RubyGems - csa-ccm - Versions diffs - 0.1.2 → 0.1.3 - Mend

csa-ccm 0.1.2 → 0.1.3

Files changed (24) hide show

checksums.yaml +4 -4
data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.answers.yaml +1380 -0
data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.control.yaml +2141 -0
data/appveyor.yml +36 -0
data/caiq-3.0.1.yaml +531 -419
data/caiq.yaml +2141 -0
data/lib/csa/ccm/answer.rb +6 -29
data/lib/csa/ccm/cli/command.rb +67 -62
data/lib/csa/ccm/cli/resource.rb +0 -9
data/lib/csa/ccm/cli/version.rb +1 -1
data/lib/csa/ccm/control.rb +3 -5
data/lib/csa/ccm/control_domain.rb +2 -5
data/lib/csa/ccm/matrix.rb +167 -46
data/resources/csa-caiq-v3.0.1-12-05-2016.yaml +2141 -0
data/samples/ccm-answers.schema.yaml +21 -0
data/samples/ccm-answers.yaml +1 -1
data/samples/ccm.schema.yaml +35 -0
data/tmp/ccm-301-2.yaml +2141 -0
data/tmp/ccm-301.yaml +531 -419
data/tmp/test.answers.yaml +597 -0
data/tmp/test.control.yaml +2141 -0
metadata +13 -6
data/3.0.1.yaml +0 -1517
data/resources/~$csa-caiq-v3.0.1-09-01-2017.xlsx +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a7011ff17953162f760e8791b78e0115c5317f36976c5123bc2b5cedc7f6109
-  data.tar.gz: 322a021656e03630799f6695738efc4c642e56a7e9cdd0b98a97236c15b36cba
+  metadata.gz: 55180ab1c78b1b3dc93b2e5ecd0c76b04e9e4d12ed0126d5fe1d4006f5efe4c2
+  data.tar.gz: 00f7af48d6ddb79d9b1e760d434e40159cb1e7407c9d525fb66f088f54954850
 SHA512:
-  metadata.gz: 4a942b423af43fddc9a12f150a2da04f93865a224ba19d58c72039052ebc228fdc38da4a3d13dc47e44ba51c46a3903aab9f9dbe5fade4086abe5016c003903c
-  data.tar.gz: 891e69588dbcc034eb23cb258783962a90af24cb0d65673cb06af21ae4a00b55a73c8e5b7976c116672d33d1755e2409841b2988842c72deab5e5a1dee0f2cd8
+  metadata.gz: fa0d2d7322786ed652ee5d02718b488cb7e6e0edb5ddf43e2b22afb486384ef0f6c4c18814e8752733cc96d81ccd66a622588cb848ccda175b7f401b02f3de01
+  data.tar.gz: 58cbad62d040070721b5bf3aa8097534a61962e66900e8457139185bb797478817470f50f1f7407afe4f48b5f4c67d6c374e4ef7661b5e1e26d8d0b1a62a2406

data/CAIQ_v3.0.1-09-01-2017_FINAL_filled.answers.yaml ADDED

@@ -0,0 +1,1380 @@
+---
+ccm:
+  metadata:
+    version: 3.0.1
+    title: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1
+    source_file: CAIQ_v3.0.1-09-01-2017_FINAL_filled.xlsx
+  answers:
+  - control_id: AIS-01
+    question_id: AIS-01.1
+    answer: 'yes'
+    comment: Ribose API design and implementation adheres to industry acceptance standards.
+  - control_id: AIS-01
+    question_id: AIS-01.2
+    answer: 'yes'
+    comment: In our implementation cycle, static code security analysis tools (e.g.
+      Brakeman) are automatically run for each commit ensuring the resulting code
+      does not contain any known vulnerabilities.
+  - control_id: AIS-01
+    question_id: AIS-01.3
+    answer: 'yes'
+    comment: For both design and implementation phases of our API, which constitutes
+      a "change" in our change management procedure, we perform requirement reviews
+      pre- and post-change implementation, including for legal, statutory, and compliance
+      obligations. This is performed during our weekly sprint cycles.  All code is
+      peer reviewed.
+  - control_id: AIS-01
+    question_id: AIS-01.4
+    answer: NA
+    comment: Ribose does not rely on software suppliers.  All software is developed
+      by Ribose.
+  - control_id: AIS-01
+    question_id: AIS-01.5
+    answer: 'yes'
+    comment: Ribose will test the applications piror to deployment to production.
+  - control_id: AIS-02
+    question_id: AIS-02.1
+    answer: 'yes'
+    comment: Customers are required to register with a password and have to agree
+      to our Terms of Service and Privacy Policy.
+  - control_id: AIS-02
+    question_id: AIS-02.2
+    answer: 'yes'
+    comment: Requirements and trust levels for customers's access are defined and
+      documented in Terms of Service and Privacy Policy.
+  - control_id: AIS-03
+    question_id: AIS-03.1
+    answer: 'yes'
+    comment: |-
+      Database import and export procedures contain a model verification procedure to prevent database integrity issues.
+      Application communication takes place over the secure HTTPS/TLS to make tampering of data impossible.
+  - control_id: AIS-04
+    question_id: AIS-04.1
+    answer: 'yes'
+    comment: Policies, procedures and technical measures have been implemented covering
+      this control. Sensitive user information is encrypted on the database and filesystem
+      levels. Monitoring solutions like NewRelic and CloudWatch are used to monitor
+      availibility of data. Ribose does not transfer any data to third-parties, and
+      is compliant with known legal and regulatory issues.
+  - control_id: AAC-01
+    question_id: AAC-01.1
+    answer: 'yes'
+    comment: |-
+      An audit program has been established and audit plans are prepared, discussed and approved by the integrated management committee (Crimson Committee).
+      Internal and external audits for ISO 27001 (ISM), ISO 22301 (BCM) are performed at least annually.
+  - control_id: AAC-02
+    question_id: AAC-02.1
+    answer: 'yes'
+    comment: Ribose allows tenants to view your SOC2/ISO 27001 or similar third-party
+      audit or certification reports.
+  - control_id: CO-02
+    question_id: AAC-02.2
+    answer: 'yes'
+    comment: Ribose conducts application and network penetration test annually.
+  - control_id: CO-02
+    question_id: AAC-02.3
+    answer: 'yes'
+    comment: Ribose conducts application and network penetration test annually.
+  - control_id: CO-02
+    question_id: AAC-02.4
+    answer: 'yes'
+    comment: Internal audits for ISO 27001 are performed by the BC manager and internal
+      audits for ISO 22301 are peformed by the IS manager to ensure segration of duty.
