673
861
|
or acquired, organizationally-owned or managed, physical or virtual, applications
|
674
862
|
and infrastructure system, and network components that comply with applicable
|
@@ -683,14 +871,8 @@ ccm:
|
|
683
871
|
content: Do you have documented information security baselines for every component
|
684
872
|
of your infrastructure (e.g., hypervisors, operating systems, routers, DNS
|
685
873
|
servers, etc.)?
|
686
|
-
- id: GRM-01.2
|
687
|
-
content: Do you have the capability to continuously monitor and report the
|
688
|
-
compliance of your infrastructure against your information security baselines?
|
689
|
-
- id: GRM-01.3
|
690
|
-
content: Do you allow your clients to provide their own trusted virtual machine
|
691
|
-
image to ensure conformance to their own internal standards?
|
692
874
|
- id: GRM-02
|
693
|
-
|
875
|
+
title: Risk Assessments
|
694
876
|
specification: |-
|
695
877
|
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
|
696
878
|
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
|
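Review bot: GRM-01.2 (continuous monitoring of infrastructure against the security baselines) and GRM-01.3 (tenant-supplied trusted VM images) are deleted without a matching `+` block elsewhere in this diff, so GRM-01 keeps only GRM-01.1; the Baseline Requirements specification is about compliance of components with those baselines, which is precisely what GRM-01.2 tests. Please confirm the deletion is intended rather than a lost relocation.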
@@ -705,7 +887,7 @@ ccm:
|
|
705
887
|
content: Do you conduct risk assessments associated with data governance requirements
|
706
888
|
at least once a year?
|
707
889
|
- id: GRM-03
|
708
|
-
|
890
|
+
title: Management Oversight
|
709
891
|
specification: Managers are responsible for maintaining awareness of, and complying
|
710
892
|
with, security policies, procedures, and standards that are relevant to their
|
711
893
|
area of responsibility.
|
@@ -716,7 +898,7 @@ ccm:
|
|
716
898
|
and standards for both themselves and their employees as they pertain to
|
717
899
|
the manager and employees' area of responsibility?
|
718
900
|
- id: GRM-04
|
719
|
-
|
901
|
+
title: Management Program
|
720
902
|
specification: |-
|
721
903
|
An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
|
722
904
|
• Risk management
|
@@ -736,7 +918,7 @@ ccm:
|
|
736
918
|
content: Do you review your Information Security Management Program (ISMP)
|
737
919
|
at least once a year?
|
738
920
|
- id: GRM-05
|
739
|
-
|
921
|
+
title: Management Support / Involvement
|
740
922
|
specification: Executive and line management shall take formal action to support
|
741
923
|
information security through clearly-documented direction and commitment,
|
742
924
|
and shall ensure the action has been assigned.
|
@@ -745,7 +927,7 @@ ccm:
|
|
745
927
|
content: Do you ensure your providers adhere to your information security
|
746
928
|
and privacy policies?
|
747
929
|
- id: GRM-06
|
748
|
-
|
930
|
+
title: Policy
|
749
931
|
specification: Information security policies and procedures shall be established
|
750
932
|
and made readily available for review by all impacted personnel and external
|
751
933
|
business relationships. Information security policies must be authorized by
|
@@ -767,7 +949,7 @@ ccm:
|
|
767
949
|
content: Do you disclose which controls, standards, certifications, and/or
|
768
950
|
regulations you comply with?
|
769
951
|
- id: GRM-07
|
770
|
-
|
952
|
+
title: Policy Enforcement
|
771
953
|
specification: A formal disciplinary or sanction policy shall be established
|
772
954
|
for employees who have violated security policies and procedures. Employees
|
773
955
|
shall be made aware of what action might be taken in the event of a violation,
|
@@ -776,11 +958,8 @@ ccm:
|
|
776
958
|
- id: GRM-07.1
|
777
959
|
content: Is a formal disciplinary or sanction policy established for employees
|
778
960
|
who have violated security policies and procedures?
|
779
|
-
- id: GRM-07.2
|
780
|
-
content: Are employees made aware of what actions could be taken in the event
|
781
|
-
of a violation via their policies and procedures?
|
782
961
|
- id: GRM-08
|
783
|
-
|
962
|
+
title: Business / Policy Change Impacts
|
784
963
|
specification: Risk assessment results shall include updates to security policies,
|
785
964
|
procedures, standards, and controls to ensure that they remain relevant and
|
786
965
|
effective.
|
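Review bot: GRM-07.2 (`Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?`) is removed, but the Policy Enforcement specification retained just above (`Employees shall be made aware of what action might be taken in the event of a violation`) is the clause that question exists to verify. With only GRM-07.1 left, that clause has no question; keep GRM-07.2 or point to where it was moved.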
@@ -789,7 +968,7 @@ ccm:
|
|
789
968
|
content: Do risk assessment results include updates to security policies,
|
790
969
|
procedures, standards, and controls to ensure they remain relevant and effective?
|
791
970
|
- id: GRM-09
|
792
|
-
|
971
|
+
title: Policy Reviews
|
793
972
|
specification: The organization's business leadership (or other accountable
|
794
973
|
business role or function) shall review the information security policy at
|
795
974
|
planned intervals or as a result of changes to the organization to ensure
|
@@ -804,7 +983,7 @@ ccm:
|
|
804
983
|
content: Do you perform, at minimum, annual reviews to your privacy and security
|
805
984
|
policies?
|
806
985
|
- id: GRM-10
|
807
|
-
|
986
|
+
title: Assessments
|
808
987
|
specification: Aligned with the enterprise-wide framework, formal risk assessments
|
809
988
|
shall be performed at least annually or at planned intervals, (and in conjunction
|
810
989
|
with any changes to information systems) to determine the likelihood and impact
|
@@ -818,12 +997,8 @@ ccm:
|
|
818
997
|
and performed at least annually, or at planned intervals, determining the
|
819
998
|
likelihood and impact of all identified risks, using qualitative and quantitative
|
820
999
|
methods?
|
821
|
-
- id: GRM-10.2
|
822
|
-
content: Is the likelihood and impact associated with inherent and residual
|
823
|
-
risk determined independently, considering all risk categories (e.g., audit
|
824
|
-
results, threat and vulnerability analysis, and regulatory compliance)?
|
825
1000
|
- id: GRM-11
|
826
|
-
|
1001
|
+
title: Program
|
827
1002
|
specification: Risks shall be mitigated to an acceptable level. Acceptance levels
|
828
1003
|
based on risk criteria shall be established and documented in accordance with
|
829
1004
|
reasonable resolution time frames and stakeholder approval.
|
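Review bot: GRM-10.2 (inherent and residual risk determined independently across risk categories) is removed from GRM-10 Assessments and re-added in the next hunk under `RI-02`, a control with no specification; the Assessments specification visible here (`likelihood and impact of all identified risks, using qualitative and quantitative methods`) is what GRM-10.2 elaborates, so the question loses its context when moved.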
@@ -831,14 +1006,41 @@ ccm:
|
|
831
1006
|
- id: GRM-11.1
|
832
1007
|
content: Do you have a documented, organization-wide program in place to manage
|
833
1008
|
risk?
|
1009
|
+
- id: RI
|
1010
|
+
controls:
|
1011
|
+
- id: RI-02
|
1012
|
+
questions:
|
1013
|
+
- id: GRM-10.2
|
1014
|
+
content: Is the likelihood and impact associated with inherent and residual
|
1015
|
+
risk determined independently, considering all risk categories (e.g., audit
|
1016
|
+
results, threat and vulnerability analysis, and regulatory compliance)?
|
1017
|
+
- id: RI-01
|
1018
|
+
questions:
|
834
1019
|
- id: GRM-11.2
|
835
1020
|
content: Do you make available documentation of your organization-wide risk
|
836
1021
|
management program?
|
1022
|
+
- id: RI-05
|
1023
|
+
questions:
|
1024
|
+
- id: IAM-07.2
|
1025
|
+
content: Do you monitor service continuity with upstream providers in the
|
1026
|
+
event of provider failure?
|
1027
|
+
- id: IAM-07.3
|
1028
|
+
content: Do you have more than one provider for each service you depend on?
|
1029
|
+
- id: IAM-07.4
|
1030
|
+
content: Do you provide access to operational redundancy and continuity summaries,
|
1031
|
+
including the services you depend on?
|
1032
|
+
- id: IAM-07.5
|
1033
|
+
content: Do you provide the tenant the ability to declare a disaster?
|
1034
|
+
- id: IAM-07.6
|
1035
|
+
content: Do you provide a tenant-triggered failover option?
|
1036
|
+
- id: IAM-07.7
|
1037
|
+
content: Do you share your business continuity and redundancy plans with your
|
1038
|
+
tenants?
|
837
1039
|
- id: HRS
|
838
|
-
|
1040
|
+
title: Human Resources
|
839
1041
|
controls:
|
840
1042
|
- id: HRS-01
|
841
|
-
|
1043
|
+
title: Asset Returns
|
842
1044
|
specification: Upon termination of workforce personnel and/or expiration of
|
843
1045
|
external business relationships, all organizationally-owned assets shall be
|
844
1046
|
returned within an established period.
|
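Review bot: inserting the `RI` block between GRM-11.1 and GRM-11.2 silently reparents GRM-11.2: it shows as unchanged context (`834 1019 - id: GRM-11.2`), but after the change it sits under `RI-01: questions:` instead of under GRM-11, which is left with only GRM-11.1. If GRM-11.2 is meant to stay with its control, the `+` block should start after the `management program?` line. Separately, the new `RI` domain has no `title`, `RI-02` is listed before `RI-01`, and `RI-05` collects IAM-07.2 through IAM-07.7 under a control that has no `specification`, so nothing in the file says what these questions are assessing.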
@@ -846,10 +1048,8 @@ ccm:
|
|
846
1048
|
- id: HRS-01.1
|
847
1049
|
content: Are systems in place to monitor for privacy breaches and notify tenants
|
848
1050
|
expeditiously if a privacy event may have impacted their data?
|
849
|
-
- id: HRS-01.2
|
850
|
-
content: Is your Privacy Policy aligned with industry standards?
|
851
1051
|
- id: HRS-02
|
852
|
-
|
1052
|
+
title: Background Screening
|
853
1053
|
specification: Pursuant to local laws, regulations, ethics, and contractual
|
854
1054
|
constraints, all employment candidates, contractors, and third parties shall
|
855
1055
|
be subject to background verification proportional to the data classification
|
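Review bot: HRS-01.2 (`Is your Privacy Policy aligned with industry standards?`) is deleted with no destination in this diff, leaving HRS-01.1 as the only question under Asset Returns. If the removal is deliberate it should be called out in the commit, since it drops the only privacy-policy question in this section.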
@@ -860,7 +1060,7 @@ ccm:
|
|
860
1060
|
are all employment candidates, contractors, and involved third parties subject
|
861
1061
|
to background verification?
|
862
1062
|
- id: HRS-03
|
863
|
-
|
1063
|
+
title: Employment Agreements
|
864
1064
|
specification: Employment agreements shall incorporate provisions and/or terms
|
865
1065
|
for adherence to established information governance and security policies
|
866
1066
|
and must be signed by newly hired or on-boarded workforce personnel (e.g.,
|
@@ -870,8 +1070,6 @@ ccm:
|
|
870
1070
|
- id: HRS-03.1
|
871
1071
|
content: Do you specifically train your employees regarding their specific
|
872
1072
|
role and the information security controls they must fulfill?
|
873
|
-
- id: HRS-03.2
|
874
|
-
content: Do you document employee acknowledgment of training they have completed?
|
875
1073
|
- id: HRS-03.3
|
876
1074
|
content: Are all personnel required to sign NDA or Confidentiality Agreements
|
877
1075
|
as a condition of employment to protect customer/tenant information?
|
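Review bot: HRS-03.2 (`Do you document employee acknowledgment of training they have completed?`) is removed from HRS-03 Employment Agreements and re-added later in this diff under a new `HR-02` control with no specification; HRS-03.1 and HRS-03.3 stay, so the numbering now skips .2. The acknowledgment question belongs with the signed-agreement control whose specification it supports.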
@@ -882,7 +1080,7 @@ ccm:
|
|
882
1080
|
content: Are personnel trained and provided with awareness programs at least
|
883
1081
|
once a year?
|
884
1082
|
- id: HRS-04
|
885
|
-
|
1083
|
+
title: Employment Termination
|
886
1084
|
specification: Roles and responsibilities for performing employment termination
|
887
1085
|
or change in employment procedures shall be assigned, documented, and communicated.
|
888
1086
|
questions:
|
@@ -893,7 +1091,7 @@ ccm:
|
|
893
1091
|
content: Do the above procedures and guidelines account for timely revocation
|
894
1092
|
of access and return of assets?
|
895
1093
|
- id: HRS-05
|
896
|
-
|
1094
|
+
title: Portable / Mobile Devices
|
897
1095
|
specification: Policies and procedures shall be established, and supporting
|
898
1096
|
business processes and technical measures implemented, to manage business
|
899
1097
|
risks associated with permitting mobile device access to corporate resources
|
@@ -908,7 +1106,7 @@ ccm:
|
|
908
1106
|
(PDAs)), which are generally higher-risk than non-portable devices (e.g.,
|
909
1107
|
desktop computers at the provider organization’s facilities)?
|
910
1108
|
- id: HRS-06
|
911
|
-
|
1109
|
+
title: Non-Disclosure Agreements
|
912
1110
|
specification: Requirements for non-disclosure or confidentiality agreements
|
913
1111
|
reflecting the organization's needs for the protection of data and operational
|
914
1112
|
details shall be identified, documented, and reviewed at planned intervals.
|
@@ -918,7 +1116,7 @@ ccm:
|
|
918
1116
|
reflecting the organization's needs for the protection of data and operational
|
919
1117
|
details identified, documented, and reviewed at planned intervals?
|
920
1118
|
- id: HRS-07
|
921
|
-
|
1119
|
+
title: Roles / Responsibilities
|
922
1120
|
specification: Roles and responsibilities of contractors, employees, and third-party
|
923
1121
|
users shall be documented as they relate to information assets and security.
|
924
1122
|
questions:
|
@@ -926,7 +1124,7 @@ ccm:
|
|
926
1124
|
content: Do you provide tenants with a role definition document clarifying
|
927
1125
|
your administrative responsibilities versus those of the tenant?
|
928
1126
|
- id: HRS-08
|
929
|
-
|
1127
|
+
title: Acceptable Use
|
930
1128
|
specification: Policies and procedures shall be established, and supporting
|
931
1129
|
business processes and technical measures implemented, for defining allowances
|
932
1130
|
and conditions for permitting usage of organizationally-owned or managed user
|
@@ -939,14 +1137,8 @@ ccm:
|
|
939
1137
|
- id: HRS-08.1
|
940
1138
|
content: Do you provide documentation regarding how you may access tenant
|
941
1139
|
data and metadata?
|
942
|
-
- id: HRS-08.2
|
943
|
-
content: Do you collect or create metadata about tenant data usage through
|
944
|
-
inspection technologies (e.g., search engines, etc.)?
|
945
|
-
- id: HRS-08.3
|
946
|
-
content: Do you allow tenants to opt out of having their data/metadata accessed
|
947
|
-
via inspection technologies?
|
948
1140
|
- id: HRS-09
|
949
|
-
|
1141
|
+
title: Training / Awareness
|
950
1142
|
specification: A security awareness training program shall be established for
|
951
1143
|
all contractors, third-party users, and employees of the organization and
|
952
1144
|
mandated when appropriate. All individuals with access to organizational data
|
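Review bot: HRS-08.2 (metadata collected through inspection technologies) and HRS-08.3 (tenant opt-out from such inspection) are deleted without a visible replacement, leaving HRS-08.1 as the only Acceptable Use question. These two are the questions that tell a tenant whether, and how, the provider inspects tenant data; confirm they are re-added elsewhere rather than dropped.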
@@ -959,11 +1151,8 @@ ccm:
|
|
959
1151
|
program for cloud-related access and data management issues (e.g., multi-tenancy,
|
960
1152
|
nationality, cloud delivery model, segregation of duties implications, and
|
961
1153
|
conflicts of interest) for all persons with access to tenant data?
|
962
|
-
- id: HRS-09.2
|
963
|
-
content: Are administrators and data stewards properly educated on their legal
|
964
|
-
responsibilities with regard to security and data integrity?
|
965
1154
|
- id: HRS-10
|
966
|
-
|
1155
|
+
title: User Responsibility
|
967
1156
|
specification: |-
|
968
1157
|
All personnel shall be made aware of their roles and responsibilities for:
|
969
1158
|
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
|
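Review bot: HRS-09.2 (`Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?`) is removed and does not reappear in this diff, so HRS-09 Training / Awareness keeps only HRS-09.1. Please confirm the deletion or show the relocation.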
@@ -973,14 +1162,8 @@ ccm:
|
|
973
1162
|
content: Are users made aware of their responsibilities for maintaining awareness
|
974
1163
|
and compliance with published security policies, procedures, standards,
|
975
1164
|
and applicable regulatory requirements?
|
976
|
-
- id: HRS-10.2
|
977
|
-
content: Are users made aware of their responsibilities for maintaining a
|
978
|
-
safe and secure working environment?
|
979
|
-
- id: HRS-10.3
|
980
|
-
content: Are users made aware of their responsibilities for leaving unattended
|
981
|
-
equipment in a secure manner?
|
982
1165
|
- id: HRS-11
|
983
|
-
|
1166
|
+
title: Workspace
|
984
1167
|
specification: Policies and procedures shall be established to require that
|
985
1168
|
unattended workspaces do not have openly visible (e.g., on a desktop) sensitive
|
986
1169
|
documents and user computing sessions had been disabled after an established
|
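Review bot: HRS-10.2 and HRS-10.3 are removed here and re-added at the top of this diff (`- id: HRS-10.2`, `- id: HRS-10.3` immediately before IS-07) under a parent whose id is outside the shown context. The User Responsibility specification just above lists these responsibilities as bullets, so moving the questions away from HRS-10 separates them from the clause they test; if the move is intentional, the destination control needs a title and specification.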
@@ -989,18 +1172,17 @@ ccm:
|
|
989
1172
|
- id: HRS-11.1
|
990
1173
|
content: Do your data management policies and procedures address tenant and
|
991
1174
|
service level conflicts of interests?
|
992
|
-
|
993
|
-
|
994
|
-
|
995
|
-
|
996
|
-
|
997
|
-
|
998
|
-
of the virtual machine?
|
1175
|
+
- id: HR
|
1176
|
+
controls:
|
1177
|
+
- id: HR-02
|
1178
|
+
questions:
|
1179
|
+
- id: HRS-03.2
|
1180
|
+
content: Do you document employee acknowledgment of training they have completed?
|
999
1181
|
- id: IAM
|
1000
|
-
|
1182
|
+
title: Identity & Access Management
|
1001
1183
|
controls:
|
1002
1184
|
- id: IAM-01
|
1003
|
-
|
1185
|
+
title: Audit Tools Access
|
1004
1186
|
specification: Access to, and use of, audit tools that interact with the organization's
|
1005
1187
|
information systems shall be appropriately segmented and restricted to prevent
|
1006
1188
|
compromise and misuse of log data.
|
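Review bot: the removed lines 992 to 998 render empty in this view apart from the trailing `of the virtual machine?`, so the deleted HRS-11.2 and HRS-11.3 questions (tamper audit / software integrity for tenant data and for the VM build) cannot be checked here; they reappear near the top of the diff, before IS-07, under a parent not shown. The new `HR` domain added in the same hunk holds only `HR-02` with HRS-03.2 and has no `title`, while sitting directly before `HRS` (`Human Resources`); two domains with near-identical ids and one of them untitled is a readability problem, and HRS-03.2 would be clearer left under HRS-03.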
@@ -1013,7 +1195,7 @@ ccm:
|
|
1013
1195
|
content: Do you monitor and log privileged access (e.g., administrator level)
|
1014
1196
|
to information security management systems?
|
1015
1197
|
- id: IAM-02
|
1016
|
-
|
1198
|
+
title: User Access Policy
|
1017
1199
|
specification: |-
|
1018
1200
|
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
|
1019
1201
|
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
|
@@ -1029,11 +1211,8 @@ ccm:
|
|
1029
1211
|
- id: IAM-02.1
|
1030
1212
|
content: Do you have controls in place ensuring timely removal of systems
|
1031
1213
|
access that is no longer required for business purposes?
|
1032
|
-
- id: IAM-02.2
|
1033
|
-
content: Do you provide metrics to track the speed with which you are able
|
1034
|
-
to remove systems access that is no longer required for business purposes?
|
1035
1214
|
- id: IAM-03
|
1036
|
-
|
1215
|
+
title: Diagnostic / Configuration Ports Access
|
1037
1216
|
specification: User access to diagnostic and configuration ports shall be restricted
|
1038
1217
|
to authorized individuals and applications.
|
1039
1218
|
questions:
|
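Review bot: IAM-02.2 (metrics on how quickly unneeded access is removed) is removed from IAM-02 User Access Policy and re-added at the top of this diff under `IS-07`, which has no specification; it is the companion to IAM-02.1 (`timely removal of systems access`) kept here, and the pair reads better together.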
@@ -1041,7 +1220,7 @@ ccm:
|
|
1041
1220
|
content: Do you use dedicated secure networks to provide management access
|
1042
1221
|
to your cloud service infrastructure?
|
1043
1222
|
- id: IAM-04
|
1044
|
-
|
1223
|
+
title: Policies and Procedures
|
1045
1224
|
specification: Policies and procedures shall be established to store and manage
|
1046
1225
|
identity information about every person who accesses IT infrastructure and
|
1047
1226
|
to determine their level of access. Policies shall also be developed to control
|
@@ -1054,7 +1233,7 @@ ccm:
|
|
1054
1233
|
content: Do you manage and store the user identity of all personnel who have
|
1055
1234
|
network access, including their level of access?
|
1056
1235
|
- id: IAM-05
|
1057
|
-
|
1236
|
+
title: Segregation of Duties
|
1058
1237
|
specification: User access policies and procedures shall be established, and
|
1059
1238
|
supporting business processes and technical measures implemented, for restricting
|
1060
1239
|
user access as per defined segregation of duties to address business risks
|
@@ -1064,7 +1243,7 @@ ccm:
|
|
1064
1243
|
content: Do you provide tenants with documentation on how you maintain segregation
|
1065
1244
|
of duties within your cloud service offering?
|
1066
1245
|
- id: IAM-06
|
1067
|
-
|
1246
|
+
title: Source Code Access Restriction
|
1068
1247
|
specification: Access to the organization's own developed applications, program,
|
1069
1248
|
or object source code, or any other form of intellectual property (IP), and
|
1070
1249
|
use of proprietary software shall be appropriately restricted following the
|
@@ -1075,12 +1254,8 @@ ccm:
|
|
1075
1254
|
content: Are controls in place to prevent unauthorized access to your application,
|
1076
1255
|
program, or object source code, and assure it is restricted to authorized
|
1077
1256
|
personnel only?
|
1078
|
-
- id: IAM-06.2
|
1079
|
-
content: Are controls in place to prevent unauthorized access to tenant application,
|
1080
|
-
program, or object source code, and assure it is restricted to authorized
|
1081
|
-
personnel only?
|
1082
1257
|
- id: IAM-07
|
1083
|
-
|
1258
|
+
title: Third Party Access
|
1084
1259
|
specification: The identification, assessment, and prioritization of risks posed
|
1085
1260
|
by business processes requiring third-party access to the organization's information
|
1086
1261
|
systems and data shall be followed by coordinated application of resources
|
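Review bot: IAM-06.2 (controls preventing unauthorized access to tenant application, program or object source code) is removed and re-added under `IS-33` near the top of this diff, while IAM-06.1, the same question for the provider's own code, stays under Source Code Access Restriction. Splitting provider-code and tenant-code access into different domains, one of them without a specification, makes the tenant half easy to miss.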
@@ -1090,23 +1265,8 @@ ccm:
|
|
1090
1265
|
questions:
|
1091
1266
|
- id: IAM-07.1
|
1092
1267
|
content: Do you provide multi-failure disaster recovery capability?
|
1093
|
-
- id: IAM-07.2
|
1094
|
-
content: Do you monitor service continuity with upstream providers in the
|
1095
|
-
event of provider failure?
|
1096
|
-
- id: IAM-07.3
|
1097
|
-
content: Do you have more than one provider for each service you depend on?
|
1098
|
-
- id: IAM-07.4
|
1099
|
-
content: Do you provide access to operational redundancy and continuity summaries,
|
1100
|
-
including the services you depend on?
|
1101
|
-
- id: IAM-07.5
|
1102
|
-
content: Do you provide the tenant the ability to declare a disaster?
|
1103
|
-
- id: IAM-07.6
|
1104
|
-
content: Do you provide a tenant-triggered failover option?
|
1105
|
-
- id: IAM-07.7
|
1106
|
-
content: Do you share your business continuity and redundancy plans with your
|
1107
|
-
tenants?
|
1108
1268
|
- id: IAM-08
|
1109
|
-
|
1269
|
+
title: User Access Restriction / Authorization
|
1110
1270
|
specification: Policies and procedures are established for permissible storage
|
1111
1271
|
and access of identities used for authentication to ensure identities are
|
1112
1272
|
only accessible based on rules of least privilege and replication limitation
|
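Review bot: IAM-07.2 through IAM-07.7 (1093 to 1107) are removed and do not reappear elsewhere in this diff, so the regenerated IAM-07 keeps only IAM-07.1. Six consecutive questions vanishing from one control reads like the importer stopping at the first question row of a multi-row control rather than an intentional change; if it is intentional, say so in the change, otherwise fix the generator before committing the output.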
@@ -1114,11 +1274,8 @@ ccm:
|
|
1114
1274
|
questions:
|
1115
1275
|
- id: IAM-08.1
|
1116
1276
|
content: Do you document how you grant and approve access to tenant data?
|
1117
|
-
- id: IAM-08.2
|
1118
|
-
content: Do you have a method of aligning provider and tenant data classification
|
1119
|
-
methodologies for access control purposes?
|
1120
1277
|
- id: IAM-09
|
1121
|
-
|
1278
|
+
title: User Access Authorization
|
1122
1279
|
specification: Provisioning user access (e.g., employees, contractors, customers
|
1123
1280
|
(tenants), business partners and/or supplier relationships) to data and organizationally-owned
|
1124
1281
|
or managed (physical and virtual) applications, infrastructure systems, and
|
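Review bot: IAM-08.2 (1117 to 1119, aligning provider and tenant data classification for access control) is dropped here with no replacement anywhere in this diff, leaving IAM-08 with a single question. This is the same silent loss seen on IAM-06 and IAM-07 and should be treated as a generator bug, not as content to merge.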
@@ -1141,7 +1298,7 @@ ccm:
|
|
1141
1298
|
owned or managed (physical and virtual) applications, infrastructure systems
|
1142
1299
|
and network components?
|
1143
1300
|
- id: IAM-10
|
1144
|
-
|
1301
|
+
title: User Access Reviews
|
1145
1302
|
specification: User access shall be authorized and revalidated for entitlement
|
1146
1303
|
appropriateness, at planned intervals, by the organization's business leadership
|
1147
1304
|
or other accountable business role or function supported by evidence to demonstrate
|
@@ -1153,15 +1310,8 @@ ccm:
|
|
1153
1310
|
content: Do you require at least annual certification of entitlements for
|
1154
1311
|
all system users and administrators (exclusive of users maintained by your
|
1155
1312
|
tenants)?
|
1156
|
-
- id: IAM-10.2
|
1157
|
-
content: If users are found to have inappropriate entitlements, are all remediation
|
1158
|
-
and certification actions recorded?
|
1159
|
-
- id: IAM-10.3
|
1160
|
-
content: Will you share user entitlement remediation and certification reports
|
1161
|
-
with your tenants, if inappropriate access may have been allowed to tenant
|
1162
|
-
data?
|
1163
1313
|
- id: IAM-11
|
1164
|
-
|
1314
|
+
title: User Access Revocation
|
1165
1315
|
specification: Timely de-provisioning (revocation or modification) of user access
|
1166
1316
|
to data and organizationally-owned or managed (physical and virtual) applications,
|
1167
1317
|
infrastructure systems, and network components, shall be implemented as per
|
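Review bot: IAM-10.2 and IAM-10.3 (1156 to 1162) are removed without being re-added anywhere in this diff; the remediation-recording and tenant-reporting questions are the ones that make the annual entitlement review auditable, so losing them is not cosmetic. The regenerated IAM-10 should still list 10.1 to 10.3.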
@@ -1176,12 +1326,8 @@ ccm:
|
|
1176
1326
|
to the organizations systems, information assets, and data implemented upon
|
1177
1327
|
any change in status of employees, contractors, customers, business partners,
|
1178
1328
|
or involved third parties?
|
1179
|
-
- id: IAM-11.2
|
1180
|
-
content: Is any change in user access status intended to include termination
|
1181
|
-
of employment, contract or agreement, change of employment or transfer within
|
1182
|
-
the organization?
|
1183
1329
|
- id: IAM-12
|
1184
|
-
|
1330
|
+
title: User ID Credentials
|
1185
1331
|
specification: |-
|
1186
1332
|
Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
|
1187
1333
|
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
|
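Review bot: IAM-11.2 (1179 to 1182, whether termination, contract end and internal transfer count as a change in access status) is deleted and never re-added in this diff, so IAM-11 User Access Revocation is left with 11.1 only. Same pattern as the other IAM controls above: verify the importer handles multi-question controls before committing this file.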
@@ -1192,24 +1338,6 @@ ccm:
|
|
1192
1338
|
- id: IAM-12.1
|
1193
1339
|
content: Do you support use of, or integration with, existing customer-based
|
1194
1340
|
Single Sign On (SSO) solutions to your service?
|
1195
|
-
- id: IAM-12.2
|
1196
|
-
content: Do you use open standards to delegate authentication capabilities
|
1197
|
-
to your tenants?
|
1198
|
-
- id: IAM-12.3
|
1199
|
-
content: Do you support identity federation standards (e.g., SAML, SPML, WS-Federation,
|
1200
|
-
etc.) as a means of authenticating/authorizing users?
|
1201
|
-
- id: IAM-12.4
|
1202
|
-
content: Do you have a Policy Enforcement Point capability (e.g., XACML) to
|
1203
|
-
enforce regional legal and policy constraints on user access?
|
1204
|
-
- id: IAM-12.5
|
1205
|
-
content: Do you have an identity management system (enabling classification
|
1206
|
-
of data for a tenant) in place to enable both role-based and context-based
|
1207
|
-
entitlement to data?
|
1208
|
-
- id: IAM-12.6
|
1209
|
-
content: Do you provide tenants with strong (multifactor) authentication options
|
1210
|
-
(e.g., digital certs, tokens, biometrics, etc.) for user access?
|
1211
|
-
- id: IAM-12.7
|
1212
|
-
content: Do you allow tenants to use third-party identity assurance services?
|
1213
1341
|
- id: IAM-12.8
|
1214
1342
|
content: Do you support password (e.g., minimum length, age, history, complexity)
|
1215
1343
|
and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?
|
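Review bot: after this hunk IAM-12.1 is followed directly by IAM-12.8, because IAM-12.2 through IAM-12.7 (1195 to 1212) are removed; they are not lost, they reappear verbatim under a new `SA-02` control in the next hunk. That is a misfiling by the importer, not an intended move, and these six questions (SSO, federation standards, PEP, identity management, MFA, third-party identity assurance) must stay under IAM-12 User ID Credentials.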
@@ -1223,24 +1351,80 @@ ccm:
|
|
1223
1351
|
been locked out (e.g., self-service via email, defined challenge questions,
|
1224
1352
|
manual unlock)?
|
1225
1353
|
- id: IAM-13
|
1226
|
-
|
1354
|
+
title: Utility Programs Access
|
1227
1355
|
specification: Utility programs capable of potentially overriding system, object,
|
1228
1356
|
network, virtual machine, and application controls shall be restricted.
|
1229
1357
|
questions:
|
1230
1358
|
- id: IAM-13.1
|
1231
1359
|
content: Are utilities that can significantly manage virtualized partitions
|
1232
1360
|
(e.g., shutdown, clone, etc.) appropriately restricted and monitored?
|
1233
|
-
|
1234
|
-
|
1235
|
-
|
1236
|
-
|
1237
|
-
|
1238
|
-
|
1361
|
+
- id: SA
|
1362
|
+
controls:
|
1363
|
+
- id: SA-02
|
1364
|
+
questions:
|
1365
|
+
- id: IAM-12.2
|
1366
|
+
content: Do you use open standards to delegate authentication capabilities
|
1367
|
+
to your tenants?
|
1368
|
+
- id: IAM-12.3
|
1369
|
+
content: Do you support identity federation standards (e.g., SAML, SPML, WS-Federation,
|
1370
|
+
etc.) as a means of authenticating/authorizing users?
|
1371
|
+
- id: IAM-12.4
|
1372
|
+
content: Do you have a Policy Enforcement Point capability (e.g., XACML) to
|
1373
|
+
enforce regional legal and policy constraints on user access?
|
1374
|
+
- id: IAM-12.5
|
1375
|
+
content: Do you have an identity management system (enabling classification
|
1376
|
+
of data for a tenant) in place to enable both role-based and context-based
|
1377
|
+
entitlement to data?
|
1378
|
+
- id: IAM-12.6
|
1379
|
+
content: Do you provide tenants with strong (multifactor) authentication options
|
1380
|
+
(e.g., digital certs, tokens, biometrics, etc.) for user access?
|
1381
|
+
- id: IAM-12.7
|
1382
|
+
content: Do you allow tenants to use third-party identity assurance services?
|
1383
|
+
- id: SA-14
|
1384
|
+
questions:
|
1385
|
+
- id: IVS-01.2
|
1386
|
+
content: Is physical and logical user access to audit logs restricted to authorized
|
1387
|
+
personnel?
|
1388
|
+
- id: IVS-01.3
|
1389
|
+
content: Can you provide evidence that due diligence mapping of regulations
|
1390
|
+
and standards to your controls/architecture/processes has been done?
|
1391
|
+
- id: SA-06
|
1392
|
+
questions:
|
1393
|
+
- id: IVS-08.2
|
1394
|
+
content: For your IaaS offering, do you provide tenants with guidance on how
|
1395
|
+
to create suitable production and test environments?
|
1396
|
+
- id: SA-09
|
1397
|
+
questions:
|
1398
|
+
- id: IVS-09.2
|
1399
|
+
content: Are system and network environments protected by a firewall or virtual
|
1400
|
+
firewall to ensure compliance with legislative, regulatory, and contractual
|
1401
|
+
requirements?
|
1402
|
+
- id: IVS-09.3
|
1403
|
+
content: Are system and network environments protected by a firewall or virtual
|
1404
|
+
firewall to ensure separation of production and non-production environments?
|
1405
|
+
- id: IVS-09.4
|
1406
|
+
content: Are system and network environments protected by a firewall or virtual
|
1407
|
+
firewall to ensure protection and isolation of sensitive data?
|
1408
|
+
- id: SA-10
|
1409
|
+
questions:
|
1410
|
+
- id: IVS-12.2
|
1411
|
+
content: Are policies and procedures established and mechanisms implemented
|
1412
|
+
to ensure wireless security settings are enabled with strong encryption
|
1413
|
+
for authentication and transmission, replacing vendor default settings (e.g.,
|
1414
|
+
encryption keys, passwords, SNMP community strings)?
|
1415
|
+
- id: IVS-12.3
|
1416
|
+
content: Are policies and procedures established and mechanisms implemented
|
1417
|
+
to protect wireless network environments and detect the presence of unauthorized
|
1418
|
+
(rogue) network devices for a timely disconnect from the network?
|
1419
|
+
- id: SA-15
|
1420
|
+
questions:
|
1421
|
+
- id: TVM-03.2
|
1422
|
+
content: Is all unauthorized mobile code prevented from executing?
|
1239
1423
|
- id: IVS
|
1240
|
-
|
1424
|
+
title: Infrastructure & Virtualization Security
|
1241
1425
|
controls:
|
1242
1426
|
- id: IVS-01
|
1243
|
-
|
1427
|
+
title: Audit Logging / Intrusion Detection
|
1244
1428
|
specification: Higher levels of assurance are required for protection, retention,
|
1245
1429
|
and lifecycle management of audit logs, adhering to applicable legal, statutory,
|
1246
1430
|
or regulatory compliance obligations and providing unique user access accountability
|
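Review bot: the `- id: SA` domain inserted at 1361, between IAM and IVS, is not a CCM v3.0.1 domain, has no `title:` (every other domain in this diff gets one), and its controls SA-02, SA-14, SA-06, SA-09, SA-10 and SA-15 carry neither `title:` nor `specification:` and are not even in id order. The questions filed under them are exactly the ones removed from IAM-12 (12.2 to 12.7), IVS-01 (01.2, 01.3), IVS-08 (08.2), IVS-09 (09.2 to 09.4) and IVS-12 (12.2, 12.3) elsewhere in this diff, plus TVM-03.2 whose parent domain is not in view. Those ids look like the legacy CCM v1.x control references the source spreadsheet carries alongside each row, which suggests the importer reads that column on continuation rows instead of carrying the current control id forward. The expected output has no SA domain at all and keeps each `- id: IAM-12.2` and so on under its own control; fix the generator and regenerate rather than committing this block.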
@@ -1252,19 +1436,13 @@ ccm:
|
|
1252
1436
|
content: Are file integrity (host) and network intrusion detection (IDS) tools
|
1253
1437
|
implemented to help facilitate timely detection, investigation by root cause
|
1254
1438
|
analysis, and response to incidents?
|
1255
|
-
- id: IVS-01.2
|
1256
|
-
content: Is physical and logical user access to audit logs restricted to authorized
|
1257
|
-
personnel?
|
1258
|
-
- id: IVS-01.3
|
1259
|
-
content: Can you provide evidence that due diligence mapping of regulations
|
1260
|
-
and standards to your controls/architecture/processes has been done?
|
1261
1439
|
- id: IVS-01.4
|
1262
1440
|
content: Are audit logs centrally stored and retained?
|
1263
1441
|
- id: IVS-01.5
|
1264
1442
|
content: Are audit logs reviewed on a regular basis for security events (e.g.,
|
1265
1443
|
with automated tools)?
|
1266
1444
|
- id: IVS-02
|
1267
|
-
|
1445
|
+
title: Change Detection
|
1268
1446
|
specification: The provider shall ensure the integrity of all virtual machine
|
1269
1447
|
images at all times. Any changes made to virtual machine images must be logged
|
1270
1448
|
and an alert raised regardless of their running state (e.g., dormant, off,
|
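Review bot: IVS-01.2 and IVS-01.3 (1255 to 1260) are removed here and re-added under the spurious `SA-14` control in the hunk above, so IVS-01 Audit Logging / Intrusion Detection jumps from 01.1 to 01.4. The audit-log access restriction question in particular belongs with the control whose specification it tests; keep it here.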
@@ -1280,7 +1458,7 @@ ccm:
|
|
1280
1458
|
validation of the image's integrity, made immediately available to customers
|
1281
1459
|
through electronic methods (e.g., portals or alerts)?
|
1282
1460
|
- id: IVS-03
|
1283
|
-
|
1461
|
+
title: Clock Synchronization
|
1284
1462
|
specification: A reliable and mutually agreed upon external time source shall
|
1285
1463
|
be used to synchronize the system clocks of all relevant information processing
|
1286
1464
|
systems to facilitate tracing and reconstitution of activity timelines.
|
@@ -1289,7 +1467,7 @@ ccm:
|
|
1289
1467
|
content: Do you use a synchronized time-service protocol (e.g., NTP) to ensure
|
1290
1468
|
all systems have a common time reference?
|
1291
1469
|
- id: IVS-04
|
1292
|
-
|
1470
|
+
title: Capacity / Resource Planning
|
1293
1471
|
specification: The availability, quality, and adequate capacity and resources
|
1294
1472
|
shall be planned, prepared, and measured to deliver the required system performance
|
1295
1473
|
in accordance with legal, statutory, and regulatory compliance obligations.
|
@@ -1300,9 +1478,6 @@ ccm:
|
|
1300
1478
|
content: Do you provide documentation regarding what levels of system (e.g.,
|
1301
1479
|
network, storage, memory, I/O, etc.) oversubscription you maintain and under
|
1302
1480
|
what circumstances/scenarios?
|
1303
|
-
- id: IVS-04.2
|
1304
|
-
content: Do you restrict use of the memory oversubscription capabilities present
|
1305
|
-
in the hypervisor?
|
1306
1481
|
- id: IVS-04.3
|
1307
1482
|
content: Do your system capacity requirements take into account current, projected,
|
1308
1483
|
and anticipated capacity needs for all systems used to provide services
|
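Review bot: IVS-04.2 (1303 to 1305, restricting hypervisor memory oversubscription) is deleted and, unlike the IVS-01 and IVS-09 questions, is not re-added anywhere in this diff, so the regenerated IVS-04 goes from 04.1 straight to 04.3. This is a silent data loss; restore the question or fix the importer.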
@@ -1312,7 +1487,7 @@ ccm:
|
|
1312
1487
|
meet regulatory, contractual, and business requirements for all the systems
|
1313
1488
|
used to provide services to the tenants?
|
1314
1489
|
- id: IVS-05
|
1315
|
-
|
1490
|
+
title: Management - Vulnerability Management
|
1316
1491
|
specification: Implementers shall ensure that the security vulnerability assessment
|
1317
1492
|
tools or services accommodate the virtualization technologies used (e.g.,
|
1318
1493
|
virtualization aware).
|
@@ -1321,7 +1496,7 @@ ccm:
|
|
1321
1496
|
content: Do security vulnerability assessment tools or services accommodate
|
1322
1497
|
the virtualization technologies being used (e.g., virtualization aware)?
|
1323
1498
|
- id: IVS-06
|
1324
|
-
|
1499
|
+
title: Network Security
|
1325
1500
|
specification: Network environments and virtual instances shall be designed
|
1326
1501
|
and configured to restrict and monitor traffic between trusted and untrusted
|
1327
1502
|
connections. These configurations shall be reviewed at least annually, and
|
@@ -1341,7 +1516,7 @@ ccm:
|
|
1341
1516
|
- id: IVS-06.4
|
1342
1517
|
content: Are all firewall access control lists documented with business justification?
|
1343
1518
|
- id: IVS-07
|
1344
|
-
|
1519
|
+
title: OS Hardening and Base Controls
|
1345
1520
|
specification: 'Each operating system shall be hardened to provide only necessary
|
1346
1521
|
ports, protocols, and services to meet business needs and have in place supporting
|
1347
1522
|
technical controls such as: antivirus, file integrity monitoring, and logging
|
@@ -1353,7 +1528,7 @@ ccm:
|
|
1353
1528
|
(e.g., antivirus, file integrity monitoring, and logging) as part of their
|
1354
1529
|
baseline build standard or template?
|
1355
1530
|
- id: IVS-08
|
1356
|
-
|
1531
|
+
title: Production / Non-Production Environments
|
1357
1532
|
specification: 'Production and non-production environments shall be separated
|
1358
1533
|
to prevent unauthorized access or changes to information assets. Separation
|
1359
1534
|
of the environments may include: stateful inspection firewalls, domain/realm
|
@@ -1363,14 +1538,11 @@ ccm:
|
|
1363
1538
|
- id: IVS-08.1
|
1364
1539
|
content: For your SaaS or PaaS offering, do you provide tenants with separate
|
1365
1540
|
environments for production and test processes?
|
1366
|
-
- id: IVS-08.2
|
1367
|
-
content: For your IaaS offering, do you provide tenants with guidance on how
|
1368
|
-
to create suitable production and test environments?
|
1369
1541
|
- id: IVS-08.3
|
1370
1542
|
content: Do you logically and physically segregate production and non-production
|
1371
1543
|
environments?
|
1372
1544
|
- id: IVS-09
|
1373
|
-
|
1545
|
+
title: Segmentation
|
1374
1546
|
specification: |-
|
1375
1547
|
Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:
|
1376
1548
|
• Established policies and procedures
|
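Review bot: IVS-08.2 (1366 to 1368, the IaaS guidance on production and test environments) is removed here and resurfaces under `SA-06` in the inserted SA block earlier in this diff, leaving IVS-08 with 08.1 and 08.3 only. The question should remain under IVS-08 Production / Non-Production Environments, where its SaaS/PaaS counterpart IVS-08.1 still is.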
@@ -1380,18 +1552,8 @@ ccm:
|
|
1380
1552
|
- id: IVS-09.1
|
1381
1553
|
content: Are system and network environments protected by a firewall or virtual
|
1382
1554
|
firewall to ensure business and customer security requirements?
|
1383
|
-
- id: IVS-09.2
|
1384
|
-
content: Are system and network environments protected by a firewall or virtual
|
1385
|
-
firewall to ensure compliance with legislative, regulatory, and contractual
|
1386
|
-
requirements?
|
1387
|
-
- id: IVS-09.3
|
1388
|
-
content: Are system and network environments protected by a firewall or virtual
|
1389
|
-
firewall to ensure separation of production and non-production environments?
|
1390
|
-
- id: IVS-09.4
|
1391
|
-
content: Are system and network environments protected by a firewall or virtual
|
1392
|
-
firewall to ensure protection and isolation of sensitive data?
|
1393
1555
|
- id: IVS-10
|
1394
|
-
|
1556
|
+
title: VM Security - Data Protection
|
1395
1557
|
specification: Secured and encrypted communication channels shall be used when
|
1396
1558
|
migrating physical servers, applications, or data to virtualized servers and,
|
1397
1559
|
where possible, shall use a network segregated from production-level networks
|
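Review bot: IVS-09.2 through IVS-09.4 (1383 to 1392) are cut from IVS-09 Segmentation and re-added under `SA-09` in the inserted SA block; only IVS-09.1 survives here. The four questions are one family (firewalling for business, regulatory, prod/non-prod and sensitive-data reasons) and splitting them across two controls makes the matrix wrong for anyone mapping answers back to IVS-09.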
@@ -1404,7 +1566,7 @@ ccm:
|
|
1404
1566
|
content: Do you use a network segregated from production-level networks when
|
1405
1567
|
migrating physical servers, applications, or data to virtual servers?
|
1406
1568
|
- id: IVS-11
|
1407
|
-
|
1569
|
+
title: VMM Security - Hypervisor Hardening
|
1408
1570
|
specification: Access to all hypervisor management functions or administrative
|
1409
1571
|
consoles for systems hosting virtualized systems shall be restricted to personnel
|
1410
1572
|
based upon the principle of least privilege and supported through technical
|
@@ -1418,7 +1580,7 @@ ccm:
|
|
1418
1580
|
(e.g., two-factor authentication, audit trails, IP address filtering, firewalls
|
1419
1581
|
and TLS-encapsulated communications to the administrative consoles)?
|
1420
1582
|
- id: IVS-12
|
1421
|
-
|
1583
|
+
title: Wireless Security
|
1422
1584
|
specification: |-
|
1423
1585
|
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
|
1424
1586
|
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
|
@@ -1430,17 +1592,8 @@ ccm:
|
|
1430
1592
|
content: Are policies and procedures established and mechanisms configured
|
1431
1593
|
and implemented to protect the wireless network environment perimeter and
|
1432
1594
|
to restrict unauthorized wireless traffic?
|
1433
|
-
- id: IVS-12.2
|
1434
|
-
content: Are policies and procedures established and mechanisms implemented
|
1435
|
-
to ensure wireless security settings are enabled with strong encryption
|
1436
|
-
for authentication and transmission, replacing vendor default settings (e.g.,
|
1437
|
-
encryption keys, passwords, SNMP community strings)?
|
1438
|
-
- id: IVS-12.3
|
1439
|
-
content: Are policies and procedures established and mechanisms implemented
|
1440
|
-
to protect wireless network environments and detect the presence of unauthorized
|
1441
|
-
(rogue) network devices for a timely disconnect from the network?
|
1442
1595
|
- id: IVS-13
|
1443
|
-
|
1596
|
+
title: Network Architecture
|
1444
1597
|
specification: Network architecture diagrams shall clearly identify high-risk
|
1445
1598
|
environments and data flows that may have legal compliance impacts. Technical
|
1446
1599
|
measures shall be implemented and shall apply defense-in-depth techniques
|
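Review bot: IVS-12.2 and IVS-12.3 (1433 to 1441, strong wireless encryption with vendor defaults replaced, and rogue device detection) are removed and re-added under `SA-10` in the inserted SA block, so IVS-12 Wireless Security keeps only the perimeter question 12.1. As with the other moved questions, this is the importer misattributing continuation rows; the questions should stay under IVS-12.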
@@ -1459,10 +1612,10 @@ ccm:
|
|
1459
1612
|
or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks)
|
1460
1613
|
and/or distributed denial-of-service (DDoS) attacks?
|
1461
1614
|
- id: IPY
|
1462
|
-
|
1615
|
+
title: Interoperability & Portability
|
1463
1616
|
controls:
|
1464
1617
|
- id: IPY-01
|
1465
|
-
|
1618
|
+
title: APIs
|
1466
1619
|
specification: The provider shall use open and published APIs to ensure support
|
1467
1620
|
for interoperability between components and to facilitate migrating applications.
|
1468
1621
|
questions:
|
@@ -1470,7 +1623,7 @@ ccm:
|
|
1470
1623
|
content: Do you publish a list of all APIs available in the service and indicate
|
1471
1624
|
which are standard and which are customized?
|
1472
1625
|
- id: IPY-02
|
1473
|
-
|
1626
|
+
title: Data Request
|
1474
1627
|
specification: All structured and unstructured data shall be available to the
|
1475
1628
|
customer and provided to them upon request in an industry-standard format
|
1476
1629
|
(e.g., .doc, .xls, .pdf, logs, and flat files).
|
@@ -1479,7 +1632,7 @@ ccm:
|
|
1479
1632
|
content: Is unstructured customer data available on request in an industry-standard
|
1480
1633
|
format (e.g., .doc, .xls, or .pdf)?
|
1481
1634
|
- id: IPY-03
|
1482
|
-
|
1635
|
+
title: Policy & Legal
|
1483
1636
|
specification: Policies, procedures, and mutually-agreed upon provisions and/or
|
1484
1637
|
terms shall be established to satisfy customer (tenant) requirements for service-to-service
|
1485
1638
|
application (API) and information processing interoperability, and portability
|
@@ -1494,7 +1647,7 @@ ccm:
|
|
1494
1647
|
content: Do you provide policies and procedures (i.e. service level agreements)
|
1495
1648
|
governing the migration of application data to and from your service?
|
1496
1649
|
- id: IPY-04
|
1497
|
-
|
1650
|
+
title: Standardized Network Protocols
|
1498
1651
|
specification: The provider shall use secure (e.g., non-clear text and authenticated)
|
1499
1652
|
standardized network protocols for the import and export of data and to manage
|
1500
1653
|
the service, and shall make available a document to consumers (tenants) detailing
|
@@ -1509,7 +1662,7 @@ ccm:
|
|
1509
1662
|
relevant interoperability and portability network protocol standards that
|
1510
1663
|
are involved?
|
1511
1664
|
- id: IPY-05
|
1512
|
-
|
1665
|
+
title: Virtualization
|
1513
1666
|
specification: The provider shall use an industry-recognized virtualization
|
1514
1667
|
platform and standard virtualization formats (e.g., OVF) to help ensure interoperability,
|
1515
1668
|
and shall have documented custom changes made to any hypervisor in use, and
|
@@ -1522,10 +1675,10 @@ ccm:
|
|
1522
1675
|
content: Do you have documented custom changes made to any hypervisor in use,
|
1523
1676
|
and all solution-specific virtualization hooks available for customer review?
|
1524
1677
|
- id: MOS
|
1525
|
-
|
1678
|
+
title: Mobile Security
|
1526
1679
|
controls:
|
1527
1680
|
- id: MOS-01
|
1528
|
-
|
1681
|
+
title: Anti-Malware
|
1529
1682
|
specification: Anti-malware awareness training, specific to mobile devices,
|
1530
1683
|
shall be included in the provider's information security awareness training.
|
1531
1684
|
questions:
|
@@ -1533,7 +1686,7 @@ ccm:
|
|
1533
1686
|
content: Do you provide anti-malware training specific to mobile devices as
|
1534
1687
|
part of your information security awareness training?
|
1535
1688
|
- id: MOS-02
|
1536
|
-
|
1689
|
+
title: Application Stores
|
1537
1690
|
specification: A documented list of approved application stores has been communicated
|
1538
1691
|
as acceptable for mobile devices accessing or storing provider managed data.
|
1539
1692
|
questions:
|
@@ -1542,7 +1695,7 @@ ccm:
|
|
1542
1695
|
stores for mobile devices accessing or storing company data and/or company
|
1543
1696
|
systems?
|
1544
1697
|
- id: MOS-03
|
1545
|
-
|
1698
|
+
title: Approved Applications
|
1546
1699
|
specification: The company shall have a documented policy prohibiting the installation
|
1547
1700
|
of non-approved applications or approved applications not obtained through
|
1548
1701
|
a pre-identified application store.
|
@@ -1552,7 +1705,7 @@ ccm:
|
|
1552
1705
|
that only approved applications and those from approved application stores
|
1553
1706
|
can be loaded onto a mobile device?
|
1554
1707
|
- id: MOS-04
|
1555
|
-
|
1708
|
+
title: Approved Software for BYOD
|
1556
1709
|
specification: The BYOD policy and supporting awareness training clearly states
|
1557
1710
|
the approved applications, application stores, and application extensions
|
1558
1711
|
and plugins that may be used for BYOD usage.
|
@@ -1561,7 +1714,7 @@ ccm:
|
|
1561
1714
|
content: Does your BYOD policy and training clearly state which applications
|
1562
1715
|
and applications stores are approved for use on BYOD devices?
|
1563
1716
|
- id: MOS-05
|
1564
|
-
|
1717
|
+
title: Awareness and Training
|
1565
1718
|
specification: The provider shall have a documented mobile device policy that
|
1566
1719
|
includes a documented definition for mobile devices and the acceptable usage
|
1567
1720
|
and requirements for all mobile devices. The provider shall post and communicate
|
@@ -1573,7 +1726,7 @@ ccm:
|
|
1573
1726
|
that clearly defines mobile devices and the accepted usage and requirements
|
1574
1727
|
for mobile devices?
|
1575
1728
|
- id: MOS-06
|
1576
|
-
|
1729
|
+
title: Cloud Based Services
|
1577
1730
|
specification: All cloud-based services used by the company's mobile devices
|
1578
1731
|
or BYOD shall be pre-approved for usage and the storage of company business
|
1579
1732
|
data.
|
@@ -1583,7 +1736,7 @@ ccm:
|
|
1583
1736
|
that are allowed to be used for use and storage of company business data
|
1584
1737
|
via a mobile device?
|
1585
1738
|
- id: MOS-07
|
1586
|
-
|
1739
|
+
title: Compatibility
|
1587
1740
|
specification: The company shall have a documented application validation process
|
1588
1741
|
to test for mobile device, operating system, and application compatibility
|
1589
1742
|
issues.
|
@@ -1592,7 +1745,7 @@ ccm:
|
|
1592
1745
|
content: Do you have a documented application validation process for testing
|
1593
1746
|
device, operating system, and application compatibility issues?
|
1594
1747
|
- id: MOS-08
|
1595
|
-
|
1748
|
+
title: Device Eligibility
|
1596
1749
|
specification: The BYOD policy shall define the device and eligibility requirements
|
1597
1750
|
to allow for BYOD usage.
|
1598
1751
|
questions:
|
@@ -1600,7 +1753,7 @@ ccm:
|
|
1600
1753
|
content: Do you have a BYOD policy that defines the device(s) and eligibility
|
1601
1754
|
requirements allowed for BYOD usage?
|
1602
1755
|
- id: MOS-09
|
1603
|
-
|
1756
|
+
title: Device Inventory
|
1604
1757
|
specification: An inventory of all mobile devices used to store and access company
|
1605
1758
|
data shall be kept and maintained. All changes to the status of these devices,
|
1606
1759
|
(i.e., operating system and patch levels, lost or decommissioned status, and
|
@@ -1612,7 +1765,7 @@ ccm:
|
|
1612
1765
|
company data which includes device status (e.g., operating system and patch
|
1613
1766
|
levels, lost or decommissioned, device assignee)?
|
1614
1767
|
- id: MOS-10
|
1615
|
-
|
1768
|
+
title: Device Management
|
1616
1769
|
specification: A centralized, mobile device management solution shall be deployed
|
1617
1770
|
to all mobile devices permitted to store, transmit, or process customer data.
|
1618
1771
|
questions:
|
@@ -1621,7 +1774,7 @@ ccm:
|
|
1621
1774
|
to all mobile devices that are permitted to store, transmit, or process
|
1622
1775
|
company data?
|
1623
1776
|
- id: MOS-11
|
1624
|
-
|
1777
|
+
title: Encryption
|
1625
1778
|
specification: The mobile device policy shall require the use of encryption
|
1626
1779
|
either for the entire device or for data identified as sensitive on all mobile
|
1627
1780
|
devices and shall be enforced through technology controls.
|
@@ -1631,7 +1784,7 @@ ccm:
|
|
1631
1784
|
either the entire device or for data identified as sensitive enforceable
|
1632
1785
|
through technology controls for all mobile devices?
|
1633
1786
|
- id: MOS-12
|
1634
|
-
|
1787
|
+
title: Jailbreaking and Rooting
|
1635
1788
|
specification: The mobile device policy shall prohibit the circumvention of
|
1636
1789
|
built-in security controls on mobile devices (e.g., jailbreaking or rooting)
|
1637
1790
|
and is enforced through detective and preventative controls on the device
|
@@ -1645,7 +1798,7 @@ ccm:
|
|
1645
1798
|
via a centralized device management system which prohibit the circumvention
|
1646
1799
|
of built-in security controls?
|
1647
1800
|
- id: MOS-13
|
1648
|
-
|
1801
|
+
title: Legal
|
1649
1802
|
specification: The BYOD policy includes clarifying language for the expectation
|
1650
1803
|
of privacy, requirements for litigation, e-discovery, and legal holds. The
|
1651
1804
|
BYOD policy shall clearly state the expectations over the loss of non-company
|
@@ -1659,7 +1812,7 @@ ccm:
|
|
1659
1812
|
via a centralized device management system which prohibit the circumvention
|
1660
1813
|
of built-in security controls?
|
1661
1814
|
- id: MOS-14
|
1662
|
-
|
1815
|
+
title: Lockout Screen
|
1663
1816
|
specification: BYOD and/or company owned devices are configured to require an
|
1664
1817
|
automatic lockout screen, and the requirement shall be enforced through technical
|
1665
1818
|
controls.
|
@@ -1668,7 +1821,7 @@ ccm:
|
|
1668
1821
|
content: Do you require and enforce via technical controls an automatic lockout
|
1669
1822
|
screen for BYOD and company owned devices?
|
1670
1823
|
- id: MOS-15
|
1671
|
-
|
1824
|
+
title: Operating Systems
|
1672
1825
|
specification: Changes to mobile device operating systems, patch levels, and/or
|
1673
1826
|
applications shall be managed through the company's change management processes.
|
1674
1827
|
questions:
|
@@ -1676,7 +1829,7 @@ ccm:
|
|
1676
1829
|
content: Do you manage all changes to mobile device operating systems, patch
|
1677
1830
|
levels, and applications via your company's change management processes?
|
1678
1831
|
- id: MOS-16
|
1679
|
-
|
1832
|
+
title: Passwords
|
1680
1833
|
specification: Password policies, applicable to mobile devices, shall be documented
|
1681
1834
|
and enforced through technical controls on all company devices or devices
|
1682
1835
|
approved for BYOD usage, and shall prohibit the changing of password/PIN lengths
|
@@ -1692,7 +1845,7 @@ ccm:
|
|
1692
1845
|
content: Do your password policies prohibit the changing of authentication
|
1693
1846
|
requirements (i.e. password/PIN length) via a mobile device?
|
1694
1847
|
- id: MOS-17
|
1695
|
-
|
1848
|
+
title: Policy
|
1696
1849
|
specification: The mobile device policy shall require the BYOD user to perform
|
1697
1850
|
backups of data, prohibit the usage of unapproved application stores, and
|
1698
1851
|
require the use of anti-malware software (where supported).
|
@@ -1707,7 +1860,7 @@ ccm:
|
|
1707
1860
|
content: Do you have a policy that requires BYOD users to use anti-malware
|
1708
1861
|
software (where supported)?
|
1709
1862
|
- id: MOS-18
|
1710
|
-
|
1863
|
+
title: Remote Wipe
|
1711
1864
|
specification: All mobile devices permitted for use through the company BYOD
|
1712
1865
|
program or a company-assigned mobile device shall allow for remote wipe by
|
1713
1866
|
the company's corporate IT or shall have all company-provided data wiped by
|
@@ -1720,7 +1873,7 @@ ccm:
|
|
1720
1873
|
content: Does your IT provide remote wipe or corporate data wipe for all company-assigned
|
1721
1874
|
mobile devices?
|
1722
1875
|
- id: MOS-19
|
1723
|
-
|
1876
|
+
title: Security Patches
|
1724
1877
|
specification: Mobile devices connecting to corporate networks or storing and
|
1725
1878
|
accessing company information shall allow for remote software version/patch
|
1726
1879
|
validation. All mobile devices shall have the latest available security-related
|
@@ -1734,7 +1887,7 @@ ccm:
|
|
1734
1887
|
content: Do your mobile devices allow for remote validation to download the
|
1735
1888
|
latest security patches by company IT personnel?
|
1736
1889
|
- id: MOS-20
|
1737
|
-
|
1890
|
+
title: Users
|
1738
1891
|
specification: The BYOD policy shall clarify the systems and servers allowed
|
1739
1892
|
for use or access on a BYOD-enabled device.
|
1740
1893
|
questions:
|
@@ -1745,10 +1898,10 @@ ccm:
|
|
1745
1898
|
content: Does your BYOD policy specify the user roles that are allowed access
|
1746
1899
|
via a BYOD-enabled device?
|
1747
1900
|
- id: SEF
|
1748
|
-
|
1901
|
+
title: Security Incident Management, E-Discovery, & Cloud Forensics
|
1749
1902
|
controls:
|
1750
1903
|
- id: SEF-01
|
1751
|
-
|
1904
|
+
title: Contact / Authority Maintenance
|
1752
1905
|
specification: Points of contact for applicable regulation authorities, national
|
1753
1906
|
and local law enforcement, and other legal jurisdictional authorities shall
|
1754
1907
|
be maintained and regularly updated (e.g., change in impacted-scope and/or
|
@@ -1760,7 +1913,7 @@ ccm:
|
|
1760
1913
|
content: Do you maintain liaisons and points of contact with local authorities
|
1761
1914
|
in accordance with contracts and appropriate regulations?
|
1762
1915
|
- id: SEF-02
|
1763
|
-
|
1916
|
+
title: Incident Management
|
1764
1917
|
specification: Policies and procedures shall be established, and supporting
|
1765
1918
|
business processes and technical measures implemented, to triage security-related
|
1766
1919
|
events and ensure timely and thorough incident management, as per established
|
@@ -1768,17 +1921,11 @@ ccm:
|
|
1768
1921
|
questions:
|
1769
1922
|
- id: SEF-02.1
|
1770
1923
|
content: Do you have a documented security incident response plan?
|
1771
|
-
- id: SEF-02.2
|
1772
|
-
content: Do you integrate customized tenant requirements into your security
|
1773
|
-
incident response plans?
|
1774
|
-
- id: SEF-02.3
|
1775
|
-
content: Do you publish a roles and responsibilities document specifying what
|
1776
|
-
you vs. your tenants are responsible for during security incidents?
|
1777
1924
|
- id: SEF-02.4
|
1778
1925
|
content: Have you tested your security incident response plans in the last
|
1779
1926
|
year?
|
1780
1927
|
- id: SEF-03
|
1781
|
-
|
1928
|
+
title: Incident Reporting
|
1782
1929
|
specification: Workforce personnel and external business relationships shall
|
1783
1930
|
be informed of their responsibility and, if required, shall consent and/or
|
1784
1931
|
contractually agree to report all information security events in a timely
|
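Review bot: SEF-02 loses questions SEF-02.2 and SEF-02.3 (integrating tenant requirements into incident response plans, and the roles-and-responsibilities document for provider vs. tenant during incidents), so the remaining list jumps from SEF-02.1 straight to SEF-02.4. Nothing in the patch replaces them; please confirm against the source spreadsheet that this is an upstream change rather than rows lost during regeneration, or restore the two entries.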
@@ -1790,11 +1937,8 @@ ccm:
|
|
1790
1937
|
content: Does your security information and event management (SIEM) system
|
1791
1938
|
merge data sources (e.g., app logs, firewall logs, IDS logs, physical access
|
1792
1939
|
logs, etc.) for granular analysis and alerting?
|
1793
|
-
- id: SEF-03.2
|
1794
|
-
content: Does your logging and monitoring framework allow isolation of an
|
1795
|
-
incident to specific tenants?
|
1796
1940
|
- id: SEF-04
|
1797
|
-
|
1941
|
+
title: Incident Response Legal Preparation
|
1798
1942
|
specification: Proper forensic procedures, including chain of custody, are required
|
1799
1943
|
for the presentation of evidence to support potential legal action subject
|
1800
1944
|
to the relevant jurisdiction after an information security incident. Upon
|
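Review bot: the only removal in this hunk is SEF-03.2 (`content: Does your logging and monitoring framework allow isolation of an incident to specific tenants?`), leaving SEF-03 with SEF-03.1 alone and no replacement. Same concern as the SEF-02 hunk: verify this is a real source change, not a regeneration gap, before merging.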
@@ -1805,32 +1949,19 @@ ccm:
|
|
1805
1949
|
- id: SEF-04.1
|
1806
1950
|
content: Does your incident response plan comply with industry standards for
|
1807
1951
|
legally admissible chain-of-custody management processes and controls?
|
1808
|
-
- id: SEF-04.2
|
1809
|
-
content: Does your incident response capability include the use of legally
|
1810
|
-
admissible forensic data collection and analysis techniques?
|
1811
|
-
- id: SEF-04.3
|
1812
|
-
content: Are you capable of supporting litigation holds (freeze of data from
|
1813
|
-
a specific point in time) for a specific tenant without freezing other tenant
|
1814
|
-
data?
|
1815
|
-
- id: SEF-04.4
|
1816
|
-
content: Do you enforce and attest to tenant data separation when producing
|
1817
|
-
data in response to legal subpoenas?
|
1818
1952
|
- id: SEF-05
|
1819
|
-
|
1953
|
+
title: Incident Response Metrics
|
1820
1954
|
specification: Mechanisms shall be put in place to monitor and quantify the
|
1821
1955
|
types, volumes, and costs of information security incidents.
|
1822
1956
|
questions:
|
1823
1957
|
- id: SEF-05.1
|
1824
1958
|
content: Do you monitor and quantify the types, volumes, and impacts on all
|
1825
1959
|
information security incidents?
|
1826
|
-
- id: SEF-05.2
|
1827
|
-
content: Will you share statistical information for security incident data
|
1828
|
-
with your tenants upon request?
|
1829
1960
|
- id: STA
|
1830
|
-
|
1961
|
+
title: Supply Chain Management, Transparency, and Accountability
|
1831
1962
|
controls:
|
1832
1963
|
- id: STA-01
|
1833
|
-
|
1964
|
+
title: Data Quality and Integrity
|
1834
1965
|
specification: Providers shall inspect, account for, and work with their cloud
|
1835
1966
|
supply-chain partners to correct data quality errors and associated risks.
|
1836
1967
|
Providers shall design and implement controls to mitigate and contain data
|
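Review bot: three of the four SEF-04 questions (SEF-04.2 legally admissible forensic collection, SEF-04.3 per-tenant litigation holds, SEF-04.4 attested tenant data separation for subpoenas) and SEF-05.2 (sharing incident statistics with tenants) are dropped, while the SEF-04 `specification:` in this hunk still describes forensic procedures and chain of custody that only those questions covered; SEF-04.1 on its own no longer exercises the control. Confirm the removals against the source spreadsheet; if they are not intended, revert this part of the hunk.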
@@ -1845,7 +1976,7 @@ ccm:
|
|
1845
1976
|
security risks through proper separation of duties, role-based access, and
|
1846
1977
|
least-privileged access for all personnel within your supply chain?
|
1847
1978
|
- id: STA-02
|
1848
|
-
|
1979
|
+
title: Incident Reporting
|
1849
1980
|
specification: The provider shall make security incident information available
|
1850
1981
|
to all affected customers and providers periodically through electronic methods
|
1851
1982
|
(e.g., portals).
|
@@ -1854,7 +1985,7 @@ ccm:
|
|
1854
1985
|
content: Do you make security incident information available to all affected
|
1855
1986
|
customers and providers periodically through electronic methods (e.g., portals)?
|
1856
1987
|
- id: STA-03
|
1857
|
-
|
1988
|
+
title: Network / Infrastructure Services
|
1858
1989
|
specification: Business-critical or customer (tenant) impacting (physical and
|
1859
1990
|
virtual) application and system-system interface (API) designs and configurations,
|
1860
1991
|
and infrastructure network and systems components, shall be designed, developed,
|
@@ -1865,10 +1996,8 @@ ccm:
|
|
1865
1996
|
- id: STA-03.1
|
1866
1997
|
content: Do you collect capacity and use data for all relevant components
|
1867
1998
|
of your cloud service offering?
|
1868
|
-
- id: STA-03.2
|
1869
|
-
content: Do you provide tenants with capacity planning and use reports?
|
1870
1999
|
- id: STA-04
|
1871
|
-
|
2000
|
+
title: Provider Internal Assessments
|
1872
2001
|
specification: The provider shall perform annual internal assessments of conformance
|
1873
2002
|
and effectiveness of its policies, procedures, and supporting measures and
|
1874
2003
|
metrics.
|
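Review bot: STA-03.2 (`content: Do you provide tenants with capacity planning and use reports?`) is removed with no replacement, leaving STA-03 with STA-03.1 only. Please confirm this is a source change and not a lost row.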
@@ -1877,7 +2006,7 @@ ccm:
|
|
1877
2006
|
content: Do you perform annual internal assessments of conformance and effectiveness
|
1878
2007
|
of your policies, procedures, and supporting measures and metrics?
|
1879
2008
|
- id: STA-05
|
1880
|
-
|
2009
|
+
title: Third Party Agreements
|
1881
2010
|
specification: |-
|
1882
2011
|
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
|
1883
2012
|
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
|
@@ -1891,11 +2020,6 @@ ccm:
|
|
1891
2020
|
- id: STA-05.1
|
1892
2021
|
content: Do you select and monitor outsourced providers in compliance with
|
1893
2022
|
laws in the country where the data is processed, stored, and transmitted?
|
1894
|
-
- id: STA-05.2
|
1895
|
-
content: Do you select and monitor outsourced providers in compliance with
|
1896
|
-
laws in the country where the data originates?
|
1897
|
-
- id: STA-05.3
|
1898
|
-
content: Does legal counsel review all third-party agreements?
|
1899
2023
|
- id: STA-05.4
|
1900
2024
|
content: Do third-party agreements include provision for the security and
|
1901
2025
|
protection of information and assets?
|
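Review bot: STA-05.2 and STA-05.3 are removed here but reappear later in this patch under a new `LG` / `LG-02` control (the `@@ -1960,11 +2084,20 @@` hunk), so their question IDs no longer match the control they sit under. They belong here under STA-05; the later hunk should be dropped rather than this one.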
@@ -1903,7 +2027,7 @@ ccm:
|
|
1903
2027
|
content: Do you provide the client with a list and copies of all subprocessing
|
1904
2028
|
agreements and keep this updated?
|
1905
2029
|
- id: STA-06
|
1906
|
-
|
2030
|
+
title: Supply Chain Governance Reviews
|
1907
2031
|
specification: Providers shall review the risk management and governance processes
|
1908
2032
|
of their partners so that practices are consistent and aligned to account
|
1909
2033
|
for risks inherited from other members of that partner's cloud supply chain.
|
@@ -1913,7 +2037,7 @@ ccm:
|
|
1913
2037
|
to account for risks inherited from other members of that partner's supply
|
1914
2038
|
chain?
|
1915
2039
|
- id: STA-07
|
1916
|
-
|
2040
|
+
title: Supply Chain Metrics
|
1917
2041
|
specification: Policies and procedures shall be implemented to ensure the consistent
|
1918
2042
|
review of service agreements (e.g., SLAs) between providers and customers
|
1919
2043
|
(tenants) across the relevant supply chain (upstream/downstream). Reviews
|
@@ -1935,7 +2059,7 @@ ccm:
|
|
1935
2059
|
- id: STA-07.4
|
1936
2060
|
content: Do you review all agreements, policies, and processes at least annually?
|
1937
2061
|
- id: STA-08
|
1938
|
-
|
2062
|
+
title: Third Party Assessment
|
1939
2063
|
specification: Providers shall assure reasonable information security across
|
1940
2064
|
their information supply chain by performing an annual review. The review
|
1941
2065
|
shall include all partners/third party providers upon which their information
|
@@ -1948,7 +2072,7 @@ ccm:
|
|
1948
2072
|
content: Does your annual review include all partners/third-party providers
|
1949
2073
|
upon which your information supply chain depends?
|
1950
2074
|
- id: STA-09
|
1951
|
-
|
2075
|
+
title: Third Party Audits
|
1952
2076
|
specification: Third-party service providers shall demonstrate compliance with
|
1953
2077
|
information security and confidentiality, access control, service definitions,
|
1954
2078
|
and delivery level agreements included in third-party contracts. Third-party
|
@@ -1960,11 +2084,20 @@ ccm:
|
|
1960
2084
|
- id: STA-09.2
|
1961
2085
|
content: Do you have external third party services conduct vulnerability scans
|
1962
2086
|
and periodic penetration tests on your applications and networks?
|
2087
|
+
- id: LG
|
2088
|
+
controls:
|
2089
|
+
- id: LG-02
|
2090
|
+
questions:
|
2091
|
+
- id: STA-05.2
|
2092
|
+
content: Do you select and monitor outsourced providers in compliance with
|
2093
|
+
laws in the country where the data originates?
|
2094
|
+
- id: STA-05.3
|
2095
|
+
content: Does legal counsel review all third-party agreements?
|
1963
2096
|
- id: TVM
|
1964
|
-
|
2097
|
+
title: Threat and Vulnerability Management
|
1965
2098
|
controls:
|
1966
2099
|
- id: TVM-01
|
1967
|
-
|
2100
|
+
title: Antivirus / Malicious Software
|
1968
2101
|
specification: Policies and procedures shall be established, and supporting
|
1969
2102
|
business processes and technical measures implemented, to prevent the execution
|
1970
2103
|
of malware on organizationally-owned or managed user end-point devices (i.e.,
|
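Review bot: the added `- id: LG` control domain and its `- id: LG-02` control carry no `title:` or `specification:`, and the two questions beneath them use the IDs `STA-05.2` and `STA-05.3` with exactly the content removed from STA-05 earlier in this patch. That looks like a mis-parsed spreadsheet region (rows attached to the wrong control) rather than a new domain. Suggest removing the whole `- id: LG` block, restoring the two questions under STA-05, and adding a check in the generator that every question ID prefix matches its parent control ID so this cannot slip through again.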
@@ -1974,12 +2107,8 @@ ccm:
|
|
1974
2107
|
- id: TVM-01.1
|
1975
2108
|
content: Do you have anti-malware programs that support or connect to your
|
1976
2109
|
cloud service offerings installed on all of your systems?
|
1977
|
-
- id: TVM-01.2
|
1978
|
-
content: Do you ensure that security threat detection systems using signatures,
|
1979
|
-
lists, or behavioral patterns are updated across all infrastructure components
|
1980
|
-
within industry accepted time frames?
|
1981
2110
|
- id: TVM-02
|
1982
|
-
|
2111
|
+
title: Vulnerability / Patch Management
|
1983
2112
|
specification: Policies and procedures shall be established, and supporting
|
1984
2113
|
processes and technical measures implemented, for timely detection of vulnerabilities
|
1985
2114
|
within organizationally-owned or managed applications, infrastructure network
|
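Review bot: TVM-01.2 (keeping signature, list and behavioural detection systems updated within industry-accepted time frames) is removed, leaving TVM-01 with a single question. Confirm against the source; the pattern across this patch (SEF-02, SEF-03, SEF-04, SEF-05, STA-03, STA-05) suggests the second and later question rows of each control are being lost.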
@@ -1996,23 +2125,8 @@ ccm:
|
|
1996
2125
|
- id: TVM-02.1
|
1997
2126
|
content: Do you conduct network-layer vulnerability scans regularly as prescribed
|
1998
2127
|
by industry best practices?
|
1999
|
-
- id: TVM-02.2
|
2000
|
-
content: Do you conduct application-layer vulnerability scans regularly as
|
2001
|
-
prescribed by industry best practices?
|
2002
|
-
- id: TVM-02.3
|
2003
|
-
content: Do you conduct local operating system-layer vulnerability scans regularly
|
2004
|
-
as prescribed by industry best practices?
|
2005
|
-
- id: TVM-02.4
|
2006
|
-
content: Will you make the results of vulnerability scans available to tenants
|
2007
|
-
at their request?
|
2008
|
-
- id: TVM-02.5
|
2009
|
-
content: Do you have a capability to rapidly patch vulnerabilities across
|
2010
|
-
all of your computing devices, applications, and systems?
|
2011
|
-
- id: TVM-02.6
|
2012
|
-
content: Will you provide your risk-based systems patching time frames to
|
2013
|
-
your tenants upon request?
|
2014
2128
|
- id: TVM-03
|
2015
|
-
|
2129
|
+
title: Mobile Code
|
2016
2130
|
specification: Policies and procedures shall be established, and supporting
|
2017
2131
|
business processes and technical measures implemented, to prevent the execution
|
2018
2132
|
of unauthorized mobile code, defined as software transferred between systems
|
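Review bot: TVM-02 loses five of its six questions (TVM-02.2 through TVM-02.6: application- and OS-layer scans, scan results for tenants, rapid patching, risk-based patch time frames), which reduces the vulnerability and patch management control to the single network-scan question TVM-02.1. This is the largest loss in the patch and should block the merge until the source spreadsheet confirms it.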
@@ -2025,5 +2139,3 @@ ccm:
|
|
2025
2139
|
content: Is mobile code authorized before its installation and use, and the
|
2026
2140
|
code configuration checked, to ensure that the authorized mobile code operates
|
2027
2141
|
according to a clearly defined security policy?
|
2028
|
-
- id: TVM-03.2
|
2029
|
-
content: Is all unauthorized mobile code prevented from executing?
|
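Review bot: TVM-03.2 (`content: Is all unauthorized mobile code prevented from executing?`) is dropped, leaving TVM-03 with TVM-03.1 only; the TVM-03 `specification:` shown at the end of the preceding hunk still requires preventing execution of unauthorized mobile code, so the question covering that requirement should stay.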