+      Audit results are reviewed by the integrated management committee (Crimson Committee).
+  - control_id: CO-02
+    question_id: AAC-02.5
+    answer: 'yes'
+    comment: External audits (e.g. ISO 27001, ISO 22301 , and etc.) are performed
+      regualrly by BSI.
+  - control_id: CO-02
+    question_id: AAC-02.6
+    answer: 'yes'
+    comment: The results of the penetration tests are available to tenants at their
+      request.
+  - control_id: CO-02
+    question_id: AAC-02.7
+    answer: 'yes'
+    comment: The results of internal and external audits are available to tenants
+      at their request.
+  - control_id: AAC-02
+    question_id: AAC-02.8
+    answer: 'yes'
+    comment: Our internal audit program allows for cross-functional audit of assessments.
+  - control_id: AAC-03
+    question_id: AAC-03.1
+    answer: 'yes'
+    comment: Each customer will have his own key to encrypt his data.
+  - control_id: CO-05
+    question_id: AAC-03.2
+    answer: 'yes'
+    comment: Ribose can restore the data to a independent infrastrucutre that allows
+      us to restore a specific customer in the case of a faulure or data loss.
+  - control_id: AAC-03
+    question_id: AAC-03.3
+    answer: 'yes'
+    comment: Ribose has implemented multi-region feature to allow customers to store
+      the data in a specific region.
+  - control_id: AAC-03
+    question_id: AAC-03.4
+    answer: 'yes'
+    comment: Risk and compliance policies and procedures have been implemented. An
+      inventory of legal and regulatory obligations are annually reviewed to adapt
+      to business needs.
+  - control_id: BCR-01
+    question_id: BCR-01.1
+    answer: 'yes'
+    comment: 'The production system of Ribose will hosts at least two geographically
+      seperated locations for resilience and failover.
+      '
+  - control_id: RS-03
+    question_id: BCR-01.2
+    answer: 'yes'
+    comment: The production system of Ribose will hosts at least two geographically
+      seperated locations for resilience and failover.
+  - control_id: BCR-02
+    question_id: BCR-02.1
+    answer: 'yes'
+    comment: |-
+      Ribose has a tested framework for business continuity planning, rehearsed periodically to ensure smooth execution.
+      Security incident response testing is planned for and is aligned with NIST Special Publication 800-84 (definition of tabletop exercises).
+  - control_id: BCR-03
+    question_id: BCR-03.1
+    answer: NA
+    comment: 'Ribose is a SaaS, and our IaaS provider AWS satisies the datacenter
+      requirements. Amazon states in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
+      on page 6 the following: "Business Continuity Management Amazon’s infrastructure
+      has a high level of availability and provides customers the features to deploy
+      a resilient IT architecture. AWS has designed its systems to tolerate system
+      or hardware failures with minimal customer impact. Data center Business Continuity
+      Management at AWS is under the direction of the Amazon Infrastructure Group.
+      Availability Data centers are built in clusters in various global regions. All
+      data centers are online and serving customers; no data center is “cold.” In
+      case of failure, automated processes move customer data traffic away from the
+      affected area. Core applications are deployed in an N+1 configuration, so that
+      in the event of a data center failure, there is sufficient capacity to enable
+      traffic to be load‐balanced to the remaining sites."'
+  - control_id: RS-08
+    question_id: BCR-03.2
+    answer: 'no'
+    comment: Customers can define the zone or region that data is available, but they
+      may not define if it is transported through a given legal jurisdiction.
+  - control_id: BCR-04
+    question_id: BCR-04.1
+    answer: 'yes'
+    comment: Ribose provides operational guides as well as an Information Security
+      Policy for authorized personnel only to ensure operational resilience.
+  - control_id: BCR-05
+    question_id: BCR-05.1
+    answer: 'yes'
+    comment: Ribose has a business continuity plan with countermeasures that covers
+      these areas.
+  - control_id: BCR-06
+    question_id: BCR-06.1
+    answer: 'no'
+    comment: Ribose uses the geographical resilience of the IaaS provider to ensure
+      that even running equipment have been disabled due to location, our backup systems
+      can be resumed in a short period of time.
+  - control_id: BCR-07
+    question_id: BCR-07.1
+    answer: 'yes'
+    comment: Ribose applications run on AWS and AWS has included independent hardware
+      restore and recovery capabilities.
+  - control_id: OP-04
+    question_id: BCR-07.2
+    answer: 'yes'
+    comment: Ribose applications are built on docker images with tags.  Ribose restore
+      the applications by using an older images.
+  - control_id: OP-04
+    question_id: BCR-07.3
+    answer: 'yes'
+    comment: Ribose builds our images by using docker, which can be deployed into
+      other cloud providers.
+  - control_id: OP-04
+    question_id: BCR-07.4
+    answer: NA
+    comment: Ribose owns the images in a private repo which will not shared with customers.
+  - control_id: OP-04
+    question_id: BCR-07.5
+    answer: 'yes'
+    comment: Ribose implements different restore/recovery for differenet scenarios.
+  - control_id: BCR-08
+    question_id: BCR-08.1
+    answer: 'yes'
+    comment: Ribose has developed business continuity plans for natural, man-made
+      and geographically-specific risks. Examples of these risks are office physical
+      temporary unavailability in case of demonstrations or typhoons which are typical
+      for Hong Kong and happen frequently.
+  - control_id: BCR-09
+    question_id: BCR-09.1
+    answer: 'yes'
+    comment: Ribose maintains OLA which is available for all staffs.
+  - control_id: RS-02
+    question_id: BCR-09.2
+    answer: 'yes'
+    comment: The security metrics are defined in OLA.
+  - control_id: RS-02
+    question_id: BCR-09.3
+    answer: 'yes'
+    comment: Ribose maintains OLA which is available for all staffs.
+  - control_id: BCR-10
+    question_id: BCR-10.1
+    answer: 'yes'
+    comment: Ribose operational staff are trained in standards (ISO 27001, ISO 20000-1,
+      ISO 22301) and the company's change management policy and procedures provides
+      adequate definitions of roles and responsibilities. Ribose uses the task sheet
+      as a operational management system.
+  - control_id: BCR-11
+    question_id: BCR-11.1
+    answer: 'yes'
+    comment: Retention periods have been defined for all critical assets such as backup,
+      documentation and log files.
+  - control_id: DG-04
+    question_id: BCR-11.2
+    answer: 'yes'
+    comment: Retention procedures are documented in Crimson.
+  - control_id: BCR-11
+    question_id: BCR-11.4
+    answer: 'yes'
+    comment: Ribose has implemented backup mechanisms to ensure compliance with regulatory,
+      statutory, contractual or business requirements.
+  - control_id: BCR-11
+    question_id: BCR-11.5
+    answer: 'yes'
+    comment: Backup data will be tested in staging servers daily.
+  - control_id: CCC-01
+    question_id: CCC-01.1
+    answer: 'yes'
+    comment: Crimson
+  - control_id: CCC-01
+    question_id: CCC-01.2
+    answer: 'yes'
+    comment: Crimson
+  - control_id: CCC-02
+    question_id: CCC-02.1
+    answer: 'yes'
+    comment: change management procedure
+  - control_id: RM-04
+    question_id: CCC-02.2
+    answer: NA
+    comment: no outsouce development
+  - control_id: CCC-03
+    question_id: CCC-03.1
+    answer: 'yes'
+    comment: change management procedure and deployment procedure
+  - control_id: CCC-03
+    question_id: CCC-03.2
+    answer: 'yes'
+    comment: Crimson
+  - control_id: CCC-03
+    question_id: CCC-03.3
+    answer: 'yes'
+    comment: customer feedback and change management procedure
+  - control_id: CCC-03
+    question_id: CCC-03.4
+    answer: 'yes'
+    comment: code review
+  - control_id: CCC-04
+    question_id: CCC-04.1
+    answer: 'yes'
+    comment: Approved software list
+  - control_id: CCC-05
+    question_id: CCC-05.1
+    answer: 'yes'
+    comment: Crimson
+  - control_id: DSI-01
+    question_id: DSI-01.1
+    answer: 'yes'
+    comment: metadata in AWS console
+  - control_id: DG-02
+    question_id: DSI-01.2
+    answer: 'yes'
+    comment: instance type
+  - control_id: DG-02
+    question_id: DSI-01.3
+    answer: 'yes'
+    comment: IP
+  - control_id: DG-02
+    question_id: DSI-01.4
+    answer: 'yes'
+    comment: multi-region
+  - control_id: DG-02
+    question_id: DSI-01.5
+    answer: 'yes'
+    comment: multi-region
+  - control_id: DSI-01
+    question_id: DSI-01.6
+    answer: 'yes'
+    comment: data labeling policy
+  - control_id: DSI-01
+    question_id: DSI-01.7
+    answer: 'yes'
+    comment: multi-region
+  - control_id: DSI-02
+    question_id: DSI-02.1
+    answer: 'yes'
+    comment: inventory list
+  - control_id: DSI-02
+    question_id: DSI-02.2
+    answer: 'yes'
+    comment: multi-region
+  - control_id: DSI-03
+    question_id: DSI-03.1
+    answer: 'yes'
+    comment: AES encryption
+  - control_id: IS-28
+    question_id: DSI-03.2
+    answer: 'yes'
+    comment: OpenSSL
+  - control_id: DSI-04
+    question_id: DSI-04.1
+    answer: 'yes'
+    comment: Crimson
+  - control_id: DG-03
+    question_id: DSI-04.2
+    answer: 'yes'
+    comment: Space privacy and git security settings facilitate security inheritance.
+      Objects within a space or in a git repository cannot have different security
+      settings than the parent.
+  - control_id: DSI-05
+    question_id: DSI-05.1
+    answer: 'yes'
+    comment: data masking
+  - control_id: DSI-06
+    question_id: DSI-06.1
+    answer: 'yes'
+    comment: We have established information labeling procedures that cover this control.
+  - control_id: DSI-07
+    question_id: DSI-07.1
+    answer: 'yes'
+    comment: A data masking procedure has been established and is enforced.
+  - control_id: DG-05
+    question_id: DSI-07.2
+    answer: 'yes'
+    comment: It is company policy to prohibit the copying of production customer data
+      to testing environments or other locations such as an office network
+  - control_id: DCS-01
+    question_id: DCS-01.1
+    answer: 'yes'
+    comment: inventory list
+  - control_id: FS-08
+    question_id: DCS-01.2
+    answer: 'yes'
+    comment: CMDB
+  - control_id: DCS-02
+    question_id: DCS-02.1
+    answer: 'yes'
+    comment: "Ribose utilizes a CCTV camera system and biometric + proximity card
+      based access control to secure the office location.\nThe Ribose office is located
+      in a building which has 24/7 security sentries.\n\nAmazon have stringent physical
+      security measures that deal with unauthorised access to their data center, as
+      described in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
+      page 4.\n\n\"Physical and Environmental Security \n\nAWS’s data centers are
+      state of the art, utilizing innovative architectural and engineering approaches.
+      Amazon has many \nyears of experience in designing, constructing, and operating
+      large‐scale data centers. This experience has been applied \nto the AWS platform
+      and infrastructure. AWS data centers are housed in nondescript facilities. Physical
+      access is strictly \ncontrolled both at the perimeter and at building ingress
+      points by professional security staff utilizing video surveillance, \nintrusion
+      detection systems, and other electronic means. Authorized staff must pass two‐factor
+      authentication a \nminimum of two times to access data center floors. All visitors
+      and contractors are required to present identification and \nare signed in and
+      continually escorted by authorized staff. \nAWS only provides data center access
+      and information to employees and contractors who have a legitimate business
+      \nneed for such privileges. When an employee no longer has a business need for
+      these privileges, his or her access is \nimmediately revoked, even if they continue
+      to be an employee of Amazon or Amazon Web Services. All physical access \nto
+      data centers by AWS employees is logged and audited routinely.\""
+  - control_id: DCS-03
+    question_id: DCS-03.1
+    answer: 'yes'
+    comment: Ribose uses Amazon security groups. Server instances defined by environment
+      type (MY, QA) are automatically placed in the right security group according
+      to their label. It is not possible for a newly deployed server to contact other
+      instances outside it's security group unless specifically specified. No IP configuration
+      is required to setup this connection authentication.
+  - control_id: DCS-04
+    question_id: DCS-04.1
+    answer: 'yes'
+    comment: Ribose is a SaaS and uses IaaS provider's datacenters. Ribose staff adheres
+      to a Property Removal and Offsite Security Procedure to relocate or transfer
+      company assets.
+  - control_id: DCS-05
+    question_id: DCS-05.1
+    answer: 'yes'
+    comment: "1 i) Ribose has implemented and enforced a secure disposal procedure.\n1
+      ii) Ribose' IaaS provider Amazon states the following:\n\n\"Storage Device Decommissioning
+      \n \nWhen a storage device has reached the end of its useful life, AWS procedures
+      include a decommissioning process that is \ndesigned to prevent customer data
+      from being exposed to unauthorized individuals. AWS uses the techniques detailed
+      \nin DoD 5220.22‐M (“National Industrial Security Program Operating Manual “)
+      or NIST 800‐88 (“Guidelines for Media \nSanitization”) to destroy data as part
+      of the decommissioning process. All decommissioned magnetic storage devices
+      are \ndegaussed and physically destroyed in accordance with industry‐standard
+      practices.\"\n\nAs stated in http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
+      page 6."
+  - control_id: DCS-06
+    question_id: DCS-06.1
+    answer: 'yes'
+    comment: |-
+      1) Emergency exit and fire extinguisher procedures have been established and published in the Ribose security space.
+      2) A clean desk policy has been established as stated in our security policy.
+      3) Regular access audits are performed.
+  - control_id: DCS-06
+    question_id: DCS-06.2
+    answer: 'yes'
+    comment: security awareness training
+  - control_id: DCS-07
+    question_id: DCS-07.1
+    answer: 'yes'
+    comment: multi-region
+  - control_id: DCS-08
+    question_id: DCS-08.1
+    answer: 'yes'
+    comment: cctv
+  - control_id: DCS-09
+    question_id: DCS-09.1
+    answer: 'yes'
+    comment: |-
+      Secure physical access to the Ribose office is ensured by utilising biometric scanners using a system that is reviewed on a quarterly basis.
+      Ribose also maintains a list of approved users that can access the office computer room. This list is reviewed on a quarterly basis.
+  - control_id: EKM-01
+    question_id: EKM-01.1
+    answer: 'yes'
+    comment: Cryptographic Key management policies
+  - control_id: EKM-02
+    question_id: EKM-02.1
+    answer: 'yes'
+    comment: 'A separate encryption key management system and process is used for
+      Ribose customers for security of their data. '
+  - control_id: IS-19
+    question_id: EKM-02.2
+    answer: 'yes'
+    comment: |2-
+      Ribose customers do not have access to keys or key management because it is not used by them directly.  Customers have no responsibility of this control.
+  - control_id: IS-19
+    question_id: EKM-02.3
+    answer: 'yes'
+    comment: Crimson
+  - control_id: IS-19
+    question_id: EKM-02.4
+    answer: 'yes'
+    comment: Crimson
+  - control_id: EKM-02
+    question_id: EKM-02.5
+    answer: 'no'
+    comment: Ribose uses a combination of open source and proprietary code to develop
+      its encryption solutions
+  - control_id: EKM-03
+    question_id: EKM-03.1
+    answer: 'yes'
+    comment: database and S3 are encrypted
+  - control_id: IS-18
+    question_id: EKM-03.2
+    answer: 'yes'
+    comment: AWS can transfer the container images to and from Amazon ECR via HTTPS.
+      AWS images are also automatically encrypted at rest using Amazon S3 server-side
+      encryption.
+  - control_id: EKM-03
+    question_id: EKM-03.3
+    answer: 'yes'
+    comment: Each customer will have his own key to encrypt his data.
+  - control_id: EKM-03
+    question_id: EKM-03.4
+    answer: 'yes'
+    comment: Crimson
+  - control_id: EKM-04
+    question_id: EKM-04.1
+    answer: 'yes'
+    comment: Our key management system uses industry-best filesystem encryption and
+      is maintained by ourselves.
+  - control_id: EKM-04
+    question_id: EKM-04.2
+    answer: 'yes'
+    comment: Ribose maintains its own encryption keys.
+  - control_id: EKM-04
+    question_id: EKM-04.3
+    answer: 'yes'
+    comment: database and environment vairable
+  - control_id: EKM-04
+    question_id: EKM-04.4
+    answer: 'yes'
+    comment: Ribose's key management operates as a service for development teams to
+      use in their application code.
+  - control_id: GRM-01
+    question_id: GRM-01.1
+    answer: 'yes'
+    comment: The document "Technical Baseline Guidance" specifies baselines for UNIX
+      systems, Windows systems, OSX systems, Juniper and Cisco systems. In ISP it
+      is stated that this document is reviewed annually for changes or updates and
+      baseline deviations must be approved through change management procedures.
+  - control_id: IS-04
+    question_id: GRM-01.2
+    answer: 'yes'
+    comment: review annually
+  - control_id: IS-04
+    question_id: GRM-01.3
+    answer: NA
+    comment: Ribose is SAAS, but not PAAS or IAAS
+  - control_id: GRM-02
+    question_id: GRM-02.1
+    answer: 'yes'
+    comment: brakeman
+  - control_id: GRM-02
+    question_id: GRM-02.2
+    answer: 'yes'
+    comment: Data classification, location and retention period is defined.
+  - control_id: GRM-03
+    question_id: GRM-03.1
+    answer: 'yes'
+    comment: Security awareness sessions are mandatory and employees are required
+      to sign an attendance list or finish an exam.
+  - control_id: GRM-04
+    question_id: GRM-04.1
+    answer: 'yes'
+    comment: Ribose is ISO/IEC 27001:2013 certified and the ISMP is similar to the
+      operation of an ISMS.
+  - control_id: GRM-04
+    question_id: GRM-04.2
+    answer: 'yes'
+    comment: internal and external audits
+  - control_id: GRM-05
+    question_id: GRM-05.1
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: GRM-06
+    question_id: GRM-06.1
+    answer: 'yes'
+    comment: ISO 27001, ISO 22301, ISO 20000-1
+  - control_id: GRM-06
+    question_id: GRM-06.2
+    answer: 'yes'
+    comment: Tos and privacy policy
+  - control_id: GRM-06
+    question_id: GRM-06.3
+    answer: 'yes'
+    comment: Crimson
+  - control_id: GRM-06
+    question_id: GRM-06.4
+    answer: 'yes'
+    comment: announced in commitments
+  - control_id: GRM-07
+    question_id: GRM-07.1
+    answer: 'yes'
+    comment: |-
+      Chapter 21 in the Information Security Policy covers the control specification:
+      "Staff of Ribose has the responsibility to enforce compliance with this policy. Violations of security policy are subject to disciplinary action.
+      Team leads shall require employees, contractors and third party users to follow the principles and standard as described in this policy.
+      Information Security Officer has the responsibility to enforce compliance with this policy, and ensure that internal audit mechanisms exist to monitor and mea- sure compliance with this policy."
+      Ribose staff is required to sign the "appropriate usage of company resources and facilities" document:
+      "I agree to adhere to the guidelines stated in the Company’s policies and procedures as may be amended from time to time.
+      I agree to:
+      1. Conform to the Company’s obligations pertaining to the use of software.
+      2. Install and use only that software which is relevant for my work in the Company.
+      3. Not use any software downloaded from the Internet without proper authorization.
+      4. Not use any software beyond the period for which its use is authorized or legally permitted.
+      5. Abide by Company’s policy in respect of password control.
+      6. Access only those web sites, which are relevant to my work at hand.
+      7. Not indulge in "Hacking"
+      8. Not circulate or distribute offensive/ pornographic material through e-mail or in any other manner.
+      I am aware that relevant process documents are available on the LAN and shall refer to them in case of doubt.
+      I am fully aware that violation of the above undertaking in any manner will lead to disciplinary action, including termination of my employment (or secondment)."
+  - control_id: IS-06
+    question_id: GRM-07.2
+    answer: 'yes'
+    comment: security awareness training
+  - control_id: GRM-08
+    question_id: GRM-08.1
+    answer: 'yes'
+    comment: During the annual review of risk assessments any policies that require
+      modification will be updated following the document control procedure.
+  - control_id: GRM-09
+    question_id: GRM-09.1
+    answer: 'yes'
+    comment: ISC consists of management and all team leads. This can be proven with
+      the ISC meeting minute notes as verified during internal and external audits.
+  - control_id: GRM-09
+    question_id: GRM-09.2
+    answer: 'yes'
+    comment: internal and external audits
+  - control_id: GRM-10
+    question_id: GRM-10.1
+    answer: 'yes'
+    comment: Risk assessments have been performed and have been audited during internal
+      and external audits. Every risk assessment will be reviewed annually.
+  - control_id: RI-02
+    question_id: GRM-10.2
+    answer: 'yes'
+    comment: Outputs from audit results, threat and vulnerability analysis, and regulatory
+      compliance are reviewed in Crimson Committee Meetings and tasks are created
+      in task list for continuous imrpovement .
+  - control_id: GRM-11
+    question_id: GRM-11.1
+    answer: 'yes'
+    comment: Crimson
+  - control_id: RI-01
+    question_id: GRM-11.2
+    answer: 'yes'
+    comment: Published in ribose.com
+  - control_id: HRS-01
+    question_id: HRS-01.1
+    answer: 'yes'
+    comment: papertrails and datadog
+  - control_id: IS-27
+    question_id: HRS-01.2
+    answer: 'yes'
+    comment: ISO 27001
+  - control_id: HRS-02
+    question_id: HRS-02.1
+    answer: 'yes'
+    comment: Stringent background checks are performed as pre-employment checks. Contractors
+      and third-parties are subject to background checks depending on business requirements
+      and risks. See Ribose HR space.
+  - control_id: HRS-03
+    question_id: HRS-03.1
+    answer: 'yes'
+    comment: security awareness training
+  - control_id: HR-02
+    question_id: HRS-03.2
+    answer: 'yes'
+    comment: attendance list
+  - control_id: HRS-03
+    question_id: HRS-03.3
+    answer: 'yes'
+    comment: All staff are required to sign NDA and the Ribose Confidential Information
+      Agreement
+  - control_id: HRS-03
+    question_id: HRS-03.4
+    answer: 'yes'
+    comment: security awareness training
+  - control_id: HRS-03
+    question_id: HRS-03.5
+    answer: 'yes'
+    comment: security awareness training
+  - control_id: HRS-04
+    question_id: HRS-04.1
+    answer: 'yes'
+    comment: Employment procedures are documented in the Ribose HR space. Our HR process
+      is outsourced.
+  - control_id: HRS-04
+    question_id: HRS-04.2
+    answer: 'yes'
+    comment: exit procedures
+  - control_id: HRS-05
+    question_id: HRS-05.1
+    answer: 'yes'
+    comment: Mobile device policies are covered in the ISP and regularly reviewed
+      by the ISC to adjust for business risks.
+  - control_id: HRS-06
+    question_id: HRS-06.1
+    answer: 'yes'
+    comment: Our employee agreements and confidential agreements are reviewed on every
+      usage.
+  - control_id: HRS-07
+    question_id: HRS-07.1
+    answer: 'yes'
+    comment: We have a company organogram describing the roles of all staff.
+  - control_id: HRS-08
+    question_id: HRS-08.1
+    answer: 'yes'
+    comment: Covered by ISP Mobile Devices chapter.
+  - control_id: IS-26
+    question_id: HRS-08.2
+    answer: 'yes'
+    comment: privacy policy
+  - control_id: IS-26
+    question_id: HRS-08.3
+    answer: 'yes'
+    comment: Agreed privacy policy before use
+  - control_id: HRS-09
+    question_id: HRS-09.1
+    answer: 'yes'
+    comment: All staff are required to participate in the CFISA security awareness
+      training and mobile device security training.
+  - control_id: IS-11
+    question_id: HRS-09.2
+    answer: 'yes'
+    comment: All staff are required to participate in the CFISA security awareness
+      training and mobile device security training.
+  - control_id: HRS-10
+    question_id: HRS-10.1
+    answer: 'yes'
+    comment: All staff are required to participate in the CFISA security awareness
+      training and mobile device security training.
+  - control_id: IS-16
+    question_id: HRS-10.2
+    answer: 'yes'
+    comment: All staff are required to participate in the CFISA security awareness
+      training and mobile device security training.
+  - control_id: IS-16
+    question_id: HRS-10.3
+    answer: 'yes'
+    comment: All staff are required to participate in the CFISA security awareness
+      training and mobile device security training.
+  - control_id: HRS-11
+    question_id: HRS-11.1
+    answer: 'yes'
+    comment: Roles and responsbilities
+  - control_id: IS-16
+    question_id: HRS-11.2
+    answer: 'yes'
+    comment: papertrails
+  - control_id: IS-16
+    question_id: HRS-11.3
+    answer: 'yes'
+    comment: Images are managed by git and only authorized users can make changes
+  - control_id: IAM-01
+    question_id: IAM-01.1
+    answer: 'yes'
+    comment: |-
+      Ribose uses S3 storage to place log archives. Ribose also uses a remote syslog service.
+      S3 and the remote syslog have strong authentication mechanisms. papertrails and datadog
+  - control_id: IAM-01
+    question_id: IAM-01.2
+    answer: 'yes'
+    comment: papertrails and datadog
+  - control_id: IAM-02
+    question_id: IAM-02.1
+    answer: 'yes'
+    comment: Ribose has defined a data governance procedure that covers the account
+      life cycle (removal) of Ribose users.
+  - control_id: IS-07
+    question_id: IAM-02.2
+    answer: 'yes'
+    comment: Crimson
+  - control_id: IAM-03
+    question_id: IAM-03.1
+    answer: 'yes'
+    comment: VPC
+  - control_id: IAM-04
+    question_id: IAM-04.1
+    answer: 'yes'
+    comment: All user accounts are centrally egistered in the Access Rights spreadsheet.
+      Network, system and document access is based on least priviledge.
+  - control_id: IAM-04
+    question_id: IAM-04.2
+    answer: 'yes'
+    comment: All user accounts are centrally egistered in the Access Rights spreadsheet.
+      Network, system and document access is based on least priviledge.
+  - control_id: IAM-05
+    question_id: IAM-05.1
+    answer: 'yes'
+    comment: An Access Control Policy has been defined in the Information Security
+      Policy.
+  - control_id: IAM-06
+    question_id: IAM-06.1
+    answer: 'yes'
+    comment: Access control to the Ribose version control system (git) is enforced
+      by change management requiring senior management approval.
+  - control_id: IS-33
+    question_id: IAM-06.2
+    answer: 'yes'
+    comment: Access control to the Ribose version control system (git) is enforced
+      by change management requiring senior management approval.
+  - control_id: IAM-07
+    question_id: IAM-07.1
+    answer: 'yes'
+    comment: BCP and risk management procedure
+  - control_id: RI-05
+    question_id: IAM-07.2
+    answer: 'yes'
+    comment: datadog
+  - control_id: RI-05
+    question_id: IAM-07.3
+    answer: 'yes'
+    comment: Mainly AWS, can be switched to Rackspace or Azure
+  - control_id: RI-05
+    question_id: IAM-07.4
+    answer: 'yes'
+    comment: network diagram
+  - control_id: RI-05
+    question_id: IAM-07.5
+    answer: 'yes'
+    comment: customer feedback
+  - control_id: RI-05
+    question_id: IAM-07.6
+    answer: NA
+    comment: SaaS, not Iaas.  failover will be performed automatically
+  - control_id: RI-05
+    question_id: IAM-07.7
+    answer: 'yes'
+    comment: on request
+  - control_id: IAM-08
+    question_id: IAM-08.1
+    answer: 'yes'
+    comment: |-
+      Chapter 11, Access Control Policy of the ISP covers this control:
+      Principles
+      - Access to network, systems, applications and information are granted to users on a need-to-know basis, taking into considerations of the business need versus security implications, separation of duties within business pro- cesses, and classification of information.
+      - For network connectivity or services, the security principle “Everything is generally forbidden unless expressly permitted” shall also be considered when granting accesses.
+  - control_id: IS-08
+    question_id: IAM-08.2
+    answer: 'yes'
+    comment: Data classification is defined.
+  - control_id: IAM-09
+    question_id: IAM-09.1
+    answer: 'yes'
+    comment: |-
+      An Access Control Policy has been defined in the Information Security Policy.
+      Ribose users have fine grained access control over the spaces that they administer.
+  - control_id: IAM-09
+    question_id: IAM-09.2
+    answer: NA
+    comment: Ribose users have fine grained access control over the spaces that they
+      administer.
+  - control_id: IAM-10
+    question_id: IAM-10.1
+    answer: 'yes'
+    comment: An Access Control Policy has been defined in the Information Security
+      Policy.
+  - control_id: IS-10
+    question_id: IAM-10.2
+    answer: 'yes'
+    comment: log changes in auditing and papertrails
+  - control_id: IS-10
+    question_id: IAM-10.3
+    answer: NA
+    comment: Ribose will notice customers for security incidents
+  - control_id: IAM-11
+    question_id: IAM-11.1
+    answer: 'yes'
+    comment: |-
+      Entry and Exit Procedures are described in the Ribose Operations wiki
+      1. Entry Procedures
+      2. Exit Procedures
+  - control_id: IS-09
+    question_id: IAM-11.2
+    answer: 'yes'
+    comment: exit procedures
+  - control_id: IAM-12
+    question_id: IAM-12.1
+    answer: 'yes'
+    comment: Users can access all applications in Ribose after sign on.
+  - control_id: SA-02
+    question_id: IAM-12.2
+    answer: 'yes'
+    comment: devise
+  - control_id: SA-02
+    question_id: IAM-12.3
+    answer: 'yes'
+    comment: devise
+  - control_id: SA-02
+    question_id: IAM-12.4
+    answer: 'yes'
+    comment: User Access Management policy
+  - control_id: SA-02
+    question_id: IAM-12.5
+    answer: 'yes'
+    comment: role-based
+  - control_id: SA-02
+    question_id: IAM-12.6
+    answer: 'yes'
+    comment: 2 factor authentication enabled for AWS console
+  - control_id: SA-02
+    question_id: IAM-12.7
+    answer: 'yes'
+    comment: AWS supports integration with third-party identity assurance services.
+  - control_id: IAM-12
+    question_id: IAM-12.8
+    answer: 'yes'
+    comment: Password Management Policy
+  - control_id: IAM-12
+    question_id: IAM-12.9
+    answer: 'no'
+    comment: Ribose enforces the password policy
+  - control_id: IAM-12
+    question_id: IAM-12.10
+    answer: 'yes'
+    comment: Users need to enter the password himself when first logon.
+  - control_id: IAM-12
+    question_id: IAM-12.11
+    answer: NA
+    comment: account locking is disabled to prevent hackers to lock someone's account.
+  - control_id: IAM-13
+    question_id: IAM-13.1
+    answer: 'yes'
+    comment: administrators
+  - control_id: IS-34
+    question_id: IAM-13.2
+    answer: 'no'
+    comment: detections by Amazon
+  - control_id: IS-34
+    question_id: IAM-13.3
+    answer: 'yes'
+    comment: BCP and risk management procedure
+  - control_id: IVS-01
+    question_id: IVS-01.1
+    answer: 'yes'
+    comment: AIDE installed
+  - control_id: SA-14
+    question_id: IVS-01.2
+    answer: 'yes'
+    comment: audit and logging are enabled
+  - control_id: SA-14
+    question_id: IVS-01.3
+    answer: 'yes'
+    comment: Legal and Regulatory Compliance Procedure
+  - control_id: IVS-01
+    question_id: IVS-01.4
+    answer: 'yes'
+    comment: papertrails and S3
+  - control_id: IVS-01
+    question_id: IVS-01.5
+    answer: 'yes'
+    comment: papertrails
+  - control_id: IVS-02
+    question_id: IVS-02.1
+    answer: 'yes'
+    comment: changes are restrcited by git and user permission
+  - control_id: IVS-02
+    question_id: IVS-02.2
+    answer: 'yes'
+    comment: changes are restrcited by git and user permission
+  - control_id: IVS-03
+    question_id: IVS-03.1
+    answer: 'yes'
+    comment: NTP
+  - control_id: IVS-04
+    question_id: IVS-04.1
+    answer: 'yes'
+    comment: Crimson and git repo ribose-infrastructure
+  - control_id: OP-03
+    question_id: IVS-04.2
+    answer: 'yes'
+    comment: ribose-infrastructure
+  - control_id: IVS-04
+    question_id: IVS-04.3
+    answer: 'yes'
+    comment: capacity plan and auto scaling
+  - control_id: IVS-04
+    question_id: IVS-04.4
+    answer: 'yes'
+    comment: AWS metrics and datadog
+  - control_id: IVS-05
+    question_id: IVS-05.1
+    answer: 'yes'
+    comment: penetration test and vulnerability scanning
+  - control_id: IVS-06
+    question_id: IVS-06.1
+    answer: NA
+    comment: SaaS
+  - control_id: IVS-06
+    question_id: IVS-06.2
+    answer: 'yes'
+    comment: network diagram
+  - control_id: IVS-06
+    question_id: IVS-06.3
+    answer: 'yes'
+    comment: change management procedure
+  - control_id: IVS-06
+    question_id: IVS-06.4
+    answer: 'yes'
+    comment: ribose-infrastructure
+  - control_id: IVS-07
+    question_id: IVS-07.1
+    answer: 'yes'
+    comment: ribose-infrastructure
+  - control_id: IVS-08
+    question_id: IVS-08.1
+    answer: 'yes'
+    comment: prodcution environment for customers and staging environment for internal
+      developers
+  - control_id: SA-06
+    question_id: IVS-08.2
+    answer: NA
+    comment: SaaS
+  - control_id: IVS-08
+    question_id: IVS-08.3
+    answer: 'yes'
+    comment: different VPC
+  - control_id: IVS-09
+    question_id: IVS-09.1
+    answer: 'yes'
+    comment: VPC and security groups
+  - control_id: SA-09
+    question_id: IVS-09.2
+    answer: 'yes'
+    comment: VPC and security groups
+  - control_id: SA-09
+    question_id: IVS-09.3
+    answer: 'yes'
+    comment: different VPC
+  - control_id: SA-09
+    question_id: IVS-09.4
+    answer: 'yes'
+    comment: VPC and security groups
+  - control_id: IVS-10
+    question_id: IVS-10.1
+    answer: 'yes'
+    comment: SSH and SSL
+  - control_id: IVS-10
+    question_id: IVS-10.2
+    answer: 'yes'
+    comment: VPC
+  - control_id: IVS-11
+    question_id: IVS-11.1
+    answer: 'yes'
+    comment: administrators
+  - control_id: IVS-12
+    question_id: IVS-12.1
+    answer: 'yes'
+    comment: Wireless Communication Policy
+  - control_id: SA-10
+    question_id: IVS-12.2
+    answer: 'yes'
+    comment: Wireless Communication Policy
+  - control_id: SA-10
+    question_id: IVS-12.3
+    answer: 'yes'
+    comment: whitelist of company-owned/managed MAC addresses used to reject any rogue
+      wireless network devices.
+  - control_id: IVS-13
+    question_id: IVS-13.1
+    answer: 'yes'
+    comment: Crimson states which legal and privacy regulations affect the data handling
+      and location
+  - control_id: IVS-13
+    question_id: IVS-13.2
+    answer: 'yes'
+    comment: Ribose IaaS provider Amazon has various levels of protection
+  - control_id: IPY-01
+    question_id: IPY-01.1
+    answer: 'yes'
+    comment: Ribose-api in github
+  - control_id: IPY-02
+    question_id: IPY-02.1
+    answer: 'yes'
+    comment: json
+  - control_id: IPY-03
+    question_id: IPY-03.1
+    answer: 'yes'
+    comment: same as service
+  - control_id: IPY-03
+    question_id: IPY-03.2
+    answer: 'yes'
+    comment: same as service
+  - control_id: IPY-04
+    question_id: IPY-04.1
+    answer: 'yes'
+    comment: ssl
+  - control_id: IPY-04
+    question_id: IPY-04.2
+    answer: NA
+    comment: https is a common protocol
+  - control_id: IPY-05
+    question_id: IPY-05.1
+    answer: 'yes'
+    comment: Xen
+  - control_id: IPY-05
+    question_id: IPY-05.2
+    answer: 'yes'
+    comment: Refer to the AWS Cloud Security Whitepaper for additional details - available
+      at http://aws.amazon.com/security."
+  - control_id: MOS-01
+    question_id: MOS-01.1
+    answer: 'yes'
+    comment: Training is included and performed. This is incorporated in our Information
+      Security Policy, chapter "Mobile Device Policy"
+  - control_id: MOS-02
+    question_id: MOS-02.1
+    answer: 'yes'
+    comment: Approved software list
+  - control_id: MOS-03
+    question_id: MOS-03.1
+    answer: 'yes'
+  - control_id: MOS-04
+    question_id: MOS-04.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-05
+    question_id: MOS-05.1
+    answer: 'yes'
+    comment: This is incorporated in our Information Security Policy, chapter "Mobile
+      Device Policy"
+  - control_id: MOS-06
+    question_id: MOS-06.1
+    answer: 'yes'
+    comment: This is incorporated in our Information Security Policy, chapter "Mobile
+      Device Policy"
+  - control_id: MOS-07
+    question_id: MOS-07.1
+    answer: 'yes'
+    comment: Ribose has a documented application validation process in the Ribose
+      development space wiki named "Application Validation Process"
+  - control_id: MOS-08
+    question_id: MOS-08.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-09
+    question_id: MOS-09.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-10
+    question_id: MOS-10.1
+    answer: 'yes'
+    comment: meraki
+  - control_id: MOS-11
+    question_id: MOS-11.1
+    answer: 'yes'
+    comment: 'Mobile device policy requires use of entire disk encryption. '
+  - control_id: MOS-12
+    question_id: MOS-12.1
+    answer: 'yes'
+    comment: This is incorporated in our Information Security Policy, chapter "Mobile
+      Device Policy"
+  - control_id: MOS-12
+    question_id: MOS-12.2
+    answer: 'yes'
+    comment: This is incorporated in our Information Security Policy, chapter "Mobile
+      Device Policy"
+  - control_id: MOS-13
+    question_id: MOS-13.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-13
+    question_id: MOS-13.2
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-14
+    question_id: MOS-14.1
+    answer: 'yes'
+    comment: Screensaver functionality has been enabled.
+  - control_id: MOS-15
+    question_id: MOS-15.1
+    answer: 'yes'
+    comment: meraki
+  - control_id: MOS-16
+    question_id: MOS-16.1
+    answer: 'yes'
+    comment: password policy
+  - control_id: MOS-16
+    question_id: MOS-16.2
+    answer: 'yes'
+    comment: Password policy has been enforced.
+  - control_id: MOS-16
+    question_id: MOS-16.3
+    answer: 'yes'
+    comment: Password policy has been enforced.
+  - control_id: MOS-17
+    question_id: MOS-17.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-17
+    question_id: MOS-17.2
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-17
+    question_id: MOS-17.3
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-18
+    question_id: MOS-18.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-18
+    question_id: MOS-18.2
+    answer: 'yes'
+    comment: meraki
+  - control_id: MOS-19
+    question_id: MOS-19.1
+    answer: 'yes'
+    comment: meraki
+  - control_id: MOS-19
+    question_id: MOS-19.2
+    answer: 'yes'
+    comment: meraki
+  - control_id: MOS-20
+    question_id: MOS-20.1
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: MOS-20
+    question_id: MOS-20.2
+    answer: NA
+    comment: Ribose does not allow BYOD.
+  - control_id: SEF-01
+    question_id: SEF-01.1
+    answer: 'yes'
+    comment: A contact law enforcement policy has been established with details of
+      the Hong Kong Police Force Technology Crime Division(TCD).
+  - control_id: SEF-02
+    question_id: SEF-02.1
+    answer: 'yes'
+    comment: A security incident procedure has been established.
+  - control_id: IS-22
+    question_id: SEF-02.2
+    answer: 'yes'
+    comment: A security incident procedure has been established.
+  - control_id: IS-22
+    question_id: SEF-02.3
+    answer: 'yes'
+    comment: Terms of Use
+  - control_id: SEF-02
+    question_id: SEF-02.4
+    answer: 'yes'
+    comment: BCP
+  - control_id: SEF-03
+    question_id: SEF-03.1
+    answer: 'yes'
+    comment: A security incident procedure has been established.
+  - control_id: IS-23
+    question_id: SEF-03.2
+    answer: NA
+    comment: SaaS
+  - control_id: SEF-04
+    question_id: SEF-04.1
+    answer: 'yes'
+    comment: ISO 27001
+  - control_id: IS-24
+    question_id: SEF-04.2
+    answer: 'yes'
+    comment: Ribose has established a forensics evidence procedure.
+  - control_id: IS-24
+    question_id: SEF-04.3
+    answer: 'yes'
+    comment: account can be disabled
+  - control_id: IS-24
+    question_id: SEF-04.4
+    answer: NA
+    comment: SaaS
+  - control_id: SEF-05
+    question_id: SEF-05.1
+    answer: 'yes'
+    comment: papertrails
+  - control_id: IS-25
+    question_id: SEF-05.2
+    answer: NA
+    comment: SaaS
+  - control_id: STA-01
+    question_id: STA-01.1
+    answer: 'yes'
+    comment: This control has been incorporated in the External Service Provider Audit
+      Checklist which has been used for key vendors. These checklists are subject
+      to annual review.
+  - control_id: STA-01
+    question_id: STA-01.2
+    answer: 'yes'
+    comment: This control has been incorporated in the External Service Provider Audit
+      Checklist which has been used for key vendors. These checklists are subject
+      to annual review.
+  - control_id: STA-02
+    question_id: STA-02.1
+    answer: 'yes'
+    comment: All users will be notified of security incidents through the Ribose blog.
+      This is listed in the communications procedure.
+  - control_id: STA-03
+    question_id: STA-03.1
+    answer: 'yes'
+    comment: capacity plan and auto scaling
+  - control_id: IS-31
+    question_id: STA-03.2
+    answer: NA
+    comment: SaaS
+  - control_id: STA-04
+    question_id: STA-04.1
+    answer: 'yes'
+    comment: internal and external audits
+  - control_id: STA-05
+    question_id: STA-05.1
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: LG-02
+    question_id: STA-05.2
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: LG-02
+    question_id: STA-05.3
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: STA-05
+    question_id: STA-05.4
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: STA-05
+    question_id: STA-05.5
+    answer: 'yes'
+    comment: supplier evaluations
+  - control_id: STA-06
+    question_id: STA-06.1
+    answer: 'yes'
+    comment: Annual review during of the risk assessment and External Service Provider
+      Audit Checklist is performed.
+  - control_id: STA-07
+    question_id: STA-07.1
+    answer: 'yes'
+    comment: OLA and datadog
+  - control_id: STA-07
+    question_id: STA-07.2
+    answer: 'yes'
+    comment: Ribose performs annual reviews of supplier evalutations
+  - control_id: STA-07
+    question_id: STA-07.3
+    answer: 'yes'
+    comment: Ribose defined OLA/SLA with the alignment of suppliers
+  - control_id: STA-07
+    question_id: STA-07.4
+    answer: 'yes'
+    comment: Ribose performs annual reviews of supplier evalutations
+  - control_id: STA-08
+    question_id: STA-08.1
+    answer: 'yes'
+    comment: Ribose performs annual reviews of supplier evalutations
+  - control_id: STA-08
+    question_id: STA-08.2
+    answer: 'yes'
+    comment: Ribose performs annual reviews of supplier evalutations
+  - control_id: STA-09
+    question_id: STA-09.1
+    answer: 'yes'
+    comment: Ribose performs annual reviews of supplier evalutations
+  - control_id: STA-09
+    question_id: STA-09.2
+    answer: 'yes'
+    comment: vulnerability scans and penetration tests are performed annually.
+  - control_id: TVM-01
+    question_id: TVM-01.1
+    answer: 'yes'
+    comment: Relevant policies and procedures are defined in the ISMS
+  - control_id: IS-21
+    question_id: TVM-01.2
+    answer: 'yes'
+    comment: meraki
+  - control_id: TVM-02
+    question_id: TVM-02.1
+    answer: 'yes'
+    comment: suricata
+  - control_id: IS-20
+    question_id: TVM-02.2
+    answer: 'yes'
+    comment: vuls openscap
+  - control_id: IS-20
+    question_id: TVM-02.3
+    answer: 'yes'
+    comment: Ossec
+  - control_id: IS-20
+    question_id: TVM-02.4
+    answer: NA
+    comment: SaaS
+  - control_id: IS-20
+    question_id: TVM-02.5
+    answer: 'yes'
+    comment: packer
+  - control_id: IS-20
+    question_id: TVM-02.6
+    answer: 'yes'
+    comment: maintenance page (statuspage)
+  - control_id: TVM-03
+    question_id: TVM-03.1
+    answer: 'yes'
+    comment: antivirus installed
+  - control_id: SA-15
+    question_id: TVM-03.2
+    answer: 'yes'
+    comment: antivirus installed